Nesetalis
|
|
June 13, 2011, 01:13:35 PM |
|
aye I use gpg4win and it crashes constantly :p thankfully the crashes don't screw me over, just make me take a bit longer to do stuff.
|
ZOMG Moo!
|
|
|
ctoon6
|
|
June 13, 2011, 01:17:20 PM |
|
aye I use gpg4win and it crashes constantly :p thankfully the crashes don't screw me over, just make me take a bit longer to do stuff.
There's nothing I hate more than good software that crashes.
|
|
|
|
bcearl
|
|
June 13, 2011, 01:21:09 PM |
|
I wasn't aware of that, I have had no Windows for years now.
7zip seems to use AES256, that may be ok. But you have to choose a strong password; the 5 characters that somebody suggested are way too few. I am talking about 12 or more characters, which are of different types and do not correspond to dictionary words or keyboard patterns.
|
Misspelling protects against dictionary attacks NOT
|
|
|
BombaUcigasa
|
|
June 13, 2011, 01:30:18 PM |
|
What's wrong with 7zip and use a password with a .7z archive?
Nothing. As long as you use AES-256 and encrypt the file listing too.
It's not enough to use AES256, you have to use it without flaws.
I have tried to crack one of my passwords on a 7-zip container just for fun. I had a 3 keys/second generation performance for a 5000 MIPS CPU. Even a 5 chars password would take 20 years to crack by that CPU. Since you could use GPUs, you could lower that to maybe 2 months? Just to break a wallet. I suppose it should have more than 50 BTC to be worth it... Use a sufficiently long password and you should be ok for now. It's an easy method of saving your wallet as it doesn't require you to store keys and whatnot.
What exactly did you test? Why should an attacker try to decrypt the 7zip-file to get the password? There are certainly better ways!
Bruteforce cracking. 5 chars alphanumeric passwords.
|
|
|
|
|
gene (OP)
|
|
June 13, 2011, 01:38:44 PM |
|
What exactly did you test? Why should an attacker try to decrypt the 7zip-file to get the password? There are certainly better ways!
Bruteforce cracking. 5 chars alphanumeric passwords.
This is trivial to bruteforce (~1.0e8 possibilities). Get yourself a longer password.
|
*processing payment* *error 404 : funds not found* Do you want to complain on the forum just to fall for another scam a few days later? | YES | YES |
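Added example, not part of any post in this thread: a Python estimate of the exhaustive-search arithmetic being argued over above, for uniformly random passwords of 5 and 12 characters. The 3 guesses per second figure is the one quoted in the thread; the character-set sizes and the faster rates are assumptions chosen for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes (assumptions about what each class contains).
CHARSETS = {
    "lower+digits": 36,
    "alphanumeric": 62,       # a-z, A-Z, 0-9
    "printable ASCII": 95,    # alphanumeric plus symbols and space
}

def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password of that length, in years."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR

def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)

def min_length(charset_size, guesses_per_second, target_years):
    """Shortest random password whose full search takes >= target_years."""
    needed = guesses_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length

def report(rates, length_short=5, length_long=12):
    """One row per (charset, rate): years for 5 and 12 chars, min safe length."""
    rows = []
    for name, size in CHARSETS.items():
        for rate in rates:
            rows.append((name, rate,
                         years_to_exhaust(size, length_short, rate),
                         years_to_exhaust(size, length_long, rate),
                         min_length(size, rate, 1000)))
    return rows

if __name__ == "__main__":
    # 3 guesses/s is the CPU figure quoted in the thread; the larger rates
    # are constructed placeholders for faster hardware, not measurements.
    for name, rate, y5, y12, need in report([3, 1e4, 1e9]):
        print(f"{name:16} {rate:>8.0e}/s  5 chars: {y5:9.3g} y  "
              f"12 chars: {y12:9.3g} y  >=1000 y needs {need} chars")
```

The estimate only holds for passwords chosen uniformly at random; dictionary words and keyboard patterns fall far sooner than the full keyspace suggests.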
|
|
|
gene (OP)
|
|
June 13, 2011, 01:43:32 PM |
|
aye I use gpg4win and it crashes constantly :p thankfully the crashes don't screw me over, just make me take a bit longer to do stuff.
I have only used gpg4win via cmd.exe. No problems for me. Running windows is another issue altogether... Of course, use whatever tools you are most comfortable with. Just realize that not all crypto is created equal. Caveat emptor. When wallets start holding tens of thousands of dollars worth of BTC, I would not trust an archiver.
|
|
|
|
ctoon6
|
|
June 13, 2011, 01:53:17 PM |
|
aye I use gpg4win and it crashes constantly :p thankfully the crashes don't screw me over, just make me take a bit longer to do stuff.
I have only used gpg4win via cmd.exe. No problems for me. Running windows is another issue altogether... Of course, use whatever tools you are most comfortable with. Just realize that not all crypto is created equal. Caveat emptor. When wallets start holding tens of thousands of dollars worth of BTC, I would not trust an archiver.
When the stakes are that high I would not either. I would have all my coins split into 3 separate wallets on 3 separate servers on 3 separate continents.
|
|
|
|
lonestranger
|
|
June 13, 2011, 02:05:32 PM |
|
Oh my but I must lament once again how horrible this wallet problem is! Bitcoin's reputation is going to get creamed in the media until this is solved. You brilliant tech heads have a monster by the tail. So now let me slog through one of your opaque posts here, parsing and probing to uncover the nugget of truth for the uninitiated (like ME) to put to use...
How to use GPG?
gpg --compress-algo BZIP2 --bzip2-compress-level 9 --encrypt -a -o text_crypt_wallet.txt wallet.dat
This will compress and then encrypt your wallet using your private GPG key.
Whoa there! I have used gpg in thunderbird to encrypt email but using it in my operating system is new to me because for one thing, at what point did I generate a key pair? Where is this private key? Another observation is that though you criticize truecrypt, at least it has a visual interface instead of this command line shit. Sorry if this offends...
The -a flag tells gpg to give you ascii-armored (printable) output. The -o flag tells gpg to name the output file "text_crypt_wallet.txt". You can then print this out. The file will look something like this: . . . Make sure the font is OCR-readable (http://en.wikipedia.org/wiki/Optical_character_recognition) and large enough to avoid scanning and transcription errors. Also, make sure to keep track of page numbers. If you don't have a GPG key,
Whoa there! What do you mean? Why would I just happen to HAVE a GPG key? Where would it come from? But not having to mess with keypairs is an advantage anyway.
To recover the wallet, you can scan the document and OCR it to a file. Then decrypt it:
gpg --decrypt -o wallet.dat scanned_text_file.txt
So I now need to scan a printout with character recognition software... you truly live in a different world than most people. No offense you brilliant tech head but this situation is terrible.
|
|
|
|
error
|
|
June 13, 2011, 02:16:36 PM |
|
You do not have to print your encrypted file and scan it in later. However, plain paper is the most durable medium available for long-term data storage, so it will be useful in some circumstances.
|
3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
|
|
|
ctoon6
|
|
June 13, 2011, 02:20:04 PM |
|
if you were going the printing out a paper route, why not just print out your wallet file and delete the original?
|
|
|
|
gene (OP)
|
|
June 13, 2011, 02:22:18 PM |
|
Oh my but I must lament once again how horrible this wallet problem is! Bitcoin's reputation is going to get creamed in the media until this is solved. You brilliant tech heads have a monster by the tail. So now let me slog through one of your opaque posts here, parsing and probing to uncover the nugget of truth for the uninitiated (like ME) to put to use...
Sorry for being "opaque."
Whoa there! I have used gpg in thunderbird to encrypt email but using it in my operating system is new to me because for one thing, at what point did I generate a key pair? Where is this private key? Another observation is that though you criticize truecrypt, at least it has a visual interface instead of this command line shit. Sorry if this offends...
<sigh> Please note the part where I specifically give an example of using a symmetric algorithm by itself (no public/private keypair required). And the subsequent posts where I repeated this. No offense taken...
Whoa there! What do you mean? Why would I just happen to HAVE a GPG key? Where would it come from? But not having to mess with keypairs is an advantage anyway.
See above.
So I now need to scan a printout with character recognition software... you truly live in a different world than most people. No offense you brilliant tech head but this situation is terrible.
No. You don't need to do it, at all. Nowhere did I state that this is a requirement. It seems obvious that this is an optional step for those who wish to have a secure hardcopy of the intact wallet.dat. If this isn't clear, then I would agree that we do live in different worlds. At the risk of putting too fine a point on it, perhaps my "opacity" comes from your lack of reading comprehension.
|
|
|
|
bittersweet
|
|
June 13, 2011, 02:24:37 PM |
|
However, plain paper is the most durable medium available for long-term data storage, so it will be useful in some circumstances.
Laser engraving on a metal plate would be better
|
My Bitcoin address: 1DjTsAYP3xR4ymcTUKNuFa5aHt42q2VgSg
|
|
|
gene (OP)
|
|
June 13, 2011, 02:25:11 PM |
|
if you were going the printing out a paper route, why not just print out your wallet file and delete the original?
It wouldn't be encrypted. Examine the title of the thread.
|
|
|
|
|
gene (OP)
|
|
June 13, 2011, 02:35:26 PM |
|
This would be far more interesting (and would make the point a bit more clear) if you did this with a wallet holding all your BTC.
|
|
|
|
BombaUcigasa
|
|
June 13, 2011, 02:43:38 PM |
|
This would be far more interesting (and would make the point a bit more clear) if you did this with a wallet holding all your BTC.
I'll consider a small donation for the good of the community considering that it improves our security, especially since I think this little 294 bytes archive could be broken in 2 months, and not 24 hours.
|
|
|
|
gene (OP)
|
|
June 13, 2011, 02:53:58 PM |
|
I'll consider a small donation for the good of the community considering that it improves our security, especially since I think this little 294 bytes archive could be broken in 2 months, and not 24 hours.
No. It does not improve anything at all. It demonstrates a deep misunderstanding of these tools and their limitations, and that you are happy to promulgate dangerous advice to others. It is well understood that a 5 character password (even using a larger characterspace) is total shit. What you think is immaterial. Such a short password is literally nothing to an even moderately-motivated attacker. It is worse than putting a luggage padlock on a 10 ton door to a steel vault. What is most laughable is that the cost of increasing the keylength is basically nothing, much like using the proper tools. Yet you reject even the most rudimentary advice for... well... no apparent reason.
|
|
|
|
JohnDoe
|
|
June 13, 2011, 02:56:45 PM |
|
When decrypting my wallet it gets stored unencrypted in my hard drive right? Sure, I can shred and delete it after re-encrypting but that's a security risk TrueCrypt doesn't have.
Btw, I didn't read the whole Schneier paper but the abstract only talks about losing deniability under Windows with TrueCrypt version 5. Should I still be concerned about this using TrueCrypt v7 under Linux?
|
|
|
|
BombaUcigasa
|
|
June 13, 2011, 03:00:33 PM |
|
Yet you reject even the most rudimentary advice for... well... no apparent reason.
I reject what?
|
|
|
|
|