Topic: stringwallet (Read 611 times)

Maybe I misunderstand you, but the obfuscation algorithm itself doesn't need to be secure. After all the attacker doesn't want to derive the original message from your obfuscated passphrase. That's were "security by obscurity" would fail.

Instead, my rationale is based on the potential attacker having two choices:

a) Derive your obfuscated passphrase from either your BTC address or your public key -- obviously unviable right now, otherwise we'd have other problems.

b) Brute force your original passphrase AND the correct steps with which you obfuscated it -- the latter of which there are effectively infinite possibilities, even when limiting yourself to pen-and-paper algorithms (eg. uppercase every nth letter, insert a special character according to the fibonacci sequence, apply multiple rounds of rot26... etc etc).

Combine a strong passphrase with some layered weird-ass obfuscation steps and you should get yourself enough entropy for decades to come.

On the other hand I just stumbled upon a fairly recent Def Con talk about cracking brainwallets, maybe it makes me rethink my assumptions.

Here's the link, without knowing yet whether it's going to be any good:
https://www.youtube.com/watch?v=foil0hzl4Pg

Edit: The talk above covers nothing that hasn't been discussed in this thread already. Keeping the link for reference though.

The most glaring error with "brain wallet" is the many various ways we have of spelling virtually identical words, capitalizing or not, hyphenating, punctuating...

This makes it possible to "remember" a brain wallet and still not be able to type it in and get it right. What is "remembered" is fundamentally imprecise.

Hence I think a predefined word list is a Very Good Idea with anything that would have the beginnings of BrainWalleticity.

Next I'm going to say the last word needs to be a checksum.

Keeping on going, looking like I'm reinventing Bitcoin Improvement Protocols, doesn't it?

Nice codes, i just take a looks and is a great code, i have done my bash to brain wallet codes in the past, will search them, and if i can find them, i will post it here.

Thanks for share.

True. That's why I mentioned above that "brainwallet" might be the wrong term.

I have to stress again, that I wanted simple code for generating key pairs from strings, either from a concatenated complex list of words (kind of brainwallet) or a complex set of characters (kind of passphrase). And I want to understand the code. A kind of finger exercise. And maybe some of the code is simple enough to be useful for others.

For instance, to derive the public key of a private key is the only piece of code, which is not a bash script. I found this code somewhere at stackoverflow (the link is given in the source). It is c, but relatively easy to compile. If I remember correctly only libssl-dev is necessary for compilation. This is the only simple (!) piece of code I found! Another example is the bash script for computing base58. The code you can find online uses a lot of bash magic, so that it is virtually impossible for a normal guy to understand. At least I learned what bc is. So it was easier to write the code by myself with the benefit, that I now know how it works.


Thanks for the suggestion. I will take a look.

Well... don't mean to be mean, but the answer is pretty obvious who anyone who isn't an idiot.

Because brute forcing of such a complex seed would require more computing than brute forcing of a standard bitcoin address.

Why would anyone trust something that can spawn all of your private keys ever out of nowhere? Im still using the old wallet.dat format because im paranoid of the HD format of the new wallet.dat, imagine if I had to trust any of these brainwallets. Why expect your seed isn't going to eventually get bruteforced?

I personally feel safer by holding private keys locally which could never be accessed unless you actually had access to the files and you could always host your file somewhere in an encrypted SHA512 file with a strong password or something, if you really needed to for example move somewhere without carrying your private keys physically.

I just don't like the idea of "you need a couple of data here and there to derive all of you private keys", doesn't sound like a strong model to trust.

No data stays secret for ever.

Brainwallet fans, I’ll tell you what:  Why don’t you generate a 12-word BIP 39 mnemonic representing a piddling 128 bits off /dev/urandom, then “secure” it with a BIP 39 passphrase consisting of the very mostest unguessablist sentence your oh so creative mind can imagine.  You will feel better; and yet despite your own desire for foot-shooting, you will be secured by 128 bits of entropy.  Sound fair?

On second thought, no.  Don’t do what I just said.  If you are so stupid as to use a “brainwallet”, then others deserve that money more than you do.  My sincere advice is to use the brainwallet.

---

curiosity81, it seems (at a glance) that you are deploying a word generator generated from a decent (i.e. non-human) source of randomness.  Not a syntactically valid phrase, not something the user comes up with, not something from a book you cross your fingers and hope to be really obscure.  Not what most people call a “brainwallet”.

That raises an obvious question, which I must ask out of—curiosity:  Why don’t you simply use BIP 39?  It was developed by the same experts whose security acumen you trust when you use Bitcoin anyway.  Its wordlists were developed with human use in mind, e.g., all words on the English wordlist are unique within the first four characters.  And it will perfectly encode 128–256 bits of randomness in 12–24 words, without any of the pitfalls of trying to develop your own word randomization scheme.

With your wordlist, I presume not tuned to a power of 2, did you avoid the common mistake of introducing modulo bias?  (I did not review your code.)  Does your wordlist exclude similar, confusable words?  (I am guessing not.)  Etc.

