Bitcoin Forum
Author Topic: Safer Brainwallet with Multi-Hash  (Read 2585 times)
Bitcoin++
June 26, 2014, 06:57:53 AM
 #1

I suggest an option to hash the passphrase multiple times.
This will be barely noticeable for the user but will make bruteforcing much more expensive.

This tiny code, added at brainwallet.org's HTML at line 9086, does the trick:

Code:
// Feed the key back through SHA-256 100,000 times before it is used.
// With asBytes:false the digest comes back as a hex string, so each round hashes the previous round's hex text.
for (var i = 0; i < 100000; i++) {
key = Crypto.SHA256(key, { asBytes: false });
}

TimS
June 26, 2014, 01:16:40 PM
 #2

Warpwallet uses 2^18 rounds of scrypt and 2^16 rounds of pbkdf2 (takes a few seconds in the browser). It makes brute forcing very difficult: an 8-character alphanumeric (47.6 bit) password has a 20 BTC bounty on it, expires over two years after it was created, and is still not expected to be cracked (via brute force).
jonald_fyookball
June 26, 2014, 06:45:03 PM
 #3

I suggest an option to hash the passphrase multiple times.
This will be barely noticeable for the user but will make bruteforcing much more expensive.

This tiny code, added at brainwallet.org's HTML at line 9086, does the trick:

Code:
for (var i = 0; i < 100000; i++) {
key = Crypto.SHA256(key, { asBytes: false });
}


Electrum does the same thing but uses the concatenation of the original seed with
each iteration to inject entropy all the way through the process in case the hashing
algorithm starts to converge with large repetitions.

smoothie
June 26, 2014, 11:06:39 PM
 #4

Does this have any side effects we may not be aware of?

jonald_fyookball
June 26, 2014, 11:14:41 PM
 #5

Does this have any side effects we may not be aware of?

Rehashing over and over could somehow lead to loss of entropy, although
I think that is just a postulation and there's no known attack right now,
but see my post above on how that is easily mitigated.

DeathAndTaxes
June 26, 2014, 11:32:33 PM
 #6

Does this have any side effects we may not be aware of?

There is the potential for entropy loss.  I would recommend people not rolling their own cryptography.  There are standardized Key Derivation Functions which have been extensively peer reviewed.  PBKDF2, BCrypt, and SCrypt are examples of KDFs.
jonald_fyookball
June 26, 2014, 11:56:11 PM
 #7

 I would recommend people not rolling their own cryptography.  

 warpwallet did and no one stole their coins....YET.

jl2012
June 27, 2014, 02:53:39 AM
 #8

The problem of "brainwallet" is the use of weak passphrases. No matter what algorithm you use, people could generate a rainbow table and wait for a hit. A very complex algorithm may slow this process down, but it could be cracked eventually for weak passphrases.

jonald_fyookball
June 27, 2014, 02:58:54 AM
 #9

The problem of "brainwallet" is the use of weak passphrases. No matter what algorithm you use, people could generate a rainbow table and wait for a hit. A very complex algorithm may slow this process down, but it could be cracked eventually for weak passphrases.

another problem of "brainwallet" is the rubber hose attack.

Abdussamad
June 30, 2014, 07:37:28 AM
 #10

  I would recommend people not rolling their own cryptography. 

 warpwallet did and no one stole their coins....YET.

Warp wallet uses scrypt.

jonald_fyookball
June 30, 2014, 07:16:49 PM
 #11

 I would recommend people not rolling their own cryptography.  

 warpwallet did and no one stole their coins....YET.

Warp wallet uses scrypt.

does simply using 2^18 rounds of scrypt qualify as a proper (peer reviewed) KDF?

Abdussamad
July 01, 2014, 06:01:20 AM
 #12

  I would recommend people not rolling their own cryptography. 

 warpwallet did and no one stole their coins....YET.

Warp wallet uses scrypt.

does simply using 2^18 rounds of scrypt qualify as a proper (peer reviewed) KDF?

