(!) Armory Brain Wallet

[timz]

Hi all!
I like armory a lot. You can make a paper backup and restore whole your wallet in case of hdd failure or pc lost.
It is a great feature, but I really do not trust to paper. The paper could be stolen, lost, confiscated, burned, etc. I want to be sure I can restore my wallet at any time, even if all my papers are lost. I mean brainwallet. The one phrase restoring all my bitcoin addresses.

So I created an open source



Just enter a passphrase and you'll get a Root Key to restore (or create new one) wallet.
It is a client-side javascript application, no data leaves your computer. I use hash256(passphrase) as a base to generate Root Key. The Root Key generation procedure (makeSixteenBytesEasy()) was rewritten to javascript using original Armory code.

You still can make fragmented backup, print root key if you like and use all armory's features. But additionally you can restore your wallet using your passphrase! And we use your password's entropy to create wallet, I think it is not so bad too. Just use long several-words phrases.

Download for local use.

Mirrors:
https://armorybrainwallet.com (10 years domain, hosting paid for 3 years)
http://armorybrainwallet.org/ (10 years domain, freehosting)

Regards,
Tim.

[timz]

Just want to copy here the source code.

brainwallet.js

Code:

/*
      Open source under the BSD License.
      Author: Tim Zakirov, 2014
     */

       function sha256(bits) {
return CryptoJS.SHA256(bits);
}

function hash256(bits) {
return CryptoJS.SHA256(CryptoJS.SHA256(bits));
}

function computeChecksum(binaryStr, nBytes, hashFunc) {
nBytes = typeof nBytes !== 'undefined' ? nBytes : 4;
hashFunc = typeof hashFunc !== 'undefined' ? hashFunc : hash256;
return hashFunc(binaryStr).toString(CryptoJS.enc.Latin1).slice(0, nBytes);
}

function binary_to_hex(b) {
return CryptoJS.enc.Latin1.parse(b).toString();
}

NORMALCHARS = '0123 4567 89ab cdef'.replace(/ /g, '');
EASY16CHARS = 'asdf ghjk wert uion'.replace(/ /g, '');
hex_to_base16_map = {};
base16_to_hex_map = {};
len = NORMALCHARS.length;
for (i = 0; i < len; ++i) {
n = NORMALCHARS[i];
b = EASY16CHARS[i];
hex_to_base16_map[n] = b;
base16_to_hex_map[b] = n;
}

function binary_to_easyType16(binstr) {
return Array.prototype.map.call(binary_to_hex(binstr), function (c) { return hex_to_base16_map[c]; }).join('');
}

function makeSixteenBytesEasy(b16) {
if (b16.length !== 16) {
throw 'Must supply 16-byte input';
}
chk2 = computeChecksum(CryptoJS.enc.Latin1.parse(b16), 2);
et18 = binary_to_easyType16(b16 + chk2);
nineQuads = [];
for (i = 0; i < 9; ++i) {
nineQuads[i] = et18.slice(i * 4, (i+1) * 4);
}
return nineQuads.join(' ');
}

function calc(password) {
var entropy=hash256(password);
var line1=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(0, 16));
var line2=makeSixteenBytesEasy(entropy.toString(CryptoJS.enc.Latin1).slice(16));
document.getElementById('line1').innerHTML=line1;
document.getElementById('line2').innerHTML=line2;

}

index.html

Code:

<!DOCTYPE html>
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta charset="utf-8" />
    <title>Armory Brainwallet - JavaScript Client-Side Armory Wallet Generator</title>
    <meta content="Client-side passphrase-based ARMORY deterministic wallets generator" name="description" />
    <meta content="width=device-width, initial-scale=1.0" name="viewport" />
    <link href="cs.css" rel="stylesheet" />
    <link href="favicon.ico" rel="shortcut icon" />
<script src="sha256.js"></script>
<script src="brainwallet.js"></script>
 </head>
  <body>
  <div class='logo'></div>
  <div class='tit'>Passphrase</div> 
  <input id='pass' type="text" autofocus onchange="calc(this.value);" onkeypress="this.onchange();" oncut="this.onchange();" onpaste="this.onchange();" oninput="this.onchange();"></input>
<div class='tit1'>Root Key</div> 
<div class='line' id='line1'>&nbsp;</div>
<div class='line' id='line2'>&nbsp;</div>
<div class='comment'>How to use. Enter your long passprase, open your <a target='_blank' href='https://bitcoinarmory.com/'>Armory wallet</a> application <br>and "restore" the wallet using Root Key (select '2 lines Unencrypted')</div>
  </body>

