Bitcoin++ (OP)
June 26, 2014, 06:57:53 AM

I suggest an option to hash the passphrase multiple times. This will be barely noticeable for the user but will make brute-forcing much more expensive. This tiny code, added to brainwallet.org's HTML at line 9086, does the trick:

for (var i = 0; i < 100000; i++) { key = Crypto.SHA256(key, { asBytes: false }); }

TimS
June 26, 2014, 01:16:40 PM

Warpwallet uses 2^18 rounds of scrypt and 2^16 rounds of PBKDF2 (takes a few seconds in the browser). It makes brute-forcing very difficult: an 8-character alphanumeric (47.6-bit) password has a 20 BTC bounty on it, which expires over two years after it was created, and it is still not expected to be cracked (via brute force).

jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
June 26, 2014, 06:45:03 PM

> I suggest an option to hash the passphrase multiple times. This will be barely noticeable for the user but will make brute-forcing much more expensive. This tiny code, added to brainwallet.org's HTML at line 9086, does the trick: for (var i = 0; i < 100000; i++) { key = Crypto.SHA256(key, { asBytes: false }); }

Electrum does the same thing but uses the concatenation of the original seed with each iteration to inject entropy all the way through the process, in case the hashing algorithm starts to converge with large repetitions.

smoothie
Legendary
Offline
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
June 26, 2014, 11:06:39 PM

Does this have any side effects we may not be aware of?

jonald_fyookball
June 26, 2014, 11:14:41 PM

> Does this have any side effects we may not be aware of?

Rehashing over and over could somehow lead to loss of entropy, although I think that is just a postulation and there's no known attack right now; but see my post above on how that is easily mitigated.

DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
June 26, 2014, 11:32:33 PM

> Does this have any side effects we may not be aware of?

There is the potential for entropy loss. I would recommend people not rolling their own cryptography. There are standardized key derivation functions which have been extensively peer reviewed. PBKDF2, bcrypt, and scrypt are examples of KDFs.

jonald_fyookball
June 26, 2014, 11:56:11 PM

> I would recommend people not rolling their own cryptography.

warpwallet did and no one stole their coins....YET.

jl2012
Legendary
Offline
Activity: 1792
Merit: 1111
June 27, 2014, 02:53:39 AM

The problem of "brainwallet" is the use of weak passphrases. No matter what algorithm you use, people could generate a rainbow table and wait for a hit. A very complex algorithm may slow this process down, but it could be cracked eventually for weak passphrases.

jonald_fyookball
June 27, 2014, 02:58:54 AM

> The problem of "brainwallet" is the use of weak passphrases. No matter what algorithm you use, people could generate a rainbow table and wait for a hit. A very complex algorithm may slow this process down, but it could be cracked eventually for weak passphrases.

Another problem of "brainwallet" is the rubber hose attack.

Abdussamad
Legendary
Offline
Activity: 3668
Merit: 1579
June 30, 2014, 07:37:28 AM

> > I would recommend people not rolling their own cryptography.
>
> warpwallet did and no one stole their coins....YET.

Warp wallet uses scrypt.

jonald_fyookball
June 30, 2014, 07:16:49 PM

> > > I would recommend people not rolling their own cryptography.
> >
> > warpwallet did and no one stole their coins....YET.
>
> Warp wallet uses scrypt.

Does simply using 2^18 rounds of scrypt qualify as a proper (peer reviewed) KDF?

Abdussamad
July 01, 2014, 06:01:20 AM

> > > > I would recommend people not rolling their own cryptography.
> > >
> > > warpwallet did and no one stole their coins....YET.
> >
> > Warp wallet uses scrypt.
>
> Does simply using 2^18 rounds of scrypt qualify as a proper (peer reviewed) KDF?