In that context, this:


...makes it irresistable for me to plug my own utility (red highlight added):


It’s admittedly growing a little bit more complex—with much of the complexity being in self-testing code.  However, I have a priority to keep it auditable and avoid external dependencies.  I still need to add the seed output, which per BIP 39 requires normalization of phrases to Unicode NFKD; no, I will not link ICU!  I’m working on a solution to that.

---

Quick comments on a skim down the thread:



(And more posts like this.)

piotr_n, you have no idea what you’re talking about.  A human-made natural language phrase is a horrible, stupid idea.  I don’t care how creative you claim to be, or how much you bluster about how amazingly scientific you are (versus all the people who know more than you about this subject).

You are giving bad advice which will get somebody hurt; and from how you’re talking, it’s evident that you will then turn around and say they didn’t do it right, like you could.  How very kind of you.

---

Using the word “algorithm” loosely, if you can’t design an algorithm which remains secure when your adversary knows it, then you will certainly be unable to design an algorithm which is secure when “unknown”.

Note the subtle difference from what you usually hear.

Regarding hardware breakage and obsolescence: Hardware wallets follow an industry standard (or whatever you may call it in our ecosystem) as far as seed words and private key derivation is concerned. This enables recovery of hardware wallets using software wallets such as Electrum.

Worst case you can still run a virtual machine / emulator once Electrum reaches end of life and is not supported by modern operating systems anymore. Best case you have other implementations to choose from, which will likely be the case since the private key derivation scheme used by current hardware wallets is an open standard.

Granted, it requires more code than just deriving a single private key from a complex passphrase, but at least to me this looks like a reasonable approach at securing Bitcoin wallets for the foreseeable future.

Mnemonic recovery seeds:
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

Deterministic private key derivation:
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki

I do not think, that this is a secure seed. Take numbers from 1 to 1000 and 100.000 possible words. Then you have roughly 100*(1000^3)*(100.000^3) = 10^26 = 2^86 possibilites if you sample with replacement (I count the "{" as character from the set of all printable character using a standard keyboard, I think there were roughly 100). And in this example the order and alternation is not considered. This is definitely too few. Especially, since you can order the words in a dictionary by their usage since some words are more likely to be used by humans. Moreover, an attacker would compute the key pairs once, maybe with optimized hardware. Each such brainwallet would be robbed in no time.


ACK. But, even if your hardware wallet almost never breaks, the law of big numbers dictates, that one will break within a few years, provided enough such wallets exit. My concern is, that at some point in time, the hardware is not supported anymore. What, if someone passes the hardware wallet to his / her children or grandchildren, but the computers have no usb-port anymore. Today, who has a working floppy disk drive at home. And floppy disk drives were relatively common around 2000, even though not state of the art these days. Even today CD/DVD-devices are not standard anymore.

I would prefer a system which follows the KISS-principle (KISS = Keep It Simple Stupid) for long term archiving: Firstly, the code should reproducible easily. I am not sure, if the bash is perfect for this. But I like it, since most algorithms are already developed by experts and available on a standard linux system. They only have to be plugged together. Secondly, code should be easy to understand (which might be a little bit contradictory with respect to bash-syntax). (In my case, comments are still missing in some scripts in the moment. And code is not uniformly yet with respect to mathematical computations.) But it should be possible to print out the scripts and the linux version used and archive it in a bookcase or similar. Much better would it be if it can be carved in stone or glas.

Yes, one could argue, that Bitcoin might be obsolescent in a few years. But this is no counter-argument against secure long term archiving.


I think, that it is not possible to remember a strong passphrase, if you do not use it daily. Thus, you must think about a secure way to archive it. Some non digital method similar to 2FA.

That's actually one of the physical attacks that I was referring to, and it is one of the vulnerabilities that got fixed early on. It even says so in the conclusion.



I'm not saying it's impossible to extract the private key from a hardware wallet, I'm just saying it's an academic exercise rather than a practical attack. If you have videos / articles on data extraction at the hardware level for current generations, or more precisely the chips that Trezor / Ledger are using, I'd love to see them (not being sarcastic, just being honestly curious). Smartcard hacks from 2010 are interesting for historical purposes, but likely not as relevant today.

And as mentioned above, this is ignoring the custom passphrase that acts as the 25th seed word. Which by itself already can have the complexity of a brainwallet passphrase. And that this passphrase can be hardly be extracted from your biological brain is something we both agree on. Apart from the $5 wrench attack of course



I never said that brain wallets aren't secure if you know what you're doing

All I'm saying is that hardware wallets are easier to secure for the average user, which makes them the better recommendation for the general populace.

(and that hardware wallets are more secure than brainwallets in that they extend the passphrase that is stored in your brain by 24 randomly selected seed words)

Speed Optimizations in Bitcoin Key Recovery Attacks gives examples of the passwords the researchers cracked. I think most people would consider {1summer2leo3phoebe to be quite strong.