</html>

cs.css

Code:

html {
  font-family: geneva, sans-serif;
  -webkit-text-size-adjust: 100%;
      -ms-text-size-adjust: 100%;
}
body {
  margin: 0; background-color: #fff; text-align: center;
}
.logo {
height: 350px;
background: url('armory.png') no-repeat center; min-height: 100%;
margin: 50px 0 0 0;
}
.tit {
color: #162959;
font-size: 18px;
margin-bottom: 15px;
}
.tit1 {
color: #bc214c;
font-size: 18px;
margin-top: 60px;
margin-bottom: 15px;
}

input {
color: #1c59b4; width: 55%; border:1px solid #162959;font-size: 16px; padding: 5px; text-align: center;
}
.line {font-family: Courier; font-size: 18px; color: #162959; margin-bottom: 10px;}
.comment {
font-size: 12px;
margin-top: 120px;
color: #1c59b4;
}

sha256.js (from google)

/*
CryptoJS v3.1.2
code.google.com/p/crypto-js
(c) 2009-2013 by Jeff Mott. All rights reserved.
code.google.com/p/crypto-js/wiki/License
*/
var CryptoJS=CryptoJS||function(h,s){var f={},t=f.lib={},g=function(){},j=t.Base={extend:function(a){g.prototype=this;var c=new g;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},
q=t.WordArray=j.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=s?c:4*a.length},toString:function(a){return(a||u).stringify(this)},concat:function(a){var c=this.words,d=a.words,b=this.sigBytes;a=a.sigBytes;this.clamp();if(b%4)for(var e=0;e<a;e++)c[b+e>>>2]|=(d[e>>>2]>>>24-8*(e%4)&255)<<24-8*((b+e)%4);else if(65535<d.length)for(e=0;e<a;e+=4)c[b+e>>>2]=d[e>>>2];else c.push.apply(c,d);this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<
32-8*(c%4);a.length=h.ceil(c/4)},clone:function(){var a=j.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],d=0;d<a;d+=4)c.push(4294967296*h.random()|0);return new q.init(c,a)}}),v=f.enc={},u=v.Hex={stringify:function(a){var c=a.words;a=a.sigBytes;for(var d=[],b=0;b<a;b++){var e=c[b>>>2]>>>24-8*(b%4)&255;d.push((e>>>4).toString(16));d.push((e&15).toString(16))}return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b<c;b+=2)d[b>>>3]|=parseInt(a.substr(b,
2),16)<<24-4*(b%8);return new q.init(d,c/2)}},k=v.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var d=[],b=0;b<a;b++)d.push(String.fromCharCode(c[b>>>2]>>>24-8*(b%4)&255));return d.join("")},parse:function(a){for(var c=a.length,d=[],b=0;b<c;b++)d[b>>>2]|=(a.charCodeAt(b)&255)<<24-8*(b%4);return new q.init(d,c)}},l=v.Utf8={stringify:function(a){try{return decodeURIComponent(escape(k.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data");}},parse:function(a){return k.parse(unescape(encodeURIComponent(a)))}},
x=t.BufferedBlockAlgorithm=j.extend({reset:function(){this._data=new q.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=l.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,d=c.words,b=c.sigBytes,e=this.blockSize,f=b/(4*e),f=a?h.ceil(f):h.max((f|0)-this._minBufferSize,0);a=f*e;b=h.min(4*a,b);if(a){for(var m=0;m<a;m+=e)this._doProcessBlock(d,m);m=d.splice(0,a);c.sigBytes-=b}return new q.init(m,b)},clone:function(){var a=j.clone.call(this);
a._data=this._data.clone();return a},_minBufferSize:0});t.Hasher=x.extend({cfg:j.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){x.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,d){return(new a.init(d)).finalize(c)}},_createHmacHelper:function(a){return function(c,d){return(new w.HMAC.init(a,
