virtualmaster (OP)
September 18, 2013, 10:06:00 AM
Are deterministic wallets more secure than random wallets? Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing. If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken. Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 18, 2013, 10:57:09 AM
Quote from: virtualmaster
Are deterministic wallets more secure than random wallets? Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing. If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken. Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key. If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.

It seems like a deterministic wallet would be even worse. If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code? If so, wouldn't that mean that they'd have ALL private keys from the wallet?
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
September 18, 2013, 05:29:24 PM
Quote from: virtualmaster
Are deterministic wallets more secure than random wallets? Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing. If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken. Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

Quote from: DannyHamilton
You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key.

Danny, I know this applies to Android. But it doesn't also apply to other devices like laptops, PCs, right?

Quote from: DannyHamilton
If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.
It seems like a deterministic wallet would be even worse. If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code? If so, wouldn't that mean that they'd have ALL private keys from the wallet?

Seems very likely. Alan or anyone?
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 18, 2013, 05:41:48 PM
Quote from: DannyHamilton
You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key.

Quote from: cypherdoc
Danny, I know this applies to Android. But it doesn't also apply to other devices like laptops, PCs, right?

Yes, it does. That's how ECDSA signatures work.
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
September 18, 2013, 05:50:56 PM
Quote from: DannyHamilton
You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key.

Quote from: cypherdoc
Danny, I know this applies to Android. But it doesn't also apply to other devices like laptops, PCs, right?

Quote from: DannyHamilton
Yes, it does. That's how ECDSA signatures work.

But it was the specific RNG in Android that allowed the exploit. There haven't been any similar exploits executed on laptops or PCs afaik; thus for now they can be "assumed" safe, the recent NSA revelations notwithstanding.
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 18, 2013, 05:54:14 PM
Quote from: DannyHamilton
You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key.

Quote from: cypherdoc
Danny, I know this applies to Android. But it doesn't also apply to other devices like laptops, PCs, right?

Quote from: DannyHamilton
Yes, it does. That's how ECDSA signatures work.

Quote from: cypherdoc
But it was the specific RNG in Android that allowed the exploit. There haven't been any similar exploits executed on laptops or PCs afaik; thus for now they can be "assumed" safe, the recent NSA revelations notwithstanding.

Exactly. That's why I said:

Quote from: DannyHamilton
If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key.
virtualmaster (OP)
September 19, 2013, 05:43:21 AM
Quote from: virtualmaster
Are deterministic wallets more secure than random wallets? Using a brain wallet you are not dependent on a random number generator, only on mathematically proven hashing. If you use a long, non-memorable, hand-entered passphrase with a brain wallet, you cannot remember it any more, but you can generate a superior random wallet which can be broken only if the hashing function is broken. Security expert Schneier says that random number generators could be targeted by sabotage even at the hardware level and this could be very hard to detect.
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

Quote from: DannyHamilton
You still need to use the random number generator every time you send a transaction. The random number generator is used to sign the transaction with the private key. If your random number generator is broken, a hacker is just as likely to calculate your brain wallet private key as they are a random private key. It seems like a deterministic wallet would be even worse. If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code? If so, wouldn't that mean that they'd have ALL private keys from the wallet?

Sorry, but this sounds like double Dutch.
1. Even if your transaction will be broken 1 hour after the transaction is done, the Bitcoins are already sent to the destination, and if you don't reuse the same address you cannot lose anything. And to keep your Bitcoins in a deterministically generated address you don't need any random generator.
2. "wouldn't it be possible to calculate the chain code?" You mean the passphrase? NO. Not even with a type 1 deterministic wallet, as far as I know.
passphrase+1 -> (private key 1, address 1)
passphrase+2 -> (private key 2, address 2)
If you found private key 1 you need to reverse the SHA256 hash to find out the passphrase, otherwise you cannot find out private key 2.
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 19, 2013, 02:33:02 PM
Quote from: virtualmaster
- snip - if you don't reuse the same address you cannot lose anything. - snip -

Sorry, when I read this, I thought you were talking about the problem that occurred with Android wallets:

Quote from: virtualmaster
- snip - Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

The problem with Android wallets occurred because people WERE reusing the same address.

The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability. The result is that with a large enough pool of users, you eventually have multiple users choosing the same password. Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user. If you don't allow the user to choose their own password, then you need a good random number generator to choose the password for the user. In that case, you haven't eliminated the dependence on the random number generator.
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
September 19, 2013, 03:06:57 PM
Quote from: virtualmaster
- snip - if you don't reuse the same address you cannot lose anything. - snip -

Quote from: DannyHamilton
Sorry, when I read this, I thought you were talking about the problem that occurred with Android wallets:

Quote from: virtualmaster
- snip - Maybe the incident with the Android random generator is not so isolated but part of a much bigger problem.

