Bitcoin Forum
December 11, 2017, 07:17:44 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3] 4 »  All
  Print  
Author Topic: NoBrainr - a secure and transparent cold address generator in 1024 bytes  (Read 12345 times)
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 06, 2013, 08:06:05 AM
 #41

A 90-bit passphrase, *IF* randomly generated (as this script is doing), has
NEVER been cracked and it will most likely not be in our lifetimes.
Bitcoin has now done ~2^74 hash operations. I'm reasonably confident that it will do 2^90 of them in my lifetime, I am not confident that it will be the only 2^90 search.
Yes bitcoin has done 2^74 operations but at what total cost? In the tens or hundreds of millions USD, if I'm not mistaken.  

Quote
Also the workfactor to break one of your 90 bit keys is less than 2^90 the moment two of your keys have been used... If your scheme were widely used, it would be much easier to find one at random. It may also turn out that your RNG is less uniform than believed and after careful analysis doesn't require a 2^90 search to match even a single key.

The script is feeding straight from /dev/urandom (SystemRandom in python). That's easy to verify from the 25-line source code. Smiley  It will also support another randomness method that totally bypasses the OS provided RNG, which should cater to the most paranoid amongst us...


Quote
In general symmetric cryptography applications 128 bits has arisen as a general standard. Is 128 meaningfully better than 90?  Is it meaningfully better than 120? Meaningfully better than 65?  Part of the purpose of having a standard size is so that you don't have to constantly engage in a complicated tradeoff discussion: you just demand that everything is 128 bits.


The objective of this tool is to provide keys that can be remembered by a normal human being and can't be cracked easily. 2^90 achieves this, which is also the view that many password strength experts hold (eg: agilebits, diceware, Schneier, us gov internal recommendations, etc)

Also as stated earlier, just changing one digit in the code makes it generate much stronger passphrases, if required for whatever reason or belief.

Quote
Your scheme also only generates a single address, so users are stuck reusing it, compromising their privacy.

This is a well-known brainwallet limitation that affects all commonly used brainwallet generators (bitaddress, brainwallet.org, etc). This is why it is recommended to use a brainwallet address only once (just like any other bitcoin address, really). At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys, compared to the 30 to 40 bit (song lyrics, poems, etc) that many people use to generate their brainwallets on those sites. The slightly confusing thing with the "brainwallet" moniker is that it is actually just one address, so not a wallet in the regular bitcoin-client sense.

This is part of the reasons that only advanced users should even consider using brainwallets, and only after researching them properly.

Quote

Is 128 bits more to memorize than 90? Yes. But relying on memorizing keys which can never be recovered via any other means is already skating on thin ice. People are used to it being possible to recover access if you forget— though sometimes with great effort. Crypto is different. Memory is just reliable enough for its unreliability to be surprising, especially since you don't remember all that you've forgotten by definition.

Of course, once you're up to that size you could just use the scheme electrum uses (or the one that it will use). Of course, the implementation isn't 1024 bytes— but neither is yours: The dictionary is an utterly essential part of the implementation.


Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative. This can make all the difference for non-developers or anyone who doesn't have days to waste just to make sure nothing malicious is going on in the source code.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
1513019864
Hero Member
*
Offline Offline

Posts: 1513019864

View Profile Personal Message (Offline)

Ignore
1513019864
Reply with quote  #2

1513019864
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 06, 2013, 12:02:25 PM
 #42

Just a little example to help measure and understand the safety of a 7-word NoBrainr brainwallet more intuitively:

consider a random 15-character password with upper case, lower case, and digits.
For instance:  uhTmb41M5k9ijWr

this is 89-bit strong (but hard to remember): log((26+26+10)^15,2) == 89.31294465580312
(2^89 = 7.82 x 10^26)

Test it at:
https://www.grc.com/haystack.htm

Quote
Time required by Massively Cracking Array Scenario:
 (Assuming one hundred trillion guesses per second)   
-> 2.48 thousand centuries


At 90 bits, any 7-word NoBrainr brainwallet is at least as safe:
 log(7776^7,2) == 90.47368752524046

Code:
1LGHodpRUXaE4q3Z3LiHSU8TT7czxsxccc == salt dorm reduce fab! truck kind pi!

