Bitcoin Forum
Author Topic: Obfuscation - only to be used by wizards in magic spells, not cryptography  (Read 5674 times)
The Avenger (OP)
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000



View Profile
September 23, 2013, 09:35:48 PM
Last edit: September 23, 2013, 09:46:36 PM by The Avenger
 #21

to suggest that this is in any way better than a normal password, especially from an entropy standpoint, is downright misleading.

Just one more example why I think this is different to passwords and possibly a lot more user-friendly:
I said it was different, not better.

I suppose the main question about this approach is whether it can be brute forced in some way? Could you take the encrypted data and somehow brute force it backwards to the original unencrypted key? I don't think it could be, but I'd be glad to hear what others have to say.
I never said I published a paper in "Encryption Monthly" proving this was a scientific fact. I thought about it, tried to explain the idea and then invited people's opinion on it. Where did I mislead anyone?

gavin does an excellent job of not being rude to people.

i, however, am not as buddha-like.
An endearing quality. Your mother must be proud.

Look, now I'm being rude! Does that mean I can be elevated to Senior or Hero member status?

Naw, I'd rather not be considering how most of them replied to me in this thread.

"I am not The Avenger"
1AthxGvreWbkmtTXed6EQfjXMXXdSG7dD6
wtfvanity
Hero Member
*****
Offline Offline

Activity: 504
Merit: 500


WTF???


View Profile
September 23, 2013, 09:56:16 PM
 #22

to suggest that this is in any way better than a normal password, especially from an entropy standpoint, is downright misleading.

Just one more example why I think this is different to passwords and possibly a lot more user-friendly:
I said it was different, not better.

I suppose the main question about this approach is whether it can be brute forced in some way? Could you take the encrypted data and somehow brute force it backwards to the original unencrypted key? I don't think it could be, but I'd be glad to hear what others have to say.
I never said I published a paper in "Encryption Monthly" proving this was a scientific fact. I thought about it, tried to explain the idea and then invited people's opinion on it. Where did I mislead anyone?

gavin does an excellent job of not being rude to people.

i, however, am not as buddha-like.
An endearing quality. Your mother must be proud.

Look, now I'm being rude! Does that mean I can be elevated to Senior or Hero member status?

Naw, I'd rather not be considering how most of them replied to me in this thread.

Even when Gavin replies nicely, you want to argue that you're a genius. I don't think anyone will be able to convince you otherwise.

fpgaminer
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
September 23, 2013, 10:38:04 PM
Last edit: September 24, 2013, 07:47:26 AM by fpgaminer
 #23

Forgive me if this has already been mentioned.  The method described is, roughly, what existing encryption schemes do.  They are nothing more than scramblers.  Modern encryption schemes like AES evolved from older methods like the Enigma machine.  That evolved from ancient encryption like the Caesar cipher.

A Caesar Cipher is where you take each letter of the message, and count some number of letters further down the alphabet.  For example, A becomes B, B becomes C, Z becomes A.  The word DOG becomes EPH, if shifting by 1 letter.  As can be seen, this forms a simple mapping from one alphabet to another.  AES also maps from one alphabet to another.  Except with AES, the alphabet is very large (2^128), and the way that it maps from one alphabet to the other is so complex that, without the key, no one can figure it out.  Each key in AES creates a different mapping.

Wrapping back around to the method described in the OP, we can see that if you took the sum total of all the steps, what you're ultimately doing is mapping from one alphabet to another.  Given a certain sequence of steps, we can map from a private key to a scrambled key.  We have an alphabet of private keys, an alphabet of scrambled keys, and the sequence of steps describes the mapping between the two.  As the OP mentioned, one can encode the sequence of steps as a list of words/numbers.  This list of words/numbers describing the steps to take is the key (i.e. the password).

Therefore, this is not fundamentally different than AES or any other modern encryption scheme.  As to whether the method should be used, I would strongly suggest no.  This is because AES is well studied by the best minds mankind has to offer.  We know with high confidence that it is secure.  It is also specifically designed to resist all known cryptanalytic attacks.  The method described in the OP is more akin to the Enigma Machine, which was completely demolished by early cryptanalytic attacks developed by people like Alan Turing.

If what you want is "security through obscurity", use the well studied methods for doing so.  Steganography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use steganography to hide it somewhere.  This is well studied as well, and if someone feels that obscurity adds an extra level of protection, that is the way to do it.

EDIT: Spelling; thanks Meni!

The Avenger (OP)
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000



View Profile
September 23, 2013, 10:40:50 PM
 #24

Even when Gavin replies nicely, you want to argue that you're a genius.
I already said I'm not an expert. I was trying to draw Gavin out a bit to explain what he meant, I was not trying to pretend I know more than him.

I was hoping someone could explain why something that seems a "good" idea to me is (or is not) a good idea.
Did you read this:

There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.

I'm told "entropy". People aren't as smart as they think they are.

It seems it's too much to ask experts to spend a few minutes to explain something. I'm not pretending to be a genius, I'm not in the encryption field, I'm just trying to get an answer that makes sense.

But you can all take your clubs and go back into your caves now, I'm not going to ask anything else. This forum is sick in the amount of abuse it pumps out every day. Thanks to those (very few) that were helpful.

"I am not The Avenger"
1AthxGvreWbkmtTXed6EQfjXMXXdSG7dD6
The Avenger (OP)
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000



View Profile
September 23, 2013, 10:43:35 PM
 #25

Forgive me if this has already been mentioned.  The method described is, roughly, what existing encryption schemes do.  They are nothing more than scramblers.  Modern encryption schemes like AES evolved from older methods like the Enigma machine.  That evolved from ancient encryption like the Caesar cipher.

A Caesar Cipher is where you take each letter of the message, and count some number of letters further down the alphabet.  For example, A becomes B, B becomes C, Z becomes A.  The word DOG becomes EPH, if shifting by 1 letter.  As can be seen, this forms a simple mapping from one alphabet to another.  AES also maps from one alphabet to another.  Except with AES, the alphabet is very large (2^128), and the way that it maps from one alphabet to the other is so complex that, without the key, no one can figure it out.  Each key in AES creates a different mapping.

Wrapping back around to the method described in the OP, we can see that if you took the sum total of all the steps, what you're ultimately doing is mapping from one alphabet to another.  Given a certain sequence of steps, we can map from a private key to a scrambled key.  We have an alphabet of private keys, an alphabet of scrambled keys, and the sequence of steps describes the mapping between the two.  As the OP mentioned, one can encode the sequence of steps as a list of words/numbers.  This list of words/numbers describing the steps to take is the key (i.e. the password).

Therefore, this is not fundamentally different than AES or any other modern encryption scheme.  As to whether the method should be used, I would strongly suggest no.  This is because AES is well studied by the best minds mankind has to offer.  We know with high confidence that it is secure.  It is also specifically designed to resist all known cryptanalytic attacks.  The method described in the OP is more akin to the Enigma Machine, which was completely demolished by early cryptanalytic attacks developed by people like Alan Turing.

If what you want is "security through obscurity", use the well studied methods for doing so.  Stenography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use stenography to hide it somewhere.  This is well studied as well, and if someone feels that obscurity adds an extra level of protection, that is the way to do it.
fpgaminer - this is a brilliant and clear answer. Thank you very much for explaining.

"I am not The Avenger"
1AthxGvreWbkmtTXed6EQfjXMXXdSG7dD6
cp1
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Stop using brainwallets


View Profile
September 23, 2013, 10:44:32 PM
 #26

This is far from the simplest, nor the most secure.  An offline or paper wallet are simpler and more secure.

I'm sure this could be brute forced some way.  The private key starts with 5, has a checksum, is exactly 64 characters long, etc.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0
fpgaminer
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
September 23, 2013, 10:51:35 PM
 #27

Quote
It seems it's too much to ask experts to spend a few minutes to explain something. I'm not pretending to be a genius, I'm not in the encryption field, I'm just trying to get an answer that makes sense.
I hope my explanation clears things up a bit.  If not, feel free to ask questions.  I did intend my reply to explain more than it chastises; though forgive me if any parts of it come off as chastising.

You probably shouldn't take the replies here as a good measure of this community.  The reason why, is that cryptography is hard, and it is very often that cryptographers and related engineers see developers come along thinking that they know better, but end up implementing something horrifying.  Since this is so common, the natural reaction to anyone cooking their own encryption is to, as you put it, bash them with clubs.  Sure, it's not ideal, but it's understandable.  Anyone with a modicum of knowledge in the field grows quickly jaded by all the horrific pseudo-crypto in the world.

The Avenger (OP)
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000



View Profile
September 23, 2013, 11:20:52 PM
Last edit: September 23, 2013, 11:36:05 PM by The Avenger
 #28

I hope my explanation clears things up a bit.  If not, feel free to ask questions.  I did intend my reply to explain more than it chastises; though forgive me if any parts of it come off as chastising.
There was nothing chastising about your explanation. It is probably the most scholarly and thoughtful message ever addressed to me on this forum. And I appreciate you taking the time to help me, I really do.

You probably shouldn't take the replies here as a good measure of this community.
75% of the replies to any thread on this forum are hideous. Nasty, bullying, unhelpful, misleading, unfounded and vicious. It makes me believe that 75% of the community are nasty, bullying, unhelpful, deceitful and vicious. It's hard to get a true measure of the community when this is what you see every day in every thread  Undecided

The reason why, is that cryptography is hard, and it is very often that cryptographers and related engineers see developers come along thinking that they know better, but end up implementing something horrifying.  Since this is so common, the natural reaction to anyone cooking their own encryption is to, as you put it, bash them with clubs.  Sure, it's not ideal, but it's understandable.  Anyone with a modicum of knowledge in the field grows quickly jaded by all the horrific pseudo-crypto in the world.
I studied hard subjects at university. And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out. I hope I'd be more like you, trying to explain the flaw in the logic or how to think about it differently, see it in a different way, clear up the confusion.

I'd given up trying and then your message answered all my questions. Thanks again fpgaminer. You are a decent person amongst many cavemen.

"I am not The Avenger"
1AthxGvreWbkmtTXed6EQfjXMXXdSG7dD6
fpgaminer
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
September 23, 2013, 11:51:02 PM
 #29

Quote
And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out.
Certainly, but a lot of fields don't involve quite the same risks that cryptography does; doubly so when the cryptography is being used to secure large sums of money.  No one is going to die from a bad theory about quantum gravity Tongue  Also, cryptography is one of those strange scientific fields where we can't formally prove much of our work*.  We can build "spherical cows" around the work, but that's about it (most of the time).  Really, our best tools are history, paranoid minds, and big scary clubs to fend off the NSA.

Because of those reasons, the problem of sophomorism will be more prevalent 'round cryptography.

The Avenger (OP)
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000



View Profile
September 24, 2013, 12:10:09 AM
 #30

Quote
And in the areas I am an expert, I would not stomp - like quite a few people did in this thread - on someone who obviously was not an expert, trying to figure something out.
Certainly, but a lot of fields don't involve quite the same risks that cryptography does; doubly so when the cryptography is being used to secure large sums of money.  
I'm going to horrify you here perhaps, but it's only money.

If people were dying, I'd stand for a lot more shouting and viciousness from doctors looking for medicine or to clamp a ruptured artery.

No one is going to die if some guy thinks he's got an interesting idea, which turns out not to be.

This forum went from a place of ideals and principles to what it is now because of money.

I respect your field - cryptography is VERY hard - I have no doubt about that.

And I'd say a lot of the people who make this forum unbearable are *not* cryptographers, just people interested in money. Making it or stealing it. You just have to look at the amount of scams in the Newbies section every day and the fact that it's allowed.

Anyway, I don't want to keep bumping this thread up to the top of the forum, as it may be "bothering" some people Wink

Best wishes

"I am not The Avenger"
1AthxGvreWbkmtTXed6EQfjXMXXdSG7dD6
calian
Sr. Member
****
Offline Offline

Activity: 354
Merit: 250



View Profile
September 24, 2013, 12:20:47 AM
 #31

Here's why I dislike your method in a practical sense. It makes the human do the work of a computer. Yes we're very bad at mentally generating true randomness. However we aren't so bad at memorization. Reciting a personal tune or poem composed of nonsense is way easier than running a string of characters through several steps of modifications before accessing your private key. Also this uses up brain power that is probably better spent making sure you don't do something stupid like paying an 80 BTC fee. http://blockchain.info/tx/258478e8b7a3b78301661e78b4f93a792af878b545442498065ab272eaacf035
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1079


Gerald Davis


View Profile
September 24, 2013, 12:27:50 AM
 #32

What you are asking others to do: create your own cryptographic function. This is closest to the worst thing to do here.

This  & /thread.

Asking a user to come up with a password with sufficient entropy is a challenge.  That is why key stretching should be used in any key derivation function.  Asking the end user to ignore trusted and peer-reviewed cryptographic systems and "roll his own" almost always ends in catastrophic failure.

It isn't difficult to come up with a cryptographic system that you (the creator) can't break.  It is very difficult to come up with a system which remains strong in the face of cryptanalysis.
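The key-stretching point above, as an added example that is not code from anyone in the thread: the same small key space is brute-forced once against a single SHA-256 and once against PBKDF2-HMAC-SHA256, and the measured per-guess cost is scaled to a 13.8-bit space (the size the obfuscation scheme is estimated at further down). The salt, the iteration count and the 2-byte secret encoding are assumptions chosen for the demonstration.

```python
"""Added example (not code from the thread): what key stretching buys when
the secret has little entropy.  A single SHA-256 and PBKDF2-HMAC-SHA256 are
attacked over the same small key space; the per-guess cost is then scaled
to a 13.8-bit key space."""
import hashlib
import hmac
import time

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
ITERATIONS = 200_000  # assumption: tune so one derivation takes ~100 ms


def fast_hash(secret: bytes) -> bytes:
    """Unstretched: one hash per guess, what a naive wallet might do."""
    return hashlib.sha256(SALT + secret).digest()


def stretched(secret: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretched: PBKDF2 makes every guess cost `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, iterations, dklen=32)


def keyspace(bits: int):
    """All 2**bits secrets, encoded as 2-byte big-endian integers (assumed)."""
    for i in range(2 ** bits):
        yield i.to_bytes(2, "big")


def brute_force(target: bytes, bits: int, derive):
    """Try every secret in the space; return (secret, guesses) or (None, guesses)."""
    guesses = 0
    for cand in keyspace(bits):
        guesses += 1
        if hmac.compare_digest(derive(cand), target):
            return cand, guesses
    return None, guesses


def expected_seconds(bits: float, seconds_per_guess: float) -> float:
    """Expected time to hit the right secret: half the space on average."""
    return 2 ** bits * seconds_per_guess / 2


def seconds_per_guess(derive, samples: int = 3) -> float:
    """Measure the cost of one derivation on this machine."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive(i.to_bytes(2, "big"))
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    secret = (777).to_bytes(2, "big")
    found, guesses = brute_force(fast_hash(secret), 10, fast_hash)
    print(f"unstretched: recovered {found == secret} after {guesses} guesses")
    for derive, label in ((fast_hash, "sha256"), (stretched, "pbkdf2")):
        per = seconds_per_guess(derive)
        print(f"{label}: {per:.2e} s/guess -> 13.8-bit space in "
              f"{expected_seconds(13.8, per):.1f} s")
```

Stretching does not add entropy: the attacker still needs the same number of guesses, and the full space is searched in both cases. It only raises the price of each guess, which is why it is a complement to, not a substitute for, a secret with enough entropy.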
fpgaminer
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
September 24, 2013, 03:49:03 AM
 #33

Quote
Asking a user to come up with a password with sufficient entropy is a challenge.  That is why key stretching should be used in any key derivative function.
On a related note, I know of a way to harden weak passwords well beyond what a KDF could do.  I might make a thread about it later.

Foxpup
Legendary
*
Online Online

Activity: 4340
Merit: 3042


Vile Vixen and Miss Bitcointalk 2021-2023


View Profile
September 24, 2013, 05:31:10 AM
Last edit: September 24, 2013, 06:14:38 AM by Foxpup
 #34

This scheme can easily be shown to be bogus just by calculating how much entropy each step adds to the "key":

1. Add/Subtract x to each number (e.g. +5)
Zero. x can be trivially derived by subtracting 5 mod 10 from the first digit of the obfuscated private key (since the first digit of the private key is known to be 5).

2. Shift characters along x places (e.g. +7)
Although it may appear at first glance that all values of x from 0 to 52 are equally likely, we know that only transpositions that put a number at the start are valid, and on average, there will be 9 possibilities.
log2(9)

3. Take a memorable name and swop first with last letter and add symbol to the first letter. So if your cat is called fluffy, you could replace every "F" with "y$". You could mix it up by having a personal rule to alternate the symbol with case, so F->y$ and f->y#
We only need to guess the first letter, since we know what the last letter is - it's the one with the symbol after it.
log2(52)

4. Replace a number with a line break (e.g. 4).
log2(10)

5. Transpose lines (e.g. 3 and 2)
log2(3)

Which gives us a grand total of log2(9) + log2(52) + log2(10) + log2(3) = 13.8 bits of entropy. Which is less than a password consisting of 3 lowercase letters. It can be bruteforced with a pencil and paper in only a few days!

Please leave designing cryptosystems to the experts, okay?

EDIT: Typo

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
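A worked version of the tally above, as an added example that is not the OP's scheme nor anyone's code from the thread: it models steps 1 and 2 of the quoted method (add x to every digit mod 10, then shift the whole string x places) on an uncompressed WIF private key, and recovers the key the way the tally says an attacker would, using only that the plaintext is 51 Base58 characters starting with "5" and carries a checksum. The private key is a constructed placeholder; `foxpup_estimate` just adds up the bits listed in the post.

```python
"""Added example: modelling steps 1 and 2 of the quoted obfuscation scheme
(digit shift, then rotate the string) on a WIF-encoded private key, and
recovering the key with the structural knowledge Foxpup's tally relies on.
The private key below is a constructed placeholder, not a real wallet key."""
import hashlib
from math import log2

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes encode as '1'
    return "1" * pad + out


def b58decode(s: str):
    """Return the decoded bytes, or None if s contains a non-Base58 character."""
    n = 0
    for c in s:
        if c not in B58:
            return None
        n = n * 58 + B58.index(c)
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def wif_uncompressed(privkey32: bytes) -> str:
    """Wallet Import Format: 0x80 || key || first 4 bytes of sha256d, in Base58."""
    payload = b"\x80" + privkey32
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_wif(s: str) -> bool:
    raw = b58decode(s)
    if raw is None or len(raw) != 37 or raw[0] != 0x80:
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


# --- the "obfuscation": steps 1 and 2 of the scheme quoted above ---------

def step1_digit_shift(s: str, x: int) -> str:
    """Add x to every digit, mod 10 (letters untouched)."""
    return "".join(str((int(c) + x) % 10) if c.isdigit() else c for c in s)


def step2_rotate(s: str, x: int) -> str:
    """Shift every character x places along (cyclic rotation)."""
    x %= len(s)
    return s[x:] + s[:x]


def obfuscate(wif: str, x1: int, x2: int) -> str:
    return step2_rotate(step1_digit_shift(wif, x1), x2)


def deobfuscate(obf: str, x1: int, x2: int) -> str:
    n = len(obf)
    return step1_digit_shift(step2_rotate(obf, (n - x2) % n), (10 - x1) % 10)


# --- the attack ----------------------------------------------------------

def recover(obf: str):
    """Attacker knows only the method and that an uncompressed WIF key is
    51 Base58 characters beginning with '5'.  Returns (key, checksums_tried)."""
    tried = 0
    n = len(obf)
    for x2 in range(n):
        first = step2_rotate(obf, (n - x2) % n)[0]
        if not first.isdigit():          # a valid rotation must put a digit first
            continue
        x1 = (int(first) - 5) % 10       # step 1 leaks x1 outright: no guessing
        cand = deobfuscate(obf, x1, x2)
        tried += 1
        if is_valid_wif(cand):           # the WIF checksum confirms the guess
            return cand, tried
    return None, tried


def foxpup_estimate() -> float:
    """The post's tally: step 1 contributes 0 bits, the others log2(choices)."""
    return round(sum(log2(c) for c in (9, 52, 10, 3)), 1)


SAMPLE_PRIVKEY = bytes(range(1, 33))          # constructed, not a real key
WIF = wif_uncompressed(SAMPLE_PRIVKEY)

if __name__ == "__main__":
    obf = obfuscate(WIF, 5, 7)
    key, tried = recover(obf)
    print(f"{WIF}\n{obf}\nrecovered={key == WIF} after {tried} checksum(s)")
    print(f"tally for all five steps: {foxpup_estimate()} bits")
```

Two things the run makes concrete: the attacker never guesses the digit shift at all, because the known leading "5" gives it away, and the built-in WIF checksum does the attacker's work of telling a right guess from a wrong one, so the remaining step costs at most one checksum per digit position in the string.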
mezzomix
Legendary
*
Offline Offline

Activity: 2618
Merit: 1252


View Profile
September 24, 2013, 05:56:29 AM
 #35

You know BIP 0038? The only thing that is missing is a bitaddress.org integration or a simple platform independent tool (like bitaddress.org) to encrypt/decrypt a key.
Meni Rosenfeld
Donator
Legendary
*
expert
Offline Offline

Activity: 2058
Merit: 1054



View Profile WWW
September 24, 2013, 07:30:59 AM
 #36

Stenography is a great example.  Encrypt your data with world class encryption schemes like AES, and then use stenography to hide it somewhere.
You mean "steganography". Stenography means transcribing in shorthand.

There's not a lot of entropy in your obfuscation process, so it can be brute-forced.
Okay. Can you explain in a few more sentences exactly what this means? I am genuinely interested to know if this system can be broken easily.
However unique you think your method is, there is always the chance the attacker will think the same as you. The only thing giving you a guarantee of security is true randomness. If you randomly choose one method out of 1000, there's no way the attacker will pick the same one as you by thinking like you, because you didn't choose by thinking, but by leaving it to chance. It is mathematically impossible to guess your method without 500 attempts on average.

"Entropy" is a measure of how much randomness there is in the process used to generate the method. (It is assumed the final choice is uniformly random among some options.) A process with x bits of entropy means there are 2^x different equally likely choices, and the attacker can't do any better than guessing until he finds the right one.

Foxpup gives an estimate for the amount of entropy in your process.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
coastermonger
Sr. Member
****
Offline Offline

Activity: 367
Merit: 250

Find me at Bitrated


View Profile
September 24, 2013, 10:04:20 AM
 #37

Let's imagine a challenge with 4 facts:

1.) There is a merchant out in the world who is offering something you want, (something truly amazing, like an Enzo Ferrari) for 1,000 BTC.

2.) Fortunately, I'm about to give you 1,000 BTC because I owe ya.

3.) Using a wallet of your design, your job is to create a new address to receive this bitcoin into your wallet, and then subsequently spend this bitcoin into the merchant's 3rd party address.  

4.) Unfortunately, the computer you are using is infected with undetectable and unremovable keylogging Malware and screencapture technology.  It's designed to immediately intercept and re-spend bitcoins to a thief's address.  You don't even know its infected.  In other words, as soon as the malware is able to see either your password or your private key, any funds in your wallet will immediately be stolen.

So how can you receive this bitcoin onto the computer's wallet and spend it again without the thief intercepting ANY of it?  AND without changing the current bitcoin protocol?

(Hint: easier than you think, don't spend too much time on it, I will reply with the correct solution in about 12 hours time.)

Bitrated user: Rees.
mezzomix
Legendary
*
Offline Offline

Activity: 2618
Merit: 1252


View Profile
September 24, 2013, 10:33:46 AM
 #38

If memory is not infected use no password at all and write a script to transfer the incoming BTC to the third party. If memory is infected as well you can pay the third party for me. If that is not an option everything is lost.
Geddi
Member
**
Offline Offline

Activity: 98
Merit: 10

It's the muffins that must be stopped.


View Profile
September 24, 2013, 11:35:43 AM
 #39

Let's imagine a challenge with 4 facts:

1.) There is a merchant out in the world who is offering something you want, (something truly amazing, like an Enzo Ferrari) for 1,000 BTC.

2.) Fortunately, I'm about to give you 1,000 BTC because I owe ya.

3.) Using a wallet of your design, your job is to create a new address to receive this bitcoin into your wallet, and then subsequently spend this bitcoin into the merchant's 3rd party address.  

4.) Unfortunately, the computer you are using is infected with undetectable and unremovable keylogging Malware and screencapture technology.  It's designed to immediately intercept and re-spend bitcoins to a thief's address.  You don't even know its infected.  In other words, as soon as the malware is able to see either your password or your private key, any funds in your wallet will immediately be stolen.

So how can you receive this bitcoin onto the computer's wallet and spend it again without the thief intercepting ANY of it?  AND without changing the current bitcoin protocol?

(Hint: easier than you think, don't spend too much time on it, I will reply with the correct solution in about 12 hours time.)

iirc it is possible to send the coins to me using a multisig transaction (CHECKMULTISIGVERIFY), requiring 2 signatures to spend them: Mine and the merchant's.
The malware only knows my key so it can't steal the(se) coins!
cp1
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Stop using brainwallets


View Profile
September 24, 2013, 02:31:53 PM
 #40

Secretly program your computer to use morse code via the caps lock key, so that screen capture is useless.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0