jl2012
August 09, 2014, 07:17:00 PM |
@Perlover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer. The attack that worries the OP may be: a hacker installs a malicious browser/plugin on many computers and waits for one of the owners to start the recovery procedure. As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail. Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet. (A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same. Including biometrics. Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)
The TREZOR will ask you to enter the recovery seed in random order, and the order is only displayed on the Trezor. Your computer doesn't know what order is right. So even if the attacker has all the words, it is pretty much useless. And the entered order is different every time you are prompted to enter it!
As I read from the manual, the Trezor will also ask the user to input some random extra words, making it more secure. Still, I don't feel very comfortable entering my private key on a network-connected computer.
Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY) LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC) PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Carlton Banks
August 09, 2014, 07:21:35 PM |
Why not make a small recovery utility, to be used on a cheap device (Raspberry Pi, etc) that's kept permanently offline? Or would wallet/seed recovery functions in MyTREZOR work if copied to an offline machine? I realise third party wallet software with Trezor compatibility could be used, but this may take some time to reach the main branch of those projects, or possibly never happen if the developers change their minds (however doubtful that is).
Vires in numeris
Perlover
August 09, 2014, 07:23:41 PM |
Hi,
please wait
Ok, MyTrezor.com asks a user (I don't know, I didn't get my Trezor yet, I'm waiting) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly the 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of the words. Am I right? It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device; this process can be automated. 2^12 computations can be run on a computer in seconds or less than one second.
I don't talk about guessing the seed (where there are 2^128 combinations). I am talking about guessing the seed if the hacker knows exactly the 12 words (one word means the hacker already knows exactly 2^11 bits of the seed part) of the seed which he sniffed by trojan/faked mytrezor.com site etc.
TwinWinNerD
August 09, 2014, 07:26:57 PM |
Hi,
please wait
Ok, MyTrezor.com asks a user (I don't know, I didn't get my Trezor yet, I'm waiting) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly the 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of the words. Am I right? It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device; this process can be automated. 2^12 computations can be run on a computer in seconds or less than one second.
I don't talk about guessing the seed. I am talking about guessing the seed if the hacker knows exactly the 12 words of the seed which he sniffed by trojan/faked mytrezor.com site etc.
12 words is completely insecure if the attacker has infested your computer:
Input: 12!
Result: 479001600 combinations
Just choose 24! and if you are paranoid then make a new account after recovery.
Perlover
August 09, 2014, 07:34:05 PM Last edit: August 09, 2014, 07:45:34 PM by Perlover |
Ok, I am the hacker and the right seed (for an easy example) is three words, but the dictionary has 2048 words for each position (as Trezor has):
User entered: red green blue
Hacker got: blue green red
Ok, he runs the process and gets only these variants (B, G, R):
B G R
G B R
R G B
B R G
Here there are 2^2 variants (maybe because 2^(3-1)). If the hacker doesn't know the exact words he should make 2048^3 variants (maybe 'red', maybe 'cat' and so on).
Now imagine it for 12 words and for 24 words. Maybe there will be 2^11 variants for 12 words, not 2^12 as I wrote above. Ok, for 24 words we will get 2^23 = 8388608 combinations. I think these combinations can be computed in 1-10 seconds. I think the user will not have time to send his bitcoins elsewhere.
Ok, wallet32 is an Android application, a BIP32 wallet. But if you use a special hardware device with the private keys inside only, it will be very strange to set up the seed on an Android phone for sending all the bitcoins. If you trust your Android phone the same as the Trezor, I think this topic is not for you. But this hack will be made in one second if the hacker sniffs the 12 or 24 words.
TwinWinNerD
August 09, 2014, 07:44:10 PM |
Ok, I am the hacker and the right seed (for an easy example) is three words, but the dictionary has 2048 words for each position (as Trezor has): User entered: red green blue. Hacker got: blue green red. Ok, he runs the process and gets only these variants (B, G, R): B G R, G B R, R G B, B R G. Here there are 2^2 variants (maybe because 2^(3-1)). If the hacker doesn't know he should make 2048^3 variants (maybe 'red', maybe 'cat' and so on). Now imagine it for 12 words and for 24 words. Maybe there will be 2^11 variants for 12 words, not 2^12 as I wrote above. Ok, for 24 words we will get 2^23 = 8388608 combinations. I think these combinations can be computed in 1-10 seconds. I think the user will not have time to send his bitcoins elsewhere. Ok, the wallet32 Android application is a BIP32 wallet. But if you use a hardware device with the private keys only in this device, it will be very strange to set up the seed on an Android device for sending all the bitcoins. But this hack will be made in one second if the hacker sniffs the 12 or 24 words.
Your math is off, it is not 2^X but X!
3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23
This number is incredibly huge, but potentially crackable!
Perlover
August 09, 2014, 07:49:32 PM |
Your math is off, it is not 2^X but X!
3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23
This number is incredibly huge, but potentially crackable!
Sorry, I don't understand your math.
3! = 3x2x1 = 6 combinations
^^^^ Why? Please write the other variants for my example. You say that there (in my example) should be 6 variants. Please add the other two.
TwinWinNerD
August 09, 2014, 07:51:49 PM |
Your math is off, it is not 2^X but X!
3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23
This number is incredibly huge, but potentially crackable!
Sorry, I don't understand your math. 3! = 3x2x1 = 6 combinations ^^^^ Why? Please write the other variants for my example. You say that there (in my example) should be 6 variants. Please add the other two.
If you have 3 words that can be in each position, but can only be used once, the math to calculate the total number of combinations is 3!, aka 3x2x1.
Proof:
1 2 3
1 3 2
2 1 3
2 3 1
3 1 2
3 2 1
Those are all the possible combinations.
12! = 12x11x10x9x...x2x1
So you see, 24! would be an incredible number of combinations that you would not be able to crack very easily.
Perlover
August 09, 2014, 07:53:30 PM |
Sorry, yes, you are right. I see now. But I think if the hacker knows the exact words in random order it's not fine. Ok, I will use 24 words. I think 6.2044840173323943936 × 10^23 variants of brute force will be enough for me.
P.S. Only a suggestion for future versions of the Trezor recovery procedure. Now 12 or 24 words are written on one paper. The Armory program has 3-of-4 backup types, for example. If the same backup could be in Trezor too, I will be happy. I understand that it's a more difficult procedure and there is a lot of programming for this. It's only a suggestion.
TwinWinNerD
August 09, 2014, 07:57:27 PM |
Sorry, yes, you are right. I see now. But I think if the hacker knows the exact words in random order it's not fine. Ok, I will use 24 words. I think 6.2044840173323943936 × 10^23 variants of brute force will be enough for me.
Very good decision. And I agree that the 12 word option should probably not be the default!
JorgeStolfi
August 09, 2014, 08:16:32 PM |
Only the victim and the victim's Trezor know the order of the words. The order is generated by the Trezor, only shown on its screen, and never transmitted to the infected computer. The malware may make the recovery fail. However, as the malware does not know the order, it can't recover the wallet either.
I see it, thanks.
Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
molecular
August 09, 2014, 09:08:11 PM |
@Perlover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
In addition to that, Trezor asks you to enter random words from the dictionary in between the shuffled seed words. However: should you make a mistake and have to re-do the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words. With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
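The mechanics argued over in the posts above (a keylogger that sees the typed words but not the device-chosen order, the 12! and 24! permutation counts, and the two-session intersection that strips out the filler words), as an added example that is not part of the thread and not SatoshiLabs' code. It works on BIP39 word indices instead of word strings so it needs no wordlist file; the filler-word pool, the `n_fillers` parameter and the number of captured sessions are assumptions made for the simulation. It also applies one refinement the thread does not mention: a BIP39 mnemonic carries a checksum, so only about 1 in 2^(n/3) orderings (1 in 16 for 12 words, 1 in 256 for 24) is even a valid candidate, and every candidate that survives that cheap filter still needs a 2048-round PBKDF2 plus key derivation before it can be checked against the chain.

```python
# Added example (editor's code, not from the thread or from SatoshiLabs): a
# simulation of what a keylogger on the host learns during a shuffled-order
# recovery, and how much guessing is left for the attacker afterwards.
# Assumptions (not stated in the thread): seed words are handled as BIP39
# wordlist indices 0..2047 so no wordlist file is needed; the device's filler
# words are drawn from that same index range and never collide with real words.
import hashlib
import math
import random
import secrets
import unicodedata

WORDLIST_SIZE = 2048


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39: append ENT/32 checksum bits (top bits of SHA-256) and cut the
    result into 11-bit word indices (16 bytes -> 12 words, 32 bytes -> 24)."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def checksum_ok(indices: list) -> bool:
    """True iff this particular ordering of words carries a valid BIP39 checksum."""
    n = len(indices)
    cs_bits = n // 3
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes((n * 11 - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def host_view_of_recovery(seed: list, n_fillers: int, rng=None) -> list:
    """One recovery session as the host (and any keylogger on it) sees it: the
    device mixes random filler words into the seed words and shuffles the lot.
    Which positions are fillers, and the real order, are shown only on the
    device screen, so the host gets nothing but the typed sequence."""
    rng = rng or secrets.SystemRandom()
    typed = list(seed)
    while len(typed) < len(seed) + n_fillers:
        w = rng.randrange(WORDLIST_SIZE)
        if w not in seed:
            typed.append(w)
    rng.shuffle(typed)
    return typed


def words_common_to_sessions(sessions: list) -> set:
    """A keylogger that captured several sessions: fillers change each time but
    the seed words do not, so the intersection is the seed set (plus any filler
    that happened to repeat)."""
    return set.intersection(*(set(s) for s in sessions))


def expected_candidates(n_seed: int, n_observed: int) -> int:
    """Orderings to test from one capture: choose which n_seed of the observed
    words are real, order them, and keep the ~1/2^(n/3) that pass the checksum.
    The checksum is the cheap filter; each survivor still costs a 2048-round
    PBKDF2 plus BIP32 derivation before it can be compared with the chain."""
    return math.comb(n_observed, n_seed) * math.factorial(n_seed) // 2 ** (n_seed // 3)


def checksum_pass_fraction(seed: list, trials: int, rng_seed: int) -> float:
    """Empirical share of random orderings of the real words passing the checksum
    (seeded PRNG so the measurement is reproducible)."""
    rng = random.Random(rng_seed)
    order = list(seed)
    hits = 0
    for _ in range(trials):
        rng.shuffle(order)
        hits += checksum_ok(order)
    return hits / trials


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase.
    This is the per-candidate cost the checksum filter does not remove."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)


if __name__ == "__main__":
    seed12 = entropy_to_indices(secrets.token_bytes(16))
    one, two = (host_view_of_recovery(seed12, n_fillers=6) for _ in range(2))
    print("one capture, 12 real + 6 filler words -> orderings to test:",
          expected_candidates(12, len(one)))
    print("two captures -> seed words exposed:",
          set(seed12) <= words_common_to_sessions([one, two]))
    print("12 words, known to be a permutation: 12!/2^4 =", expected_candidates(12, 12))
    print("24 words, known to be a permutation: 24!/2^8 =", expected_candidates(24, 24))
    print("measured checksum pass rate for 12 words:",
          checksum_pass_fraction(seed12, 4000, rng_seed=1))
```

Comparing `expected_candidates(12, 18)` with `expected_candidates(12, 12)` shows what the filler words buy against a single capture; the `words_common_to_sessions` check shows why they buy nothing once a second attempt is typed on the same machine. The `_DUMMY_` placeholder is not used; every name above is defined in the block.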
Carlton Banks
August 09, 2014, 10:10:40 PM |
However: should you make a mistake and have to re-do the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.
With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.
Definitely needs that offline recovery tool
TwinWinNerD
August 09, 2014, 10:17:37 PM |
However: should you make a mistake and have to re-do the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.
With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.
Definitely needs that offline recovery tool
Or a 36 word seed recovery. Another possibility would be that a certain TREZOR has hardware specific "random words" in the seed recovery. So even if you recover twice on the same Trezor, the attacker wouldn't know what the wrong words were.
molecular
August 09, 2014, 10:22:24 PM |
However: should you make a mistake and have to re-do the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.
With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.
Definitely needs that offline recovery tool
Or a 36 word seed recovery. Another possibility would be that a certain TREZOR has hardware specific "random words" in the seed recovery. So even if you recover twice on the same Trezor, the attacker wouldn't know what the wrong words were.
I just discovered random words are not used on a 24 word seed. Maybe random words are used just to fill up to 24 words? Would make sense.
devthedev
August 09, 2014, 10:24:08 PM |
I wish there was an alternative way to recover the Bitcoin in case of hardware failure or other abnormality. Instead of having to wait for another Trezor to come in.
DannyElfman
August 09, 2014, 10:39:52 PM |
I wish there was an alternative way to recover the Bitcoin in case of hardware failure or other abnormality. Instead of having to wait for another Trezor to come in.
If it is using BIP32, you should be able to just enter the seed into a program capable of restoring a BIP32 wallet?
This spot for rent.
keithers
August 09, 2014, 10:44:15 PM |
Still excited to get my Trezor. Processing and shipping was pretty fast. I ordered on 8/4, and it is already through customs... probably only a few days out from here. I thought I would have to wait for much longer for it to actually arrive...
ajas
August 09, 2014, 11:07:19 PM |
I have a question concerning advanced settings (use of passphrases).
As far as I see there are two exclusive options:
1) use no passphrases at all.
2) use one or more passphrases.
It would be nice to set up Trezor in a way so that you can have at the same time:
1) one 'account' with no passphrase (for small money). This could pop up in the web wallet immediately without further interaction when you connect the Trezor.
2) one or more (hidden) accounts. These would be visible only if the correct passphrase is (optionally) given.
Is this possible?
AussieHash
August 09, 2014, 11:41:51 PM |
It would be nice to set up Trezor in a way so that you can have at the same time: 1) one 'account' with no passphrase (for small money). This could pop up in the web wallet immediately without further interaction when you connect the Trezor. 2) one or more (hidden) accounts. These would be visible only if the correct passphrase is (optionally) given. Is this possible?
http://doc.satoshilabs.com/trezor-user/advanced_settings.html
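How the passphrase setting linked above gives the layout ajas asks for, as an added example (editor's code, not from the thread or from SatoshiLabs): the passphrase is folded into the BIP39 seed derivation, so the empty passphrase is one wallet and every other string is another, derived on the fly with no stored list of accounts and no way for the device to flag a mistyped passphrase as wrong. The sample mnemonic and the passphrases are constructed for illustration; the wallet master key is derived as BIP32 specifies, from HMAC-SHA512 keyed with "Bitcoin seed".

```python
# Added example (editor's code, not from the thread or from SatoshiLabs) for
# the "one open account plus hidden accounts" question above: every passphrase,
# including the empty one, selects a separate wallet by pure derivation, so the
# device needs no account list and cannot tell a typo from a new hidden wallet.
# Assumptions (not from the thread): the sample mnemonic and passphrases below
# are constructed for illustration.
import hashlib
import hmac
import unicodedata

# secp256k1 group order; a BIP32 master key must be a non-zero scalar below it
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)


def bip32_master(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'; the left half
    is the private key, the right half the chain code. Rejects the (negligibly
    rare) out-of-range key exactly as the spec requires."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("invalid master key, seed unusable")
    return key, digest[32:]


def wallets_for(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to the master private key it unlocks. The empty
    passphrase is the always-visible 'small money' wallet; each other string
    is an independent hidden wallet. Nothing marks a passphrase as wrong:
    a typo simply opens a fresh, empty wallet."""
    return {p: bip32_master(mnemonic_to_seed(mnemonic, p))[0] for p in passphrases}


if __name__ == "__main__":
    # constructed sample mnemonic (the BIP39 all-zero-entropy test vector)
    mnemonic = "abandon " * 11 + "about"
    # "hidden  one" (two spaces) stands in for a typo of "hidden one"
    keys = wallets_for(mnemonic, ["", "hidden one", "hidden  one", "Hidden one"])
    for p, k in keys.items():
        print(repr(p).ljust(16), hex(k)[:18] + "...")
    print("all distinct wallets:", len(set(keys.values())) == len(keys))
```

The practical caveat for the setup ajas describes: because the typo wallet above is as valid as the intended hidden one, funds sent into it after a mistyped passphrase are only reachable by typing the same mistake again, so the passphrase should be verified by checking a known receiving address before anything is sent.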