d)).finalize(c)}}});var w=f.algo={};return f}(Math);
(function(h){for(var s=CryptoJS,f=s.lib,t=f.WordArray,g=f.Hasher,f=s.algo,j=[],q=[],v=function(a){return 4294967296*(a-(a|0))|0},u=2,k=0;64>k;){var l;a:{l=u;for(var x=h.sqrt(l),w=2;w<=x;w++)if(!(l%w)){l=!1;break a}l=!0}l&&(8>k&&(j[k]=v(h.pow(u,0.5))),q[k]=v(h.pow(u,1/3)),k++);u++}var a=[],f=f.SHA256=g.extend({_doReset:function(){this._hash=new t.init(j.slice(0))},_doProcessBlock:function(c,d){for(var b=this._hash.words,e=b[0],f=b[1],m=b[2],h=b[3],p=b[4],j=b[5],k=b[6],l=b[7],n=0;64>n;n++){if(16>n)a[n]=
c[d+n]|0;else{var r=a[n-15],g=a[n-2];a[n]=((r<<25|r>>>7)^(r<<14|r>>>18)^r>>>3)+a[n-7]+((g<<15|g>>>17)^(g<<13|g>>>19)^g>>>10)+a[n-16]}r=l+((p<<26|p>>>6)^(p<<21|p>>>11)^(p<<7|p>>>25))+(p&j^~p&k)+q[n]+a[n];g=((e<<30|e>>>2)^(e<<19|e>>>13)^(e<<10|e>>>22))+(e&f^e&m^f&m);l=k;k=j;j=p;p=h+r|0;h=m;m=f;f=e;e=r+g|0}b[0]=b[0]+e|0;b[1]=b[1]+f|0;b[2]=b[2]+m|0;b[3]=b[3]+h|0;b[4]=b[4]+p|0;b[5]=b[5]+j|0;b[6]=b[6]+k|0;b[7]=b[7]+l|0},_doFinalize:function(){var a=this._data,d=a.words,b=8*this._nDataBytes,e=8*a.sigBytes;
d[e>>>5]|=128<<24-e%32;d[(e+64>>>9<<4)+14]=h.floor(b/4294967296);d[(e+64>>>9<<4)+15]=b;a.sigBytes=4*d.length;this._process();return this._hash},clone:function(){var a=g.clone.call(this);a._hash=this._hash.clone();return a}});s.SHA256=g._createHelper(f);s.HmacSHA256=g._createHmacHelper(f)})(Math);

[dabura667]

Human generated entropy is ALWAYS a good idea. /s

[etotheipi]

Armory Technologies strongly advises against the use of brain wallets under any circumstances.

• For most humans, a wallet with sufficient entropy to be secure would not be memorizable.  Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.
• Human-generated passwords have terrible entropy.  You must use a cryptographically-secure random number generator to create your wallets.  Armory provides this for you, but not if you use a brain wallet.
• Humans brains are not well-adapted to remembering such information for long periods of time.  You may remember it now.  You might remember it in 6 months.  What about 3 years?  10 years?  If you've ever forgotten a password, do not use a brain-wallet.
• Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you.  If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings.  Brain-wallets have no such mechanism and the coins will be lost forever.

To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead.  They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.  

We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!

[timz]

• For most humans, a wallet with sufficient entropy to be secure would not be memorizable.  Thus, if it is memorizable, you're at significant risk of someone being able to steal your funds with brute-force searching.

That is why you have to use unique several-words phrases, your own ditty etc.

• Human-generated passwords have terrible entropy.  You must use a cryptographically-secure random number generator to create your wallets.  Armory provides this for you, but not if you use a brain wallet.

