Bitcoin Forum
April 18, 2024, 01:49:48 PM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Protection against keyloggers
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Protection against keyloggers  (Read 1063 times)
beckspace (OP)
Hero Member
*****
Offline Offline

Activity: 931
Merit: 500


View Profile
October 11, 2011, 03:40:07 PM
Last edit: June 29, 2012, 05:51:39 AM by beckspace
 #1
Idea for online wallets, bitcoin client wallet encryption or 2-way authentication.

How my online bank prevents keyloggers from stealing the 6-digit PIN code:

[image removed]

Although this is just another step to access my account (tokens, etc.).

It's a virtual keyboard with two numbers for each "click". Ramdomly placed.

My thinking is that with enough length, any PIN code can be relatively safe, even on public computers, BUT, nobody wants to click a 24 characters passphrase at a virtual keyboard, so it has to be combined with another security measures:

6 or 8 numeric digit PIN-code plus passphrase field.

I wonder how many "screen captures" the attacker has to have to guess the PIN-code. Anyone care to make that odd calculation?


edit:

It doesn't work. Take the usual precautions: don't get compromised, use Unix, don't use public computers.
1713448188
Hero Member
*
Offline Offline

Posts: 1713448188

View Profile Personal Message (Offline)

Ignore
1713448188
1713448188
Reply with quote  #2
1713448188
Report to moderator
1713448188
Hero Member
*
Offline Offline

Posts: 1713448188

View Profile Personal Message (Offline)

Ignore
1713448188
1713448188
Reply with quote  #2
1713448188
Report to moderator
1713448188
Hero Member
*
Offline Offline

Posts: 1713448188

View Profile Personal Message (Offline)

Ignore
1713448188
1713448188
Reply with quote  #2
1713448188
Report to moderator
Every time a block is mined, a certain amount of BTC (called the subsidy) is created out of thin air and given to the miner. The subsidy halves every four years and will reach 0 in about 130 years.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1713448188
Hero Member
*
Offline Offline

Posts: 1713448188

View Profile Personal Message (Offline)

Ignore
1713448188
1713448188
Reply with quote  #2
1713448188
Report to moderator
1713448188
Hero Member
*
Offline Offline

Posts: 1713448188

View Profile Personal Message (Offline)

Ignore
1713448188
1713448188
Reply with quote  #2
1713448188
Report to moderator
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1136


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
October 11, 2011, 04:05:27 PM
 #2
For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN.  It's 2^n where n=length of PIN.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
nibor
Sr. Member
****
Offline Offline

Activity: 438
Merit: 291


View Profile
October 11, 2011, 09:13:21 PM
 #3
The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of get through.

Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of if off your computer.
So password needs to be much longer.
beckspace (OP)
Hero Member
*****
Offline Offline

Activity: 931
Merit: 500


View Profile
October 12, 2011, 01:04:53 AM
Last edit: October 12, 2011, 10:24:55 AM by beckspace
 #4
Quote from: casascius on October 11, 2011, 04:05:27 PM
For 6 digits, I would say that someone who knows what was clicked will have 64 possibilities, only 1 of which is the actual PIN.  It's 2^n where n=length of PIN.

Actually, I was asking how many sessions an attacker would have to log to be able to crack the PIN code exactly, with one or two chances, at max.

As a rough guess, a 6 PIN code can be cracked if an attacker has 10 - 30 sessions logged to study for patterns.

So, I think this idea don't work (a virtual keyboard with dual random numeric characters) well enough, because it will be only a matter of time...

Quote from: nibor on October 11, 2011, 09:13:21 PM
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of if off your computer.
So password needs to be much longer.

That's right, edited.

Quote from: nibor on October 11, 2011, 09:13:21 PM
The reason it works for your bank is that if you get it wrong 3 times they lock your account. So the criminal has little chance of get through.

And you have to go there in person to reactivate it. This idea won't even works for online wallets, since the semi anonymous feature is inherent in the bitcoin's system, unless you prefer to identify yourself (not so much of a concern for some folks).

Heavily edited the head of the original post. This only neither works well with physical banks (because of the "10-30 sessions logged pattern recognition" problem)!
vv01f
Sr. Member
****
Offline Offline

Activity: 314
Merit: 250


View Profile
October 12, 2011, 06:28:42 AM
 #5
The only way I can imagine a real protection:
Some external Hardware-Keyboard integrated with the App using kind of OTR (per session created keys for message-sending, similar to TLS in terms of website-security).

But that would be expensive to create (at least the hw-part).
Any other, perhaps "cheaply" achievable Ideas?
donations to me please send via bitcoin 1vvo1FDwSAwNdLVA1mFkM7v76XPZAAUfb
a good European exchange: bitcoin.de (ref-link)
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1072
Merit: 1174


View Profile WWW
October 12, 2011, 09:27:11 AM
 #6
Quote from: beckspace on October 12, 2011, 01:04:53 AM
Quote from: nibor on October 11, 2011, 09:13:21 PM
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of if off your computer.

The encryption mechanism in the bitcoin client uses key strengthening to make sure an attempt costs around 0.1s (on your own system). It's possible that the attacker has thousands of units of specialized hardware for cracking passwords, but in general he won't be able to take a million guesses a second.
I do Bitcoin stuff.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4158
Merit: 8382



View Profile WWW
October 12, 2011, 09:51:25 AM
 #7
Quote from: Pieter Wuille on October 12, 2011, 09:27:11 AM
Quote from: beckspace on October 12, 2011, 01:04:53 AM
Quote from: nibor on October 11, 2011, 09:13:21 PM
Problem with encrypting wallet is that the user can take millions of guesses a second if they have stolen a copy of if off your computer.
The encryption mechanism in the bitcoin client uses key strengthening to make sure an attempt costs around 0.1s (on your own system). It's possible that the attacker has thousands of units of specialized hardware for cracking passwords, but in general he won't be able to take a million guesses a second.

Still— the point remains, you can't get away with a six digit numeric pin here... Smiley
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Protection against keyloggers
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!