Armory - Discussion Thread

[etotheipi]

Shuffle a single deck of cards very well. Write out the ordering using whatever scheme works for you, and hash256(). Repeat if you are unsure about the quality of your shuffle.

Cool, I like it.  225 bits of entropy if your shuffle is perfect.  And a lot less noisy, too!

[1713862768]

1713862768

[1713862768]

1713862768

[1713862768]

1713862768

[maaku]

It's also a very innocuous way to smuggle keys, using a pre-'shuffled' deck. See also: solitaire encryption algorithm.

[Ente]

Okay guys, I am sure this whole random source discussion is totally exaggerated.
Quit it.
Right now.

You see, I am already thinking about combining that rasbpi and that old radiation source from a smokedetector for a secure, true random, convenient randomness-server.
Which may or may not collect additional randomness sources and XOR them all together.

Any, wtf, they found a hardware rng in the rasbpi:
http://hsmmpi.wordpress.com/2013/09/05/enabling-the-hardware-random-number-generator/

..still want my very own source, though..

Alan, whatdaya think?

Ente

[Ente]

Also, on an unrelated note:
I split up funds from one address to several addresses in a different wallet. When entering the outputs, Armory wrote the wallet name at the first five output addresses, but then not any more for the next addresses. And finally, in the tx list of the main window, a wrong tx size is displayed.
Let's say it was 1.0005 BTC transferred to ten addresses, 0.1 BTC each, with 0.005 BTC fees. Then the main window only shows a tx of 0.9 BTC, missing the tenth one. Everything arrived where it should, though.
You can imagine these two symptoms got me slightly sweatin' ;-)

Ente

[superbit]

I'm confused with all this entropy randomness stuff?  Can't I just use armory and encrypt my wallet?

[K1773R]

I'm confused with all this entropy randomness stuff?  Can't I just use armory and encrypt my wallet?

you can create a new encrypted armory wallet without to know/read anything from the above. the talk is more tech/freak related and not ment for normal end users

[K1773R]

...
Any, wtf, they found a hardware rng in the rasbpi:
http://hsmmpi.wordpress.com/2013/09/05/enabling-the-hardware-random-number-generator/
...
Ente

{HW,T}RNG for Pi is awesome, ty for sharing!

[flipperfish]

I'm confused with all this entropy randomness stuff?  Can't I just use armory and encrypt my wallet?

Actually, you can. The discussion is about the case, where the random number of which the private key is derived at the time the wallet is created is not so random as it should be. For example, if there is no input of random external events to the linux-kernel's /dev/random, it will spit out 00000... as random number. But fortunately on a usual desktop computer, there are external random events. Every movement of mouse, every keypress on the keyboard, every ethernet-package and the current time are considered. However there are ways to improve the randomness even further. For example one could use the audiorecording of the environment. Or a video of you jumping randomly in front of the camera.

In my opinion, these advanced measures are only needed, if there is demand for a high throughput of random numbers, which is not the case for the wallet creation. But on webservers for example, where there is a lot of ssl-traffic, the pool of randomness may deplete (of course this is also exacerbated by the fact, that usually there are no mouse or keyboard events on a server).

[picobit]

In my opinion, these advanced measures are only needed, if there is demand for a high throughput of random numbers, which is not the case for the wallet creation.

Agreed, there should be more than enough entropy available on a normal desktop/laptop computer for wallet generation.  I guess part of the reason for generating the seed yourself is that some people worry that the NSA or others have subverted the random number generation process to generate less-than-ideally random numbers.  Such worries are in my opinion reasonably paranoid, but perhaps not totally without foundation.  NIST (the National Institute of Standards and Technology) recently withdrew one of their recommended random number generation algorithms due to worries about NSA subversion of it (incidentally, an algorithm partly based on the same math as bitcoin, elliptic curves.  Not that the NSA subversion would be relevant for bitcoin, it was just relating to using elliptic curves to generate random numbers).

[etotheipi]

Update:  0.89.99.8-testing

https://bitcointalk.org/index.php?topic=299684.msg3439894#msg3439894


With respect to entropy:  I think it's justified to want to supply your own high-quality entropy.  If the real, analog entropy is generated properly, there's almost no reason for a reasonably-paranoid user not to do it, besides convenience.  It may not be substantially better than the system RNG, but it wont' be worse (again, if you do it right).  You immediately remove all uncertainties about the PRNG algorithms, etc, and know that you are producing analog, memory-less entropy that can't be reproduced no matter how broken it turns out the system RNG is.