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

• Humans brains are not well-adapted to remembering such information for long periods of time.  You may remember it now.  You might remember it in 6 months.  What about 3 years?  10 years?  If you've ever forgotten a password, do not use a brain-wallet.
• Even if you think you can get around the three points above, it still means that you take your Bitcoins to your grave with you.  If I was your parent/spouse/kid, I would hope that if something unfortunate happens to you that I'll have a way to get access to your savings.  Brain-wallets have no such mechanism and the coins will be lost forever.

To anyone who wants to better protect their wallets, we strongly encourage you to use a regular Armory wallet with fragmented backups instead.  They provide a flexible combination of physical security, redundancy, will have sufficient entropy, and be recoverabe by family members if needed.  

You may print fragmented backups as well if you use brain wallet. The brain wallet just an additional feature helps you if goes something wrong with your pieces of paper.

We can't stop people who are really determined to make brain wallets, just don't say you weren't warned!

Thank you for warning. I developed this feature for people who has own brain.

[etotheipi]

Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

The act of hashing a password doesn't increase its entropy.  The number of possible passwords is the total entropy.    You can use sha256¹⁰⁰('bob') as your brain wallet, but anyone who looks at your applet will see that it uses sha256¹⁰⁰(pwd) and will write a program to start guessing through possible passwords passed through that function.   All users that used "bob" as their password will immediately have their coins stolen, regardless of how many times you hash it.

A while back there was a user here who write a program to do a brute force search of brainwallets that use sha256(sha256()).  I believe they found in excess of 100 BTC.  Because people pick memorizable passwords and wanted to believe that no one would find it.   And in reality, people don't realize just how fast computers are at guessing and how weak their own entropy is.  For your reddit login, the stakes aren't very high.  For $100,000 bitcoin wallet, I would be horrified if someone used a brain wallet.

Admittedly, your little javascript applet is very slick.  But Armory Technologies will not be supporting the functionality since it so easily leads to lost coins.  Our job is to not only create secure software, but to promote best security practices.  Having a solid backup solution is one of those best practices.

[timz]

Just don't use 'bob' as a password. Use something like 'Two beer, or bottle of wine? That is the question of my silly brain.'
Do you have even one reasons why I shouldn't use not-bruteforceable password combined with fragmented backups? All your previous arguments are untenable to this usage.

[goatpig]

Do you have even one reasons why I shouldn't use not-bruteforceable password

Think of entropy as search space:

1) By using brain wallets you will most likely reduce your search space per byte from 2^8 to 2^6 (A-Z a-z 0-9 and some punctuation signs). On a 32 bytes/characters passphrase that's significant, and that's assuming people use passphrases that long.

2) To support such long passphrases people will probably resort to mnemonics. This will crush the search space to brute force your key, opening up the way for dictionary attacks and rainbow tables.

3) People who would rather not resort to mnemonics will reduce their passphrase length and expose themselves that way instead.

4) 2 sha iterations for a password derivation function is terribly weak. It's not unusual to see forum passwords hashes at 10k+ iterations. At least use something like scrypt to involve some RAM in the derivation function (like it's done in Armory as an example)

Overall you are taking these comments as attacks directed at you, when they state a couple simple truths: not everyone understands entropy and it's consequences, and less informed/involved users will usually turn towards the simplest solution.

Also you fail to see our standpoint. We can't support a tool that will have users do stupid things and lose coins, because we'll end up being liable in some way. We are an open source company. We don't have the resources to support customers who won't follow the proper security guidelines, so we simply won't promote bad practices.

[timz]

I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.

[spin]

I understand your position. Actually I made this for myself. I'm waiting for 2 years for passphrase determined wallet, but nothing appears. So I'm going to use Armory with my password addition. Of course this solution for people who understand what is password entropy, what password is secure.

But from your comments, it's not clear that you do understand. For example this comment:

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

[timz]

But from your comments, it's not clear that you do understand. For example this comment:

Oh, REALLY??? Could you please prove the terrible entropy of sha256(sha256('any password'))? I think predetermined computer's random is worse.

