Topic: Cold storage wallet idea -criticism welcomed! (Read 3769 times)

legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
In that case, give the password already, right now. Just keep the encrypted paper wallet. The printed password goes in an envelope, and is given personally to your trusted relatives (who know they will inherit whatever bitcoins you have).

The password can then be completely random, and be maybe 64 characters long. That way, no one is going to brute force that.

The only way now is for someone to physically steal:
1. The encrypted paper wallet AND
2. The password

You give the password to a relative who you know knows how to secure things, like they have a vault or a safe or they have a safe deposit box in the bank, or they know how to file things and are organized.

Personally, I'd just rather keep an unencrypted paper wallet and keep that safe, seal it, sign it, and send it to someone or hide it or something. Bury it in your backyard or some property you own, then pour cement over it. Then, and only when you are really dead or gone or missing, will even your relatives attempt to dig it up.

Of course, choose your people. They just might kill you for it.
full member
Activity: 140
Merit: 100
Mining FTW
People can take care of paper documents rather well, sealed in envelopes and all that. If it had a password and you disappeared, no one can get to the coins.
That's why you want to encrypt your paper wallet, and put the password on there with it, making no sense for random people. For example First-school+birth-date-first-girlfriend+place-first-own-house. Your wife or kids would know this, but a random person or a not so close friend would not. (Hence you are safe from burglars trying to steal your paper wallet, if you have copies, that is...)

As for me, two relatives are both going to get half of a password; in case I'm gone, a letter comes up with locations of wallets and how to unlock them. (This is only readable by using the aforementioned password, held by a notary under instructions only to hand it out when I'm gone.)
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
I don't like brain wallets, as so many have already discussed. I also don't like deterministic wallets for similar reasons. But the OP's idea is almost a 2 factor wallet.

1. Something you have / need.
2. Something you know.

Which is essentially a wallet.dat encrypted with your password / passphrase. If you can physically secure it, an unencrypted wallet or randomly generated private key is fine, I think.

People can take care of paper documents rather well, sealed in envelopes and all that. If it had a password and you disappeared, no one can get to the coins.
newbie
Activity: 10
Merit: 0
I've finally looked up Brain Wallet, and your scheme is essentially the same: the passphrase is used to generate or recover the private address through some complex mathematical functions.  The "brain wallet" described in the link simply uses the SHA256 hash function to generate the private key based on a passphrase.  Your "encrypted private key" uses a passphrase to scramble the private key, but you also leave a clue to help you remember the passphrase.

Essentially, in both schemes, the attacker wants to generate your private key, and to do that, he will need to guess the passphrase and perform the proper mathematical operations that would generate the private key.  In the "brain wallet" scheme, the mathematical operations are well known; that makes it easier for multiple pieces of software to be written that can generate the private key with the owner not being required to know the details of the math functions.  You are using a non-standard order of mathematical functions to generate your private key, but you are also giving the attacker information that will help him guess your passphrase, and if you do end up using the encryption procedure you've described, he also knows the math functions, so your scheme is no more secure than the "brain wallet" plus you've given clues to your passphrase.

This thread is really a discussion about "how do I come up with a good passphrase with lots of entropy."

One alternative to coming up with a good passphrase might be to use a bad passphrase, such as "Mark Twain," but run that through the MD5 hashing function then use that output as your "brain wallet" passphrase.  An attacker assuming that your "brain wallet" was generated with a simple or complex passphrase would put things that look nothing like an MD5 result into the SHA256 function, and you would have an effectively good passphrase, but if the attacker knew your procedure (or used more sophisticated methods than brute-force), he would probably get your private key in short order.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Brainwallets are only as good as the amount of entropy you end up with - there is no "best" solution to creating a good brainwallet but the more creative your ideas and the more effort you put into it the more secure a system you'll be able to come up with.

Another idea is to use a starting address (which you fund with a non-trivial amount) that is a seed for creating more secure addresses (I would recommend several rather than just the one). By keeping a watch on the starting address(es) if you see the funds go missing then perhaps you'll have time to move the rest of the more secure funds before they are found (of course if the thief knows you have set this up then it probably won't help).
newbie
Activity: 10
Merit: 0
I like the idea of an encrypted private key that you don't mind letting other people see.

But, I don't think the "key" mnemonic is a good idea. If you're going to make the effort to remember something, just spend the time developing and memorizing a good passphrase.

http://imgs.xkcd.com/comics/password_strength.png
member
Activity: 104
Merit: 10
Hi everyone,

Here is my idea for how I was going to keep my coins for long term saving. It is kind of a hybrid cold storage/brain wallet idea. I liked the idea of convenience provided by a brainwallet, but not the potential risk that a password without enough entropy would eventually be hacked. I also wanted to be able to keep my private key in some form where it could be accessed anywhere in the world. So anyway here is my plan:

1) Generate a standard public/private key pair using bitaddress.org offline on a fresh OS install that has never been connected to the internet.
2) I will then encrypt the bitcoin private key using AES encryption. The AES decryption key will be a long seemingly random password, for example:

Full Decryption Key: 123452335 BBBA HP136QT

However, this password will actually be remembered using a mnemonic reminder that would only make sense to me e.g.:

Decryption Key Mnemonic: SS EDEXAM PC1

Where:

SS= social security number
EDEXAM = my exam results
PC1 = Zipcode of my first house

I won't keep the full AES decryption key written out in full anywhere. I will only write down/memorize the mnemonic, from which I could later construct the full decryption key. The only time I would ever write out the full decryption key would be in the *offline* decryption software, when decrypting my bitcoin private key.

By doing this, I will actually be able to store both the encrypted private key and the mnemonic (not the full decryption key!) in a fairly insecure but convenient place, let's say my gmail account, and email it to a few other reasonably secure (but not necessarily infallible) places... so I would email the following two bits of information to myself:

AES Encrypted private key: U2FsdGVkX19a7dz/OAYELQsjCiGl90GH0XSRAhtY4y2d61s8Byclz7/wMaRNA5ca
Decryption key Mnemonic: SS EDEXAM PC1

This to me provides the advantage of not needing to keep a physical paper wallet anywhere, which is not convenient and could still be lost in fire or theft, etc. I would be able to get access to my wallet from anywhere, but only after decrypting the private key, which is only possible using the mnemonic that only makes sense to me. I would probably keep a paper wallet backup, but this would still be the encrypted form of the key, with the mnemonic - not the raw private key itself. It would not be clear to a potential attacker that the encrypted private key has anything to do with bitcoin whatsoever.

The full decryption key will actually be a lot longer and more complicated/abstract than this example which was only based on 3 bits of info.

I hope that makes sense. Does anybody see any flaws with this idea?

Many thanks!

Alex
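The scheme described above (a private key encrypted under a passphrase, with everything except the passphrase kept somewhere convenient), together with the earlier point that, as with a brainwallet, the attacker's whole job is guessing the passphrase, as an added example that is not part of the original thread and is not any poster's code. It is written in Go using only the standard library. The private key string, the passphrase and the 16-byte salt length are constructed for illustration; PBKDF2-HMAC-SHA256 is implemented inline because it is not in the standard library, and the iteration count is an assumed value. AES-GCM is used so that a wrong passphrase or an altered envelope produces an error instead of silently yielding garbage; the `U2FsdGVkX1` prefix on the OP's sample ciphertext is the Base64 of OpenSSL's `Salted__` header, which does not carry an authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Iterations is the PBKDF2 work factor (assumed value). Every passphrase guess
// costs this many HMAC-SHA256 evaluations instead of the single SHA256 that a
// plain brainwallet costs.
const Iterations = 200000

// BrainWalletKey reproduces the brainwallet derivation discussed in the thread:
// the private key is simply SHA256(passphrase), so one hash checks one guess.
func BrainWalletKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte output, written
// inline because the standard library used here has no PBKDF2 package.
func pbkdf2SHA256(passphrase, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Envelope is everything the OP would store in e-mail besides the mnemonic.
// None of it is secret: the salt blocks precomputed guess tables, the
// iteration count records the work factor, and the GCM tag inside Ciphertext
// lets Decrypt distinguish a wrong passphrase from a corrupted copy.
type Envelope struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(passphrase string, salt []byte, iter int) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, iter) // 32 bytes -> AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a private key under the passphrase with a fresh salt and nonce.
func Encrypt(privateKey []byte, passphrase string) (*Envelope, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt, Iterations)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is bound as associated data, so replacing it is also detected.
	ct := gcm.Seal(nil, nonce, privateKey, salt)
	return &Envelope{Salt: salt, Iterations: Iterations, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt recovers the private key, or fails if the passphrase is wrong or
// any envelope field was altered.
func Decrypt(env *Envelope, passphrase string) ([]byte, error) {
	gcm, err := newGCM(passphrase, env.Salt, env.Iterations)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.Salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered envelope")
	}
	return pt, nil
}

func main() {
	// Constructed sample values: not a real key and not the OP's passphrase.
	privateKey := []byte("5J-constructed-sample-not-a-real-private-key")
	passphrase := "123452335 BBBA HP136QT"
	env, err := Encrypt(privateKey, passphrase)
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt=%s nonce=%s\nciphertext=%s\n", hex.EncodeToString(env.Salt),
		hex.EncodeToString(env.Nonce), hex.EncodeToString(env.Ciphertext))
	if pt, err := Decrypt(env, passphrase); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	if _, err := Decrypt(env, "123452335 BBBA HP136QX"); err != nil {
		fmt.Println("one character off:", err)
	}
}
```

Every field of the envelope can sit next to the mnemonic in the e-mail; the only thing that must never be written down is the passphrase itself. The iteration count raises the cost of each guess by a fixed factor relative to the single SHA256 of a brainwallet, which buys a few decimal orders of magnitude against a random passphrase; it buys nothing against a passphrase assembled from personal facts that a relative, a burglar with your paperwork, or a data breach can supply, which is the thread's point about the mnemonic.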