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
whiskers75
Hero Member
*****
Offline Offline

Activity: 658


Doesn't use these forums that often.


View Profile
November 07, 2013, 07:02:04 PM
 #43

Could someone with a Raspberry Pi try it out and let me know if it works fine? That would be great.
Code:
whiskers75@WhiskPi ~$ python NoBrainr.py
13PVpJfC1umtPybToQdPbAx81ayqLgzxbU == gnaws smoke amount styx stem spam sews
Wink

Elastic.pw Elastic - The Decentralized Supercomputer
ELASTIC ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 07, 2013, 08:18:34 PM
 #44

Could someone with a Raspberry Pi try it out and let me know if it works fine? That would be great.
Code:
whiskers75@WhiskPi ~$ python NoBrainr.py
13PVpJfC1umtPybToQdPbAx81ayqLgzxbU == gnaws smoke amount styx stem spam sews
Wink

Great news! Thanks for trying it Smiley

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 07, 2013, 08:33:04 PM
 #45

OK, version 1.052 is out, which has a much-improved dictionary (again!) and adds support for one of the cheapest forms of physical randomness available: dice!   This is the simplest way to apply the diceware method to bitcoin address generation and be totally free of any potentially backdoored RNG.

Required equipment: Six Five regular dice. Or, just one, but five is much more fun, really Smiley

To generate a secure storage address using dice, simply throw them and record the result on the NoBrainr command line as shown below. 5 throws yield a word. Example of a 90-bit strong (seven words) address generated by throwing dice:

Code:
07/11/2013 15:29:32.27> nb_create 35412 13263 66533 45163 13165 41255 62216
18FmQmp5EezkXUv22ZY2PeCpsdAuN1aGV1 == knobs bands future pens bacon aliens unix

Another example: this one's a ridiculously strong 130-bit (10 words) address:

Code:
Thu 11/07/2013 21:36:21.37> nb_create 23541 25631 55422 25321 56411 53151 42323 55221 16246 52131
1FkDV5eRKsoaQfbtb32rfsLLoTWZ1BWjff == duly flop store fennel tear seems mixes 789 ssd roomy

Enjoy!

It would be nice if somebody could make a little video tutorial, or blog post out of this at some point Wink

PS: GPG signatures coming soon.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
dserrano5
Legendary
*
Offline Offline

Activity: 1848



View Profile
November 08, 2013, 08:50:44 AM
 #46

I know one of NoBrainr's selling points is its reduced size, however: is there any chance to get BIP38 encryption into the mix? Being able to generate an encrypted privkey from real life entropy would be really nice. Right now bitaddress.org doesn't support encrypting arbitrary keys so we can't generate a key with NoBrainr and feed it to ba.org to encrypt it.

RoxxR
Full Member
***
Offline Offline

Activity: 180


View Profile
November 09, 2013, 09:06:35 AM
 #47

Any chance you could release a commented version of the script? Would be great for educational purposes.
gmaxwell
Moderator
Legendary
*
qt
Offline Offline

Activity: 2366



View Profile
November 09, 2013, 04:25:36 PM
 #48

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.
Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.

Quote
This is a well-known brainwallet limitation that affects all commonly used brainwallet generators [...] At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys
Electrum provides a whole wallet, and an easily memorable, strongly generated, 128 bit key which also has strengthening to help preserve security even if someone shoulder surfs the key.  Electrum has an enormous number of users.

