Bitcoin Forum
December 15, 2018, 05:35:00 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Bitcoin seed mnemonic one-time pad tool  (Read 129 times)
brndnmtthws
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 06, 2018, 01:47:55 PM
Merited by DarkStar_ (5), NeuroticFish (1), ETFbitcoin (1)
 #1

I posted this in an old thread, but the post got deleted. I guess the mods didn't appreciate me digging up on old thread Cheesy.

Anyway, I created a Python tool for using a one-time pad for seed phrase storage:

https://github.com/brndnmtthws/seed-otp

There's a fairly detailed discussion of the pros/cons of using this on the github readme.

I hope someone finds it useful!
1544895300
Hero Member
*
Offline Offline

Posts: 1544895300

View Profile Personal Message (Offline)

Ignore
1544895300
Reply with quote  #2

1544895300
Report to moderator
1544895300
Hero Member
*
Offline Offline

Posts: 1544895300

View Profile Personal Message (Offline)

Ignore
1544895300
Reply with quote  #2

1544895300
Report to moderator
1544895300
Hero Member
*
Offline Offline

Posts: 1544895300

View Profile Personal Message (Offline)

Ignore
1544895300
Reply with quote  #2

1544895300
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
ETFbitcoin
Legendary
*
Offline Offline

Activity: 1526
Merit: 1345

Use SegWit and enjoy lower fees


View Profile WWW
December 06, 2018, 05:35:24 PM
 #2

Interesting idea, even though BIP39 already have optional encryption. But IMO this only change the problem since you need to keep your OTP secure.
If i were to use your software, i'd encrypt the OTP with my own passphrase that i could remember and store it together with encrypted words.

Your readme.md is very neat BTW Smiley

I posted this in an old thread, but the post got deleted. I guess the mods didn't appreciate me digging up on old thread Cheesy.

It's against forum rules, unless there's good reason to do it.

NeuroticFish
Legendary
*
Offline Offline

Activity: 1694
Merit: 1110


The real one is http://bitcoin.ORG


View Profile
December 06, 2018, 08:53:55 PM
 #3

One minus I see is that the user has to store safely a string like AAwCnwGIAe0EWABWAI4AkAMjAFQBLgZjB1T1PJtz too. This is not that far from safekeeping a private key and you risk - then your trezor breaks (I didn't forget the use case) - that you don't remember what this AAwCnwGIAe0EWABWAI4AkAMjAFQBLgZjB1T1PJtz was for.

One plus is that one can safely keep the new seed at hand because it will not work with Trezor, Electrum or whatever.

I also have to say something about the word lists:

1. Keep one word list. If somebody will try to use a non-standard 65535 word list and will forget after some years what he used you may have some odd sort of bug reports there.
2. Keep one country. People will forget they've used this or that. Even worse, some will use incorrect files and will lose diacritics or other special characters and won't remember what they have to do to fix.

My mother tongue is not English, but on computers I stick to English because it reduce the chances for headaches.

.BITSLER.                 ▄███
               ▄████▀
             ▄████▀
           ▄████▀  ▄██▄
         ▄████▀    ▀████▄
       ▄████▀        ▀████▄
     ▄████▀            ▀████▄
   ▄████▀                ▀████▄
 ▄████▀ ▄████▄      ▄████▄ ▀████▄
█████   ██████      ██████   █████
 ▀████▄ ▀████▀      ▀████▀ ▄████▀
   ▀████▄                ▄████▀
     ▀████▄            ▄████▀
       ▀████▄        ▄████▀
         ▀████▄    ▄████▀
           ▀████▄▄████▀
             ▀██████▀
               ▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄            
▄▄▄▄▀▀▀▀    ▄▄█▄▄ ▀▀▄         
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄      
█  ▀▄▄  ▀█▀▀ ▄      ▀████   ▀▀▄   
█ █▄  ▀▄   ▀████       ▀▀ ▄██▄ ▀▀▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█  ▀▀       ▀▄▄ ▀████      ▄▄▄▀▀▀  █
█            ▄ ▀▄    ▄▄▄▀▀▀   ▄▄  █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
█ ▄▄   ███   ▀██  █           ▀▀  █ 
█ ███  ▀██       █        ▄▄      █ 
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
▀▄            █        ▀▀      █  
▀▀▄   ███▄  █   ▄▄          █   
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀    
▀▀▄   █   ▀▀▄▄▄▀▀▀         
▄▄▄▄▄▄▄▄▄▄▄█▄▄▀▀▀▀              
              ▄▄▄██████▄▄▄
          ▄▄████████████████▄▄
        ▄██████▀▀▀▀▀▀▀▀▀▀██████▄
▄     ▄█████▀             ▀█████▄
██▄▄ █████▀                ▀█████
 ████████            ▄██      █████
  ████████▄         ███▀       ████▄
  █████████▀▀     ▄███▀        █████
   █▀▀▀          █████         █████
     ▄▄▄         ████          █████
   █████          ▀▀           ████▀
    █████                     █████
     █████▄                 ▄█████
      ▀█████▄             ▄█████▀
        ▀██████▄▄▄▄▄▄▄▄▄▄██████▀
          ▀▀████████████████▀▀
              ▀▀▀██████▀▀▀
            ▄▄▄███████▄▄▄
         ▄█▀▀▀ ▄▄▄▄▄▄▄ ▀▀▀█▄
       █▀▀ ▄█████████████▄ ▀▀█
     █▀▀ ███████████████████ ▀▀█
    █▀ ███████████████████████ ▀█
   █▀ ███████████████▀▀ ███████ ▀█
 ▄█▀ ██████████████▀      ▀█████ ▀█▄
███ ███████████▀▀            ▀▀██ ███
███ ███████▀▀                     ███
███ ▀▀▀▀                          ███
▀██▄                             ▄██▀
  ▀█▄                            ▀▀
    █▄       █▄▄▄▄▄▄▄▄▄█
     █▄      ▀█████████▀
      ▀█▄      ▀▀▀▀▀▀▀
        ▀▀█▄▄  ▄▄▄
            ▀▀█████
[]
brndnmtthws
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 07, 2018, 12:56:49 PM
 #4

