NXT Coin Security

[Eadeqa]

How is weak security a "feature"?
It is made on purpose.

That's bad design.  It should have been at least 80 bits. That  would have made bruteforce 65 thousand times slower.  

What site? NXT is decentralized, there is no official site for it.

No, there is "official" site where you can download the official software/client. The network is decentralized.

Have you any math for how fast it can be done? Or are your words a fantasy?

No, it's not a fantasy. 64-bit is 2^64 and that is not a strong enough number in 2014 against brute force -- especially where off line attacks is possible (like wifi password or truecrypt container).  64-bit is good for online accounts (like gmail) where brute force is detectable.


Instead of idiotically defending it, you should demand that Nxt developers increase the security to 128-bits

[1715660096]

1715660096

[1715660096]

1715660096

[Eadeqa]

What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now.  but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.

Really?

How on earth would you know if these are "lost" coins and not someone coins who has been saving them for say his grand kids?

[opticalcarrier]

What you fail to understand is that in order to brute force an unsecured account requires not only SHA asics, but also curve ASICS, which there are none of now.  but like as has been stated many times for you already here, this is intentional; to allow 'mining' of lost NXT in the future.

Really?

How on earth would you know if these are "lost" coins and not someone coins who has been saving them for say his grand kids?

RIF.  Ill repeat it since you didnt get it the first time

...We are actively trying to educate people of the risk of not having any transaction associated with an account....

so just dont let it sit like that

[Eadeqa]

...We are actively trying to educate people of the risk of not having any transaction associated with an account....
so just dont let it sit like that

If you are doing it actively, then good, but I found out about it only in this thread. I have been to official site. Saw nothing about it on main page or in their forum.

[starik69]

I have been to official site.

Why we have to repeat you simple things? There is no official site.

No, it's not a fantasy. 64-bit is 2^64 and that is not a strong enough number in 2014 against brute force -- especially where off line attacks is possible (like wifi password or truecrypt container).  64-bit is good for online accounts (like gmail) where brute force is detectable.

Sorry, you provided no math, only fantasies.

[Eadeqa]

There is official site where you download the official softwares from the developer.

If you don't understand that  2 ^64  is small number for 2014 security demands,  then you need  more help than I can offer

[Eadeqa]

n/a

[starik69]

There is official site where you download the official softwares from the developer.

It is this site - BTT, but here is not official site, only official thread.

If you don't understand that  2 ^64  is small number for 2014 security demands,  then you need  more help than I can offer

If you cannot prove your words with math then they are bs.

[Come-from-Beyond]

There is official site where you download the official softwares from the developer.

If you don't understand that  2 ^64  is small number for 2014 security demands,  then you need  more help than I can offer

This proves that 2^64 is safe - http://en.wikipedia.org/wiki/Wheat_and_chessboard_problem

Now, prove me wrong.

[Zahlen]

A custom built machine can break all these unused accounts with money in it (but have never been used to send transactions) with a week  

Show us the math.

64-bit is only 8 times stronger than 56-bit.

256 times.

It''s irrelevant whether algorithm is DES or BBC or NBC or ZZZ ... the attack is brute force.  

It is relevant. To estimate the amount of time needed to compute something, you don't simply estimate the number of operations (2^64). You also estimate the time needed per operation. Show us your estimates.

You make a claim, that

If you don't understand that  2 ^64  is small number for 2014 security demands,  then you need  more help than I can offer

The burden of proof of that claim lies with you.

Earlier Jean-Luc posted an estimate of 8000 per second based on his Java van-gen. (Sorry, I don't have the post handy to quote). But that's a bad estimate, an attacker is not going to be generating addresses using Java! In practice, it will be much higher.


A lot of what's in the protocol seems dangerous for casual users. That's how I felt at first too. But as I understand it now, the design philosophy is to keep the protocol clean. Protections are then placed at the client level instead, to prevent people from screwing things up. I've been helping with some of these (e.g. future account numbers will have a different format, with error detection and correction). It's just at the current stage of dev, folks aren't seeing all these client-level protections yet.

Ultimately, the purpose of only 64bit protection for accounts without outgoing transaction is to allow nxt owned by folks who got in early, but don't have any real interest in it (e.g. they just saw it as another free crypto being given out in a giveaway thread) to be recovered in future, rather than forever be inaccessible. There's still plenty of time (imo, even months is plenty of time) for folks to secure their accounts before their nxt is at any real risk.

Someone might just invest a few thousand dollars, never send a transactions, and that account then is open to brute forcing 64-bit

Yeah, that's an additional risk one would have to accept, if one invested without doing their homework. It used to be clear that this is beta software with a lot of risks, but I think the marketing side has gained a lot of steam lately. But we're not trying to scam people. This is an unfortunate side-effect of our decentralized organization (which again should be clear to anyone who did their homework before buying in).

...We are actively trying to educate people of the risk of not having any transaction associated with an account....
so just dont let it sit like that

If you are doing it actively, then good, but I found out about it only in this thread. I have been to official site. Saw nothing about it on main page or in their forum.