I don't know. I am not a cryptologist. However, it is not an original algorithm that they are using. They are not rolling their own crypto. It is one of the widely accepted algos listed above. They follow up the scrypt with pbkdf2 as well.

bluemeanie1
July 03, 2014, 01:39:58 AM
 #13

I suggest an option to hash the passphrase multiple times.
This will be barely noticeable for the user but will make bruteforcing much more expensive.

This tiny code, added at brainwallet.org's HTML at line 9086, does the trick:

Code:
for (var i = 0; i < 100000; i++) {
key = Crypto.SHA256(key, { asBytes: false });
}



for even better security, the user can specify a hashing exponent.  This makes brute forcing incredibly difficult because it adds an entirely new dimension to the search space.

Code:
// Same loop as above, but the round count comes from the user
for (var i = 0; i < exponent; i++) {
key = Crypto.SHA256(key, { asBytes: false });
}

where exponent is an input variable.

thus they can specify a very high number for better security.  Of course they must be able to remember this number as well.

-bm

jonald_fyookball
July 03, 2014, 01:42:24 AM
 #14

Did you even read the thread?  This whole approach is flawed due to potential loss of entropy, regardless of
whether you use a variable or fixed exponent.


bluemeanie1
July 03, 2014, 01:49:15 AM
 #15

JF,

 Could you point us to the explanation of entropy loss in this situation?

 we do double hashing elsewhere in Bitcoin btw- http://bitcoin.stackexchange.com/questions/8443/where-is-double-hashing-performed-in-bitcoin/8461#8461

 certainly entropy loss could be a potential problem.

thanks, -bm

bluemeanie1
July 03, 2014, 01:55:06 AM
 #16

there was this thread:  Double hashing: less entropy?

-bm

jonald_fyookball
July 03, 2014, 01:57:28 AM
 #17

JF,

 Could you point us to the explanation of entropy loss in this situation?

 we do double hashing elsewhere in Bitcoin btw- http://bitcoin.stackexchange.com/questions/8443/where-is-double-hashing-performed-in-bitcoin/8461#8461

 certainly entropy loss could be a potential problem.

thanks, -bm

Please read what DeathandTaxes said about KDFs.

If you take the first one he mentions,  PBKDF2,
you can see that the salt is used at each stage
of iteration.

http://en.wikipedia.org/wiki/PBKDF2

I'm far from an expert, but the principle here
is that constant re-hashing introduces
the possibility of convergence.

Now whether that is just a theoretical possibility,
or has been shown to actually occur, I have no
idea.  But, by re-introducing entropy at each
round, that problem is mitigated.

2 hashes are fine, but 100,000 hashes might not be.

Electrum uses the same principle -- although
it is not using a peer-reviewed KDF, it does
a concatenation of the original seed with
each hashing round.

You could use your idea of a variable exponent
but it should be using this principle, not merely
using the simple loop the OP suggested.

bluemeanie1
July 03, 2014, 02:04:52 AM
 #18

yes, this looks like the right standard for this.  Of course this invites in the 'NSA conspiracy' discussion but certainly standards are favorable to 'roll ur own'.

in the case of PBKDF2 you have a 'c' parameter similar to the exponent I just described.  I'll try and read D&T closer next time.

-bm

coinsolidation
July 03, 2014, 02:11:02 AM
 #19

Does this have any side effects we may not be aware of?

Nobody has mentioned the human element: the software or website you use with a custom algorithm may change their algorithm, or disappear, leaving you wondering how to rehash your pass phrase to make it work...

jonald_fyookball
July 03, 2014, 02:14:11 AM
 #20

Does this have any side effects we may not be aware of?

Nobody has mentioned the human element: the software or website you use with a custom algorithm may change their algorithm, or disappear, leaving you wondering how to rehash your pass phrase to make it work...

I've already solved that problem for Electrum users:

https://bitcointalk.org/index.php?topic=612143.0