If we are talking about entropy of string, sha256() always has good entropy. Example:
3333333377777777444444443333333377777777444444443333333333333 - Bad entropy.
7ba996c43e44eb1976019d31960bf21873d6d24ba469ccc03f626f8a2a856137 - Good entropy.
You may evaluate the entropy by compressing string. If you can zip the string, the string has bad entropy.

I guess you mean entropy of password, not sha256 string. It is the also object of dictionary brute forcing besides low entropy of real languages.

About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.

[spin]

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

[goatpig]

About brute forcing. Why I didn't make more iterations? If Armory does complicated scrypt-like work to restore wallet's private key from the Root Key, I really don't need more. Because brute-forcer have to do this work too. So our password is additionally protected from brute-forcing by Armory's algorithm.

We use a precursor to scrypt and a target derivation time on the extend wallet passphrases, that are used to encrypt the entries in your wallet if you choose to encrypt the wallet, on disk.

Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.

[timz]

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

Only in case of password. And in case of low-cost brute forcing. But generally no. I mean if entropy of '3333333377777777444444443333333377777777444444443333333333333' is low, for example equal to 2^3 bytes phrase, it doesn't mean you may find the 8-bytes phrase that
hash256(8-byte-phrase)=hash256('3333333377777777444444443333333377777777444444443333333333333').

[timz]

Wallet passphrases are completely different from root keys. Root keys come from a CSPRNG. Passphrases are created by users, so they are extended properly for added security.

Could you tell the algorithm for generate chain key and first private key from Root Key? The restoring wallet takes a time, I though it is complicated procedure.

[goatpig]

Address chain extension:

https://github.com/etotheipi/BitcoinArmory/blob/master/armoryengine/PyBtcWallet.py#L1047

Deriving the first key:

https://github.com/etotheipi/BitcoinArmory/blob/master/armoryengine/PyBtcWallet.py#L912

[spin]

entropy of sha256(sha256('3333333377777777444444443333333377777777444444443333333333333'))
is the same as the entropy of '3333333377777777444444443333333377777777444444443333333333333'

Only in case of password. And in case of low-cost brute forcing. But generally no. I mean if entropy of '3333333377777777444444443333333377777777444444443333333333333' is low, for example equal to 2^3 bytes phrase, it doesn't mean you may find the 8-bytes phrase that
hash256(8-byte-phrase)=hash256('3333333377777777444444443333333377777777444444443333333333333').

Users often chose low entropy passwords, x.
If entropy of x is low then entropy of sha256(sha256(x)) is also low...
Which means people can easily crack their wallets.

This is why everyone thinks brain wallets are a bad idea.

[picobit]

Use something like 'Two beer, or bottle of wine? That is the question of my silly brain.'

One year from from now, typing 'Two beer, or a bottle of wine? That is the question of my silly brain.'  Wait??? Where are all my coins???  I am sure I remembered my password.

This is the other reason brain wallets are such a terrible idea.

[timz]

One year from from now, typing 'Two beer, or a bottle of wine? That is the question of my silly brain.'  Wait??? Where are all my coins???  I am sure I remembered my password.

This is the other reason brain wallets are such a terrible idea.

Well, I don't remember the password, but I still have my paper fragmented backup.
But if papers were lost, you may try to recall the password. It is just additional possibility to restore wallet.

[picobit]

Well, I don't remember the password, but I still have my paper fragmented backup.
But if papers were lost, you may try to recall the password. It is just additional possibility to restore wallet.

That actually makes sense - at least if your passphrase is long and cryptic enough to be secure. 

The demands for a brain wallet is many orders of magnitude higher than for a password, since you do not need access to anything other than the block chain to break it - and can attack all the world's brain wallets in parallel at no extra cost.  A lot of people have a lot of specialized hardware for doing rapid hashes - and they no longer pay for themselves mining bitcoin.  Some of these are going to try for brainwallets instead.  And since "Two beer, or bottle of wine? That is the question of my silly brain." is (almost) grammatically correct and uses sensible punctuation, it has much lower entropy than one would expect.  I *think* it is barely out of reach of a brute force search, but honestly I have no clue.