Topic: ZelCore generated wallet (Read 202 times)

legendary
Activity: 2870
Merit: 7490
November 06, 2018, 05:43:31 AM
#7
Quote
Exactly... It's actually a pretty good defense...
If I follow the logic, the encryption key of the wallet file is sha256(salt2.sha256(salt1.password).nickname).

It'll become virtually impossible for an attacker to use a rainbow table using this scheme, and the resulting 256-bit encryption key they use with AES-256-CTR is pretty good if I'm not mistaken

Without knowing how they choose/generate the salt value for hashing, I can't say it's a "pretty good defense" (even though it's far better than we initially thought).
If they choose/generate the salt value poorly, then an attacker could find out the salt value easily and then they just need to brute-force all password combinations. AES-256-CTR is still easy to brute-force according to https://www.cryptopp.com/benchmarks.html and https://www.sisoftware.co.uk/q-a-benchmarks-cpu-vs-gpgpu-cryptographic-performance/.

But in the end, it doesn't matter since the software is closed-source and there's no way to verify it.
legendary
Activity: 3612
Merit: 5297
November 06, 2018, 03:40:32 AM
#5
Quote
I think everyone has misunderstood what is being done.

Quote
...This value (SHA256 hash) is the encryption key.
The encryption key is used to encrypt both contacts.json and wallet.dat files with AES-256-CTR algorithm.

The name and password are used to encrypt the wallet data. Nothing is said about how the private keys are generated.

Exactly... It's actually a pretty good defense...
If I follow the logic, the encryption key of the wallet file is sha256(salt2.sha256(salt1.password).nickname).

It'll become virtually impossible for an attacker to use a rainbow table using this scheme, and the resulting 256-bit encryption key they use with AES-256-CTR is pretty good if I'm not mistaken
legendary
Activity: 4522
Merit: 3426
November 06, 2018, 03:37:05 AM
#4
Quote
That's basically a brain wallet. A brain wallet with slowed down bruteforce. ...

I think everyone has misunderstood what is being done.

Quote
...This value (SHA256 hash) is the encryption key.
The encryption key is used to encrypt both contacts.json and wallet.dat files with AES-256-CTR algorithm.

The name and password are used to encrypt the wallet data. Nothing is said about how the private keys are generated.
legendary
Activity: 1624
Merit: 2509
November 05, 2018, 04:13:40 PM
#3
That's basically a brain wallet. A brain wallet with slowed down bruteforce.

The entropy used to create this seed is less than the entropy an individual private key could have.
This method basically reduces the randomness of the seed by a lot.

While this MIGHT(!) be safe from bruteforce (for now, until better hardware is available OR a shortcut has been found in the function), it is less secure than the established methods to generate a seed.

What's more severe (in my opinion) is the fact that the wallet is closed-source. You don't know how they build the code, whether it contains malware, vulnerabilities, mistakes in the seed generation, etc. Definitely NOT recommended.

IMO, you shouldn't risk more BTC than you would carry with you in a mobile wallet. And only install it inside of a VM or a machine without sensitive information stored.

HCP
legendary
Activity: 2086
Merit: 4363
November 05, 2018, 04:06:20 PM
#2
It seems somewhat similar to the methods employed by Warp Wallet... although their use of the "slow" (and memory intensive) Scrypt functions was the real basis for preventing bruteforcing of the wallet. No-one managed to claim the 20 BTC prize from a "simple" 8 char password... even given the salt.

However, I'm not familiar with the exact methods being employed by ZelCore, so cannot comment on the robustness of their particular implementation.
legendary
Activity: 1568
Merit: 1031
November 05, 2018, 03:22:34 PM
#1
I'm not a cryptographer, I don't know how wallets like Electrum etc. do it, but since I've checked the ZelCore FAQ page, I came across this:

Quote
When you create an account using your nickname and password, ZelCore takes this password and creates a salted hash from it.

ZelCore then adds your nickname to that and creates another salted hash from that value. This value (SHA256 hash) is the encryption key.

The encryption key is used to encrypt both contacts.json and wallet.dat files with AES-256-CTR algorithm.

And I might be a little bit paranoid, but is this a secure and safe way to generate a wallet?
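The thread contrasts the FAQ's salted double-SHA256 key derivation with the slow, memory-hard scrypt approach mentioned for Warp Wallet. The following is an added example, not code from ZelCore or from any poster, that measures the per-derivation cost of each so the difference a defender cares about is visible. The salts, the concatenation order and encoding, and the scrypt parameters are assumptions, since the wallet is closed-source.

```python
import hashlib
import time

# Constructed sample salts; ZelCore's real salts are not given in the thread.
SALT1 = b"constructed-salt-1"
SALT2 = b"constructed-salt-2"


def fast_key(password: str, nickname: str) -> bytes:
    """sha256(salt2 . sha256(salt1 . password) . nickname), as read in the thread.

    Byte order and UTF-8 encoding are assumptions, not the vendor's code.
    """
    inner = hashlib.sha256(SALT1 + password.encode()).digest()
    return hashlib.sha256(SALT2 + inner + nickname.encode()).digest()


def slow_key(password: str, nickname: str) -> bytes:
    """Memory-hard alternative: scrypt, with the nickname folded into the salt.

    n=2**14, r=8 needs about 16 MiB per derivation (assumed parameters).
    """
    salt = SALT2 + nickname.encode()
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def seconds_per_derivation(derive, rounds: int) -> float:
    """Average wall-clock time for one key derivation."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(f"candidate-{i}", "alice")
    return (time.perf_counter() - start) / rounds


def compare() -> dict:
    """Both schemes yield a 256-bit key; only the cost per derivation differs."""
    fast = seconds_per_derivation(fast_key, 20000)
    slow = seconds_per_derivation(slow_key, 5)
    return {"fast_s": fast, "slow_s": slow, "slowdown": slow / fast}


if __name__ == "__main__":
    result = compare()
    print(f"double SHA-256: {result['fast_s'] * 1e6:.2f} us per derivation")
    print(f"scrypt:         {result['slow_s'] * 1e3:.2f} ms per derivation")
    print(f"scrypt is about {result['slowdown']:.0f}x more expensive per guess")
```

Salting makes precomputed tables useless in both cases, but only the memory-hard function raises the cost of each individual password guess.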