As such, I approve using your own entropy as long as you have made the process as high-quality as possible, and you don't mind the inconvenience.  However, I also don't believe that it's necessary for 99% of users.  Possibly 100%.  But it doesn't hurt.  

[cp1]

I'm confused with all this entropy randomness stuff?  Can't I just use armory and encrypt my wallet?

It's only for people who don't trust their computer.

[go1111111]

Backing up your wallet to a shared service like Dropbox is like buying a bullet-proof vest, and then asking a random person to shoot you in the chest.  Yes, there's a very good chance your bullet-proof vest will survive, especially if you got a good one (strong passphrase), but if they happen to be hardcore and have military-grade firearms, you might be in trouble.  You'd be best not to test it.

Let's say that you had to give a wallet encrypted with Armory to the NSA, and you knew the NSA would spend their entire budget for one year on trying to crack your wallet and steal your bitcoins. All their employees would devote 100% of their time to this project, and all their computing resources would be used for this project. What's your estimate of the probability that they would succeed in stealing your bitcoins? Does that change if you were forced to create your wallet using Bitcoin-QT? (QT doesn't give options for encryption settings like Armory does, so many password guessing would be significantly faster with a QT wallet?).

I haven't switched to Armory yet, because it looks from this thread like the Armory code is in a lot of upheaval and the QT wallet code is more stable. I'm basically estimating that the increased chance of a bug in Armory which results in me somehow losing my money offsets any theoretical security benefit I'd get from it. I haven't really studied the risks though. What would you say to people who shared my concern?

[cp1]

I haven't switched to Armory yet, because it looks from this thread like the Armory code is in a lot of upheaval and the QT wallet code is more stable. I'm basically estimating that the increased chance of a bug in Armory which results in me somehow losing my money offsets any theoretical security benefit I'd get from it. I haven't really studied the risks though. What would you say to people who shared my concern?

The stable version of armory is fine.  It's just the beta version that's... beta.

[etotheipi]

Let's say that you had to give a wallet encrypted with Armory to the NSA, and you knew the NSA would spend their entire budget for one year on trying to crack your wallet and steal your bitcoins. All their employees would devote 100% of their time to this project, and all their computing resources would be used for this project. What's your estimate of the probability that they would succeed in stealing your bitcoins? Does that change if you were forced to create your wallet using Bitcoin-QT? (QT doesn't give options for encryption settings like Armory does, so many password guessing would be significantly faster with a QT wallet?).

It depends on the password size and the key-stretching settings.  Let's make some assumptions:

• You use default Armory settings, which means it takes about 0.25 sec per guess on an i5-2500K CPU
• The NSA has no real advantages or shortcuts -- no SHA512 shortcuts, no clue what your password is or might be
• The password is 12 characters long, including all uppercase, lowercase, numbers and special symbols... so the password has an alphabet of approximately 70 letters.
• Since passwords are usually chosen by humans (and not proper randomness), let's assume that your password is good but doesn't have full 12 characters of entropy.  Let's say 9 characters of real randomness spread across the 12 characters of password. (this is actually a tad optimistic, but we can scale the results based on any change in assumptions)
• Armory's key-stretching is designed to be GPU-resistant, since it requires 4-32MB of dedicated RAM per process/thread doing password checking.  GPUs normally get something like 1,000x speedup at password guessing, but we'll assume 10x here.

Then to guess the password on a single GPU, it would require:

70⁹ * 0.25sec / 10(GPUadvantage) = 1,008,840,175,000,000 seconds = 31,990,112 years

Okay, so 32 million years on a single strong GPU.   If we assume that they have 1,000,000 GPUs to throw at it, then it's 32 years to break that encryption using all of their resources for an entire generation of humans.  It's actually a bit longer if they don't know how many characters it is and have to search through passwords shorter than 12 letters.  That's fairly prohibitive, and requires the agency to divert all resources to you. 

If you up it to 16 characters with approximately 12 characters of entropy, then it goes from 32 years to 11,000,000 years.  At most points in this process, they have better things to do with their resources than attempt this.  In fact, they'd be much more likely to just go searching your house for paper backups or sticky notes that might just have the password on it, and then give up if they can't find it.

[go1111111]

etotheipi, thanks for the detailed description of the math.

