Bitcoin Forum
November 15, 2024, 01:22:05 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Making a brain wallet "cheat sheet"  (Read 3369 times)
Peter Todd
Legendary
*
Offline Offline

Activity: 1120
Merit: 1160


View Profile
August 06, 2012, 12:01:18 PM
 #21

retep -

If that works for you, more power to you.  I won't deny that it is possible to commit a large amount of information to memory in a fairly short time.  I just don't trust myself enough to rely on that to hold a secret without a backup.  If you get confused over one character, your coins may be lost forever.  The mental anguish that would put someone through just isn't worth it to me.

Then put a copy in your safe deposit box. Heck, encrypt it with the key of someone you trust. It's a perfectly legit solution.

The point is, all these crazy salting schemes people are coming up probably aren't going to work, and on top of that, what if you forget the scheme? Why not just do things right and practice in the first place?

Topazan (OP)
Sr. Member
****
Offline Offline

Activity: 354
Merit: 250


View Profile
August 06, 2012, 12:41:26 PM
 #22

retep -

If that works for you, more power to you.  I won't deny that it is possible to commit a large amount of information to memory in a fairly short time.  I just don't trust myself enough to rely on that to hold a secret without a backup.  If you get confused over one character, your coins may be lost forever.  The mental anguish that would put someone through just isn't worth it to me.

Then put a copy in your safe deposit box. Heck, encrypt it with the key of someone you trust. It's a perfectly legit solution.

The point is, all these crazy salting schemes people are coming up probably aren't going to work, and on top of that, what if you forget the scheme? Why not just do things right and practice in the first place?
What makes your method "right"? Huh

I never said it wasn't a legit solution, it's just not for me.

As I said before, the plan is to write down the "scheme" in multiple places, and consult the record when necessary.

Save the last bitcoin for me!
Peter Todd
Legendary
*
Offline Offline

Activity: 1120
Merit: 1160


View Profile
August 06, 2012, 10:00:55 PM
 #23

retep -

If that works for you, more power to you.  I won't deny that it is possible to commit a large amount of information to memory in a fairly short time.  I just don't trust myself enough to rely on that to hold a secret without a backup.  If you get confused over one character, your coins may be lost forever.  The mental anguish that would put someone through just isn't worth it to me.

Then put a copy in your safe deposit box. Heck, encrypt it with the key of someone you trust. It's a perfectly legit solution.

The point is, all these crazy salting schemes people are coming up probably aren't going to work, and on top of that, what if you forget the scheme? Why not just do things right and practice in the first place?
What makes your method "right"? Huh

I never said it wasn't a legit solution, it's just not for me.

As I said before, the plan is to write down the "scheme" in multiple places, and consult the record when necessary.

Ah, yeah, I'll admit once you're writing down the scheme in multiple places it's not so bad. Although you have to think who the attacker is: an adversary scanning the whole block chain with a key brute-forcing script to try to break *everyones* key? Or this this an adversary targetting you? Do they have a court order to seize your funds and already have access to the multiple places where you scheme is written?

Lets suppose your adversary is purely targeting every key: why not just generate a random key and write it down? Or generate a long random salt, and append to that a password you can remember?

If your adversary is targeting you specifically once they get access to your scheme they can start targeting that using what they know about you. For instance the "where did I get bitten by a snake" question can be narrowed down pretty quickly, and then brute forced. Similarly for movie quotes and the like. What's worse is they may be targetting multiple people at once using similar schemes, which means the brute force effort can be amortized over every person to some extent.

Unfortunately I suspect the most fruitful approach is password strengthening functions. For an offline key waiting a few minutes for the function to crunch is acceptable and really will make the adversaries job difficult. Also while sipa, for example, has argued for functions that use a variable number of iterations depending on the key content I'd argue that it is quite ok for the iterations to be fixed or semi-fixed. Ultimately a brute force attempt with key strengthening consists of three stages: combinatorially generate a password, strengthen, check. Even if the iterations is different for each individual key, if the scheme to pick that number is known, the final brute force difficulty is still just the average number of iterations required for all possible keys.

