Bitcoin Forum
November 19, 2018, 11:26:45 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
   Home   Help Search Login Register More  
Pages: « 1 2 [3]  All
Author Topic: stringwallet  (Read 294 times)
Offline Offline

Activity: 1190
Merit: 1167

View Profile
January 02, 2018, 06:34:52 PM

Is anyone still using brainwallets in earnest?

i don't trust stored data to stay secret.

Why would anyone trust something that can spawn all of your private keys ever out of nowhere? Im still using the old wallet.dat format because im paranoid of the HD format of the new wallet.dat, imagine if I had to trust any of these brainwallets. Why expect your seed isn't going to eventually get bruteforced?

I personally feel safer by holding private keys locally which could never be accessed unless you actually had access to the files and you could always host your file somewhere in an encrypted SHA512 file with a strong password or something, if you really needed to for example move somewhere without carrying your private keys physically.

I just don't like the idea of "you need a couple of data here and there to derive all of you private keys", doesn't sound like a strong model to trust.

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Hero Member
Offline Offline

Posts: 1542670005

View Profile Personal Message (Offline)

Reply with quote  #2

Report to moderator
Hero Member
Offline Offline

Posts: 1542670005

View Profile Personal Message (Offline)

Reply with quote  #2

Report to moderator
Offline Offline

Activity: 1960
Merit: 1039

aka tonikt

View Profile WWW
January 02, 2018, 06:46:27 PM

Why expect your seed isn't going to eventually get bruteforced?
Well... don't mean to be mean, but the answer is pretty obvious who anyone who isn't an idiot.

Because brute forcing of such a complex seed would require more computing than brute forcing of a standard bitcoin address.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
Offline Offline

Activity: 1778
Merit: 1059

View Profile
January 02, 2018, 08:53:38 PM

curiosity81, it seems (at a glance) that you are deploying a word generator generated from a decent (i.e. non-human) source of randomness.  Not a syntactically valid phrase, not something the user comes up with, not something from a book you cross your fingers and hope to be really obscure.  Not what most people call a “brainwallet”.

True. That's why I mentioned above that "brainwallet" might be the wrong term.

I have to stress again, that I wanted simple code for generating key pairs from strings, either from a concatenated complex list of words (kind of brainwallet) or a complex set of characters (kind of passphrase). And I want to understand the code. A kind of finger exercise. And maybe some of the code is simple enough to be useful for others.

For instance, to derive the public key of a private key is the only piece of code, which is not a bash script. I found this code somewhere at stackoverflow (the link is given in the source). It is c, but relatively easy to compile. If I remember correctly only libssl-dev is necessary for compilation. This is the only simple (!) piece of code I found! Another example is the bash script for computing base58. The code you can find online uses a lot of bash magic, so that it is virtually impossible for a normal guy to understand. At least I learned what bc is. So it was easier to write the code by myself with the benefit, that I now know how it works.

That raises an obvious question, which I must ask out of—curiosity:  Why don’t you simply use BIP 39?  It was developed by the same experts whose security acumen you trust when you use Bitcoin anyway.  Its wordlists were developed with human use in mind, e.g., all words on the English wordlist are unique within the first four characters.  And it will perfectly encode 128–256 bits of randomness in 12–24 words, without any of the pitfalls of trying to develop your own word randomization scheme.

With your wordlist, I presume not tuned to a power of 2, did you avoid the common mistake of introducing modulo bias?  (I did not review your code.)  Does your wordlist exclude similar, confusable words?  (I am guessing not.)  Etc.

Honestly, I did not take care of the random generator's entropy yet. But I can assure you, that I am paranoid enough to invest (and already invested) a lot of energy to get the maximum entropy into my systems. In the current version, one bash script simply shuffles (shuf) a complete aspell dictionary and takes the head (the n first words) of the output. That's it. Clearly I have to figure out in detail how shuf works and where it gets its entropy. Entropy pool could be filled with additional entropy via randomsound or similar. But how to connect shuf to /dev/random or /dev/urandom is a question for the future. And should be as simple as possible.

I did not wrote my own BIP39 generator, even though I am aware of the proposal. Maybe I even stole some ideas (checksum). Maybe I used them wrongly.

I have released an initial version of the easyseed(1) utility for secure generation of BIP 39 mnemonic seed phrases.

Thanks for the suggestion. I will take a look.

  ▄▄██████▀▀  ▀▀██████▄▄

███████▀          ▀███████
████       ▄▄▄▄     ▄█████
████     ███████▄▄██████▀
████     ██████████████
████     ████████▀██████▄
████       ▀▀▀▀     ▀█████
███████▄          ▄███████
  ▀▀██████▄▄  ▄▄██████▀▀

  ▄████▀▀         ▀▀████▄
 ▄████    ▄▄███▄▄    ████▄
▄████  ▄███▀▀ ▀▀███▄  ████▄
████   ██▌  ▄▄▄  ███   ████
████   ██▌ ▐███████    ████
████   ██▌  ▀▀▀  ███   ████
▀████  ▀███▄▄ ▄▄███▀  ████▀

 ▀████    ▀▀███▀▀    ████▀
  ▀████▄▄         ▄▄████▀

Offline Offline

Activity: 1162
Merit: 1205


View Profile
January 02, 2018, 09:28:34 PM

Hi guys,

during christmas I was thinking about a way to produce my own brainwallets. You find the code below

Clearly, code can also be used to produce more secure brainwallets. E.g. hashing a string more than once and a brute force approach is virtually useless.

