Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: The Avenger on September 23, 2013, 02:02:45 PM



Title: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: The Avenger on September 23, 2013, 02:02:45 PM
I've been reading up on bitcoin wallet security recently and there is no clear winner. It seems to me that there are a whole lot of complex solutions that involve encrypting volumes, memorising long passwords etc. There are many points of failure.

It seems to me that a much simpler method has been overlooked. I see this as a lo-tech solution, that can be widely used by everyone. You only have to memorise 4 or 5 steps to entirely encrypt/decrypt your private key.

You could call it "hiding in plain sight with obfuscation".

Instead of complex software encryption, you can simply take your private key and obscure it with a few personal, easy-to-remember obfuscation rules. Then, simply save the obscured data as a text file, email it to yourself or print it out and you don't have to worry whether anyone steals it or not, as it would be garbage and undecipherable to them.

a).
Take this private key:

5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF

Encrypt:
1. Add/Subtract x to each number (e.g. +5)
0Kb3kLf4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNydYXYB4KF
2. Shift characters along x places (e.g. +7)
YXYB4KF0Kb3kLf4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
3. Take a memorable name and swop first with last letter and add symbol to the first letter. So if your cat is called fluffy, you could replace every "F" with "y$". You could mix it up by having a personal rule to alternate the symbol with case, so F->y$ and f->y#
YXYB4Ky$0Kb3kLy#4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd

4. Replace a number with a line break (e.g. 4).
YXYB
Ky$0Kb3kLy#
zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd

5. Transpose lines (e.g. 3 and 2)
YXYB
zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
Ky$0Kb3kLy#


Now you have a totally obscured private key that is IMPOSSIBLE to hack without the hacker knowing your obfuscation steps/rules.

If you memorise the obfuscation steps, you now have a totally secure private key, that you can store in plain sight.

The amount of steps you choose is up to you and you can make up your own rules. Maybe you will add another step where you always replace the 10th character with an "M".  It's up to you.

b).
If you feel you HAVE to write the steps down (try not to!), they need to be obfuscated too.

The above could be coded as
5_7cat4

Save it in a text file, write it on a piece of paper, carve it in a tree.

Then you keep the calculations in a separate place, which could be written as
----
++$#
3trans2
----

Save it in a different text file, write it on a different piece of paper, carve it in a different tree.

I highly suggest you create your own shorthand notation, which will obfuscate further. There are many ways you can do this, but Google translate is your friend here ;) Obviously use words you understand. kurang, מינוס

Decrypt with rules in reverse:
YXYB
zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
Ky$0Kb3kLy#
>
YXYB
Ky$0Kb3kLy#
zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
>
YXYB4Ky$0Kb3kLy#4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
>
YXYB4KF0Kb3kLf4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd
>
0Kb3kLf4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNydYXYB4KF
>
5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF


The Avenger


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 02:33:26 PM
I suppose the main question about this approach is whether it can be brute forced in some way? Could you take the encrypted data and somehow brute force it backwards to the original unencrypted key? I don't think it could be, but I'd be glad to hear what others have to say.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: markm on September 23, 2013, 02:51:32 PM
There are too many possibilities.

Many many years ago HP put out a calculator, the HP-25, which was programmable, but had no card-reader type of thing for recording "programs", which were basically up to 25 stored keystrokes.

They had an example pseudorandom number generator that I typed in so many times for playing tabletop roleplaying games that to this day I still remember it: start with a random number less than one (zero point a bunch of digits), add it to pi, raise it to the fifth power, and take the fractional part.

You could probably do that with some chosen number of digits of accuracy yourself with any of a number of arbitrary accuracy calculators such as 'bc'.

But why do exactly that? Why not use root two instead of pi? Or the golden ratio? Or any other famous number easy to look up on the internet? Why the fifth power? Wouldn't the seventh, or thirteenth, or whatever number you would find easy to remember, work just as well?

This does not even use any of the steps involved in the original post so merely bruteforcing using the original post's repertoire of steps ought not stumble upon it...

Plus what number less than one did you even start with? The genesis block hash with a decimal point in front of it? The date in the headline in the genesis block, expressed in seconds since the purported birthtime of some prophet (with a decimal point in front of it) or what? Etc.

And how many digits accuracy, exactly, did you tell your arbitrary accuracy calculator to use? How does that version of it on that architecture "round" or "truncate" extra digits? Etc.

-MarkM-



Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 03:58:26 PM
-MarkM, your answer is confusing. This bit I understand and think is the bottom line:
There are too many possibilities.
The rest of your post I don't really understand what you are saying.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: MatthewLM on September 23, 2013, 05:10:52 PM
The simplest method? Encrypting the wallet is the simplest method. Just type in a password and done.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: DannyHamilton on September 23, 2013, 06:07:25 PM
It seems to me that there are a whole lot of complex solutions

So you figured another complex solution was a great idea?

- snip -
1. Add/Subtract
- snip -
2. Shift characters
- snip -
3. Take a memorable name
- snip -
swap first with last letter
- snip -
add symbol to the first letter.
- snip -
4. Replace a number
- snip -
5. Transpose lines
- snip -
memorise the obfuscation steps,
- snip -
 you now have a totally secure private key, that you can store in plain sight.
- snip -
always replace the 10th character with an "M".
- snip -
The above could be coded as
5_7cat4
- snip -
Save it in a text file, write it on a piece of paper, carve it in a tree.
- snip -
keep the calculations in a separate place, which could be written as
----
++$#
3trans2
----
- snip -
Save it in a different text file, write it on a different piece of paper, carve it in a different tree.
- snip -
create your own shorthand notation
- snip -
Decrypt with rules in reverse:
- snip -

And this is somehow less complex than:

  • type password
  • remember password


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 06:56:46 PM
And this is somehow less complex than:

  • type password
  • remember password
So everyone just uses a password to encrypt their wallet. That's it? That's all the security people use to protect their bitcoin? That may be enough if you only have 1 bitcoin, but it falls a bit short of secure if you have 100 or 500BTC.

If a keylogger is installed, your bitcoin are gone. If someone steals your password protected wallet, they can run a brute force attack on it for weeks/months until they crack it. If you haven't used a massive password, your bitcoin will eventually be gone. And if you forget that massive, unwieldy password of letters, numbers and punctuation, your bitcoin are gone.

I'm suggesting an approach that is simple and personal to the person that uses it.

So you figured another complex solution was a great idea?

Memorising "five seven cat four" is not difficult. And as I said, you can write it down if you really want to. All you've got to do is come up with a fairly simple shorthand *you* understand, using names and numbers that have a relevance to *you* (which are fundamentally BAD to use in a traditional password) and *you* have uncrackable wallet security.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: DannyHamilton on September 23, 2013, 07:19:26 PM
If a keylogger is installed, your bitcoin are gone.

If you are generating your private key on a compromised computer that is connected to the internet, it won't matter what method of obfuscation you use, your bitcoin are gone.

If you are using an uncompromised computer that is not connected to the internet to generate your private key, then why wouldn't you use the exact same computer (at the exact same time) to encrypt it.

If someone steals your password protected wallet, they can run a brute force attack on it for weeks/months until they crack it.

And they can run a brute force attack on your obfuscation for weeks/months until they crack that too.  Since a private key has a specific structure to it, they'll have some substantial hints as to what steps you've taken.  If they have access to your "five seven cat four", they'll have even more to help them along.  You really think that a few character manipulations are more secure against brute force than a reasonable passphrase?

And if you forget that massive, unwieldy password of letters, numbers and punctuation, your bitcoin are gone.

Sure, but that's true if you forget what the acronym means for your obfuscation as well.

I'm suggesting an approach that is simple and personal to the person that uses it.

You are welcome to your opinion in the matter.

Memorising "five seven cat four" is not difficult.
Perhaps.  Perhaps not.  But memorizing what each of those things are supposed to mean to you a few years from now:

Was that a carriage return for the fifth letter of the alphabet, or am I swapping the position of every 5th and seventh character?  Wait, no, I think I was replacing every fifth letter with the letter that occurs 7 places later.  No that's not it.  I think I was using my cat's name for part of it, but I've owned a few cats.  Was it my first cat?  No, I think it was my favorite cat.  Darn it.  If I can memorize a 19 character set of instructions "five seven cat four", why didn't I just memorize a 19 character passphrase instead.  Heck, I could have written it down and stored it somewhere secure (like a safe or safety deposit box).  That way my family would still have access if something should happen to me.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 07:31:52 PM
And they can run a brute force attack on your obfuscation for weeks/months until they crack that too.
Please prove this statement and then I'll read the rest of the stuff you've written. Thanks


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: grue on September 23, 2013, 07:39:51 PM
Your "password" is now a series of steps to decipher the key, which you'll need to memorize.

bravo


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: Meni Rosenfeld on September 23, 2013, 07:44:15 PM
There's not a lot of entropy in your obfuscation process, so it can be brute-forced.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 07:48:10 PM
There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.

Do bear in mind that I'm not saying you have to follow the 5 steps in my example above. You can take any approach that shifts and replaces the characters/numbers, in any order, as many times are you like (within reason).


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: knowitnothing on September 23, 2013, 07:58:42 PM
What you have done: presented an example of a custom cryptographic function. What you are asking others to do: create your own cryptographic function. This (http://diovo.com/2009/02/wrote-your-own-encryption-algorithm-duh/) is (http://stackoverflow.com/questions/3651090/home-made-cryptography) closest (http://www.linuxdoc.org/HOWTO/Secure-Programs-HOWTO/crypto.html) to the worst thing (http://programmers.stackexchange.com/questions/175489/how-can-i-get-my-own-encryption-algorithm-tested) to do here. (http://security.stackexchange.com/questions/9605/techniques-for-writing-encryption-algorithms-exclusively-for-personal-use)


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: Gavin Andresen on September 23, 2013, 08:00:42 PM
There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.

We all think we're very clever at coming up with unique ways to obscure our data.

We are wrong.

We tend to think alike, so pretty much any process you can think up is likely very similar to a process somebody else will think up.

In short: humans are really bad at creating randomness (aka entropy). And we're even meta-bad, because we THINK we're good at it.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 08:12:28 PM
In short: humans are really bad at creating randomness (aka entropy). And we're even meta-bad, because we THINK we're good at it.
lol, okay, fair enough. My thought is that many people are trying to crack passwords, no doubt many people do it for a living. I figured that a custom solution like this would be harder to crack, for the reason that no one would spend their time trying to crack a custom solution. They could never be sure how many people use it, would it be worth their time?

It's more valuable to be able to crack passwords, as they are currently the key to everything we use in modern day society - email, online banking, bitcoin wallets etc.

Obfuscation is a bit different. The idea was also that you *could* use memorable names (like fluffy in my example), which are total no-no's in password selection. You just keep the rules to yourself, which are also a lot easier to remember than strings of random data.

I'll read through the links knowitnothing has provided, as they probably will explain the problems in my logic entropy  ;D

P.S. My approach was also supposed to be user friendly, accessible to non-technical people.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: MatthewLM on September 23, 2013, 08:30:14 PM
If you are worried about keyloggers, then why not worry about malware which simply steals your bitcoins as soon as you use the software? You will also need to decrypt the keys by a chosen method which would then leave the keys vulnerable.

And Gavin is right, I know that when people are asked to pick a "random" number between 1 and 10, a large number of people will choose 7. Watch these:

http://www.youtube.com/watch?v=SxP30euw3-0
http://www.youtube.com/watch?v=H2lJLXS3AYM


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 08:49:51 PM
Just one more example why I think this is different to passwords and possibly a lot more user friendly:

Let's say the pin number for your credit card is 3879. Let's just say you've used the same number for years, you know it and will not forget it.

And your cat is still called fluffy

We all know the password "fluffy3879" is weak.

However, depending on how you use them, these are not such a bad thing in obfuscation.

Let's use this memorable number one time:

Alternate shifting 3 from the end to the start, 8 from start to the end, 7 from the end to the start, 9 from start to the end
5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF
9KF5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB
Lf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF5Kb8k
KF5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9
9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF5Kb8kLf

Now let's use this memorable number a second time:
9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF5Kb8kLf
let's add 3 to each number
2zgWQnogidDA09MzPL9TsZZY69hWXMssSzNydYXYB2KF5Kb1kLf
subtract 8 from each number, add 7, subtract 9

Okay, some of that is a bit redundant. You could have more complex rules. But it remains reversible, if you know the steps you used and you know basic adding and subtracting. You can work it all out on paper if you want.

Then use the fluffy word replacing again (step 3 in my first example). But this time perhaps you also replace the second character with the second last l > f. Or l > f%, L > f"

You know your pin number and your cats name, so it's just a matter of remembering the rules.

At the end you have a really wacky string of letters, numbers and strings. It seems to me if the hacker doesn't get the first step backwards to decrypt, then they won't be able to follow through the rest of the steps. It seems that brute forcing would be as random as generating random private keys and hoping one will give you entry to someone's wallet.

These are just my thoughts and I'm definitely no encryption expert. Indeed everyone might decide to subtract 7 from the numbers in their private key and then consider that secure. But I suppose I'm suggesting if we gave people guidance on how to make at least 4 or 5 steps (the same way we explain how to create a strong password), things get quite hard to reverse without knowing the steps. I was only trying to find out how hard or easy people think this would be, given it was very different to a regular password.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: wtfvanity on September 23, 2013, 08:55:55 PM
We all think we're very clever at coming up with unique ways to obscure our data.

We are wrong.

We tend to think alike, so pretty much any process you can think up is likely very similar to a process somebody else will think up.

In short: humans are really bad at creating randomness (aka entropy). And we're even meta-bad, because we THINK we're good at it.

Gavin is the man. If you like your super secret ninja password protection method, here is one additional step that you have forgotten that goes right with Obfuscation. Obscurity. Don't tell everyone what you're doing. Of course, that's about as good as Obfuscation, but why not combine them? And not bother everyone else?


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 09:04:03 PM
Gavin is the man. If you like your super secret ninja password protection method, here is one additional step that you have forgotten that goes right with Obfuscation. Obscurity. Don't tell everyone what you're doing. Of course, that's about as good as Obfuscation, but why not combine them? And not bother everyone else?
Gavin is the man, because he's pretty much the only one who replied without being aggressive or condescending. Why does it "bother" you I asked a question on the forum? That just seems weird on a forum for "discussing" bitcoin related matters.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: behindtext on September 23, 2013, 09:19:13 PM
Gavin is the man. If you like your super secret ninja password protection method, here is one additional step that you have forgotten that goes right with Obfuscation. Obscurity. Don't tell everyone what you're doing. Of course, that's about as good as Obfuscation, but why not combine them? And not bother everyone else?
Gavin is the man, because he's pretty much the only one who replied without being aggressive or condescending. Why does it "bother" you I asked a question on the forum? That just seems weird on a forum for "discussing" bitcoin related matters.
gavin does an excellent job of not being rude to people.

i, however, am not as buddha-like. your suggestion to use some obfuscated process to 'protect' your wallet is a classic example of 'security through obscurity'. it is vulnerable to the same threat model as any other method of protecting your wallet short of carefully-implemented multifactor auth:

your machine gets compromised because you clicked on some poisoned link, ran a trojaned executable, etc, and then a keylogger sits on your computer, silently recording all your keystrokes. when you enter your super-obscurely-generated and stored password, it is keylogged just like any other password and your coins are gone.

to suggest that this is in any way better than a normal password, especially from an entropy standpoint, is downright misleading.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 09:35:48 PM
to suggest that this is in any way better than a normal password, especially from an entropy standpoint, is downright misleading.

Just one more example why I think this is different to passwords and possibly a lot more user friendly:
I said it was different, not better.

I suppose the main question about this approach is whether it can be brute forced in some way? Could you take the encrypted data and somehow brute force it backwards to the original unencrypted key? I don't think it could be, but I'd be glad to hear what others have to say.
I never said I published a paper in "Encryption Monthly" proving this was a scientific fact. I thought about it, tried to explain the idea and then invited people's opinion on it. Where did I mislead anyone?

gavin does an excellent job of not being rude to people.

i, however, am not as buddha-like.
An endearing quality. Your mother must be proud.

Look, now I'm being rude! Does that mean I can be elevated to Senior or Hero member status?

Naw, I'd rather not be, considering how most of them replied to me in this thread.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: wtfvanity on September 23, 2013, 09:56:16 PM
to suggest that this is in any way better than a normal password, especially from an entropy standpoint, is downright misleading.

Just one more example why I think this is different to passwords and possibly a lot more user friendly:
I said it was different, not better.

I suppose the main question about this approach is whether it can be brute forced in some way? Could you take the encrypted data and somehow brute force it backwards to the original unencrypted key? I don't think it could be, but I'd be glad to hear what others have to say.
I never said I published a paper in "Encryption Monthly" proving this was a scientific fact. I thought about it, tried to explain the idea and then invited people's opinion on it. Where did I mislead anyone?

gavin does an excellent job of not being rude to people.

i, however, am not as buddha-like.
An endearing quality. Your mother must be proud.

Look, now I'm being rude! Does that mean I can be elevated to Senior or Hero member status?

Naw, I'd rather not be, considering how most of them replied to me in this thread.

Even when Gavin replies nicely, you want to argue that you're a genius. I don't think anyone will be able to convince you otherwise.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: fpgaminer on September 23, 2013, 10:38:04 PM
Forgive me if this has already been mentioned.  The method described is, roughly, what existing encryption schemes do.  They are nothing more than scramblers.  Modern encryption schemes like AES evolved from older methods like the Enigma machine (http://en.wikipedia.org/wiki/Enigma_machine).  That evolved from ancient encryption like the Caesar cipher (http://en.wikipedia.org/wiki/Caesar_cipher).

A Caesar Cipher is where you take each letter of the message, and count some number of letters further down the alphabet.  For example, A becomes B, B becomes C, Z becomes A.  The word DOG becomes EPH, if shifting by 1 letter.  As can be seen, this forms a simple mapping from one alphabet to another.  AES also maps from one alphabet to another.  Except with AES, the alphabet is very large (2^128), and the way that it maps from one alphabet to the other is so complex that, without the key, no one can figure it out.  Each key in AES creates a different mapping.

Wrapping back around to the method described in the OP, we can see that if you took the sum total of all the steps, what you're ultimately doing is mapping from one alphabet to another.  Given a certain sequence of steps, we can map from a private key to a scrambled key.  We have an alphabet of private keys, an alphabet of scrambled keys, and the sequence of steps describes the mapping between the two.  As the OP mentioned, one can encode the sequence of steps as a list of words/numbers.  This list of words/numbers describing the steps to take is the key (i.e. the password).

Therefore, this is not fundamentally different than AES or any other modern encryption scheme.  As to whether the method should be used, I would strongly suggest no.  This is because AES is well studied by the best minds mankind has to offer.  We know with high confidence that it is secure.  It is also specifically designed to resist all known crypt-analytic attacks.  The method described in the OP is more akin to the Enigma Machine, which was completely demolished by early crypt-analytic attacks developed by people like Alan Turing.

If what you want is "security through obscurity", use the well studied methods for doing so.  Steganography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use steganography to hide it somewhere.  This is well studied as well, and if someone feels that obscurity adds an extra level of protection, that is the way to do it.

EDIT: Spelling; thanks Meni!


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 10:40:50 PM
Even when Gavin replies nicely, you want to argue that you're a genius.
I already said I'm not an expert. I was trying to draw Gavin out a bit to explain what he meant, I was not trying to pretend I know more than him.

I was hoping someone could explain why something that seems a "good" idea to me is (or is not) a good idea.
Did you read this:

There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.

I'm told "entropy". People aren't as smart as they think they are.

It seems it's too much to ask experts to spend a few minutes to explain something. I'm not pretending to be a genius, I'm not in the encryption field, I'm just trying to get an answer that makes sense.

But you can all take your clubs and go back into your caves now, I'm not going to ask anything else. This forum is sick in the amount of abuse it pumps out every day. Thanks to those (very few) that were helpful.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 10:43:35 PM
Forgive me if this has already been mentioned.  The method described is, roughly, what existing encryption schemes do.  They are nothing more than scramblers.  Modern encryption schemes like AES evolved from older methods like the Enigma machine (http://en.wikipedia.org/wiki/Enigma_machine).  That evolved from ancient encryption like the Caesar cipher (http://en.wikipedia.org/wiki/Caesar_cipher).

A Caesar Cipher is where you take each letter of the message, and count some number of letters further down the alphabet.  For example, A becomes B, B becomes C, Z becomes A.  The word DOG becomes EPH, if shifting by 1 letter.  As can be seen, this forms a simple mapping from one alphabet to another.  AES also maps from one alphabet to another.  Except with AES, the alphabet is very large (2^128), and the way that it maps from one alphabet to the other is so complex that, without the key, no one can figure it out.  Each key in AES creates a different mapping.

Wrapping back around to the method described in the OP, we can see that if you took the sum total of all the steps, what you're ultimately doing is mapping from one alphabet to another.  Given a certain sequence of steps, we can map from a private key to a scrambled key.  We have an alphabet of private keys, an alphabet of scrambled keys, and the sequence of steps describes the mapping between the two.  As the OP mentioned, one can encode the sequence of steps as a list of words/numbers.  This list of words/numbers describing the steps to take is the key (i.e. the password).

Therefore, this is not fundamentally different than AES or any other modern encryption scheme.  As to whether the method should be used, I would strongly suggest no.  This is because AES is well studied by the best minds mankind has to offer.  We know with high confidence that it is secure.  It is also specifically designed to resist all known crypt-analytic attacks.  The method described in the OP is more akin to the Enigma Machine, which was completely demolished by early crypt-analytic attacks developed by people like Alan Turing.

If what you want is "security through obscurity", use the well studied methods for doing so.  Stenography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use stenography to hide it somewhere.  This is well studied as well, and if someone feels that obscurity adds an extra level of protection, that is the way to do it.
fpgaminer - this is a brilliant and clear answer. Thank you very much for explaining.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: cp1 on September 23, 2013, 10:44:32 PM
This is far from the simplest, nor the most secure.  An offline or paper wallet are simpler and more secure.

I'm sure this could be brute forced some way.  The private key starts with 5, has a checksum, is exactly 64 characters long, etc.
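
Added example (not part of cp1's post or of anyone's reply in this thread): a Python sketch that measures how much secrecy steps 1 and 2 of the opening post actually add, using the Base58Check checksum of the private key as the structure that gives wrong guesses away. It covers only the digit shift and the rotation, with the strings copied from the opening post; the function names are this example's own, and the second test key is constructed.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
DIGITS = "0123456789"

# Strings copied from the opening post: the sample key and the output of its
# step 2 (digits +5, then characters shifted along 7 places).
PAGE_KEY = "5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF"
PAGE_OBFUSCATED = "YXYB4KF0Kb3kLf4zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd"


def sha256d(data):
    """Double SHA-256, the hash behind the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(text):
    """Decode Base58 text to bytes; None if a character is outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(payload):
    """Encode payload plus 4-byte checksum (used to build a constructed test key)."""
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def is_valid_wif(text):
    """True if text is a mainnet WIF private key with a correct checksum."""
    raw = b58decode(text)
    if raw is None or len(raw) not in (37, 38) or raw[0] != 0x80:
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


def shift_digits(text, k):
    """Step 1 of the opening post: add k to every digit, modulo 10."""
    return "".join(str((int(c) + k) % 10) if c in DIGITS else c for c in text)


def rotate_right(text, k):
    """Step 2 of the opening post: move the last k characters to the front."""
    k %= len(text)
    return text[-k:] + text[:-k] if k else text


def obfuscate(key, digit_shift, rotation):
    return rotate_right(shift_digits(key, digit_shift), rotation)


def recover(obfuscated):
    """Undo every (digit_shift, rotation) pair and keep results whose checksum verifies."""
    hits = []
    for rotation in range(len(obfuscated)):
        unrotated = rotate_right(obfuscated, -rotation)
        for digit_shift in range(10):
            candidate = shift_digits(unrotated, -digit_shift)
            if is_valid_wif(candidate):
                hits.append((candidate, digit_shift, rotation))
    return hits


def keyspace_bits(length):
    """Secrecy contributed by the two parameters, in bits: log2(10 shifts * length rotations)."""
    return math.log2(10 * length)


if __name__ == "__main__":
    print("parameter combinations:", 10 * len(PAGE_OBFUSCATED))
    print("equivalent secret size: %.1f bits" % keyspace_bits(len(PAGE_OBFUSCATED)))
    for key, digit_shift, rotation in recover(PAGE_OBFUSCATED):
        print("checksum verifies for digits+%d, rotation %d: %s" % (digit_shift, rotation, key))
```
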


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: fpgaminer on September 23, 2013, 10:51:35 PM
Quote
It seems it's too much to ask experts to spend a few minutes to explain something. I'm not pretending to be a genius, I'm not in the encryption field, I'm just trying to get an answer that makes sense.
I hope my explanation clears things up a bit.  If not, feel free to ask questions.  I did intend my reply to explain more than it chastises; though forgive me if any parts of it come off as chastising.

You probably shouldn't take the replies here as a good measure of this community.  The reason why, is that cryptography is hard, and it is very often that cryptographers and related engineers see developers come along thinking that they know better, but end up implementing something horrifying.  Since this is so common, the natural reaction to anyone cooking their own encryption is to, as you put it, bash them with clubs.  Sure, it's not ideal, but it's understandable.  Anyone with a modicum of knowledge in the field grows quickly jaded by all the horrific pseudo-crypto in the world.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 23, 2013, 11:20:52 PM
Quote
I hope my explanation clears things up a bit.  If not, feel free to ask questions.  I did intend my reply to explain more than it chastises; though forgive me if any parts of it come off as chastising.
There was nothing chastising about your explanation. It is probably the most scholarly and thoughtful message ever addressed to me on this forum. And I appreciate you taking the time to help me, I really do.

Quote
You probably shouldn't take the replies here as a good measure of this community.
75% of the replies to any thread on this forum are hideous. Nasty, bullying, unhelpful, misleading, unfounded and vicious. It makes me believe that 75% of the community are nasty, bullying, unhelpful, deceitful and vicious. It's hard to get a true measure of the community when this is what you see every day in every thread  :-\

Quote
The reason why, is that cryptography is hard, and it is very often that cryptographers and related engineers see developers come along thinking that they know better, but end up implementing something horrifying.  Since this is so common, the natural reaction to anyone cooking their own encryption is to, as you put it, bash them with clubs.  Sure, it's not ideal, but it's understandable.  Anyone with a modicum of knowledge in the field grows quickly jaded by all the horrific pseudo-crypto in the world.
I studied hard subjects at university. And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out. I hope I'd be more like you, trying to explain the flaw in the logic or how to think about it differently, see it in a different way, clear up the confusion.

I'd given up trying and then your message answered all my questions. Thanks again fpgaminer. You are a decent person amongst many cavemen.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: fpgaminer on September 23, 2013, 11:51:02 PM
Quote
And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out.
Certainly, but a lot of fields don't involve quite the same risks that cryptography does; doubly so when the cryptography is being used to secure large sums of money.  No one is going to die from a bad theory about quantum gravity :P  Also, cryptography is one of those strange scientific fields where we can't formally prove much of our work*.  We can build "spherical cows" around the work, but that's about it (most of the time).  Really, our best tools are history, paranoid minds, and big scary clubs to fend off the NSA.

Because of those reasons, the problem of sophomorism will be more prevalent 'round cryptography.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: The Avenger on September 24, 2013, 12:10:09 AM
Quote
And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out.
Certainly, but a lot of fields don't involve quite the same risks that cryptography does; doubly so when the cryptography is being used to secure large sums of money.  
I'm going to horrify you here perhaps, but it's only money.

If people were dying, I'd stand for a lot more shouting and viciousness from doctors looking for medicine or to clamp a ruptured artery.

No one is going to die if some guy thinks he's got an interesting idea, which turns out not to be.

This forum went from a place of ideals and principles to what it is now because of money.

I respect your field - cryptography is VERY hard - I have no doubt about that.

And I'd say a lot of the people who make this forum unbearable are *not* cryptographers, just people interested in money. Making it or stealing it. You just have to look at the amount of scams in the Newbies section every day and the fact that it's allowed.

Anyway, I don't want to keep bumping this thread up to the top of the forum, as it may be "bothering" some people ;)

Best wishes


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: calian on September 24, 2013, 12:20:47 AM
Here's why I dislike your method in a practical sense. It makes the human do the work of a computer. Yes we're very bad at mentally generating true randomness. However we aren't so bad at memorization. Reciting a personal tune or poem composed of nonsense is way easier than running a string of characters through several steps of modifications before accessing your private key. Also this uses up brain power that is probably better spent making sure you don't do something stupid like paying an 80 BTC fee. http://blockchain.info/tx/258478e8b7a3b78301661e78b4f93a792af878b545442498065ab272eaacf035


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: DeathAndTaxes on September 24, 2013, 12:27:50 AM
What you are asking others to do: create your own cryptographic function. This (http://diovo.com/2009/02/wrote-your-own-encryption-algorithm-duh/) is (http://stackoverflow.com/questions/3651090/home-made-cryptography) closest (http://www.linuxdoc.org/HOWTO/Secure-Programs-HOWTO/crypto.html) to the worst thing (http://programmers.stackexchange.com/questions/175489/how-can-i-get-my-own-encryption-algorithm-tested) to do here. (http://security.stackexchange.com/questions/9605/techniques-for-writing-encryption-algorithms-exclusively-for-personal-use)

This  & /thread.

Asking a user to come up with a password with sufficient entropy is a challenge.  That is why key stretching should be used in any key derivative function.  Asking the end user to ignore trusted and peer-reviewed cryptographic systems and "roll his own" almost always ends in catastrophic failure.

It isn't difficult to come up with a cryptographic system that you (the creator) can't break.  It is very difficult to come up with a system which remains strong in the face of cryptanalysis.


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: fpgaminer on September 24, 2013, 03:49:03 AM
Quote
Asking a user to come up with a password with sufficient entropy is a challenge.  That is why key stretching should be used in any key derivative function.
On a related note, I know of a way to harden weak passwords well beyond what a KDF could do.  I might make a thread about it later.


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: Foxpup on September 24, 2013, 05:31:10 AM
This scheme can easily be shown to be bogus just by calculating how much entropy each step adds to the "key":

1. Add/Subtract x to each number (e.g. +5)
Zero. x can be trivially derived by subtracting 5 mod 10 from the first digit of the obfuscated private key (since the first digit of the private key is known to be 5).

2. Shift characters along x places (e.g. +7)
Although it may appear at first glance that all values of x from 0 to 52 are equally likely, we know that only transpositions that put a number at the start are valid, and on average, there will be 9 possibilities.
log2(9)

3. Take a memorable name and swop first with last letter and add symbol to the first letter. So if your cat is called fluffy, you could replace every "F" with "y$". You could mix it up by having a personal rule to alternate the symbol with case, so F->y$ and f->y#
We only need to guess the first letter, since we know what the last letter is - it's the one with the symbol after it.
log2(52)

4. Replace a number with a line break (e.g. 4).
log2(10)

5. Transpose lines (e.g. 3 and 2)
log2(3)

Which gives us a grand total of log2(9) + log2(52) + log2(10) + log2(3) = 13.8 bits of entropy. Which is less than a password consisting of 3 lowercase letters. It can be bruteforced with a pencil and paper in only a few days!

Please leave designing cryptosystems to the experts, okay?

EDIT: Typo


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: mezzomix on September 24, 2013, 05:56:29 AM
You know BIP 0038? The only thing that is missing is a bitaddress.org integration or a simple platform independent tool (like bitaddress.org) to encrypt/decrypt a key.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: Meni Rosenfeld on September 24, 2013, 07:30:59 AM
Quote
Stenography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use stenography to hide it somewhere.
You mean "steganography". Stenography means transcribing in shorthand.

There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.
However unique you think your method is, there is always the chance the attacker will think the same as you. The only thing giving you a guarantee of security is true randomness. If you randomly choose one method out of 1000, there's no way the attacker will pick the same one as you by thinking like you, because you didn't choose by thinking, but by leaving it to chance. It is mathematically impossible to guess your method without 500 attempts on average.

"Entropy" is a measure of how much randomness there is in the process used to generate the method. (It is assumed the final choice is uniformly random among some options.) A process with x bits of entropy means there are 2^x different equally likely choices, and the attacker can't do any better than guessing until he finds the right one.

Foxpup gives an estimate for the amount of entropy in your process.
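
An added example (not code from any poster in this thread) that runs Foxpup's count against the obfuscated text published in the opening post, using the Base58Check checksum cp1 mentions to recognise the right guess. It assumes the five steps are known, that the symbol after "y" gives the case of the hidden letter (26 guesses rather than Foxpup's 52), and that step 5 is a single swap of two lines; `recover` and `is_valid_wif` are names chosen here.

```python
import hashlib
from itertools import combinations
from string import ascii_lowercase

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The obfuscated text exactly as the thread's opening post published it.
PUBLISHED = ["YXYB",
             "zgWQnogidDA21MzPL1TsZZY81hWXMssSzNyd",
             "Ky$0Kb3kLy#"]

def is_valid_wif(s):
    """Base58Check test: 51 chars, leading '5', version 0x80, 4-byte checksum."""
    if len(s) != 51 or s[0] != "5" or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    raw = n.to_bytes(37, "big")          # version + 32-byte key + checksum
    check = hashlib.sha256(hashlib.sha256(raw[:33]).digest()).digest()[:4]
    return raw[0] == 0x80 and raw[33:] == check

def recover(lines):
    """Undo steps 5..1 for every guess; return (key, candidates_tested)."""
    tested = 0
    for i, j in combinations(range(len(lines)), 2):   # step 5: swapped pair
        order = list(lines)
        order[i], order[j] = order[j], order[i]
        for d in "0123456789":                        # step 4: digit -> newline
            joined = d.join(order)
            for letter in ascii_lowercase:            # step 3: letter behind y$/y#
                text = joined.replace("y$", letter.upper()).replace("y#", letter)
                for r in range(len(text)):            # step 2: rotation
                    rot = text[r:] + text[:r]
                    if not rot[0].isdigit():          # a key starts with a digit
                        continue
                    x = (int(rot[0]) - 5) % 10        # step 1: fixed by leading '5'
                    cand = "".join(str((int(c) - x) % 10) if c.isdigit() else c
                                   for c in rot)
                    tested += 1
                    if is_valid_wif(cand):
                        return cand, tested
    return None, tested

if __name__ == "__main__":
    key, tested = recover(PUBLISHED)
    print(f"checksum-valid key found after {tested} candidates: {key}")
```

The whole search space here is 3 × 10 × 26 × 9 = 7,020 candidates, about 12.8 bits, and step 1 contributes nothing because the known leading 5 fixes x.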


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: coastermonger on September 24, 2013, 10:04:20 AM
Let's imagine a challenge with 4 facts:

1.) There is a merchant out in the world who is offering something you want, (something truly amazing, like an Enzo Ferrari) for 1,000 BTC.

2.) Fortunately, I'm about to give you 1,000 BTC because I owe ya.

3.) Using a wallet of your design, your job is to create a new address to receive this bitcoin into your wallet, and then subsequently spend this bitcoin into the merchant's 3rd party address.  

4.) Unfortunately, the computer you are using is infected with undetectable and unremovable keylogging Malware and screencapture technology.  It's designed to immediately intercept and re-spend bitcoins to a thief's address.  You don't even know it's infected.  In other words, as soon as the malware is able to see either your password or your private key, any funds in your wallet will immediately be stolen.

So how can you receive this bitcoin onto the computer's wallet and spend it again without the thief intercepting ANY of it?  AND without changing the current bitcoin protocol?

(Hint: easier than you think, don't spend too much time on it, I will reply with the correct solution in about 12 hours time.)


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: mezzomix on September 24, 2013, 10:33:46 AM
If memory is not infected use no password at all and write a script to transfer the incoming BTC to the third party. If memory is infected as well you can pay the third party for me. If that is not an option everything is lost.


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: Geddi on September 24, 2013, 11:35:43 AM
Quote
Let's imagine a challenge with 4 facts:

1.) There is a merchant out in the world who is offering something you want, (something truly amazing, like an Enzo Ferrari) for 1,000 BTC.

2.) Fortunately, I'm about to give you 1,000 BTC because I owe ya.

3.) Using a wallet of your design, your job is to create a new address to receive this bitcoin into your wallet, and then subsequently spend this bitcoin into the merchant's 3rd party address.  

4.) Unfortunately, the computer you are using is infected with undetectable and unremovable keylogging Malware and screencapture technology.  It's designed to immediately intercept and re-spend bitcoins to a thief's address.  You don't even know it's infected.  In other words, as soon as the malware is able to see either your password or your private key, any funds in your wallet will immediately be stolen.

So how can you receive this bitcoin onto the computer's wallet and spend it again without the thief intercepting ANY of it?  AND without changing the current bitcoin protocol?

(Hint: easier than you think, don't spend too much time on it, I will reply with the correct solution in about 12 hours time.)

iirc it is possible to send the coins to me using a multisig transaction (CHECKMULTISIGVERIFY), requiring 2 signatures to spend them: Mine and the merchant's.
The malware only knows my key so it can't steal the(se) coins!


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: cp1 on September 24, 2013, 02:31:53 PM
Secretly program your computer to use morse code via the caps lock key, so that screen capture is useless.


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: coastermonger on September 24, 2013, 06:27:28 PM
Quote
Let's imagine a challenge with 4 facts:

1.) There is a merchant out in the world who is offering something you want, (something truly amazing, like an Enzo Ferrari) for 1,000 BTC.

2.) Fortunately, I'm about to give you 1,000 BTC because I owe ya.

3.) Using a wallet of your design, your job is to create a new address to receive this bitcoin into your wallet, and then subsequently spend this bitcoin into the merchant's 3rd party address.  

4.) Unfortunately, the computer you are using is infected with undetectable and unremovable keylogging Malware and screencapture technology.  It's designed to immediately intercept and re-spend bitcoins to a thief's address.  You don't even know it's infected.  In other words, as soon as the malware is able to see either your password or your private key, any funds in your wallet will immediately be stolen.

So how can you receive this bitcoin onto the computer's wallet and spend it again without the thief intercepting ANY of it?  AND without changing the current bitcoin protocol?

(Hint: easier than you think, don't spend too much time on it, I will reply with the correct solution in about 12 hours time.)

Just for fun, let's also imagine that the memory is infected as well.  The thief already knows your password and the private key to every address you have ever created.  The wallet is currently empty, but as soon as any funds go into it, they're going to get stolen right back out unless the wallet is truly of a remarkable design.

One type of valid solution would be to remove the lines of communication.

Step 1) Turn off your computer's internet connection.

Step 2) Open up your computer's wallet and generate an address and private key at your leisure.

Step 3) Tell me to transfer that 1,000 bitcoin to your new address now.

Step 4) Use another computer to monitor the blockchain.info page of that address. Once confirmed call up the merchant to tell him you have a 1,000 BTC address to import via private key when ready.  (But I will admit, all this is a little cumbersome and only slightly bending the rules by using 2 computers)

There is an even better solution, but before describing it I'm still interested in what else you might think of.


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: dserrano5 on September 24, 2013, 07:24:40 PM
Quote
There is an even better solution, but before describing it I'm still interested in what else you might think of.

Ah, is a second computer ok? Then unplug from the internet. Ask you for the txid of your 1000 BTC payment to me. Generate and sign another transaction redeeming the coins in your transaction and sending them to the merchant. Broadcast the transaction from another computer (or from the same computer after setting up a tight firewall that only permits the blockchain.info URL that allows you to broadcast transactions, I can't remember it now blockchain.info/pushtx—thank you TBZ!).


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: TheButterZone on September 24, 2013, 08:16:01 PM
blockchain.info/pushtx


Title: Re: Obfuscation - only to be used by wizards in magic spells, not cryptography
Post by: virtualmaster on September 26, 2013, 06:59:11 PM
Obfuscation can be useful especially if the method is unknown and even more if paired with steganography.
Just look how the freemasonry kept their secrets over hundreds of years. If it were secured with cryptography we would already know their secrets or at least the secrets that they had 60 years ago.
They have just hidden (a kind of steganography) the secrets and obfuscated it (gave false explanations and hints).
Was this method successful? Sure.


Title: Re: Obfuscation - the overlooked, simplest and most secure bitcoin wallet security
Post by: DannyHamilton on September 26, 2013, 08:22:58 PM
- snip -
Thanks to those (very few) that were helpful.

You're welcome.