Quote from: DannyHamilton
The problem with Android wallets occurred because people WERE reusing the same address.

Just to be clear here, if you're talking about Bitcoin Spinner or what is now Mycelium, you don't have a choice to not reuse the same private key for the most part, as that is the default. I noticed that Mycelium does now allow you to generate a new key, but you manually have to invoke it.

Quote from: DannyHamilton
The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability.

In Mycelium's case are you talking about their PIN?

Quote from: DannyHamilton
The result is that with a large enough pool of users, you eventually have multiple users choosing the same password. Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user. If you don't allow the user to choose their own password, then you need a good random number generator to choose the password for the user. In that case, you haven't eliminated the dependence on the random number generator.

Armory doesn't generate a pwd for you afaik. I thought the problem with the PRNG in Android was that it was too often reusing the same "n", not that ppl were using the same pwd?
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 19, 2013, 04:45:56 PM
A whole lot of confusion.

You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

Quote from: cypherdoc
Just to be clear here, if you're talking about Bitcoin Spinner or what is now Mycelium, you don't have a choice to not reuse the same private key for the most part, as that is the default. I noticed that Mycelium does now allow you to generate a new key, but you manually have to invoke it.

You are correct, Bitcoin Spinner (Mycelium) re-used a bitcoin address. This is why I initially suggested that a broken RNG would be a problem for "deterministic" addresses as well. I thought that the OP was using the Android problem as a model and suggesting that if the addresses were generated without a RNG, then they would be secure for re-use. Since the OP later indicated that they were talking about wallets where addresses are not re-used, I'm not sure why they even brought up the Android issue. That seems to just confuse the discussion and isn't relevant.

Quote from: cypherdoc
In Mycelium's case are you talking about their PIN?

No. Mycelium does not use deterministic addresses. It uses randomly generated addresses. Therefore there is no password based private key. The OP is talking about a "brain wallet". Specifically they appear to be talking about the type of brain wallet where you start with a password, then generate a SHA256 hash of that password, and use the result of the hash as your private key.

Quote from: cypherdoc
Armory doesn't generate a pwd for you afaik.

Yes, it does. It just doesn't call it a pwd. With Armory, the deterministic addresses are calculated from a "Root Key" and a "Chain Code". If you know both of these, then you have full access to the wallet. That essentially makes the combination of these two pieces of information a "password".

Quote from: cypherdoc
I thought the problem with the PRNG in Android was that it was too often reusing the same "n", not that ppl were using the same pwd?

Correct. The problem with Android was that the wallet re-uses addresses (which is a bad idea), AND that the RNG was broken, which sometimes allowed the calculation of the private key after two transactions were signed with the same private key. Using the same pwd is a problem with "deterministic addresses" when they are determined in the way that the OP suggested:
passphrase+1 -> (private key 1, address 1)
passphrase+2 -> (private key 2, address 2)
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
September 19, 2013, 05:01:18 PM
Quote from: DannyHamilton
A whole lot of confusion.
You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

Please explain.
Odalv
Legendary
Offline
Activity: 1414
Merit: 1000
September 19, 2013, 07:51:17 PM
Quote from: DannyHamilton
A whole lot of confusion.
You've taken two different concepts and blended them together, creating a whole lot of confusion for yourself.

Quote from: cypherdoc
Please explain.

1. Generating a random private key using a "bad RNG" can be brute forced, because a "bad RNG" generates "only" 2^64 (for example) random private keys (not 2^256). => I can use a brute force attack to check all possible generated addresses.
2. If your private key is really random but you sign a message using a "bad RNG" then I can use a brute force attack on public_key+signed_message (data are stored in the blockchain) - in case you are using a deterministic wallet and I'm able to crack more of your private keys (even empty addresses) then it is possible that I'll know how to compute your next addresses. (e.g. PKey2/Pkey1=seed => PKey2*seed=PKey3 ... but I'm not sure :-) )
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 19, 2013, 07:53:59 PM
Quote from: cypherdoc
Please explain.

I did. The entire rest of my post explains your confusion and attempts to straighten it out for you. Specifically you say:

Quote from: cypherdoc
In Mycelium's case are you talking about their PIN?

Which is blending the discussion about Android based wallets (which re-use addresses) and the discussion about password based "deterministic wallets" that don't re-use addresses.

At this point there are two completely separate discussions going on here. One is about Android based wallets. These reuse addresses, and are vulnerable to the possibility of a faulty RNG which can allow someone to potentially calculate the private key after multiple transactions. These are randomly generated addresses and would not be considered "deterministic".