Bitcoin will not be compromised
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 10, 2013, 11:43:49 AM
 #49

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.
Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.
Mersenne Twister? That was definitely a pretty poor choice for a cryptographic RNG...
Are you aware of any flaws with python's randrange?  Electrum is using it too, IIRC.
EDIT: Electrum seems to be using the ecdsa randrange.

Quote
Quote
This is a well-known brainwallet limitation that affects all commonly used brainwallet generators [...] At least NoBrainr provides random generation for brainwallets, which the other approaches don't, and provides strong 90-bit + keys
Electrum provides a whole wallet, and an easily memorable, strongly generated, 128 bit key which also has strengthening to help preserve security even if someone shoulder surfs the key.  Electrum has an enormous number of users.

Certainly Electrum is a great client, but the latest versions have been a little unstable, the codebase is growing at fast rate and hard to constantly review, and wallets generated with it unfortunately can't be  
used in other clients (yet.)  That said, of course I'm not claiming that NoBrainr can compete with a full-fledged client.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 10, 2013, 12:00:07 PM
 #50

I know one of NoBrainr's selling points is its reduced size, however: is there any chance to get BIP38 encryption into the mix? Being able to generate an encrypted privkey from real life entropy would be really nice. Right now bitaddress.org doesn't support encrypting arbitrary keys so we can't generate a key with NoBrainr and feed it to ba.org to encrypt it.

The BIP38 spec is still not final and has been reported to be a little flaky on slower devices.
We have no plans to implement this right now, although it certainly has a lot of potential.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 16, 2013, 07:50:30 AM
 #51

Of course the dictionary is essential, but the point is that 1024 bytes / 25 lines of code makes NoBrainr orders of magnitude easier to audit and review, compared to any other alternative.
Not so, it just means that the security is outsourced.  E.g. your security depends on python randrange doing the right thing. Look how well that worked out for that PHP bitcoin shopping cart interface package.
Mersenne Twister? That was definitely a pretty poor choice for a cryptographic RNG...
Are you aware of any flaws with python's randrange?

I'm not aware of any flaws with python's randrange. But I haven't reviewed the code for it, either. I'd say it's misleading to say that there are only 25 lines of code to review.


Yes, of course all applications re-use existing code to a certain extent. Perhaps I should have said 25 "unique" or "non-library" lines of code.

That said, I don't think there are many open-source projects that receive more expert scrutiny than Python, and especially its security related libraries. I for one consider it even more trustable and robust than any major web browser.

Also, there's a new bounty program that gives you nice rewards (starting at USD 5000, IIRC) for finding a security bug anywhere in Python (and reporting it responsibly.)

Quote
I'm still looking for something really simple that runs on stock ubuntu and can give me a private key in WIF format and a public address, given a sha256 hash.

So far it looks like bitaddress.org in offline mode is going to be the best I can do.

I'm surprised you couldn't find any such tools. I thought I'd seen some on this forum. Actually, this should be rather quick to cook up in a few lines of Python as well. I guess it would take me a day or two to do it, if you're ok with the ecdsa dependency - it's much smaller than the bitaddress source code anyway.  

[EDIT] Just some additional info on the python ecdsa library that we are using:
  it is part of the official python repository,
  it is maintained by a non-anonymous Mozilla engineer
  it is getting close to 200,000 downloads per month
  it is extensively used by Electrum
  it is very small
  
[EDIT2] Check out the hexwif script by bkkcoins on github. It's just 10 lines and has no dependencies, but only outputs the WIF - for the bitcoin address you would still need to use ecdsa.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
Financisto
Hero Member
*****
Offline Offline

Activity: 552

0=m


View Profile WWW
November 17, 2013, 11:12:29 PM
 #52

Nice app.

Congratulations!

Just posted an idea here https://bitcointalk.org/index.php?topic=251037.msg3526933#msg3526933 that might give you (or anyone else) some additional insights!  Roll Eyes

Keep up the good work in order to provide security enhancement to brainwallets.