Interesting idea, even though BIP39 already have optional encryption. But IMO this only change the problem since you need to keep your OTP secure.
If i were to use your software, i'd encrypt the OTP with my own passphrase that i could remember and store it together with encrypted words.

Your readme.md is very neat BTW Smiley

I posted this in an old thread, but the post got deleted. I guess the mods didn't appreciate me digging up on old thread Cheesy.

It's against forum rules, unless there's good reason to do it.

I don't think any of the wallet vendors implement the encryption part, AFAIK. But yes, you would have to store the key somewhere. You could actually write it down on paper as well, but that defeats the purpose. The point is to store the key and the seed differently, making it rather difficult to get both (or infer any information about the other).
hatshepsut93
Hero Member
*****
Online Online

Activity: 994
Merit: 607


Vires in numeris


View Profile
December 07, 2018, 06:23:41 PM
 #5

You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.

brndnmtthws
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 07, 2018, 11:56:22 PM
 #6

You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.
hatshepsut93
Hero Member
*****
Online Online

Activity: 994
Merit: 607


Vires in numeris


View Profile
December 08, 2018, 12:39:24 AM
 #7

You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.

It actually wouldn't make any difference, since decryption is just addition modulo 2048 and both parts are of the same length, so ciphertext + key and key + ciphertext both yield the plaintext.

Also, the cool side effect is that you can use both the key and the ciphertext as some sort of decoy wallets. Providing you have copies and backups, you can give them up to physical attackers to lose only a fraction of your coins.

MagicByt3
Member
**
Offline Offline

Activity: 112
Merit: 25

Ten Zehn Dix 十 दस


View Profile
December 08, 2018, 12:55:31 AM
 #8

Looks good but I would have to warn users to read this before installing anything in PyPi...

There has been a massive malware push with repos from PyPi..

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/


I don't need Legendary status.   I'm already Legendary!
Blessed is the man who finds wisdom..
brndnmtthws
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 08, 2018, 01:56:26 AM
 #9

You can take it one step further and convert both one-time pad and the resulting ciphertext into the same mnemonic format as the original seed. This will allow users to enjoy the benefits of mnemonic format - ability to memorize it, being easy to write down on paper and easy to transfer from paper back to computer.
That's a cool idea, I hadn't thought of that. It's definitely possible!

The only downside I can think of is that if you forget which is the key and which is the seed it might take a few attempts to figure it out. I suppose that's a reasonable trade off since you normally wouldn't have to restore from a backup very frequently.

It actually wouldn't make any difference, since decryption is just addition modulo 2048 and both parts are of the same length, so ciphertext + key and key + ciphertext both yield the plaintext.

Also, the cool side effect is that you can use both the key and the ciphertext as some sort of decoy wallets. Providing you have copies and backups, you can give them up to physical attackers to lose only a fraction of your coins.
That's true, but it also depends on how you encode the values.

I'm not sure it would work as decoy keys, because there is actually a checksum built into the BIP39. When you run the keys through the OTP it breaks the checksum. Unless you have a wallet that ignores the checksum, the words wouldn't work as a proper key (or at least, it's extremely unlikely they would work).
brndnmtthws
Newbie
*
Offline Offline

Activity: 11
Merit: 7


View Profile
December 08, 2018, 02:04:03 AM
 #10

Looks good but I would have to warn users to read this before installing anything in PyPi...

There has been a massive malware push with repos from PyPi..

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/


You can always grab the source off GitHub if you're worried about it.

And strictly speaking, this problem exists with all software distribution, not just npm or pypi packages Smiley Unless you audit the source code and compile it yourself, there's no way to be 100% certain the code isn't compromised in some way, even if the binaries/packages themselves are signed. You can compile Linux from scratch if you want, but it takes a while: http://www.linuxfromscratch.org/ (oh and some hardware these days requires binary firmware blobs without any source code, such as wireless drivers)
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!