A Secure and Redundant Savings Wallet Concept, Hopefully

[bcearl]

3. XOR files A and B (call the result file C)
4. Store files B and C at isolated locations

Can you XOR  and end up with B, C, D, E, F & G and then just need any 2 of them to restore?

That's why I mentioned Shamir's Secret Sharing. That is designed for that purpose, and well known.



You shouldn't just create your own schemes, how do you know it is secure? Use publicly known schemes that are known to researchers worldwide for decades.


EDIT: Shamir's Sharing is proven to be information-theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

[1714997055]

1714997055

[1714997055]

1714997055

[1714997055]

1714997055

[Dirt Rider]

EDIT: Shamir's Sharing is proven to be information theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.

[bcearl]

EDIT: Shamir's Sharing is proven to be information theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.

It has similar properties, but you don't have a prove that your's is secure.

Shamir's is secure because it is based on polynomial functions. If you have a polynomial function of degree N, you need at least N+1 points on the curve to reconstruct it. If you have one point less, the secret could be everything.



EDIT: Btw, Shamir is the guy, who the S of RSA stands for. Not an unknown person in the world of cryptography.

[Dirt Rider]

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.

It has similar properties, but you don't have a prove that your's is secure.

Shamir's is secure because it is based on polynomial functions. If you have a polynomial function of degree N, you need at least N+1 points on the curve to reconstruct it. If you have one point less, the secret could be everything.

Ok so any suggestions for how I go about implementing Shamir's scheme into my concept?  It would seem that there are no implementations that allow you turn a file (a TrueCrypt volume in this case) into a bunch of shares, just a password/string.  Granted, I could use this instead of my six seperate key files but still a goal is that the TrueCrypt volume also get split up and spread across the 6 storage locations such that no one location contains the entire volume file.

EDIT:  I am just trying to understand why simply splitting the file is "stupid".

[bcearl]

EDIT:  I am just trying to understand why simply splitting the file is "stupid".

It is not stupid. But you should not trust it until you have a reason to assert that it is secure. If you don't know whether it is secure, assert that it isn't. That's the only proper way to do security.

[Dirt Rider]

EDIT:  I am just trying to understand why simply splitting the file is "stupid".

It is not stupid. But you should not trust it until you have a reason to assert that it is secure. If you don't know whether it is secure, assert that it isn't. That's the only proper way to do security.

I recall a previous reply from you indicating that "splitting is stupid", guess I missunderstood that.

If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

The core concept here is that there are 6 volume parts and 6 encryption key parts.  All are required in order to access the wallet.  Each media only has 5 of the volume parts and 5 of the key parts.  Don't you think it's safe to say that there is pretty much no way to derive the missing part of either, if you only have 5 of the 6 parts?  And to compromise the wallet, you'd have to somehow come up with BOTH of the missing parts.  BTW I have decided I like the number 6, this could be done the same as long as there's 3 or more parts.

I realize this seems overly complex but so far I do feel confident that it provides a fairly high level of both security and redundancy and in many regards, this approach is me keeping it simple. 

I very much appreciate the feedback, information, and opportunity to discuss.  And I'm happy so far anyway, nothing has come up that suggests to me that this is a bad approach.  I think we (the community) should try to put together several guides for keeping bitcoin wallets safe and each one would have a different paranoia level associated with it

[bcearl]

If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

You can't get information about the sixth part, but you still may get information about the secret without it.

The core concept here is that there are 6 volume parts and 6 encryption key parts.  All are required in order to access the wallet.  Each media only has 5 of the volume parts and 5 of the key parts.  Don't you think it's safe to say that there is pretty much no way to derive the missing part of either, if you only have 5 of the 6 parts?  And to compromise the wallet, you'd have to somehow come up with BOTH of the missing parts.  BTW I have decided I like the number 6, this could be done the same as long as there's 3 or more parts.

I realize this seems overly complex but so far I do feel confident that it provides a fairly high level of both security and redundancy and in many regards, this approach is me keeping it simple.  

I very much appreciate the feedback, information, and opportunity to discuss.  And I'm happy so far anyway, nothing has come up that suggests to me that this is a bad approach.  I think we (the community) should try to put together several guides for keeping bitcoin wallets safe and each one would have a different paranoia level associated with it

Yes, I think your idea is worth a try. But I think is not reviewed enough to advice people in a forum to do that, or only for experiments.

In my opinion everybody is free to do as he likes, but when people start to spread their unproven ideas to other users (who may be noobs who just follow the advice without having the capabilities to review it themselves) I get a little upset.

Your thread is very valuable for a discussion here, I just wanted to say that unexperienced users should prefer the better tested ideas.

I also appreciate the very fact that you share your ideas with us in the first place! I also appreciate that you take criticism seriously and review your work.


That's how we get closer to the solutions for our problems.

[ben-abuya]

Ok so any suggestions for how I go about implementing Shamir's scheme into my concept?  It would seem that there are no implementations that allow you turn a file (a TrueCrypt volume in this case) into a bunch of shares, just a password/string.  

http://point-at-infinity.org/ssss/

I'm not sure I'd go with the truecrypt for this. You can generate a random passphrase with enough bits to be more secure than the original private key. Then encrypt your wallet with that using gpg, then run ssss on the secret key. I'd do this all in memory and only write out the individual ssss parts to the usb keys, never write out more than one key to any media.

This distro looks like a good choice: https://www.privacy-cd.org/

It disables all network and hard drives so you don't have to worry about accidentally writing stuff to something persistent.

and with the one in my safe deposit box I will include a note with my password.