I've been writing wiki pages on how to verify the SHA256 checksum and how to choose secure password. IMO these are greater priority that 64 bit address collisions, since nxt has been stolen due to spoofed clients and insecure passwords, but I've not heard any report of nxt lost to address collision.

My time and energy are limited (and I haven't received a single nxt for my work so far). Personally, I've found the education about this sufficient (in proportion to the risk). I've also found it to be not a big deal yet. I let my (at the time) ~250 USD worth of nxt sit for many weeks in an unprotected account, with full knowledge of the situation and consequences, before I registered an alias and secured it.

If you feel that this issue needs more attention, you could help us by editing the wiki, or telling the webmasters, increasing awareness of this issue through other means

[Eadeqa]

There is official site where you download the official softwares from the developer.

If you don't understand that  2 ^64  is small number for 2014 security demands,  then you need  more help than I can offer

This proves that 2^64 is safe - http://en.wikipedia.org/wiki/Wheat_and_chessboard_problem

Now, prove me wrong.

 64-bit is not considered secure.  56 bit DES was broken in 22 hours in 1999. 64-bit would be 256 times stronger but we are in 2014 now

I agree that it depends on how fast curve25519 can be performed. SHA 2 has specialized ASIC hardware due to bitcoin mining popularity so the bottleneck would be curve25519.

If it was just SHA2, this thing

http://www.butterflylabs.com/monarch/

would break every single unused account in database in less than one year

curve25519 part will slow this down, and I don't know how fast curve25519 is on GPUs/CPUs

[opticalcarrier]

Ive actually put in a feature request to the NXT devs to print a warning upon opening an acct that doesnt have a public key associated with it.  There are already some other similar operations in the source code that do similar things upon opening an account, so this wont be too complex to get put in.

[Come-from-Beyond]

64-bit is not considered secure.

It's still secure enough for a couple of years. This was the point - to use security that could be broken in foreseeable future.

[Zahlen]

Eadeqa, you have not answered this:

It''s irrelevant whether algorithm is DES or BBC or NBC or ZZZ ... the attack is brute force.  

It is relevant. To estimate the amount of time needed to compute something, you don't simply estimate the number of operations (2^64). You also estimate the time needed per operation. Show us your estimates.

As you said:

I agree that it depends on how fast curve25519 can be performed.

If you want to make the case that unprotected account numbers will be broken soon (sooner than what we think), you should provide estimates of this. i.e. how fast hardware accelerators will reach the market, how fast will they grow fast (pardon the pun). There is currently little economic incentive in this, only a fraction of the total ~70 mil USD worth of nxt is unprotected. Compare that to the huge numbers of people doing bitcoin mining and propping up the SHA256 ASIC manufacturers.

[Brangdon]

Ive actually put in a feature request to the NXT devs to print a warning upon opening an acct that doesnt have a public key associated with it.  There are already some other similar operations in the source code that do similar things upon opening an account, so this wont be too complex to get put in.

I just got that warning, and eventually found this thread explaining it. It seems to make creating an account more complex. You can't just create it and send a ton of money to it. You have to:

• Create the account.
• Send a small amount of money to it, that you wouldn't mind losing.
• Wait for it to confirm so you can spend it.
• Spend it.
• Send the rest of the money to it, like you wanted to do in the first place.
  

Five steps instead of one, plus it costs you a transaction fee. Is that intentional? Do you not want it to be free to start using NXT securely? If it were free, then clients could register the public key automatically without bothering the user.

Incidentally, one of the nice features of Bitcoin is that sending coins to an address does not reveal that address's public key. Only spending from it does. Where-as with NXT, every account's public key is known. It's a tiny bit less secure; or will be, if anyone ever cracks elliptical curve cryptography (as with the legendary quantum computer). I guess you aren't worried about it, but to me it does seem like a small step backwards.

[EvilDave]

Brangdon:

First of all, welcome to NXT, mate.

Second, this is Grandmas thread, last post was at the end of Jan and some things have changed since then, particularly now that NXT has 2 really good, much more secure clients available.

Have a look at NXT's new forum:
https://nxtforum.org/index.php

and take a look at the NXT clients section.

[Eadeqa]

• Create the account.
• Send a small amount of money to it, that you wouldn't mind losing.
• Wait for it to confirm so you can spend it.
• Spend it.
• Send the rest of the money to it, like you wanted to do in the first place.
  

You can skip step 2, 3, 4, and add step 6 "create an alias". Cracking a single 64-bit account still takes a long time (300  years with 1 billion searches per second)  so it's not as if your account will be in danger of getting cracked after 1 minute of confirmation wait. 

[Brangdon]

You can skip step 2, 3, 4, and add step 6 "create an alias".

Creating an alias is what I did in step 4. It charged me a 1 NXT fee, so surely I had to transfer some money in first?

[achimsmile]

You can skip step 2, 3, 4, and add step 6 "create an alias".

Creating an alias is what I did in step 4. It charged me a 1 NXT fee, so surely I had to transfer some money in first?

1. Create account
2. Fund it
3. spend anything (atm 1NXT minimum)

done

no need to partially send funds