I don't know. I am not a cryptologist. However, it is not an original algorithm that they are using. They are not rolling their own crypto. It is one of the widely accepted algos listed above. They follow up the scrypt with PBKDF2 as well.

bluemeanie1
July 03, 2014, 01:39:58 AM

> I suggest an option to hash the passphrase multiple times. This will be barely noticeable for the user but will make brute-forcing much more expensive. This tiny code, added to brainwallet.org's HTML at line 9086, does the trick: for (var i = 0; i < 100000; i++) { key = Crypto.SHA256(key, { asBytes: false }); }

For even better security, the user can specify a hashing exponent. This makes brute-forcing incredibly difficult because it adds an entirely new dimension to the search space.

for (var i = 0; i < exponent; i++) { key = Crypto.SHA256(key, { asBytes: false }); }

where exponent is an input variable. Thus they can specify a very high number for better security. Of course they must be able to remember this number as well.

-bm

jonald_fyookball
July 03, 2014, 01:42:24 AM

> > I suggest an option to hash the passphrase multiple times. This will be barely noticeable for the user but will make brute-forcing much more expensive. This tiny code, added to brainwallet.org's HTML at line 9086, does the trick: for (var i = 0; i < 100000; i++) { key = Crypto.SHA256(key, { asBytes: false }); }
>
> For even better security, the user can specify a hashing exponent. This makes brute-forcing incredibly difficult because it adds an entirely new dimension to the search space. for (var i = 0; i < exponent; i++) { key = Crypto.SHA256(key, { asBytes: false }); } where exponent is an input variable. Thus they can specify a very high number for better security. Of course they must be able to remember this number as well.
>
> -bm

Did you even read the thread? This whole approach is flawed due to potential loss of entropy, regardless of whether you use a variable or fixed exponent.

jonald_fyookball
July 03, 2014, 01:57:28 AM

Please read what DeathAndTaxes said about KDFs. If you take the first one he mentions, PBKDF2, you can see that the salt is used at each stage of iteration. http://en.wikipedia.org/wiki/PBKDF2

I'm far from an expert, but the principle here is that constant re-hashing introduces the possibility of convergence. Now whether that is just a theoretical possibility, or has been shown to actually occur, I have no idea. But, by re-introducing entropy at each round, that problem is mitigated. 2 hashes are fine, but 100,000 hashes might not be. Electrum uses the same principle -- although it is not using a peer-reviewed KDF, it does a concatenation of the original seed with each hashing round. You could use your idea of a variable exponent, but it should be using this principle, not merely using the simple loop the OP suggested.

bluemeanie1
July 03, 2014, 02:04:52 AM

> Please read what DeathAndTaxes said about KDFs. If you take the first one he mentions, PBKDF2, you can see that the salt is used at each stage of iteration. http://en.wikipedia.org/wiki/PBKDF2
>
> I'm far from an expert, but the principle here is that constant re-hashing introduces the possibility of convergence. Now whether that is just a theoretical possibility, or has been shown to actually occur, I have no idea. But, by re-introducing entropy at each round, that problem is mitigated. 2 hashes are fine, but 100,000 hashes might not be.

Yes, this looks like the right standard for this. Of course this invites in the 'NSA conspiracy' discussion, but certainly standards are favorable to 'roll ur own'. In the case of PBKDF2 you have a 'c' parameter similar to the exponent I just described. I'll try and read D&T closer next time.

-bm

coinsolidation
July 03, 2014, 02:11:02 AM

> Does this have any side effects we may not be aware of?

Nobody has mentioned the human element: the software or website you use with a custom algorithm may change their algorithm, or disappear, leaving you wondering how to rehash your passphrase to make it work...

jonald_fyookball
July 03, 2014, 02:14:11 AM

> > Does this have any side effects we may not be aware of?
>
> Nobody has mentioned the human element: the software or website you use with a custom algorithm may change their algorithm, or disappear, leaving you wondering how to rehash your passphrase to make it work...

I've already solved that problem for Electrum users: https://bitcointalk.org/index.php?topic=612143.0