BTC BitcoinTalk's Escrow Providers: Ranking & Blacklist BTC Brainwallet & Paper Wallet projects BTC If you think privacy matters, please help keeping these projects alive (donating some coins): Tor BTC Tails BTC Qubes OS BTC Whonix BTC ProtonMail BTC Tutanota BTC VeraCrypt BTC PrivacyTools.io BTC
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 18, 2013, 07:25:04 AM
 #53

Nice app.

Congratulations!

Just posted an idea here https://bitcointalk.org/index.php?topic=251037.msg3526933#msg3526933 that might give you (or anyone else) some additional insights!  Roll Eyes

Keep up the good work in order to provide security enhancement to brainwallets.

Thanks, we'll check it out.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 19, 2013, 11:47:57 PM
 #54

New release of NoBrainr: 1.07

Main changes:
 - improved handling of "leading 1s" in bitcoin addresses
 - removed *tons* of obscure words from dictionary


GPG sig for Windows executable:

Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQBSi/7m0dQqIfkZdf4RAsxhAJ4gvGNpwo3p0ym9Sg0byML1aP9KDgCePFLq
FAAM1SPBdnsYAkQPkiX6TO8=
=6JDj
-----END PGP SIGNATURE-----

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
Dabs
Staff
Legendary
*
Offline Offline

Activity: 1890



View Profile
November 20, 2013, 02:48:09 AM
 #55

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 20, 2013, 08:18:02 PM
 #56

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
flatfly
Legendary
*
Offline Offline

Activity: 1008


View Profile
November 20, 2013, 09:04:12 PM
 #57

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  


Shouldn't this sort of application be using /dev/random rather than /dev/urandom?

It's a good question, and one which I've actually researched quite a bit. I won't elaborate on this too much right now, but the short answer is no - it doesn't make a difference in practice, at least for this tool.

1111127SpvabYpoeDoiz5L7QPkfiSh2Q. Only donate if you have a reason to.
moderate
Member
**
Offline Offline

Activity: 70

nearly dead


View Profile
November 20, 2013, 09:50:28 PM
 #58

Suggestions:

1. Have it print or save the private key in WIF format as well, as an option.
2. Make it generate compressed keys (private keys begin with letter L or letter K instead of number 5.)

If size is a problem (to fit in 30 lines), make it a separate app?

Great suggestions. We'll look into that - or anyone can contribute a patch, of course.

Also you may want to have a look at Urandom2Wif - it has a small WIF format function (courtesy of JeromeS), which could very easily be added to NoBrainr:
 https://bitcointalk.org/index.php?topic=338219.0  


Shouldn't this sort of application be using /dev/random rather than /dev/urandom?

It's a good question, and one which I've actually researched quite a bit. I won't elaborate on this too much right now, but the short answer is no - it doesn't make a difference in practice, at least for this tool.

You might not want to elaborate too much, but at least elaborate a little then.

I will start it. urandom may reuse the entropy pool or whatever else a specific OS might want to do to ensure a call to that never blocks. Why do you say it doesn't make a difference when compared to /dev/random which doesn't reuse the pool and is thus considered safer for crypto purposes ?
Dabs
Staff
Legendary
*
Offline Offline

Activity: 1890



View Profile
November 21, 2013, 01:17:17 AM
 #59

I'm guessing, this should be run offline. When you turn off the offline computer immediately after generating the cold wallet address, then how much does the reuse of entropy pool matter?

Let it run a few hundred times, pick one or two in the middle and use those.

I still prefer the compressed private key shown in WIF (with corresponding compressed public key or bitcoin address.)

Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
moderate
Member
**
Offline Offline

Activity: 70

nearly dead


View Profile
November 21, 2013, 01:37:47 AM
 #60

When you turn off the offline computer immediately after generating the cold wallet address, then how much does the reuse of entropy pool matter?

That has no meaning whatsoever.
Pages: « 1 2 [3] 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!