btcven
November 21, 2013, 01:06:28 AM
Here is the original post from the Newbies section: https://bitcointalk.org/index.php?topic=329087.0

> Hi Guys, I'm Evil Knievel and I am new here. I'm from the beautiful Brazil and get more and more interested in the question how secure bitcoin eventually is. "The only way to improve security is to unveil its flaws" - 2013, Evil-Knievel
> Unfortunately I am a newbie and restricted to this forum. However I have the feeling that the Electrum Brainwallet Principle is not fully secure. Let me first summarize how Electrum works. In Electrum you have a "Master-Key" with which (even when you lose your wallet due to hard disk failure and stuff) you can fully restore all your wallets / change-wallets etc. This "Master Public Key", as they call it, is represented by a "memorizable" string of 12 random words from a word list. While in theory (at a word list length of 1626) you have 1626^12 different possibilities, we are not yet sure if the search space is really that big. It yet has to be determined if (and how many) collisions, e.g. word combinations leading to the same Master-Public-Key, actually exist, and yet to be checked if some words are picked more likely than others depending on the entropy coming from python's ecdsa random function. But as a first step I have come up with an Electrum Cracker, that will search for active wallets created by random combinations of 12 words. I would hope you guys want to participate in that experiment and maybe contribute in this open source project. Check out the script on github (https://github.com/Evil-Knievel/electrum-cracker). Hope you like it, and I also hope for an interesting discussion towards electrum's brainwallet stuff.

I don't know of a response yet from the devs on what this person is referring to.
Eadeqa (OP)
November 21, 2013, 02:09:34 AM
> Here is the original post from the Newbies section: https://bitcointalk.org/index.php?topic=329087.0
> > Hi Guys, I'm Evil Knievel and I am new here. I'm from the beautiful Brazil and get more and more interested in the question how secure bitcoin eventually is. "The only way to improve security is to unveil its flaws" - 2013, Evil-Knievel
> > Unfortunately I am a newbie and restricted to this forum. However I have the feeling that the Electrum Brainwallet Principle is not fully secure. Let me first summarize how Electrum works. In Electrum you have a "Master-Key" with which (even when you lose your wallet due to hard disk failure and stuff) you can fully restore all your wallets / change-wallets etc. This "Master Public Key", as they call it, is represented by a "memorizable" string of 12 random words from a word list. While in theory (at a word list length of 1626) you have 1626^12 different possibilities, we are not yet sure if the search space is really that big. It yet has to be determined if (and how many) collisions, e.g. word combinations leading to the same Master-Public-Key, actually exist, and yet to be checked if some words are picked more likely than others depending on the entropy coming from python's ecdsa random function. But as a first step I have come up with an Electrum Cracker, that will search for active wallets created by random combinations of 12 words. I would hope you guys want to participate in that experiment and maybe contribute in this open source project. Check out the script on github (https://github.com/Evil-Knievel/electrum-cracker). Hope you like it, and I also hope for an interesting discussion towards electrum's brainwallet stuff.
> I don't know of a response yet from the devs on what this person is referring to.

Looking at an older archive, I found:

> The seed is a 128 bits random number, generated by os.urandom()
> The seed is represented as a sequence of words in order to facilitate memorization and storage, but it can as well be represented as a hexadecimal string, or as a number. For some reason, people tend to perceive words as "less random" than numbers. That's an illusion.
> The only thing that actually matters is the number of bits of entropy in your seed (128 bits is considered as very safe, and will probably remain safe until real quantum computers are invented), and the quality of your source of randomness (electrum does not use python's random module)

So as I understand it the words are used only for memorization, but the actual seed is a 128 bit random number.

"electrum does not use python's random module"

If so, why os.urandom()? Isn't that python's random module?
ThomasV
Moderator
November 21, 2013, 04:53:35 PM
It looks more like a noob trying to attract attention. Electrum uses the python-ecdsa library to generate the seed, which calls os.urandom(), and not python's random library. Btw, this "cracker" does use python's random library. On Linux, os.urandom is non-blocking, meaning that it is safe as long as you don't call it repeatedly (which might deplete your entropy pool).

Electrum: the convenience of a web wallet, without the risks
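To make concrete what the quoted seed description and ThomasV say (the 12 words are only a representation of a 128-bit seed drawn from os.urandom, and the word list size 1626 is chosen so that three words carry one 32-bit chunk), here is an added example; it is not code from Electrum or from anyone in this thread. It uses the three-words-per-32-bits mapping of the old Electrum mnemonic scheme as I recall it (an assumption, not confirmed by the page) and a placeholder word list, since the real 1626-word list is not reproduced here.

```python
import os
import struct

N_WORDS = 1626   # size of the old Electrum word list, as stated in the thread
SEED_BYTES = 16  # 128-bit seed, as the quoted description and ThomasV state

# Placeholder word list: the real 1626-word list is not on this page, so word i
# is simply the string "w<i>". The index arithmetic below is unaffected.
WORDS = [f"w{i}" for i in range(N_WORDS)]

def generate_seed() -> bytes:
    """Draw the 128-bit seed from the OS CSPRNG (os.urandom), never random.*"""
    return os.urandom(SEED_BYTES)

def mn_encode(seed: bytes) -> list:
    """Map each 32-bit chunk of the seed to three word indices.
    Old Electrum scheme as I recall it (assumption, not taken from the page)."""
    assert len(seed) % 4 == 0
    n, out = N_WORDS, []
    for (x,) in struct.iter_unpack(">I", seed):
        w1 = x % n
        w2 = (x // n + w1) % n
        w3 = (x // n // n + w2) % n
        out += [WORDS[w1], WORDS[w2], WORDS[w3]]
    return out

def mn_decode(words: list) -> bytes:
    """Inverse of mn_encode. Since 1626^3 > 2^32, some word triples decode to a
    value that is not a 32-bit chunk: such a phrase corresponds to no seed."""
    assert len(words) % 3 == 0
    n, out = N_WORDS, b""
    for i in range(0, len(words), 3):
        w1, w2, w3 = (WORDS.index(w) for w in words[i:i + 3])
        x = w1 + n * ((w2 - w1) % n) + n * n * ((w3 - w2) % n)
        if x >= 2 ** 32:
            raise ValueError("word triple does not encode a 32-bit value")
        out += struct.pack(">I", x)
    return out

def is_valid_phrase(words: list) -> bool:
    """True when the 12 words are the encoding of some 128-bit seed."""
    try:
        return len(words) == 12 and len(mn_decode(words)) == SEED_BYTES
    except ValueError:  # out-of-range triple or unknown word
        return False

def round_trips(seed: bytes) -> bool:
    """Encode then decode must return the seed: one seed, one phrase."""
    return mn_decode(mn_encode(seed)) == seed

if __name__ == "__main__":
    seed = generate_seed()
    print(seed.hex(), mn_encode(seed), round_trips(seed))
```

Because the mapping is a bijection between 128-bit seeds and valid phrases, the set of phrases an attacker would have to cover is exactly the 2^128 seeds, and the only thing that matters for its safety is that the seed bytes come from a CSPRNG.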
Eadeqa (OP)
November 21, 2013, 06:24:11 PM
> It looks more like a noob trying to attract attention. Electrum uses the python-ecdsa library to generate the seed, which calls os.urandom(), and not python's random library. Btw, this "cracker" does use python's random library. On Linux, os.urandom is non-blocking, meaning that it is safe as long as you don't call it repeatedly (which might deplete your entropy pool).

Yes, I looked it up. On Windows it will be using CryptGenRandom (http://en.wikipedia.org/wiki/CryptGenRandom), which on the latest versions of Windows should be pretty secure.
BkkCoins
November 22, 2013, 06:13:25 AM
It's kind of funny when a newbie comes along and tries a naive approach to cracking something.
In this case he doesn't seem to understand he can totally remove all the code related to guessing words, and decoding them, and simply generate a 128 bit random number as seed directly. That should speed this up somewhat, but to go even faster he may as well just increment a counter and check seed values sequentially - it has the same probability and would be faster still and not run into a depleted entropy pool.

2^128 = 3.402823669×10^38

One billion balance checks / second (very unlikely even with 10,000 computers attacking), looking for a hit in one of 2 million addresses (current number with non-zero balances in the network), would still take

3.402823669×10^38 / 1×10^9 / 2×10^6 = 1.701411835×10^53 seconds,
or 5.395141537×10^45 years.

I wish him good luck.
wingsuit
November 23, 2013, 05:04:49 AM
> It's kind of funny when a newbie comes along and tries a naive approach to cracking something.
> In this case he doesn't seem to understand he can totally remove all the code related to guessing words, and decoding them, and simply generate a 128 bit random number as seed directly. That should speed this up somewhat, but to go even faster he may as well just increment a counter and check seed values sequentially - it has the same probability and would be faster still and not run into a depleted entropy pool.
>
> 2^128 = 3.402823669×10^38
>
> One billion balance checks / second (very unlikely even with 10,000 computers attacking), looking for a hit in one of 2 million addresses (current number with non-zero balances in the network), would still take
>
> 3.402823669×10^38 / 1×10^9 / 2×10^6 = 1.701411835×10^53 seconds,
> or 5.395141537×10^45 years.
>
> I wish him good luck.

/thread

FLY