Topic: Passphrase-protected private key format BIP proposal (plus working code)
casascius (OP)
Mike Caldwell
November 22, 2012, 05:55:11 AM
Last edit: November 23, 2012, 05:24:52 PM by casascius
 #1

I have finally gotten around to writing up a proposal and test implementation for my Passphrase-Protected Private Keys proposal.  I have requested a BIP number be assigned.

The proposal is at https://en.bitcoin.it/wiki/Casascius/BIP_draft_for_passphrase-protected_private_key

The code (Windows, with source) can be found at https://casascius.com/btcaddress-alpha.zip (minimally tested; use at your own risk).

Also on github: https://github.com/casascius/Bitcoin-Address-Utility

HERE IS WHAT YOU CAN DO:

1. Encrypt private keys with a password, including printing password-protected paper wallets.  Password-protected private keys start with "6P".  You can decrypt them with this utility.  I am hoping by making a BIP of the standard, that you can decrypt them anywhere a private key is accepted.  For example, you could use this to put paper wallets in your safety deposit box without worrying that somebody from the bank could snoop in your box, and then keep the password memorized or at home.

2. Encrypt a passphrase into an intermediate value that can be used to create two-factor password-protected physical bitcoins.  That intermediate value can be used to create new keypairs for physical bitcoins that can only be redeemed with the original passphrase.  That means you can choose a passphrase, send me the intermediate value, and then I can make passphrase-protected physical bitcoins that only you can redeem, without me knowing the passphrase.  (The "intermediate value" consists of some salt and an elliptic-curve point derived from your password).

All password derivation is done using scrypt and is properly salted, so password cracking is extremely difficult.  A secure password good enough for a website is good enough here - the standard isn't as high as, say, an unsalted SHA256-based brainwallet.

An example of how it works (method 1):

You pick a passphrase "Satoshi" and have the private key 5KN7MzqK5wt2TP1fQCYyHBtDrXdJuXbUzm4A9rKAteGu3Qi5CVR.
When you encrypt it with my tool, the result is 6PRVWUbkzzsbcVac2qwfssoUJAN1Xhrg6bNk8J7Nzm5H7kxEbn2Nh2ZoGg.
(Using this method, the resulting Bitcoin address is used as salt, so the same private key and passphrase will always yield the same encrypted result).

An example of how it works (method 2):

You pick a passphrase "Satoshi" and enter it into my tool (or somebody else's tool implementing my BIP)
The tool gives you the following intermediate code: passphraseoRDGAXTWzbp72eVbtUDdn1rwpgPUGjNZEc6CGBo8i5EC1FPW8wcnLdq4ThKzAS
(the code contains 64 bits worth of salt, so you get a different intermediate even if you re-encode the same passphrase)

You give me the intermediate code.  I use it to create a physical bitcoin.
The physical bitcoin has the address 1CqzrtZC6mXSAhoxtFwVjz8LtwLJjDYU3V and you fund it.
The code inside the physical bitcoin is 6PfLGnQs6VZnrNpmVKfjotbnQuaJK4KZoPFrAjx1JMJUa1Ft8gnf5WxfKd (just wait and see how I fit this long sucker inside my bar... don't worry it's just as legible as all my other codes)
I am unable to compute the private key with just the intermediate.

You enter this code and the original passphrase "Satoshi".  The decryption process is slow and takes several seconds; this maximizes your security against brute force attacks.
You get the unencrypted private key 5KJ51SgxWaAYR13zd9ReMhJpwrcX47xTJh2D3fGPG9CM8vkv5sH and can claim the funds for 1CqzrtZC6mXSAhoxtFwVjz8LtwLJjDYU3V.

EDIT: reduced the scrypt strength of the 2nd half of method 2 since it's unnecessary - the passphrase is crunched entirely in the 1st half.  This invalidates my previous example of method 2 and I updated it.  I don't expect anyone is relying on these yet given this is merely a proposed draft, but just in case, if you've created any with the previous version, use the same version to decrypt it.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
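
Added example, not part of the original post or of the author's utility: a Base58Check validator that tells a "6P" passphrase-protected string from a plaintext private key and catches transcription errors before any scrypt work is done. The post only states the "6P" prefix; the byte layout checked here (39-byte payload starting 0x01 0x42, or 0x01 0x43 for the intermediate-code variant) is taken from the published BIP38 text and is an assumption with respect to this draft.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_decode(text):
    """Return the payload of a Base58Check string, or None if it is malformed."""
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            return None                      # character outside the Base58 alphabet
        num = num * 58 + idx
    raw = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' character encodes one leading zero byte
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    if len(raw) < 5:
        return None
    payload, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == check else None

def classify_key(text):
    """Classify a printed key string without needing the passphrase."""
    payload = b58check_decode(text.strip())
    if payload is None:
        return "invalid"                     # typo or damaged print: checksum mismatch
    # Layout below is assumed from the published BIP38 text, not from this post
    if len(payload) == 39 and payload[0] == 0x01 and payload[1] in (0x42, 0x43):
        return "encrypted-ec-multiply" if payload[1] == 0x43 else "encrypted"
    if payload[0] == 0x80 and len(payload) in (33, 34):
        return "plaintext-wif"               # spendable by anyone who can read it
    return "unknown"

# Strings quoted in the post (method 1 example)
WIF = "5KN7MzqK5wt2TP1fQCYyHBtDrXdJuXbUzm4A9rKAteGu3Qi5CVR"
ENC = "6PRVWUbkzzsbcVac2qwfssoUJAN1Xhrg6bNk8J7Nzm5H7kxEbn2Nh2ZoGg"

if __name__ == "__main__":
    # The third input is a constructed one-character typo of ENC
    for s in (WIF, ENC, ENC[:-1] + "h"):
        print(s[:12] + "...", classify_key(s))
```

A check like this is useful when auditing stored or printed wallets: anything classified as plaintext-wif is unprotected, and an invalid result points to a copying error rather than a wrong passphrase.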
luv2drnkbr
November 22, 2012, 11:39:56 AM
 #2

awesome

J-Norm
November 22, 2012, 10:17:55 PM
 #3

Good idea to use salt. Looks sturdy.
chriswilmer
November 22, 2012, 10:36:02 PM
 #4

Great!
casascius (OP)
December 05, 2012, 06:01:45 AM
 #5

Updated Github with ability to manually input your own private keys so you can print them as voucher notes.

wtfvanity
December 05, 2012, 07:34:51 PM
 #6

Quote from: casascius on December 05, 2012, 06:01:45 AM
    Updated Github with ability to manually input your own private keys so you can print them as voucher notes.

Much better system than what I hacked in to make it work. I'll do some testing but I love what you have here. Love the passphrase protected private keys as well.

casascius (OP)
December 05, 2012, 07:39:16 PM
 #7

Quote from: wtfvanity on December 05, 2012, 07:34:51 PM
    Quote from: casascius on December 05, 2012, 06:01:45 AM
        Updated Github with ability to manually input your own private keys so you can print them as voucher notes.

    Much better system than what I hacked in to make it work. I'll do some testing but I love what you have here. Love the passphrase protected private keys as well.

I think I checked in UI elements to allow batch entry, but haven't written the code to actually parse them.

casascius (OP)
December 05, 2012, 07:41:37 PM
 #8

Locking this thread so we don't have two active threads on the topic: continue at https://bitcointalk.org/index.php?topic=129317.msg1380271