The other discussion is about the OP's suggestion that "deterministic wallets" would be more secure than randomly generated addresses. In that discussion, which has nothing to do with the vulnerability that affected Android wallets, the concerns are that the source of the deterministic address could either be subject to collision due to multiple people choosing the same "password", or would not overcome RNG vulnerabilities since the deterministic "password" would be generated by a RNG (as in Electrum and Armory).
Odalv
Legendary
Offline
Activity: 1414
Merit: 1000
September 19, 2013, 08:13:58 PM (Last edit: September 19, 2013, 08:30:19 PM by Odalv)
2^64 = 18 446 744 073 709 551 616
So I think no one (and/or except the NSA) knows if SHA-256 is really random (in terms of 256 bits) or only some 2^64 (72 or 80) permutation :-) ... no one can backtest such big numbers.

Edit:
Q: Is there a 100% good RNG?
A: No, bugs are everywhere.
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
September 19, 2013, 08:35:30 PM
Quote from: cypherdoc
Please explain.

Quote from: DannyHamilton
I did. The entire rest of my post explains your confusion and attempts to straighten it out for you. Specifically you say:

Quote from: cypherdoc
In Mycelium's case are you talking about their PIN?

Quote from: DannyHamilton
Which is blending the discussion about Android based wallets (which re-use addresses) and the discussion about password based "deterministic wallets" that don't re-use addresses. At this point there are two completely separate discussions going on here. One is about Android based wallets. These reuse addresses, and are vulnerable to the possibility of a faulty RNG which can allow someone to potentially calculate the private key after multiple transactions. These are randomly generated addresses and would not be considered "deterministic". The other discussion is about the OP's suggestion that "deterministic wallets" would be more secure than randomly generated addresses. In that discussion, which has nothing to do with the vulnerability that affected Android wallets, the concerns are that the source of the deterministic address could either be subject to collision due to multiple people choosing the same "password", or would not overcome RNG vulnerabilities since the deterministic "password" would be generated by a RNG (as in Electrum and Armory).

You may call the combination of the Armory seed and chain code a "password" but nobody else does, including its author. That's where the confusion is.
DannyHamilton
Legendary
Offline
Activity: 3514
Merit: 4894
September 19, 2013, 09:04:07 PM
Quote from: cypherdoc
You may call the combination of the Armory seed and chain code a "password" but nobody else does, including its author. That's where the confusion is.

Yes, the confusion is that the OP suggested using "deterministic wallets" (which typically use a RNG to generate the seed or root key and chain code), and then suggested that the deterministic addresses be calculated by a method of "passphrase+1->(private key 1, address1)". As such the OP blended the concept of a deterministic wallet and a brain wallet. I'm not the one who suggested that the seed and chain code should be called a "password". I specifically stated:

Quote from: DannyHamilton
If they calculated multiple private keys from the same deterministic wallet, wouldn't it be possible to calculate the chain code? If so, wouldn't that mean that they'd have ALL private keys from the wallet?

It was the OP who then confused things by suggesting that a "deterministic wallet" would not use a randomly generated seed or chain code and instead would use a passphrase:

Quote from: virtualmaster
2. "wouldn't it be possible to calculate the chain code?" You mean the passphrase? NO. Not even with a type 1 deterministic wallet, as far as I know.
passphrase+1 -> (private key 1, address 1)
passphrase+2 -> (private key 2, address 2)
If you found private key 1 you need to reverse the SHA256 hash to find out the passphrase, otherwise you cannot find out private key 2.

Now, if you take a look at what the OP is suggesting, the "passphrase" serves the purpose of a "seed", and the incrementing number acts as a multiple of the "chain code". So he is suggesting a new kind of deterministic wallet where the "seed" (or "Root Key") is no longer a randomly generated piece of data, and is instead a user chosen passphrase, and the chain code is essentially 1. As such, to communicate with the OP using the terms that he was using so as to make sure that I addressed things the way he presented it, I stated:

Quote from: DannyHamilton
The problem with password based private keys (if they are chosen by the user) is that they aren't very random and they tend to have a lot less than 160 bits of variability.

This is specifically describing the OP's imaginary "deterministic wallet" that uses "passphrase+1->(private key 1, address1)" to generate an address and has absolutely nothing to do with the Android based wallets that you keep asking about. I go on to state:

Quote from: DannyHamilton
Therefore most deterministic wallets (such as Armory and Electrum) generate the "secret phrase" for the user.

Notice the quotation marks around the words "secret phrase"? This is to indicate that neither Armory nor Electrum use the words "secret phrase", but rather that they have a randomly generated secret that takes the place of the password that the OP is suggesting be used.
virtualmaster (OP)
September 21, 2013, 09:38:25 AM
Yes. You have raised all valid points, and the confusion was maybe because I didn't consider all possible aspects of deterministic wallets and formulated my question just generally. Especially, I didn't consider cases where you generate a deterministic chain from a random passphrase (suggested by the generator). I would say this is not a completely deterministic wallet. I am considering really deterministic wallets where you (the human factor) make the passphrase input from your brain (which is unpredictable, if not using some banal words) and the keypair chain is generated from this input given by you. So I reformulate my considerations/questions (please tell me if you don't agree):

1. A casual user with little knowledge is safer with a random wallet (like the Satoshi client with randomly generated keypairs). (Thousands of transactions on the "correct horse battery staple" passphrase, using banal or short passphrases.)

