Bitcoin Forum
May 02, 2024, 01:22:19 AM *
Author Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet  (Read 965790 times)
jl2012
Legendary
Activity: 1792
Merit: 1093
August 09, 2014, 07:17:00 PM
 #2061

@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.
But if the new Trezor can use those words in random order, why couldn't the attacker do it too?
Please read this: https://github.com/satoshilabs/docs/blob/master/trezor-user/recovery.rst
I have read it but cannot see the answer.

The attack that worries the OP may be:  hacker installs malicious browser/plugin in many computers and waits for one of the owners to start the recovery procedure.  As the victim types the words, the malicious software sends them to the thief, and sends the wrong words to the victim's Trezor, so that his recovery will fail.  Meanwhile the thief starts the legitimate recovery procedure with another Trezor, enters the words (garbled, with nulls and all), and gets access to the victim's wallet.

(A basic problem of all security systems is that, whatever one must do to get access, someone else with the right information could do the same.  Including biometrics.  Thus, security always depends ultimately on preventing the bad guys from getting some critical information that the good guys have somewhere.)

The TREZOR will ask you to enter the recovery seed in random order, and the order is only displayed on the Trezor. Your computer doesn't know what order is right.

So even if the attacker has all the words, it is pretty much useless. And the entered order is different every time you are prompted to enter it!

As I read from the manual, the Trezor will also ask the user to input some random extra words, making it more secure. Still, I don't feel very comfortable entering my private key on a network-connected computer.

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Carlton Banks
Legendary
Activity: 3430
Merit: 3071
August 09, 2014, 07:21:35 PM
 #2062

Why not make a small recovery utility, to be used on a cheap device (Raspberry Pi, etc) that's kept permanently offline? Or would wallet/seed recovery functions in MyTREZOR work if copied to an offline machine? I realise third party wallet software with Trezor compatibility could be used, but this may take some time to reach the main branch of those projects, or possibly never happen if the developers change their minds (however doubtful that is).

Vires in numeris
Perlover
Full Member
Activity: 162
Merit: 109
August 09, 2014, 07:23:41 PM
 #2063

Hi,

please wait

Ok, MyTrezor.com asks a user (I don't know - I didn't get my Trezor, I wait) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of words. Am I right?
It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device - this process can be automated. 2^12 computations can be run on a computer in seconds or less than one second.

I am not talking about guessing the seed (where there are 2^128 combinations). I am talking about guessing the seed if the hacker knows exactly the 12 words of the seed (with one word, the hacker already knows exactly 2^11 bits of a seed part), which he sniffed with a trojan, a faked mytrezor.com site, etc.
TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
August 09, 2014, 07:26:57 PM
 #2064

Hi,

please wait

Ok, MyTrezor.com asks a user (I don't know - I didn't get my Trezor, I wait) to enter 12 (by default) words. Maybe it asks in a random order directed by the Trezor device. But the words are entered on the computer! The trojan already knows exactly 12 words; maybe the order is randomized, but there may be 2^12 variants to get the right order of words. Am I right?
It's a BIP32 wallet, so the hacker doesn't need to use a Trezor device - this process can be automated. 2^12 computations can be run on a computer in seconds or less than one second.

I am not talking about guessing the seed. I am talking about guessing the seed if the hacker knows exactly the 12 words of the seed, which he sniffed with a trojan, a faked mytrezor.com site, etc.

12 words is completely insecure if the attacker has infested your computer:

 Input: 12!


Result: 479001600 combinations

Just choose 24! and if you are paranoid then make a new account after recovery.

Perlover
Full Member
Activity: 162
Merit: 109
August 09, 2014, 07:34:05 PM
Last edit: August 09, 2014, 07:45:34 PM by Perlover
 #2065

Ok, I am a hacker and the right seed (for an easy example) is three words, but the dictionary has 2048 words for one position (as Trezor has):

User entered: red green blue

Hacker got: blue green red

Ok, he runs the process and gets only these variants (B, G, R):

B G R
G B R
R G B
B R G

Here there are 2^2 variants (maybe because 2^(3-1))

If the hacker doesn't know the exact words, he has to try 2048^3 variants (maybe 'red', maybe 'cat' and so on).

Now imagine it for 12 words and for 24 words.
Maybe there will be 2^11 variants for 12 words, not 2^12 as I wrote above.
Ok, for 24 words we will get 2^23 = 8388608 combinations.
I think these combinations can be computed in 1-10 seconds. I think the user will not have time to send his bitcoins elsewhere.

Ok, wallet32 is an Android application that is a BIP32 wallet. But if you use a special hardware device with the private keys only inside it, it would be very strange to set up the seed on an Android phone for sending all the bitcoins :) If you trust your Android phone the same as a Trezor, I think this topic is not for you :)

But this hack will be done in one second if the hacker sniffs the 12 or 24 words.
TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
August 09, 2014, 07:44:10 PM
 #2066

Ok, I am a hacker and the right seed (for an easy example) is three words, but the dictionary has 2048 words for one position (as Trezor has):

User entered: red green blue

Hacker got: blue green red

Ok, he runs the process and gets only these variants (B, G, R):

B G R
G B R
R G B
B R G

Here there are 2^2 variants (maybe because 2^(3-1))

If the hacker doesn't know, he has to try 2048^3 variants (maybe 'red', maybe 'cat' and so on).

Now imagine it for 12 words and for 24 words.
Maybe there will be 2^11 variants for 12 words, not 2^12 as I wrote above.
Ok, for 24 words we will get 2^23 = 8388608 combinations.
I think these combinations can be computed in 1-10 seconds. I think the user will not have time to send his bitcoins elsewhere.

Ok, the wallet32 Android application is a BIP32 wallet. But if you use a hardware device with the private keys only in this device, it would be very strange to set up the seed on an Android device for sending all the bitcoins :)

But this hack will be done in one second if the hacker sniffs the 12 or 24 words.

Your math is off, it is not 2^X but X!

3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23

This number is incredibly huge, but potentially crackable!

Perlover
Full Member
Activity: 162
Merit: 109
August 09, 2014, 07:49:32 PM
 #2067


Your math is off, it is not 2^X but X!

3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23

This number is incredibly huge, but potentially crackable!

Sorry, I don't understand your math :)


3! = 3x2x1 = 6 combinations
^^^^ Why? Please write the other variants for my example. You say that there (in my example) should be 6 variants. Please add the other two :)

TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
August 09, 2014, 07:51:49 PM
 #2068


Your math is off, it is not 2^X but X!

3! = 3x2x1 = 6 combinations
12! = 479001600
24! = 6.2044840173323943936 × 10^23

This number is incredibly huge, but potentially crackable!

Sorry, I don't understand your math :)


3! = 3x2x1 = 6 combinations
^^^^ Why? Please write the other variants for my example. You say that there (in my example) should be 6 variants. Please add the other two :)



If you have 3 words that can be on each position, but can only be used once, the math to calculate the total amount of combinations is 3! aka 3x2x1
Proof:
1 2 3
1 3 2
2 1 3
2 3 1
3 1 2
3 2 1

Those are all the possible combinations.

12! = 12x11x10x9x...x2x1
So you see, 24! would be an incredible amount of combinations you would not be able to crack very easily.

Perlover
Full Member
Activity: 162
Merit: 109
August 09, 2014, 07:53:30 PM
 #2069

Sorry, yes, you are right.
I see now

But I think if the hacker knows the exact words in random order, it's not fine

Ok, I will use 24 words. I think 6.2044840173323943936 × 10^23 variants of brute force will be enough for me :)

P.S. Only a suggestion for future versions of the Trezor recovery procedure. Now the 12 or 24 words are written on one paper. The Armory program has 3-of-4 backup types, for example. If the same backup were possible in Trezor too, I would be happy :) I understand that it's a more difficult procedure and there is a lot of programming for this. It's only a suggestion.
TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
August 09, 2014, 07:57:27 PM
 #2070

Sorry, yes, you are right.
I see now

But I think if the hacker knows the exact words in random order, it's not fine

Ok, I will use 24 words. I think 6.2044840173323943936 × 10^23 variants of brute force will be enough for me :)


Very good decision. And I agree that the 12 word option should probably not be the default!

JorgeStolfi
Hero Member
Activity: 910
Merit: 1003
August 09, 2014, 08:16:32 PM
 #2071

Only the victim and victim's Trezor knows the order of the words. The order is generated by Trezor, only shown on its screen, and never transmitted to the infected computer. The malware may make the recovery fail. However, as the malware does not know the order, it can't recover the wallet either
I see it, thanks.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
molecular
Donator
Legendary
Activity: 2772
Merit: 1019
August 09, 2014, 09:08:11 PM
 #2072

@Pelover, well, the seed is entered in a random order. So even if the computer is compromised the attacker still needs to try 24! combinations before cracking your password. So you will have enough time to create a new account as BurtW said.

In addition to that, Trezor asks you to enter random words from the dictionary in between the shuffled seed words.

However: should you make a mistake and have to redo the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.

With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
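
The two counting arguments in the posts above (X! orderings in #2068, and the overlap between a failed and a successful restore in #2072), worked through as an added example that is not part of the original thread or of Trezor's code. The decoy count of 12 and the placeholder word list are assumptions; the thread does not state how many random words the device inserts.

```python
import math
import random

# Constructed stand-in for the 2048-word dictionary mentioned in the thread.
WORDLIST = [f"w{i:04d}" for i in range(2048)]

def recovery_session(seed_words, n_decoys, rng):
    """What the host computer (or a keylogger on it) sees in one recovery:
    the seed words plus fresh decoy words, in an order chosen by the device.
    Which entries are decoys, and the true order, stay on the device screen."""
    pool = [w for w in WORDLIST if w not in seed_words]
    typed = list(seed_words) + rng.sample(pool, n_decoys)
    rng.shuffle(typed)
    return typed

def candidates_after_one_session(n_seed, n_decoys):
    """Ordered selections of n_seed words out of everything that was typed."""
    return math.perm(n_seed + n_decoys, n_seed)

def candidates_after_two_sessions(session_a, session_b, n_seed):
    """Decoys differ between sessions, so the overlap is (almost always)
    exactly the seed words; only their order remains unknown."""
    common = set(session_a) & set(session_b)
    # math.perm also covers the rare case where a decoy repeats by chance.
    return common, math.perm(len(common), n_seed)

def bits(count):
    """Size of a search space expressed as bits of work."""
    return math.log2(count)

if __name__ == "__main__":
    rng = random.Random()        # assumption: a real device uses a hardware RNG
    seed = WORDLIST[100:112]     # constructed 12-word seed
    first = recovery_session(seed, 12, rng)
    second = recovery_session(seed, 12, rng)
    one = candidates_after_one_session(12, 12)
    common, two = candidates_after_two_sessions(first, second, 12)
    print(f"one session : {one} orderings ({bits(one):.1f} bits)")
    print(f"two sessions: {two} orderings ({bits(two):.1f} bits), "
          f"{len(common)} words in common")
    print(f"24-word seed: {bits(math.factorial(24)):.1f} bits")
```
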
Carlton Banks
Legendary
Activity: 3430
Merit: 3071
August 09, 2014, 10:10:40 PM
 #2073

However: should you make a mistake and have to redo the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.

With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.


Definitely needs that offline recovery tool

Vires in numeris
TwinWinNerD
Legendary
Activity: 1680
Merit: 1001
CEO Bitpanda.com
August 09, 2014, 10:17:37 PM
 #2074

However: should you make a mistake and have to redo the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.

With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.


Definitely needs that offline recovery tool

Or a 36 seed recovery.

Another possibility would be that a certain TREZOR has hardware specific "random words" in the seed recovery. So even if you recover twice on the same trezor, the attacker wouldn't know what the wrong words were.

molecular
Donator
Legendary
Activity: 2772
Merit: 1019
August 09, 2014, 10:22:24 PM
 #2075

However: should you make a mistake and have to redo the whole process, the random words will be known to a keylogger, because Trezor chooses different random words every time. So the words identical between the 2 restore processes (1 failed, 1 succeeded) will be the seed words.

With a 12 word seed there are only 12! = 479,001,600 combinations. So better not "try again" after a failed restore from seed on the same machine if you have a short seed like that... or just use a 24 word seed to be safe.


Definitely needs that offline recovery tool

Or a 36 seed recovery.

Another possibility would be that a certain TREZOR has hardware specific "random words" in the seed recovery. So even if you recover twice on the same trezor, the attacker wouldn't know what the wrong words were.

I just discovered random words are not used on 24 word seed. Maybe random words are used just to fill up to 24 words? Would make sense.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
devthedev
Legendary
Activity: 1050
Merit: 1004
August 09, 2014, 10:24:08 PM
 #2076

I wish there was an alternative way to recover the Bitcoin in case of hardware failure or other abnormality. Instead of having to wait for another Trezor to come in.

DannyElfman
Sr. Member
Activity: 406
Merit: 250
August 09, 2014, 10:39:52 PM
 #2077

I wish there was an alternative way to recover the Bitcoin in case of hardware failure or other abnormality. Instead of having to wait for another Trezor to come in.

If it is using BIP32, you should be able to just enter the seed into a program capable of restoring a BIP32 wallet?

This spot for rent.
keithers
Legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
August 09, 2014, 10:44:15 PM
 #2078

Still excited to get my Trezor.   Processing and shipping was pretty fast.   I ordered on 8/4, and it is already through customs... probably only a few days out from here.   I thought I would have to wait for much longer for it to actually arrive...
ajas
Member
Activity: 130
Merit: 58
August 09, 2014, 11:07:19 PM
 #2079


I have a question concerning advanced settings (use of passphrases).

As far as I see there are two exclusive options:
1) use no passphrases at all.
2) use one or more passphrases.

It would be nice to set up Trezor in a way so that you can have at the same time:
1) one 'account' with no passphrase (for small money).
    This could pop up in the web wallet immediately without further interaction when you connect the Trezor.
2) one or more (hidden) accounts. These would be visible only if the correct passphrase is
    (optionally) given.

Is this possible?
AussieHash
Hero Member
Activity: 692
Merit: 500
August 09, 2014, 11:41:51 PM
 #2080

It would be nice to set up Trezor in a way so that you can have at the same time:
1) one 'account' with no passphrase (for small money).
    This could pop up in the web wallet immediately without further interaction when you connect the Trezor.
2) one or more (hidden) accounts. These would be visible only if the correct passphrase is
    (optionally) given.
Is this possible?

http://doc.satoshilabs.com/trezor-user/advanced_settings.html