-How many ms/RAM per guess would be required on the same hardware, using the default Bitcoin-QT settings? I'm trying to get a sense of how much better the default Armory encryption settings are than the default QT encryption settings. I'm betting you know this off the top of your head. I'll handle all the math in the future now that you've shown me how

-I've noticed that when discussion security risks, no one ever talks about probabilities. People always use vague terms to express how likely something is. I am very curious what actual probabilities security experts assign to the events I asked about, taking into account unknowns (and the risk of unknown unknowns). The NSA may have a way to crack AES-256 encryption, even if the probability is small, so that has to be factored in. Can you give your actual estimate of the probability of the NSA cracking your encrypted wallet within a year if (a) you had to use the version of Armory on the main download page right now, and if (b) you used the default settings of QT client? You can use whatever process you want to generate passwords. Assume you simply have to give them a USB stick with the encrypted wallets on them 24 hours after you read this.

My estimates (without being any sort of crypto or security expert) are 0.1% chance of my bitcoins being stolen in both cases.

[go1111111]

The stable version of armory is fine.  It's just the beta version that's... beta.

As mentioned in my last post, people are very vague about security risk probabilities. Words like "fine" aren't that helpful when we're talking about extremely low probabilities. In general, people are not designed to reason well about low probability events.

I would guess that the Armory wallet code is at least 2x as likely to contain a bug that will somehow result in me losing bitcoins than the QT code (without me looking at either codebase, just based on the # of eyeballs that have looked at each codebase and the fact that QT has had more usage). What I'm trying to figure out is if the added theoretical security of Armory is worth my estimated 2x bug risk, but it's hard because I haven't seen anyone do a detailed enough analysis when discussing this.

[etotheipi]

The stable version of armory is fine.  It's just the beta version that's... beta.

As mentioned in my last post, people are very vague about security risk probabilities. Words like "fine" aren't that helpful when we're talking about extremely low probabilities. In general, people are not designed to reason well about low probability events.

I would guess that the Armory wallet code is at least 2x as likely to contain a bug that will somehow result in me losing bitcoins than the QT code (without me looking at either codebase, just based on the # of eyeballs that have looked at each codebase and the fact that QT has had more usage). What I'm trying to figure out is if the added theoretical security of Armory is worth my estimated 2x bug risk, but it's hard because I haven't seen anyone do a detailed enough analysis when discussing this.

"2x as likely to contain a bug" is really meaningless.  Both applications have been around for a very long time, and have been thoroughly tested by thousands of people.  Armory is used by some of the biggest bitcoin investors and holders, because it was created for exactly that purpose.  I tested the bejeezuz out of the wallet code before I ever released it for use, and that code continues to remain almost entirely untouched without issue, even after  almost 2 years.  So far there's never been a report of any problems losing coins that couldn't have been avoided if the user had made a paper backup (and tested it).   Make a paper backup and test it.   

You can make your own decisions about it.  But it's got a pretty solid reputation for being secure and robust.  What's not awesome about it is the time needed to get it running and the resources it uses.   So far, I've swept that under the rug as "the cost of security."  Luckily, a lot of the usability issues should be resolved that soon.  But it's not stopping people who really want to use it, from using it. 

[cp1]

The stable version of armory is fine.  It's just the beta version that's... beta.

As mentioned in my last post, people are very vague about security risk probabilities. Words like "fine" aren't that helpful when we're talking about extremely low probabilities. In general, people are not designed to reason well about low probability events.

I would guess that the Armory wallet code is at least 2x as likely to contain a bug that will somehow result in me losing bitcoins than the QT code (without me looking at either codebase, just based on the # of eyeballs that have looked at each codebase and the fact that QT has had more usage). What I'm trying to figure out is if the added theoretical security of Armory is worth my estimated 2x bug risk, but it's hard because I haven't seen anyone do a detailed enough analysis when discussing this.

Talk about not being designed to reason well about probabilities...

[go1111111]

I tested the bejeezuz out of the wallet code before I ever released it for use, and that code continues to remain almost entirely untouched without issue, even after  almost 2 years. 

Good to hear -- thanks for the details.

Talk about not being designed to reason well about probabilities...

Any feedback about how you'd reason differently about this stuff?

[RoadStress]

Noob armory user here. I recently had some problems with the bitcoin-qt client and i would like to switch to Armory, but i need a bit of info first. From what i know using wallets from bitcoin-qt i need to make a backup every time i spend money from that wallet(is this true?). Does this apply to wallets from Armory? If not then all i need to backup is the .wallet file right?
I made 2 transactions to a newly created Armory wallet, but i only see one. Why? Was the first one sent without any fees or why i can't see it? Address is 1ARkEy4NMhEzvrSQCWCKnqBgBkN6fg2xb3
Can i choose from which address i send money?
Any other tips for wallet safety?
Thank you.