2. A careful user with at least moderate knowledge can use fully deterministic keypair generation with higher security than wallets with randomly generated keypairs. You create a chain yourself using passphrase+n input, or using a chain generator with your own unpredictable passphrase (not the one suggested by the generator). Two advantages:
- resistance against an eventual random number function defect/sabotage and therefore predetermined pseudorandom numbers or low entropy
- eventually better resistance against wallet loss if automatic chain generation is used (only one backup necessary); this part is heavily disputed

3. Users who use the deterministic wallet as a brainwallet with a memorable but unpredictable and strong passphrase:
- resistance against random number function defect/sabotage, as above
- used in a wallet, the brainwallet passphrase will be an additional backup against losing coins

All the above considerations are at PC level. The Android random function security issue was only mentioned as an example. Android cases are very wallet specific because of some reduced functionality, so it wouldn't help there to make general considerations, and I looked at all Android wallets but I never put Bitcoins in any of them. I used only brainwallet with a browser on Android. So many of you know the Android wallet applications much better. But of course you can add your Android specific considerations also. Thank you for your inputs.
Abdussamad
Legendary
Offline
Activity: 3710
Merit: 1586
September 21, 2013, 11:25:17 AM
Quote from: virtualmaster
Yes. You have raised all valid points, and the confusion was maybe because I didn't consider all possible aspects of deterministic wallets and formulated my question just generally. Especially, I didn't consider cases where you generate a deterministic chain from a random passphrase (suggested by the generator). I would say this is not a completely deterministic wallet. I am considering really deterministic wallets where you (the human factor) make the passphrase input from your brain (which is unpredictable, if not using some banal words) and the keypair chain is generated from this input given by you. So I reformulate my considerations/questions (please tell me if you don't agree):
1. A casual user with little knowledge is safer with a random wallet (like the Satoshi client with randomly generated keypairs). (Thousands of transactions on the "correct horse battery staple" passphrase, using banal or short passphrases.)
2. A careful user with at least moderate knowledge can use fully deterministic keypair generation with higher security than wallets with randomly generated keypairs. You create a chain yourself using passphrase+n input, or using a chain generator with your own unpredictable passphrase (not the one suggested by the generator). Two advantages:
- resistance against an eventual random number function defect/sabotage and therefore predetermined pseudorandom numbers or low entropy
- eventually better resistance against wallet loss if automatic chain generation is used (only one backup necessary); this part is heavily disputed
3. Users who use the deterministic wallet as a brainwallet with a memorable but unpredictable and strong passphrase:
- resistance against random number function defect/sabotage, as above
- used in a wallet, the brainwallet passphrase will be an additional backup against losing coins
All the above considerations are at PC level. The Android random function security issue was only mentioned as an example. Android cases are very wallet specific because of some reduced functionality, so it wouldn't help there to make general considerations, and I looked at all Android wallets but I never put Bitcoins in any of them. I used only brainwallet with a browser on Android. So many of you know the Android wallet applications much better. But of course you can add your Android specific considerations also. Thank you for your inputs.

1. Safer depends on what you are trying to be safe from. Most coins are lost not because of malicious individuals hacking wallets but because of a) mistakes made by the users themselves such as accidental reformats or file deletions and b) hardware failure. Deterministic wallets can be backed up once and you can restore your complete wallet from that backup at any time in the future, so they are safer for most people.
2. & 3. Electrum used to allow people to enter their own seeds. But as Danny said above, human beings are not very good at picking random words/numbers. So that is why computer generated random numbers/seeds are better and that is what we use now.
Boussac
Legendary
Offline
Activity: 1221
Merit: 1025
e-ducat.fr
September 22, 2013, 10:07:37 AM
This might be off topic, but a deterministic wallet is more secure than a random wallet with respect to man-in-the-middle attacks. If a webshop using a deterministic wallet makes its master public key public (as it should), then a paranoid shopper can verify that the payment address associated with her invoice belongs to the merchant's wallet. I developed two apps to demonstrate this use case (those are RoR apps that I intend to open source when I find the time to do so): the webshop is deployed on microbitcoin.net and the address verification app (still in beta) is on bitcoinrad.io. You can try out bitcoinrad.io with your own Electrum master public key and addresses. The bitcoinrad.io service should be duplicated so that multiple verification sources are available to merchants using deterministic wallets. Multiple verification sources, possibly exposing a unified API, would greatly reduce the risks of a MITM attack.