Bitcoin Forum
Author Topic: Somewhat clueless questions about the Electrum seed, and security in general  (Read 1103 times)
oda.krell (OP)
November 05, 2013, 01:57:55 PM
 #1

Hey.

I'm somewhere between "completely clueless" and "mildly informed" on this topic, so please forgive me if I get the terminology wrong or misunderstood something. That said, here's my question:

Electrum uses deterministic key generation, i.e. it derives my private keys "on demand" from the seed generated at the time of installation/wallet creation.

(Roughly) correct so far?

This key is stored *unencrypted* by default inside electrum.dat, but setting a transaction password will make electrum *encrypt* the seed. Correct?

Here's my question: say someone gets physical access to my computer. My HDD is not encrypted, so he will be able to receive a complete copy of all files on my computer.

The seed is encrypted with a 128 bit key, so assuming my password was chosen sufficiently random, the seed should be protected.

But what about the password itself? I realized I have no clue how the password is stored, and if it is a possible attack vector to retrieve the password, and with the help of it, retrieving the seed.

Can you explain how that approach is prevented (note that by "explain" I mean: a bit more technical than "Explain like I'm 5", but not with the full detail of "Explain like I'm an open source encryption software developer" :P)

Not sure which Bitcoin wallet you should use? Get Electrum!
Electrum is an open-source lightweight client: fast, user friendly, and 100% secure.
Download the source or executables for Windows/OSX/Linux/Android from, and only from, the official Electrum homepage.
al.matic
November 05, 2013, 02:24:08 PM
 #2

But what about the password itself? I realized I have no clue how the password is stored, and if it is a possible attack vector to retrieve the password, and with the help of it, retrieving the seed.

I don't think the password is stored anywhere. When you type the password Electrum derives the wallet encryption/decryption key directly from the password (it does not compare the password or its hash with anything).
ThomasV
November 05, 2013, 06:10:15 PM
 #3

The seed is 128 bits long (which is very strong, because it corresponds, in terms of brute-force iterations, to the strength of a 256-bit ECDSA public key, not to a 128-bit key).
The seed is encrypted with the user chosen password.

Whenever something needs to be signed (for example if you spend bitcoins), then the seed is temporarily decrypted with the user provided password.

Electrum: the convenience of a web wallet, without the risks
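
The scheme described in replies #2 and #3, sketched as an added example (not part of the thread and not Electrum's own code): the key is derived from the password, so the wallet file holds only salt, nonce, ciphertext and an integrity tag. PBKDF2, the HMAC-based stand-in cipher, the round count and all function names are assumptions chosen so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

KDF_ROUNDS = 200_000  # assumption: illustrative work factor, not Electrum's

def _derive_keys(password: str, salt: bytes):
    # Stretch the password into an encryption key and a MAC key (32 bytes each).
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, XORed with data.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_seed(seed: bytes, password: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor_keystream(enc_key, nonce, seed)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Stored on disk: salt | nonce | ciphertext | tag. No password, no password hash.
    return salt + nonce + ct + tag

def decrypt_seed(blob: bytes, password: str) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # A wrong password derives different keys, so the tag check fails.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted wallet file")
    return _xor_keystream(enc_key, nonce, ct)

if __name__ == "__main__":
    seed = os.urandom(16)  # constructed 128-bit seed, sample data only
    blob = encrypt_seed(seed, "correct horse battery staple")
    assert decrypt_seed(blob, "correct horse battery staple") == seed
    print("stored bytes:", blob.hex())
```

Anyone holding a copy of the file can still test password guesses offline, and each guess costs one full key derivation, so the password's strength and the work factor are the only protection for the seed at rest.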
oda.krell (OP)
November 05, 2013, 06:34:12 PM
 #4

Okay, I see. My misconception was that I assumed the user password had to be stored somewhere, when in reality, it is itself the key for decrypting the seed. D'oh.

In other words, someone gaining physical access to my (Electrum) files will gain no additional benefit over trying to brute force the user password directly.

fireduck
November 05, 2013, 07:20:14 PM
 #5

Okay, I see. My misconception was that I assumed the user password had to be stored somewhere, when in reality, it is itself the key for decrypting the seed. D'oh.

In other words, someone gaining physical access to my (Electrum) files will gain no additional benefit over trying to brute force the user password directly.

An attacker needs the seed.  If you are using a password their options are:

If they have physical access to your stuff:
- Read the piece of paper you probably have your seed words on

If they can run things on your computer (malware):
- Read the seed out of your computer's RAM when you type in your password
- Read the Electrum files off your drive and read your password when you type it
- Read the Electrum files off your drive and brute force your password


Bitrated user: fireduck.
bizz
November 05, 2013, 09:55:25 PM
 #6

Okay, I see. My misconception was that I assumed the user password had to be stored somewhere, when in reality, it is itself the key for decrypting the seed. D'oh.

In other words, someone gaining physical access to my (Electrum) files will gain no additional benefit over trying to brute force the user password directly.

If they can run things on your computer (malware):
- Read the seed out of your computer's RAM when you type in your password
- Read the Electrum files off your drive and read your password when you type it
- Read the Electrum files off your drive and brute force your password



To continue: if you create an offline Electrum system (http://electrum.org/tutorials.html#offline-mpk) you can remove those risks.