Nice codes, i just take a looks and is a great code, i have done my bash to brain wallet codes in the past, will search them, and if i can find them, i will post it here.

Thanks for share.

.BitDice.               ▄▄███▄▄
           ▄▄██▀▀ ▄ ▀▀██▄▄
      ▄▄█ ▀▀  ▄▄█████▄▄  ▀▀ █▄▄
  ▄▄██▀▀     ▀▀ █████ ▀▀     ▀▀██▄▄
██▀▀ ▄▄██▀      ▀███▀      ▀██▄▄ ▀▀██
██  ████▄▄       ███       ▄▄████  ██
██  █▀▀████▄▄  ▄█████▄  ▄▄████▀▀█  ██
██  ▀     ▀▀▀███████████▀▀▀     ▀  ██
██  ▄     ▄▄▄███████████▄▄▄     ▄  ██
██  █▄▄████▀▀  ▀█████▀  ▀▀████▄▄█  ██
██  ████▀▀       ███       ▀▀████  ██
██▄▄ ▀▀██▄      ▄███▄      ▄██▀▀ ▄▄██
  ▀▀██▄▄     ▄▄ █████ ▄▄     ▄▄██▀▀
      ▀▀█ ▄▄  ▀▀█████▀▀  ▄▄ █▀▀
           ▀▀██▄▄ ▀ ▄▄██▀▀
    ████▀▀       ▀▀████
   ████▀           ▀████
   ████             ████
   ████ ▄▄▄▄▄▄▄▄▄▄▄ ████
████                   ████
████                   ████
████                   ████
████                   ████
████                   ████
████▄                 ▄████
████████▄▄▄     ▄▄▄████████
█████                            █████
█████                            █████
█████                            █████
█████                            █████
█████                     ▄▄▄▄▄▄▄▄▄▄
█████                   ▄█▀▀▀▀▀▀▀▀▀▀█▄
█████                   ██          ██
█████                   ██          ██
█████                   ██          ██
██████████████████▀▀███ ██          ██
 ████████████████▄  ▄██ ██          ██
   ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ██          ██
             ██████████ ██          ██
           ▄███████████ ██████▀▀██████
          █████████████  ▀████▄▄████▀
Online Online

Activity: 2058
Merit: 1084

View Profile
January 02, 2018, 10:54:13 PM

No data stays secret for ever.
The most glaring error with "brain wallet" is the many various ways we have of spelling virtually identical words, capitalizing or not, hyphenating, punctuating...

This makes it possible to "remember" a brain wallet and still not be able to type it in and get it right. What is "remembered" is fundamentally imprecise.

Hence I think a predefined word list is a Very Good Idea with anything that would have the beginnings of BrainWalleticity.

Next I'm going to say the last word needs to be a checksum.

Keeping on going, looking like I'm reinventing Bitcoin Improvement Protocols, doesn't it?

Hero Member
Offline Offline

Activity: 924
Merit: 805

the forkings will continue until morale improves

View Profile
January 03, 2018, 12:06:16 AM

You'll likely have to use a combination of different hashes in varying rounds (eg., 10x Sha256 => 2x Scrypt => Bcrypt => etc) requiring an attacker to reproduce your exact hashing steps. Let's not forget that anyone who is scanning for brainwallets has a lot of time to do so and thus can account for multiple hashing rounds as well.

Question being, whether a simple obfuscation algorithm that can be done in your head or with a piece of paper is sufficient, as opposed to a computer-supported one. Unless you can mentally sha256 Tongue

Given the amount of possible simple obfuscation algorithms I guess one can achieve sufficient security without computer support, assuming you don't rely on any well known methods (rot13 anyone?). In other words, this could be a use case where rolling your own "crypto" and security by obscurity might be a good thing.

Using the word “algorithm” loosely, if you can’t design an algorithm which remains secure when your adversary knows it, then you will certainly be unable to design an algorithm which is secure when “unknown”.

Note the subtle difference from what you usually hear.

Maybe I misunderstand you, but the obfuscation algorithm itself doesn't need to be secure. After all the attacker doesn't want to derive the original message from your obfuscated passphrase. That's were "security by obscurity" would fail.

Instead, my rationale is based on the potential attacker having two choices:

a) Derive your obfuscated passphrase from either your BTC address or your public key -- obviously unviable right now, otherwise we'd have other problems.

b) Brute force your original passphrase AND the correct steps with which you obfuscated it -- the latter of which there are effectively infinite possibilities, even when limiting yourself to pen-and-paper algorithms (eg. uppercase every nth letter, insert a special character according to the fibonacci sequence, apply multiple rounds of rot26... etc etc).

Combine a strong passphrase with some layered weird-ass obfuscation steps and you should get yourself enough entropy for decades to come.

On the other hand I just stumbled upon a fairly recent Def Con talk about cracking brainwallets, maybe it makes me rethink my assumptions.

Here's the link, without knowing yet whether it's going to be any good:

Edit: The talk above covers nothing that hasn't been discussed in this thread already. Keeping the link for reference though.

Pages: « 1 2 [3]  All
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!