There are important tradeoffs here. You're putting almost all your trust into the safe deposit box. That might make sense, but if that's the case why not just put the full key in there without a passphrase? The passphrase is sitting right next to it so it doesn't really serve a purpose in this scenario. Each extra piece is also a risk because you could lock yourself out even without a thief. You could forget the passphrase, forget where you put the drives, something could happen to them. In my case, I've decided that I need either a pass phrase or 2 out of 2 usb drives to get in, but I'll never write the pass phrase down anywhere, and the usb drives don't require any pass phrases in case i forget it.

The important thing is you're putting a lot of thought into this, and posting your ideas and getting feedback is the best way to do security.

[bcearl]

Thank you for that link, I couldn't find any implementations either! I didn't know whether it was practical with long strings at look. Seems to work!

[Vladimir]

A miniature carrot shaped laser which projects your bitcoin keys as QR code on a wall. This laser is surgically implanted in your hip. This in combination with a few decades of intense hapkimudo (http://www.youtube.com/watch?v=GOCgfuajpJs http://www.youtube.com/watch?v=M64skAfLIZc http://www.youtube.com/watch?v=NrWCYk6_4cg ohh and of course this one too http://www.youtube.com/watch?v=1PMhkUH8ARU   ) training should make it fairly secure.

Than if someone tries to take your bitcoin QR laser you do this http://www.youtube.com/watch?v=kg8lDZXyvMQ

[Dirt Rider]

http://point-at-infinity.org/ssss/

Thanks for the link!  It is for Linux only apparently but there are other implementations at the bottom of the wiki page previously referenced by bcearl:  http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

... You're putting almost all your trust into the safe deposit box.... The passphrase is sitting right next to it so it doesn't really serve a purpose in this scenario...

Actually no, because there is only 1 USB in that safe deposit box and it does not include all required pieces, I will need 2 of the 6 to have everything needed to access the wallet.

Each extra piece is also a risk because you could lock yourself out even without a thief...

In order to lose a wallet or lock myself out, I would need to lose 5 of the USBs or 5 would have to go bad or be otherwise unusable, or I would have to lose the passphrase, but that will be stored in a few different locations (separate from the USBs with the exception of the one in the safe box).  Or as you suggested, I could just not use a passphrase at all.

Thanks for the response and feedback!

[Dirt Rider]

In my opinion everybody is free to do as he likes, but when people start to spread their unproven ideas to other users (who may be noobs who just follow the advice without having the capabilities to review it themselves) I get a little upset.

Hence why the word "Hopefully" is included in the thread title, and why I worded the OP as I did.  I am sorry that my thread has "upset" you.  But regardless of who I might upset, I don't have any qualms about throwing out an idea that I have personally tested, that I personally have faith in, and I believe provides more security and redundancy than many of the other concepts that other's have presented.  Is this forum not the ideal place to present such ideas to the community for feedback?

And, unless I am missing something, we have yet to come up with a reason why this concept should specifically NOT be used.  I for one would never suggest that ANY of the concepts presented to date are perfect and are ideal for anyone and everyone to use.

[Dirt Rider]

Than if someone tries to take your bitcoin QR laser you do this http://www.youtube.com/watch?v=kg8lDZXyvMQ

Other then the few decades of training, I like this idea - maybe I can hire a hapkimudo bodyguard!  Know any that will work for BTC?


Hey bcearl, will this pass as a "proven" approach?

[Sottilde]

Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.

[Dirt Rider]

Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.

That would work just fine also - how the wallet is encrypted and split is a matter of personal preference.  However, the hidden volume option with TrueCrypt is interesting - allows you to essentially have 2 different passwords, one would only allow access to a decoy wallet, with a tiny amount of BTC and no way to prove the hidden volume (with the real savings wallet) even exists.

[EricJ2190]

As mentioned by others, simply splitting the wallet, or even an encrypted volume or archive containing the wallet, is not secure. An attacker does not need a whole wallet file to steal from you. All they is a whole private key to an individual address (or enough of it that they can brute force the missing piece) to steal any coins received by that address. With the OP's method, chances are an attacker could steal most if not all of your coins with only one flash drive and your password.

[bcearl]

Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.

That would work just fine also - how the wallet is encrypted and split is a matter of personal preference.  However, the hidden volume option with TrueCrypt is interesting - allows you to essentially have 2 different passwords, one would only allow access to a decoy wallet, with a tiny amount of BTC and no way to prove the hidden volume (with the real savings wallet) even exists.

Except that the hidden volume isn't actually hidden.

[Dirt Rider]

Except that the hidden volume isn't actually hidden.

Based on my understanding it is hidden, hence it's name, hidden volume.  Do you have some information that suggests otherwise?

[Dirt Rider]

As mentioned by others, simply splitting the wallet, or even an encrypted volume or archive containing the wallet, is not secure. An attacker does not need a whole wallet file to steal from you. All they is a whole private key to an individual address (or enough of it that they can brute force the missing piece) to steal any coins received by that address. With the OP's method, chances are an attacker could steal most if not all of your coins with only one flash drive and your password.

If you don't have the entire encrypted volume file, and you don't have all of the encryption key files that the volume was encrypted with, how exactly do you go about unencrypting the volume and accessing what data is there?

[bcearl]

Except that the hidden volume isn't actually hidden.

Based on my understanding it is hidden, hence it's name, hidden volume.  Do you have some information that suggests otherwise?

It is an unsupported claim of TrueCrypt, you should not trust it.