Bitcoin Forum
Topic: [question] Password protected qr codes with sensitive info
libert19 (OP)
December 11, 2020, 04:33:42 AM
 #1

You could create a password-protected QR code with sensitive info, print it, laminate it and keep it wherever you like. You could even keep it in the open, since no one would be able to access it without the password known to you.

What's your opinion on this?
jackg
December 11, 2020, 04:41:30 AM
Last edit: December 11, 2020, 12:02:59 PM by jackg
Merited by ABCbits (1)
 #2

Isn't this what bip38 was for? Anything password protected is as strong as the password and your ability to recall it.

If you've got a good password and can recall it well/know where it's written then yes - also you might want to note down the algorithm used to encrypt it as it might not be a cross platform thing - although bip38 ciphertext is represented by an initial U.
ranochigo
December 11, 2020, 04:45:25 AM
 #3

Depends on what you're storing. QR code has a limited size that could hinder whatever you're doing.

The effectiveness of this depends on what you're using to encrypt the information. The password has to be a random and non-guessable passphrase with sufficient length. The encryption algorithm should be one that is preferably slow and secure. I'll probably use AES as a cipher.

Ideally, if you were to put anything that you intend to keep as a secret in plain sight, you're just asking for it. It'll be the most secure if you deliberately keep it that way and not expose it around.

Try exploring steganography, it's definitely way more obscure than a QR code.

pooya87
December 11, 2020, 06:27:46 AM
Merited by ABCbits (1), The Cryptovator (1), webtricks (1), Charles-Tim (1)
 #4

I don't see the significance of QR code here, QR is just another form of encoding data like hexadecimal or base64 but it creates a picture. It also has a checksum which you could have added to the string encoding too (like what base58 has). It also adds a challenge since you have to now be able to read the QR code with another device with a camera whereas reading plain text or raw data is so much simpler.

> Isn't this what bip39 was for?

I think you mean BIP-38

libert19 (OP)
December 11, 2020, 10:20:08 AM
 #5

> ..It also adds a challenge since you have to now be able to read the QR code with another device with a camera whereas reading plain text or raw data is so much simpler.

Yes but it's more about security, mobile phones with a camera are not that hard to find/buy lol
bob123
December 11, 2020, 11:21:32 AM
Merited by pooya87 (1)
 #6

> Yes but it's more about security, mobile phones with a camera are not that hard to find/buy lol

This doesn't invalidate his statement: QR codes are just a form of encoding.

It doesn't matter whether you have something encrypted and then encoded into hex or encrypted and encoded into a QR.
The information stays the same, the data (which represents the information) changes.

Security-wise there is no advantage or disadvantage. It is just a different representation of the information (the secret, e.g. a private key).

libert19 (OP)
December 11, 2020, 11:25:04 AM
 #7

> > Yes but it's more about security, mobile phones with a camera are not that hard to find/buy lol
>
> This doesn't invalidate his statement: QR codes are just a form of encoding.
>
> It doesn't matter whether you have something encrypted and then encoded into hex or encrypted and encoded into a QR.
> The information stays the same, the data (which represents the information) changes.
>
> Security-wise there is no advantage or disadvantage. It is just a different representation of the information (the secret, e.g. a private key).

I never invalidated his statement either, I quoted the specific part I was replying to.

The idea behind encrypted QR codes is to remove the risk that anyone can scan it and access the info.
bob123
December 11, 2020, 11:31:35 AM
Merited by DdmrDdmr (1)
 #8

> The idea behind encrypted QR codes is to remove the risk that anyone can scan it and access the info.

But again, a QR is just a representation of data.

You don't "encrypt a QR code". You encrypt information and then represent it as a QR code.
That's the same as encrypting a number and representing it in hex or binary or as characters. There is no difference. In the end, all data is binary.

If you encrypt the information, it is encrypted. Afterwards it doesn't matter whether you represent it as a hex string or as a QR code.


I don't know what exactly you want to accomplish, but the general flow would be:
  • Encrypt your information (e.g. private key, mnemonic code, ...)
  • Save the QR code

hatshepsut93
December 11, 2020, 04:42:23 PM
 #9

> Isn't this what bip38 was for? Anything password protected is as strong as the password and your ability to recall it.
>
> If you've got a good password and can recall it well/know where it's written then yes - also you might want to note down the algorithm used to encrypt it as it might not be a cross platform thing - although bip38 ciphertext is represented by an initial U.

I'd choose password-protected seed over a password-protected QR code, because QR codes might have lower tolerance to data loss than the seed phrases, even with QR code's error correction. With seed words, you can still bruteforce your phrase if you lost a few words, and a loss of individual letters is not a problem, because it's easy to get the words from them. With QR codes, if there's too much damage, your key will be impossible to recover.
jackg
December 12, 2020, 11:36:20 AM
 #10


> > > Isn't this what bip39 was for?
> > I think you mean BIP-38
>
> BIP 39 also has an optional passphrase option (usually as a 13th/25th word), even though I think it requires a large QR code.

It probably depends on how you store it and how big the encryption text is.

A standard 12 word seed could take up less space if encoded in base58 imo as that is 128 bits and a private key is normally below 256 bits. If you had a 12 word passphrase, you'd still take up the same space as a private key (this is assuming you convert the words to numbers and remember what it's for - or leave a note).
khaled0111
December 12, 2020, 11:59:06 PM
 #11

You can save up to 3kb of data on a QR Code depending on the level of error correction you choose. Since you are going to save highly sensitive data, you should opt for the highest error correction level to ensure keeping your encrypted private key/seed safe.
I have to agree with the replies above. The security of your funds here relies only on the encryption type you will use and I don't see the benefit of storing the encrypted data on a QR Code.

pooya87
December 13, 2020, 07:36:25 AM
 #12

> > > Isn't this what bip39 was for?
> > I think you mean BIP-38
>
> BIP 39 also has an optional passphrase option (usually as a 13th/25th word), even though I think it requires a large QR code.

But that does NOT encrypt your mnemonic, it just extends it. Also considering the fact that PBKDF2 is a weak KDF and on top of that a very low iteration count (<10mil) is used, it is not really providing decent security.

The QR code size is not that big though.
Here is the last test vector of BIP39 with 24 words: https://i.imgur.com/eSdMuMA.jpg

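The two points in post #12, as an added example that is not code from the thread: the BIP39 passphrase only salts the seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds), so the written words stay readable and every guess produces some seed. The mnemonic is the public all-zero-entropy test phrase, and the scrypt cost parameters and helper names are this example's assumptions.

```python
import hashlib
import time
import unicodedata

# Sample input: the public all-zero-entropy BIP39 test phrase. Never fund it.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic),
                               b"mnemonic" + _nfkd(passphrase), 2048, 64)

def scrypt_key(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF for comparison; cost parameters are this example's choice."""
    return hashlib.scrypt(_nfkd(password), salt=salt, n=2**14, r=8, p=8,
                          maxmem=64 * 1024 * 1024, dklen=32)

def seed_prefixes(mnemonic: str, guesses: list) -> dict:
    """Every guess yields a seed; nothing marks a guess as wrong."""
    return {g: bip39_seed(mnemonic, g)[:8].hex() for g in guesses}

def seconds_per_guess(kdf, *args, runs: int = 3) -> float:
    """Average wall-clock cost of one derivation, i.e. one password guess."""
    start = time.perf_counter()
    for _ in range(runs):
        kdf(*args)
    return (time.perf_counter() - start) / runs

if __name__ == "__main__":
    # The passphrase never touches the words: anyone who reads the paper
    # backup still reads the mnemonic in plaintext.
    for guess, prefix in seed_prefixes(MNEMONIC, ["", "hunter2", "Hunter2"]).items():
        print(f"passphrase {guess!r:10} -> seed starts {prefix}")
    pbkdf2_cost = seconds_per_guess(bip39_seed, MNEMONIC, "x")
    scrypt_cost = seconds_per_guess(scrypt_key, "x", b"constructed-salt")
    print(f"PBKDF2 (BIP39): {pbkdf2_cost:.4f} s per guess")
    print(f"scrypt        : {scrypt_cost:.4f} s per guess")
```
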
OcTradism
December 13, 2020, 07:47:17 AM
 #13

Trying to protect sensitive information is good, but Antonopoulos warned (and I think he is right) that you shouldn't try anything that exceeds your ability or that doesn't help you manage the whole process. Simple protection is good if you keep all things safely and secretly. Complicated protection does not mean better protection with regard to the recovery process.

Crypto security: Passwords and Authentication (Livestream -aantonop)
