Bitcoin Forum
Pages: « 1 [2] 3 »  All
Author Topic: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc.  (Read 12444 times)
ryanc (Member; Activity: 105; Merit: 59)
August 28, 2015, 08:31:56 PM  #21

ryanc, I would like to see more documentation about brainflayer as there is almost none.

The initial release of brainflayer deliberately has very limited documentation to keep unskilled people from using it. I will be releasing an enhanced version (with better documentation) soon, now that it's made some news and convinced some people to stop using brainwallets.

Regarding a comment you made in your presentation on how to alert people that they have a weak address: you said that one could think of sending a small amount to a vanity address, but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here you have a Python script for generating them; also check the bitcoin address validation wiki entry.

This would pollute the UTXO set, and I don't think it's really any better than using multiple vanity addresses in the same transaction. I was going for subtle at the time.
frenulum (Full Member; Activity: 146; Merit: 100)
August 31, 2015, 11:04:05 PM (last edit: September 01, 2015, 12:46:20 AM by frenulum)  #22

Wow. Just read about this tonight. Experimenting with Brain Wallet and found an empty wallet with 2 previous transactions.

It's true. People have no imaginations   :/

edit: up to 4 now (all empty though)
edit: make that 6

crypto_trader#43xzEXrP (Full Member; Activity: 1589; Merit: 214)
November 05, 2017, 01:15:51 AM  #23

I have several times changed the source of https://brainwalletx.girhub.io/ to support different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download and test it here ("DOWNLOAD"): http://rgho.st/8hlwbSy98
1. Unzip to a folder.
2. Drag and drop index.html -> into a tab of your browser.
3. See changes.txt

Just for you all, I added random_seed and XOR,
and also unlocked the "Secure random" button (just found it in the source code).

Maybe something else needs to be added or changed? Just PM me.

Elliander (Member; Activity: 67; Merit: 13)
November 21, 2017, 07:24:58 PM  #24

Out of curiosity, where does the vulnerability originate? Is it in the seed phrase itself, or in the way it makes use of the seed phrase? This is important because I noticed that Electrum wallets will accept any seed phrase I give them, meaning that I could technically just think up my own seed phrase and use it the same way I'd use a brain wallet. If the issue is with the 12-word seeds, it would mean that no seed wallet is safe, but if the issue is something else I'd like to know what that is and what, if anything, it might mean for other wallets.

timisis (Member; Activity: 178; Merit: 10)
December 12, 2017, 01:51:12 PM  #25

I have several times changed the source of https://brainwalletx.girhub.io/ to support different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download and test it here ("DOWNLOAD"): http://rgho.st/8hlwbSy98
1. Unzip to a folder.
2. Drag and drop index.html -> into a tab of your browser.
3. See changes.txt

Just for you all, I added random_seed and XOR,
and also unlocked the "Secure random" button (just found it in the source code).

Maybe something else needs to be added or changed? Just PM me.

Can't make up my mind if this is phishing or an honest typo, but the rating suggests phisher!
ryanc (Member; Activity: 105; Merit: 59)
March 16, 2018, 01:47:17 AM  #26

I plan to release an update adding support for this "passphrase plus xor" brainwallet variant, so don't go using it.
asenski (Newbie; Activity: 8; Merit: 104)
June 14, 2019, 08:34:57 PM (merited by DarkStar_ (4))  #27

What's your take on WarpWallet?

https://keybase.io/warp

Using a single-step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alphanumeric characters (not even a salt).

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet). Also, you have the option of adding a salt.

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters (this one has a pre-defined salt).
ryanc (Member; Activity: 105; Merit: 59)
July 22, 2019, 01:03:11 AM (merited by DarkStar_ (4))  #28

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.
almightyruler (Legendary; Activity: 2268; Merit: 1092)
July 22, 2019, 10:51:27 PM (merited by DarkStar_ (1))  #29

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters (this one has a pre-defined salt).

Do you mean "The WarpWallet Challenge 2"? Check the address, the 10 BTC was moved out in January 2018. The text also says that the challenge expires 1st Jan 2018.

https://www.blockchain.com/btc/address/1MkupVKiCik9iyfnLrJoZLx9RH4rkF3hnA
pooya87 (Legendary; Activity: 3500; Merit: 10695)
July 24, 2019, 04:30:55 AM  #30

Using a single-step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alphanumeric characters (not even a salt).

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet).

Actually the main difference is the use of a key derivation function called "scrypt", which is a memory-expensive KDF; with decent settings it can become very expensive to break. N=2^18 and r=8 are the "cost" parameters that make it expensive, since you are basically deriving a 1024-byte-long key and then mixing it in 8 blocks, 2^18 times, then deriving another key from that mixed key, both times using PBKDF2.
By the way, the "s2" variable it uses is quite pointless in my opinion; they could have just increased the block size factor from 8 to a bigger value!

And finally I have to mention that even with this much complication, this implementation also suffers from the same flaws as any other brain wallet: people are not capable of creating a truly random password. Most of them will use simple terms which can be found/guessed easily.
Setting a couple of complicated passwords as a challenge doesn't mean the method is safe. You could do the same thing with other brainwallets too!

crypto_trader#43xzEXrP (Full Member; Activity: 1589; Merit: 214)
September 01, 2019, 05:26:38 PM  #31

I have several times changed the source of https://brainwalletx.girhub.io/ to support different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download and test it here ("DOWNLOAD"): http://rgho.st/8hlwbSy98
1. Unzip to a folder.
2. Drag and drop index.html -> into a tab of your browser.
3. See changes.txt

Just for you all, I added random_seed and XOR,
and also unlocked the "Secure random" button (just found it in the source code).

Maybe something else needs to be added or changed? Just PM me.

Can't make up my mind if this is phishing or an honest typo, but the rating suggests phisher!
Hehheh. Open source. Where can you see any phishing in the source code?
I hosted it using GitHub Pages, here: https://username1565.github.io/brainwallet.github.io/
Source code here: https://github.com/username1565/brainwallet.github.io/

Best regards.

asenski (Newbie; Activity: 8; Merit: 104)
September 08, 2019, 09:56:47 PM  #32

Using a single-step plain hash for brain wallets is definitely a bad idea. But I like the WarpWallet approach.

So far it has stood the test of time even with a password of just 8 alphanumeric characters (not even a salt).

The key difference is that there are so many iterations instead of a single hash that brute-forcing those keys would not really be feasible (yet).

Actually the main difference is the use of a key derivation function called "scrypt", which is a memory-expensive KDF; with decent settings it can become very expensive to break. N=2^18 and r=8 are the "cost" parameters that make it expensive, since you are basically deriving a 1024-byte-long key and then mixing it in 8 blocks, 2^18 times, then deriving another key from that mixed key, both times using PBKDF2.
By the way, the "s2" variable it uses is quite pointless in my opinion; they could have just increased the block size factor from 8 to a bigger value!

And finally I have to mention that even with this much complication, this implementation also suffers from the same flaws as any other brain wallet: people are not capable of creating a truly random password. Most of them will use simple terms which can be found/guessed easily.
Setting a couple of complicated passwords as a challenge doesn't mean the method is safe. You could do the same thing with other brainwallets too!

Agree that the s2 variable is pointless. The point I was making was that this is a much safer brain wallet, given that people don't use easy-to-guess input.
I'd still prefer WarpWallet to remembering 12 words. You can use things you'd never forget for master & salt, but that are not that common or easy to guess.
There is no way you can remember 12 words for years to come without writing them down somewhere. Which also means that they could easily be stolen or lost.

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

Yes, they should've generated compressed keys, but that can be fixed easily.

There are still 10 BTC sitting there as a reward to whoever can guess the 8 alphanumeric characters (this one has a pre-defined salt).

Do you mean "The WarpWallet Challenge 2"? Check the address, the 10 BTC was moved out in January 2018. The text also says that the challenge expires 1st Jan 2018.

https://www.blockchain.com/btc/address/1MkupVKiCik9iyfnLrJoZLx9RH4rkF3hnA

Right. They had the prior challenge for 2 years, and it wasn't cracked until the expiration date.
pooya87 (Legendary; Activity: 3500; Merit: 10695)
September 09, 2019, 03:52:18 AM  #33

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

True, but as I explained, the alternative is still flawed, so in my opinion storing the 12 words that are randomly generated is a lot safer than using a brainwallet, even if it is susceptible to physical theft.
Besides, you can mitigate that by using some sort of encryption on it! For instance, you could use the "brainwallet" as the password for encrypting the mnemonic phrase, then print the encrypted text instead and remember the password.

crypto_trader#43xzEXrP (Full Member; Activity: 1589; Merit: 214)
September 09, 2019, 07:33:17 PM  #34

storing the 12 words that is randomly generated is a lot safer than using a brainwallet even if it is susceptible to physical theft.
These words can be encrypted with a password and saved in LocalStorage in the browser, like a seed on WAVES DEX.

Sometimes WarpWallet works well for me,
but sometimes I see a "throw error" in the console of my browser when I try to run this WARPWALLET:
Code (browser console, F12 button):
event.returnValue is deprecated. Please use the standard event.preventDefault() instead.
Uncaught RangeError: Invalid array buffer length warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10549
Scrypt.run warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10549
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10692
scrypt warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:10706
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:12650
exports.run.run warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:12660
Warper.click_submit warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:921
(anonymous function) warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:766
x.event.dispatch warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:692
v.handle warp_1.0.9_SHA256_a2067491ab582bde779f4505055807c2479354633a2216b22cf1e92d1a6e4a87.html:692

Can someone explain this and repair it?

asenski (Newbie; Activity: 8; Merit: 104)
September 12, 2019, 06:01:33 PM  #35

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

True, but as I explained, the alternative is still flawed, so in my opinion storing the 12 words that are randomly generated is a lot safer than using a brainwallet, even if it is susceptible to physical theft.
Besides, you can mitigate that by using some sort of encryption on it! For instance, you could use the "brainwallet" as the password for encrypting the mnemonic phrase, then print the encrypted text instead and remember the password.

That is a fine idea!

What I don't like is using a simple SHA for a password. So even password-protected mnemonics, if they fall into the wrong hands, could easily be brute-forced.

So here is a thought we'd perhaps both agree on: what about WarpWallet-type encryption on top of the mnemonic phrases?
pooya87 (Legendary; Activity: 3500; Merit: 10695)
September 13, 2019, 05:50:16 AM  #36

~
There is no way you can remember 12 words for years to come without writing them somewhere. Which also means that they could easily be stolen or lost.

True, but as I explained, the alternative is still flawed, so in my opinion storing the 12 words that are randomly generated is a lot safer than using a brainwallet, even if it is susceptible to physical theft.
Besides, you can mitigate that by using some sort of encryption on it! For instance, you could use the "brainwallet" as the password for encrypting the mnemonic phrase, then print the encrypted text instead and remember the password.

That is a fine idea!

What I don't like is using a simple SHA for a password. So even password-protected mnemonics, if they fall into the wrong hands, could easily be brute-forced.

So here is a thought we'd perhaps both agree on: what about WarpWallet-type encryption on top of the mnemonic phrases?

Extending the password with a salt first and then using that for encryption is always a great idea. Extending it with a strong key derivation function that is expensive to brute-force, such as scrypt (which uses a lot of memory), is an even better idea. Setting the values N=2^18 and r=8 is also a good setting for this purpose: https://tools.ietf.org/html/rfc7914#section-2

almightyruler (Legendary; Activity: 2268; Merit: 1092)
September 13, 2019, 07:28:18 AM  #37

Seems to me you can stretch and obfuscate as much as you want, but you will never solve a couple of fundamental problems:

1. The original passphrase will still have lower entropy than a sequence of random bytes.

2. The more complicated you make the passphrase->rawkey generation process, the more likely you (or the beneficiaries in your will) are to lose funds.

It's interesting proposing new ways to make a brainwallet more secure, and I get that there are some extraordinary situations where use of a brainwallet may be justified, but otherwise... wouldn't you be better off sticking with something more conventional like a paper wallet?
asenski (Newbie; Activity: 8; Merit: 104)
September 13, 2019, 07:36:40 AM  #38

Extending the password with a salt first and then using that for encryption is always a great idea. Extending it with a strong key derivation function that is expensive to brute-force, such as scrypt (which uses a lot of memory), is an even better idea. Setting the values N=2^18 and r=8 is also a good setting for this purpose: https://tools.ietf.org/html/rfc7914#section-2

Am I understanding this correctly? You are saying that using scrypt with N=2^18 and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing a ton of iterations?

Seems to me you can stretch and obfuscate as much as you want, but you will never solve a couple of fundamental problems:

1. The original passphrase will still have lower entropy than a sequence of random bytes.

2. The more complicated you make the passphrase->rawkey generation process, the more likely you (or the beneficiaries in your will) are to lose funds.

It's interesting proposing new ways to make a brainwallet more secure, and I get that there are some extraordinary situations where use of a brainwallet may be justified, but otherwise... wouldn't you be better off sticking with something more conventional like a paper wallet?

Good points! I'm not suggesting using ONLY brain wallets. I just don't think they should be entirely dismissed because they were badly implemented at first.

I know this is more of a movie script than real life scenario, but interesting nonetheless:

Suppose somehow you are in a third-world country, robbed and left with nothing, and you have a stash you can access via a brain wallet just by a passphrase and a salt.

(And I DON'T like that WarpWallet uses email for the salt, but it could be anything that you are likely to remember forever.)
pooya87 (Legendary; Activity: 3500; Merit: 10695)
September 15, 2019, 04:17:45 AM  #39

Extending the password with a salt first and then using that for encryption is always a great idea. Extending it with a strong key derivation function that is expensive to brute-force, such as scrypt (which uses a lot of memory), is an even better idea. Setting the values N=2^18 and r=8 is also a good setting for this purpose: https://tools.ietf.org/html/rfc7914#section-2

Am I understanding this correctly? You are saying that using scrypt with N=2^18 and r=8 is just as good as WarpWallet, thus WarpWallet isn't achieving much by doing a ton of iterations?

It depends on which layer it is used at.

* If scrypt is used to generate the mnemonic from a passphrase, as it is with WarpWallet and brain wallets, it is a bad idea, because even if it is a memory-expensive KDF it still doesn't solve the problem of people using simple passwords, and the attacker does NOT have to have access to anything to steal their coins. All they have to do is iterate over the most common words and rob them. Look at this: https://bitcointalk.org/index.php?topic=4768828.0 It obviously will take a lot longer than SHA256, but it will not be impossible. If there is incentive, they will do it.

* But if it is used only for the encryption step, the attacker first has to gain physical access to your paper wallet, for example, and then attempt to brute-force that. So in this case scrypt is only used as one of the many security layers you are putting in place.
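As an added example (not code from this thread, from WarpWallet or from any poster), the Python block below puts the two layers pooya87 distinguishes side by side: scrypt with the thread's N=2^18, r=8 cost as a passphrase stretcher, and that same stretched key used only to wrap a randomly generated seed, as proposed for the encrypted mnemonic printout in posts #33 and #36. The encrypt-then-MAC wrapper built from HMAC-SHA256 is an assumption made here because the standard library ships no AEAD; the passphrase, salt and 16-byte seed are constructed sample values, and a real wallet would encode the seed as 12 BIP39 words.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost discussed in the thread (WarpWallet-style): N=2^18, r=8, p=1
N_THREAD, R_THREAD, P_THREAD = 2 ** 18, 8, 1


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of scrypt's V table, 128*r*N bytes; this is what makes it memory-hard
    (256 MiB for the thread's parameters), while a plain SHA256 guess needs none."""
    return 128 * r * n


def stretch(passphrase: str, salt: str, n: int = N_THREAD, r: int = R_THREAD,
            p: int = P_THREAD) -> bytes:
    """Derive 64 bytes from passphrase+salt with scrypt (stdlib, OpenSSL-backed).
    Stretching raises the cost per guess; it adds no entropy to a weak passphrase."""
    return hashlib.scrypt(passphrase.encode(), salt=salt.encode(), n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, an assumed stand-in for a real AEAD cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_seed(seed: bytes, passphrase: str, salt: str, n: int = N_THREAD) -> bytes:
    """Encrypt-then-MAC a randomly generated seed under a scrypt-stretched passphrase.
    Output: nonce(16) || ciphertext || tag(32). This blob is what gets printed; an
    attacker needs both the blob and a correct passphrase guess, the second layer."""
    km = stretch(passphrase, salt, n=n)
    enc_key, mac_key = km[:32], km[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_seed(blob: bytes, passphrase: str, salt: str,
                n: int = N_THREAD) -> Optional[bytes]:
    """Return the seed, or None if the tag fails (wrong passphrase or tampered blob)."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    km = stretch(passphrase, salt, n=n)
    enc_key, mac_key = km[:32], km[32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample values; the seed is random, unlike a brainwallet passphrase.
    seed = secrets.token_bytes(16)
    blob = wrap_seed(seed, "correct horse battery staple", "me@example.invalid")
    print("scrypt V table: %d MiB" % (scrypt_memory_bytes(N_THREAD, R_THREAD) >> 20))
    print("wrapped seed:", blob.hex())
    assert unwrap_seed(blob, "correct horse battery staple", "me@example.invalid") == seed
```

Running the block at N=2^18 needs roughly 256 MiB of RAM per derivation, which is the point; pass a smaller n to the functions to see the construction work cheaply.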

iparktur (Jr. Member; Activity: 119; Merit: 1)
October 26, 2019, 02:52:06 PM  #40

Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.

Hi ryanc!

Can you send me a PM?