I think a better scheme is as follows:

Code:
strengthened_password = password
exponent = 1
while strengthened_password is not in blockchain:
    strengthen password with (2^exponent-2^(exponent-1)) iterations
    exponent += 1

The security level of the brain wallet is now a function of the exponent picked on creation, yet the user doesn't need to remember that exponent as the system will automatically, and without wasting work, try all the possible ones in turn. The user interface will need some work, but essentially we can pick a reasonable upper bound exponent and have the software try up to that exponent first, and prompt the user if the key still isn't found, while allowing compatibility with later versions of the software that will up the exponent as computers increase in power.

Topazan (OP)
Sr. Member
****
Offline Offline

Activity: 354
Merit: 250


View Profile
August 07, 2012, 06:56:16 AM
 #24

Yeah, I've considered the possibility that someone targeting me could brute force the answers they don't know.  I think that choosing the questions carefully, so that at least some of them have a large number of possible answers will help.

That is a really interesting idea.  It never occurred to me to make some guess-and-check a necessary element of retrieving the coins.  I need to think about the implications of this.

Save the last bitcoin for me!
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1014

Let's talk governance, lipstick, and pigs.


View Profile
August 07, 2012, 01:29:10 PM
 #25

I'm not really sure what benefit a "cheat sheet" offers. I like to think of a brain wallet is something you can use in a prison without internet access or something to cross borders with nothing in hand. It's not that I want something "torture proof" because that's just unrealistic, but having a little extra security never hurt.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Topazan (OP)
Sr. Member
****
Offline Offline

Activity: 354
Merit: 250


View Profile
August 07, 2012, 02:00:46 PM
 #26

I'm not really sure what benefit a "cheat sheet" offers. I like to think of a brain wallet is something you can use in a prison without internet access or something to cross borders with nothing in hand. It's not that I want something "torture proof" because that's just unrealistic, but having a little extra security never hurt.
I just want to have a backup in case my memory fails without compromising too much security.

As I said, I'm intrigued by the idea of using guess-and-check for additional security like retep touched on.

How about this.  Instead of a huge sprawling list of questions, we limit it to smaller number x.  We then run an algorithm that makes a random combination of y (repetition allowed) keys and a random iteration# within a fixed range and generates the address based on that but doesn't store the combination.  When we want to retrieve the private key, we have to run an algorithm to brute force the correct combination of keys.

Memory failure?  Check.  The keys could be answers to personal questions and the algorithm could be recorded in a semi-secret way.
Random dictionary attack?  Check.  The hash key will be too long.
Finding the list and brute forcing the answers you don't know?  Check.  The existing brute force makes this impractical.

This would be much more secure than my first idea, and much easier to remember too.

The only question would be the optimal values of x, y, and iteration range.  Hmm...

Save the last bitcoin for me!
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1014

Let's talk governance, lipstick, and pigs.


View Profile
August 07, 2012, 02:08:50 PM
 #27

I'm not really sure what benefit a "cheat sheet" offers. I like to think of a brain wallet is something you can use in a prison without internet access or something to cross borders with nothing in hand. It's not that I want something "torture proof" because that's just unrealistic, but having a little extra security never hurt.
I just want to have a backup in case my memory fails without compromising too much security.

As I said, I'm intrigued by the idea of using guess-and-check for additional security like retep touched on.

How about this.  Instead of a huge sprawling list of questions, we limit it to smaller number x.  We then run an algorithm that makes a random combination of y (repetition allowed) keys and a random iteration# within a fixed range and generates the address based on that but doesn't store the combination.  When we want to retrieve the private key, we have to run an algorithm to brute force the correct combination of keys.

Memory failure?  Check.  The keys could be answers to personal questions and the algorithm could be recorded in a semi-secret way.
Random dictionary attack?  Check.  The hash key will be too long.
Finding the list and brute forcing the answers you don't know?  Check.  The existing brute force makes this impractical.

This would be much more secure than my first idea, and much easier to remember too.

The only question would be the optimal values of x, y, and iteration range.  Hmm...
Using questions to create keys is the method I use in Buried Keys. So far nobody has answered my questions correctly, heh.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!