Pages:
Author

Topic: Cold / Brain wallet security question (Read 1836 times)

legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 26, 2013, 02:36:50 PM
#25
Forgive my limited tech knowledge.  Isn't there some alt coins that use complex CPU hashing that takes a lot of resources/time.  Wouldn't using those be ASIC resistant so to speak.  Also it would have to be cold offline software otherwise not very secure sending your seed/key to somebody else online to hash.  Right?  The ultimate goal isn't for tech people it's to be able to plainly explain to someone who wants to store coins that this is secure.  If I want to cold store a long term investment it makes no sense for it to be just a plain visible key since safety deposit boxes and safes get cracked open all the time.  Also there's the problem of destruction from external factors or simply forgetting where it is.  I think it would be nice to be able to express the solution to this problem in the format that Jesse James posted.  One must change a certain amount of digits depending on how much values is stored.
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
October 26, 2013, 03:26:13 AM
#24
The goal here is to make cold storage more secure.

Then why not just use a password protected private key?

https://en.bitcoin.it/wiki/BIP_0038

My claim is that brain-wallets are dangerous (private key which is the password) as your virtual "encrypted wallet" is effectively stored on the block chain so anyone can have a go at grinding your password.  GPUs are frighteningly fast at grinding passwords.  Even a 46-bit password can be ground for 50c of compute at bitcoin prices or analogous with litecoin/scrypt.

Its not that much better with an encrypted randomly generated private key (BIP 38), if you are worried that its realistic other people will get hold of your encrypted private key.  Once that happens you're in the same boat as brain-wallets against the people who have your encrypted key file/wallet.

Of course its better to encrypt than not.

But about increasing the security of your private key, choose a parallelizable key derivation and buy yourself a machine with a lot of GPU cores.  (eg Scrypt(iter=1,deleted salt,...) with a deleted 30-bit or 40-bit salt; it will be GPU expensive to decrypt.  This delete salt bits (not a new idea its due to Merkle 1976 and mentioned in Rivest et al's time-lock puzzle paper) its described here:

https://bitcointalksearch.org/topic/m.3342217

Also see the top part of the thread, I proposed a couple of ways to securely outsource computing your KDF so that you can pay 50c and get 100 GPU miners to stretch your key for you, this one is interactive:

https://bitcointalksearch.org/topic/m.3341985

or lots of ASIC miners in the second version which is non-interactive, its a stretched signature verification, and after its spent you need to delete the private key component c to prevent somone who later gets a copy of your private key grinding your password against the now public stretched signature:

https://bitcointalksearch.org/topic/m.3402287

Adam
member
Activity: 116
Merit: 10
October 25, 2013, 10:18:57 PM
#23
The goal here is to make cold storage more secure.

Then why not just use a password protected private key?

https://en.bitcoin.it/wiki/BIP_0038

legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 25, 2013, 10:04:42 PM
#22
The goal here is to make cold storage more secure.  If I just stick a private printed key in a safety bank box or underground well then anyone who gets into my box gets my coins.  Let's say I don't include a public address next to it.  I still don't think it's that hard to just check if any of the addresses attempted through brute force have coins in them.  Is it?  Let's try it again.  If anyone needs a bounty please post and I will fund the address.
Same Private Key :  6108A178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
Public Address     :  13VrtFYvfMrFcjnQNfTR2PSgWnBNxcst45
legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 25, 2013, 11:41:36 AM
#21
Would multi hashing it after increase the difficulty.  Or do asics now make that easy to brute as well. 
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
October 25, 2013, 03:57:27 AM
#20
Well firstly the number of combinations of 2 transposed hex chars from a 256-bit (64 hex nibbles) is c(64,2) = 2016.  Secondly you need to swap about half the digits c(64,32)>2^64 for reasonable security and that will be really hard to remember, or not randomly chosen enough.

And thirdly for paranoia you probably dont want to do that directly Smiley  Because there are algorithms for finding discrete log knowing some of the digits, at least for non-EC discrete log.  So I think it would be safer to make x' the private key x'=H(shuffle(x)) and you publish shuffle(x).

In Shrem's case omitting one digit thats even worse - I presume they were in base58, so 44 chars, but actually you can use 128-bit private keys if you use them as a seed, then only 22 base-58 chars.

Then if Shrem missed one char there are 22 chars to choose from and each can hold 58 values 22*58=1276 which is laughably grindable.

I do like the private key on a physical object though.  Good unless you check out in a plane crash where the ring may get lost.  You want durable material, but I guess the jewelers know about that.

If you swap chars in 22 base-58 (128-bit private key) representation its weaker still 231 combinations.

Adam
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
October 25, 2013, 01:29:24 AM
#19
How did you go about figuring it out?  Also I guess Shrem is doing it wrong too.
http://www.wired.com/wiredenterprise/2013/03/bitcoin-ring/

1. You'd have to get him.
2. You'd have to get his finger, or the ring.

I don't think the father has that piece of paper anymore, and probably there is no other copy of that private key. A ring on a finger makes sense. You'd never lose it unless you got mugged or murdered.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
October 25, 2013, 01:26:48 AM
#18
6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
Example private key  6108A178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
Bitcoin Address        1GHVFk9HB2ke2UJsqTWWYiqVHemUyn8jTL

Well, there you go. That didn't take long. Make another one, and this time change 2 digits, or 3 digits, but don't tell us. Show the public bitcoin address as well. I'm sure someone will get to work on it.

Put a token bounty.

Then do another one where you change 5 digits, and another one with 8 digits. heheheheh.

Let's see how fast it will get cracked, then you will find your answer.