I don't worry about your First concern, because of the recovery seed. The Third concern is a risk similar to paper wallets, but it's the Second concern that has until now stopped me from getting a hardware wallet. No matter how much the manufacturer is trusted, a hardware wallet is a black box to me, and I can't possibly check how it generates it's seed phrases.

I wouldn't trust my own memory to be able to reproduce the password after (say) 20 years. Most of my long passwords are used on a daily basis, so they're easy to remember. The brainwallet needs to have a unique password, and if I don't use a password for a very long time, chances are I forget part of it.

Probably the expression "brainwallet" is badly chosen anyway. Because a good brainwallet is similarly bad to remember like a complex password. Nevertheless, it might be possible to generate a story around the words so that they become more easily to remember.

Clearly, using a sentence from a book or similar and adding or replacing characters can make the brainwallet harder to break. Combined with a weird and high number of hashing rounds. Even though keys can be collected in each round.

Using a hardware wallet is a good idea for speculation, I think, if you need to store and shift around funds. But also those wallets implement brainwallets / seed sentences. So the difference is not big.

If you are paranoid enough, you would never use a hardware wallet from some manufacturer. Firstly, the hardware can break. Secondly, the hardware can be manipulated. Not necessarily by the manufacturer, but during shipment (except you buy it directly in a shop without providing your identity). Thirdly, the seed sentence can be stolen.

I do not claim, that my code is fast / perfect / bug free. Keep that in mind!

But for a coldwallet, I would claim that a "brainwallet" with a complex passphrase / seed is the best choice. Clearly, it is a method not suitable for the average user. Users should know what they do. And I admit, that I am not fully sure, that everything is implemented correctly. Therefore, the project is open source for erveryone. So that it can be corrected.

A agree with you, but I also agree with the general statement that most users should stay away from brainwallets. If you know what you're doing, it can be safe. All that's left is to keep your identity secret, so the passphrase can't be tortured out of you.

I expect most of those 1000 humans to quickly write down their phrase the moment you stop observing them in your little experiment. Your powerful computer won't find it, but a neighbour can.

From my own experience, I can remember some very long passwords, and I've known them for many years. But adding a new password to my "brain list" is very difficult and takes a very long time to completely rely on my memory to reproduce it. It gets even worse if I want to use 10 different wallets.

---

Last year user ArcCsch had an idea for brainwallets: Brain wallet, step-by-step guide (FIXED!)[Mod note: DO NOT USE BRAINWALLETS]. He uses a two-step brainwallet with BIP38 in between. Even though the title got adjusted to a big fat warning, the very heavy BIP38 encryption makes it much harder to brute-force than normal brain wallets.

Is it true....
as much as using the brain wallet is not safe, research on the implementation of brain wallet and find a gap in the brain wallet. because the process to make the brainwallet itself is quite simple.

Nee. Who told you that?

Getting a private key out of trezor is kind of trivial as the device doesn't even use any kind of a secure hardware.
See here for example: https://jochen-hoenicke.de/trezor-power-analysis/ - this is without even opening the case!

Ledger is harder as it uses ST secure chip, and the cost of peeling the layers of silicon to get into the memory is estimated at $300k or so.
But it also can be done - it has been done. There are even videos on Youtube of people dumping the entire memory of the chip.

The science of hacking (secure) chips is an actual science and is far more advanced than the non existing science of hacking brain wallets.
Like take this presentation for instance - that's from 2010: https://www.youtube.com/watch?v=62DGIUpscnY - see what he has done here? This is what I call hacking, not the bloody brain wallet hacking charlatans who just make empty claims without proving shit.

Anyway.
If you think that a hardware wallet is secure but a brain wallet isn't - it only shows how much you have been brainwashed by the brain wallet pseudo-scientists and how much they made you to loose touch with the reality. In reality everything can be hacked. And personally I am quite sure that any of the hardware wallet on the market is easier/cheaper to hack than my brain. Can't speak for your though

The main objective when it comes to securing Bitcoin has been to be safe of online attacks. Hardware wallets are the most secure in this regard, even assuming physical backups. Which are not even necessary, should one memorize their seed.

Regarding physical attacks -- I'm not sure if you have followed Trezor, but they have a great track record of thwarting physical attack vectors. In other words, the physical extraction of private keys from a Trezor is currently a purely academic question. The many eyes principle has worked exceptionally well in this case. I reckon that Ledger is in a similar position, however I don't follow them quite as closely.

Even should an attacker get their hands on your wallet seed, there's still the user defined passphrase to break -- which in terms of complexity can be that of a brainwallet. So the security of a hardware wallet is that of a brainwallet -- plus 24 seed words.

Well, now you are shifting the goal post from your prior argument of "some English sentence with 20 words."

It's easy to show that

So what is your argument?



A. That self-selected, human generated phrases within a certain length "might or could be" safe from attack?

B. Or that they "are safe from attack?"

(A) nobody would disagree.

(B) is not defensible without narrowly constricting the domain and the premises.

good luck with brainwallet

Such things as looking for the most common symbol, tagging it as the letter "e."
 
BTCrecover has many examples of incorporating English grammar into password cracking. How many examples would you like?