Topic: Wallet-Tag: New concept ~Feedback needed! (Read 104 times)

I really appreciate your FEEDBACK, as I told earlier it is just a concept, exactly since you say it's easy to brute force, I'll dive into studying KDF, and thanks for your point.

First of all what you are doing is not encrypting (SHA256 is also not an encryption algorithm). It is called computing checksum.

Secondly, since this checksum is very small (2 bytes) and the algorithm (single SHA256 hash of UTF8 string) is too fast (inexpensive) so it is not that hard to brute force and create a fake address with the same checksum. I computed this address in less than a second with the same checksum.

Of course this is just a concept to show how easy it is to find a "collision" when the checksum is very small. In practice the attacker needs the key to the malicious address which means they have to perform a process similar to generating a "vanity address", an address that has the same starting characters.
The extra 16 bit checksum is definitely adding an extra layer for authenticity check but but it doesn't slow down that process enough to be impactful.

P.S. Maybe the checksum algorithm could be changed into something far more expensive to make brute forcing harder. For example using a memory expensive KDF like scrypt with high iteration count.

I'm aware of the existance of clipboard malware and how copy-paste attacks could be executed. And since I know that Bitcoin public addresses already contain a partial SHA256 checksum, I'm asking myself why do we need this what you propose?

Sure, it's easier to check and compare only 4 hexadecimal characters (quite limited btw) and I don't oversee at the moment how much security for correctness of the copy/pasted address this brings.

You were scammed because you didn't care to check copy/pasted addresses. Now we need this extra limited checksum to wiggle around user's carelessness or lack of security conciousness with respect to Bitcoin public addresses? I'm not convinced that this is a needed solution.

I forced myself to always, without exception, check 6-7 characters at the front and at the end of a public address, sometimes also a few characters in the middle. This is usually enough to verify that an address has been copy/pasted intact as otherwise the integrated checksum won't be correct if there's another character difference. Everybody should know this and always check copy/pasted addresses or they're a lost case, period.

Software, where you paste public addresses to has to check the integrity of a Bitcoin address. The error correction for Bech32 and Bech32m is even better than with legacy types.

Wallet-Tag: Concept of Security Pre Transaction.

This idea of Wallet-Tag came to me since I was a victim of the crypto clipper malware months ago, and from that day on I kept checking my crypto wallet address before copying or scanning it. I was always in doubt if it is the correct address, and that is why I thought of simplifying the address verification by using a string of only 4 alphanumeric characters that is case-insensitive and easy to remember. I mean, this solution could be used as a verifier before making a transaction, receive as to send, you should use the wallet-tag to stop worrying about any possible error, as if it were a kind of pin to approve the transaction, obviously wallet-tag could be used for all type of crypto addresses.


What is a Wallet Tag ?
A Address Tag is a string of 4 alphanumeric characters that identify the wallet itself, since they are generated from it

What could it be used for?
It could be used to avoid clipper malware , or errors when writing, copying the wallet address in which you want to receive or send funds.

How a Wallet Tag look like?
It is usually represented next to the wallet address with a wallet address and ‘ | ’ separating the wallet tag.

Wallet Address | Wallet Tag
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa| 313e

How a Wallet Tag is generated ?
The wallet tag is basicly generated through encrypting the wallet address in SHA256 and extraction from that hash the two first and last alphanumeric characters,together.


I also uploaded a repository on github, a simple html page that shows where you can put any crypto wallet address and it will give it the wallet tag of that address through a simple java (it can be used without a internet connection) : https://github.com/riqobitcoin/wallet-tag

I need to hear feedback and if it could be improved from flaws or even implemented.

Thanks.