Bitcoin Forum
  Show Posts
5821  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:40:59 PM
The difference is that you can easily calculate the entropy of a brainwallet. Your function however not so much. So you won't know how secure it is.

That was exactly the point of this "challenge" in the first place (to test the concept for real and of course as stated this is not for "Gavin's grandma" but instead for highly creative minds which I think in the Bitcoin world we have many).
5822  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:39:30 PM
I don't see how this is not a brainwallet too. It would be like creating an electrum 10 word passphrase, remembering only 4 of them and writing 6 of them down on a piece of paper.

You're just adding the entropy either way.

It is indeed a "brainwallet" of sorts but I think it is a much better one - if I am so wrong then I would have thought that the 10 BTC would have already been moved by now.
5823  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:34:24 PM
To be picky the term "secret key derivation function" is probably more correct than "salting algorithm". This might look like salting, but actually isn't. I'm not going to link to Wikipedia again, but there is some nice info on salting there as always.

To better illustrate that the derivation function is a part of the password is that you could of course select an "algorithm" that doesn't use any input, such as
Code:
echo "my_secret_123";

Here you add zero bits of entropy to get the key and the entire security lies in the secrecy of the function.

Sorry for the poor terminology (I am actually far from being an encryption expert) but I am hoping that the point being that "it only takes a bit of creativity" to create a secure password is being made (rather than the "brainwallet - type in a very long and hard to remember password" approach).
5824  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:13:43 PM
The difference is that in the case we are cracking you haven't yet published the algorithm. One could say that the algorithm is a part of the key and it needs to be kept secret in order to not compromise security.

I recommend reading this: http://en.wikipedia.org/wiki/Security_by_obscurity

Nice link - and indeed the "salting algorithm" *needs* to be changed by the user (the *real* script literally won't hash a password for you unless you do modify it).

This technique (perhaps unlike Mike's) is only being aimed at those who are capable of using it (i.e. not for Gavin's grandma) although perhaps others can work out some ways to make this even easier for the less computer literate (am willing to set up a task on CIYAM Open and provide some funds if anyone is interested in taking this on).
5825  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:09:56 PM
Ok, but now you have to also remember the secret derivation function!

Yes - you can store it on your computer. But then you could also just have stored a better password to begin with!

If you make the derivation function public the security of your short password goes down the drain.

Of course - that is a very key point to the technique (although I have no need to write things like that down as I have a very good memory) - but so far you guys haven't been able to read my mind and I wasn't even trying with this one.

Cheesy
5826  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:08:09 PM
If your key derivation is secret then what you are essentially doing is using that as your password as well. Because to decrypt it you don't only have to remember your 4 chars, but you also have to remember the exact formula of the key derivation.

Very true - but it's rather easy to hide a mathematical equation (or something else) in some notes that wouldn't seem directly related to your bitcoins isn't it?
5827  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 12:04:30 PM
...we don't know the exact implementation of your key derivation function.

Why would you? The idea is that you have to change the script to create your *own* puzzle.

I understand that creating entropy is not easy (and I am certainly not trying to trivialise this problem) but I think it doesn't need to be nearly as hard as trying to remember huge passwords.

If I am wrong then you will be able to steal funds from CIYAM Open - I welcome the challenge!!!
5828  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 11:56:53 AM
This is security by obscurity though. Once they know about your implementation it will be easily cracked.

Oh really - then why hasn't this been cracked already?

(the script in the OP is a simplified version of the one I will publish - btw you cannot run the script I will publish without first modifying it in order to hopefully stop someone being silly enough to run it without first modifying it as I modified the one being tested here)

If I can modify one line of a script and use a 4 letter password that no-one here has been able to crack already then I think that speaks for itself.

Smiley
5829  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 11:53:12 AM
You can send it to 1GAtPwoTGPQ35y9QugJueum5GzaEzLYjiQ

All winnings will be passed on to a followup contest! It might take a while, but there will be one!

On its way:

http://blockchain.info/tx/003a4b9ee67639a08c28b9c183ab36f3b2fc192aeac84d9bd8cc29684f6f094e

I have a much better bash script that I am including with a custom Open SUSE distro (which I am still putting together) - that will be a hell of a lot more challenging than this to crack (the point being similar to Mike Caldwell's one that you don't need to remember a huge password to get good security).

Smiley
5830  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 11:37:37 AM
I tested all passwords for 9 different key derivations before throwing in the towel.

Sorry to hear that but as you have been very helpful with this I will be sending you 1 BTC anyway (let me know what address to send to either here or in a PM if you prefer).

How are the rest of you going - want that hint earlier or happy to wait until confirmation # 200?
5831  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 11:29:40 AM
Not sure if you guys have already been doing this but if some basic stats (such as the total # of attempts each of you have tried) could be published then I think that would be very useful (after it has been cracked of course and perhaps only by the winner).
5832  Bitcoin / Project Development / Re: [ANN] CIYAM Open - a new way to develop web apps and fund open source projects on: December 26, 2012, 11:17:55 AM
Well in case you haven't noticed the "challenge" I put up (to crack an encrypted password that I created using a simple script and very unsafe starting password) seems to be heating up.

A more sophisticated and secure version (along with a USB installable Live OS) with instructions will soon be coming.
5833  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:48:17 AM
But you can see the number when looking at the transaction! Here:
http://blockchain.info/tx/56bb0f9038b6402a548795d15a22450b040efbeacdea56269baef34a68a0b5bd

Aha - nice spot - well I think by average calculations confirmation # 200 should occur around the time I had given (or maybe an hour either side) - but if it makes it more interesting to keep using confirmation #'s then no problem!
5834  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:41:46 AM
Just in case I find the privkey for the 10BTC, I'm gonna share a piece of it with the guys who helped.

Very honourable - I also have pledged to provide some extra bounties for all the great testing being done here.

Smiley
5835  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:40:15 AM
Actually only noticed for the first time that blockchain.info doesn't show the # of confirmations for an address when it gets above 100.

So rather than a confirmation # I will pick a time in (UTC) so unless there is a consensus to give it out sooner the next hint will be at 2012-12-27 04:00 (I will be going to sleep in another 5 or 6 hours at the most so I won't be available from around 2012-12-26 10:00 until 2012-12-26 20:00).
5836  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:19:36 AM
I can obviously only speak for myself, but I simply see too many possibilities to brute force at the moment. Or rather that I see no good way of automating the guessing of the equation modification.
Replacing the "=" and "at least" with ">=" was the only logical change I could come up with.
Next up is a ton of "two times %s..." etc.

Indeed - I could have easily changed it to something like: etothei$password (which I didn't so don't bother with that one) and am pretty certain that the next hint will help clarify things.
5837  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:10:46 AM
Remember that withholding good hints will contribute to global warming!  Grin

Very true - that's why I had originally wanted to make the last hint more specific - but in any case it seems that you guys are doing some very useful work in testing the approach that I am using (so some extra bounties will be given out to those who have contributed significantly to this thread).

Smiley
5838  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 10:08:39 AM
The next hint will be a little more specific about the equation change - let me know how soon you think you need this hint (if no other consensus then I will be giving it at 200 confirmations).
5839  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 09:58:56 AM
So now the next hint (and as promised it should not make things too easy):

Code:
I changed the equation.

Smiley
5840  Bitcoin / Bitcoin Discussion / Re: Solve a riddle, guess a 4 char password and add 10 BTC to your xmas stocking! on: December 26, 2012, 08:26:51 AM
...but how did he encrypt the private key?

The GPG private key was of course encrypted by GPG itself (using standard settings) with a password that is actually an SHA256 hash (as hex) - the script shown in the OP was what I used to convert a 4 character password into the hash (with the key point that I modified a line of the script that adds "salt" to the weak password to strengthen it before hashing).

I have put the script into a "code block" in order to make the OP clearer (the script itself was unchanged from that in the original OP version).
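The scheme described in the post above (short password, a "salt" line, SHA-256 as hex used as the GPG passphrase) can be measured directly. The following is an added example, not the poster's script: `SALT_FORMAT`, the function names, the sample password and the lowercase-only alphabet (chosen to keep the run short) are all assumptions made for the demonstration.

```python
import hashlib
import itertools
import math
import string

# Hypothetical stand-in for the poster's modified "salt" line; the real script
# and its modification are not shown on this page.
SALT_FORMAT = "constructed demo sentence wrapped around %s"


def derive_passphrase(password, salt_format=SALT_FORMAT):
    """Salt the short password, then return the SHA-256 digest as hex."""
    return hashlib.sha256((salt_format % password).encode()).hexdigest()


def password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def search(target_hex, salt_formats, alphabet=string.ascii_lowercase, length=4):
    """Try every password under each candidate salt line.

    Returns (password, salt_format, attempts); password is None on a miss.
    """
    attempts = 0
    for fmt in salt_formats:
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if derive_passphrase(candidate, fmt) == target_hex:
                return candidate, fmt, attempts
    return None, None, attempts


if __name__ == "__main__":
    target = derive_passphrase("wxyz")  # constructed sample password
    print("4 lowercase chars: %.1f bits" % password_bits(4, 26))
    print("4 printable ASCII: %.1f bits" % password_bits(4, 95))
    # Salt line known: the whole space falls in under 26**4 hashes.
    print(search(target, [SALT_FORMAT]))
    # Salt line guessed wrong: the full space is searched and nothing matches.
    print(search(target, ["a wrong guess at the salt line: %s"]))
```

The password itself contributes under 27 bits even over all printable ASCII, so any remaining strength comes from the secrecy of the salt line, which is the point the quoted replies in this thread make.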