In other words, don't do this with actual bitcoins unless you do change at least 30 or more digits. (and then, you might as well change everything.) What I meant was your true bitcoin savings or stash.
legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 25, 2013, 12:16:36 AM
#17
How did you go about figuring it out?  Also I guess Shrem is doing it wrong too.
http://www.wired.com/wiredenterprise/2013/03/bitcoin-ring/
newbie
Activity: 29
Merit: 0
October 24, 2013, 11:26:42 PM
#16
But if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.

That is true, but he is simply going to try all 1 mutation variations, then 2, ... then 3 ... up to whatever budget he's allocated for the attack.

No need to create a bounty ... the corrected version of your private key is:

6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C


legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 24, 2013, 04:59:25 PM
#15
But if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.
newbie
Activity: 29
Merit: 0
October 24, 2013, 03:47:54 PM
#14
If the private key is represented in hex and n characters are mutated then there are 64! * 15 n / (64 - n)! possibilities to search through.

The attacker knowing the address (or even the full public key) doesn't tell him anything beyond giving him a way to know if a private key guess is correct or incorrect.

Assume a hardcore attacker (one e.g. with a repurposed GPU mining rig) can test 14e9 keys for 1 USD, then here are the attack costs:

mutations   possibilities   cost to crack
-----------------------------------------
1           960             ~0
2           907e3           ~0
3           844e6           0.06 USD
4           772e9           55.14 USD
5           695e12          49652.86 USD


As you can see, changing at least 5 digits in totally random locations makes an attack prohibitively expensive.  However, most humans will make less than totally random choices about which characters to mutate ... e.g. if I were attacking someone who I suspected of using the scheme you described I would assume they would be more likely to mutate successive digits ... especially at  the very beginning or end.  E.g. if I knew for sure only the last 8 digits were mutated it would only cost 0.19 USD to check.
legendary
Activity: 2053
Merit: 1356
aka tonikt
October 24, 2013, 02:27:34 PM
#13
oh, right - sorry.
so you are asking whether publishing a part of your private key creates a security risk?
yes it does - even bigger if you publish a corresponding public key along with it.

in other words: never publish any parts of your private key - the bigger part you publish, the more risky it is that someone will find it.
publishing one or two bits probably would not change much, but from what I understand you only change "one or more of the digits", which makes you pretty much exposed.
legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 24, 2013, 11:47:27 AM
#12
If I have a private key written down somewhere and for further security change one or more of the digits and then have the public address from the resulting private key written next to it.  How secure is that?  Would a brute force attack or any other attack be easier or no?  
Now after you announced it; it is a security risk, but only if the attacker gets to know one of your private keys.
Then he will try to brute force the remaining ones by changing one or more of the digits.

Without disclosing any of your private keys, you should be safe; you can even use them in a sequence and it shouldn't matter.
I mean: assuming that there isn't any secret math behind ECDSA, that we don't know and they do.. which has been a concern.
I'm not sure you are understanding me.  A regular brute force without knowing which digit or how many digits I changed is worthless since the total possible combinations should be exactly the same as a completely random number unless there is a relationship that can be derived from seeing a partial private key and a full public address next to it.  That's the question here. 
legendary
Activity: 2053
Merit: 1356
aka tonikt
October 24, 2013, 05:01:03 AM
#11
If I have a private key written down somewhere and for further security change one or more of the digits and then have the public address from the resulting private key written next to it.  How secure is that?  Would a brute force attack or any other attack be easier or no?  
Now after you announced it; it is a security risk, but only if the attacker gets to know one of your private keys.
Then he will try to brute force the remaining ones by changing one or more of the digits.

Without disclosing any of your private keys, you should be safe; you can even use them in a sequence and it shouldn't matter.
I mean: assuming that there isn't any secret math behind ECDSA, that we don't know and they do.. which has been a concern.
newbie
Activity: 42
Merit: 0
October 24, 2013, 04:22:48 AM
#10
One or more digits are different, but I have the rest of the private key? Someone is going to run a program against all the possibilities, and if it's below a few million someone will get the correct one.

Change more than one. Change maybe 30 digits.

maybe all 700 symbols


i Rusia
just say what i do see this topic
morning
Double lol



Private key:     HFTFK&T^RTG#&HFG&#H(G*J*(#J*)TJ*JT*(HDG&(H#


After Procedure Masturbation key:   77777777777777777777777777777777777777





HaHaHa i very positive morning thanx plug brother
legendary
Activity: 3710
Merit: 1586
October 24, 2013, 02:46:39 AM
#9
The best brain wallet is an electrum wallet. 12 words are all you have to remember.
legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 24, 2013, 02:40:13 AM
#8
So if someone finds it you are SOL.  With my way you perhaps still have a chance.  And how much of a chance is the question.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
October 24, 2013, 02:35:54 AM
#7
He'll try everything. He might get lucky. I dunno about you, but I'd rather not display the private key at all. You're better off encrypting it before printing it.
It wouldn't be displayed it's more of an issue if it's a weak way to store on a computer in case it gets hacked.

If it's in cold storage offline, printed, you better put it somewhere you can physically control or protect, like a bank vault, or a safe at home, or buried under your house or something like that.

I put a bunch of private keys on paper, put it in an envelope, seal it, lock it in my office desk, behind a locked door, with an armed guard. I would know immediately if it has been compromised. If the building burns down though, I'll have to dig up my backup copy under ... where ever I hid it.

If its on a computer, you had better have it in an encrypted container (such as TrueCrypt)... Or if you use the reference client or even Armory, you had better have a good strong password.

I dunno, you can never be too paranoid when it comes to bitcoins or even when it comes to fiat.
legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
October 24, 2013, 01:46:05 AM
#6
He'll try everything. He might get lucky. I dunno about you, but I'd rather not display the private key at all. You're better off encrypting it before printing it.
It wouldn't be displayed it's more of an issue if it's a weak way to store on a computer in case it gets hacked.
Pages:
Jump to: