📅 Original date posted:2014-03-12
📝 Original message:On Mar 12, 2014, at 01:24 PM, Pavol Rusnak <stick at gk2.sk> wrote:
On 03/12/2014 09:10 PM, William Yager wrote:
implement this is to allow semi-trusted devices (like desktop PCs) to do
all the "heavy lifting". The way the spec is defined, it is easy to have a
more powerful device do all the tough key stretching work without
significantly compromising the security of the wallet.
By disclosing "preH" to compromised computer (between steps 4 and 5) you
make further steps 5-9 quite less important.
Agreed, this is a valid concern. This could possibly allow a 3rd party to crack the password, but then again, they would not gain access to any key material. So yes, you could expose your password, but your key would still be safe.
If people feel strongly about this vulnerability, we can revisit step 4 and adjust it to make password recovery more expensive.
jp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140312/d6e4f9ca/attachment.html>;
Jean-Paul Kogelman [ARCHIVE] /
npub1sa…8y304
2023-06-07 15:15:17
in reply to nevent1q…55m7
Author Public Key
npub1sa86gng3pvs3jgyt5majwcrhn8ck5qxgy9pjqxkh79u638cd7dys28y304Published at
2023-06-07 15:15:17Event JSON
{
"id": "57d2876e58b62a1df45edc8bf410431911b1b8677e6eccb5e689518474754d5e",
"pubkey": "874fa44d110b2119208ba6fb27607799f16a00c82143201ad7f179a89f0df349",
"created_at": 1686150917,
"kind": 1,
"tags": [
[
"e",
"e2b06c13dda090fd765a6fae17847c84821995c150a37c86a1dca89140911552",
"",
"root"
],
[
"e",
"2969043d5d55e0b3bd586f53f62090397fc03ad421340749eab267a8becfd7d5",
"",
"reply"
],
[
"p",
"dac5021a7b00b2588f37695f479d6d47ad5dbacbb4f6beec1ddd295ae976e83c"
]
],
"content": "📅 Original date posted:2014-03-12\n📝 Original message:On Mar 12, 2014, at 01:24 PM, Pavol Rusnak \u003cstick at gk2.sk\u003e wrote:\n\nOn 03/12/2014 09:10 PM, William Yager wrote:\nimplement this is to allow semi-trusted devices (like desktop PCs) to do\nall the \"heavy lifting\". The way the spec is defined, it is easy to have a\nmore powerful device do all the tough key stretching work without\nsignificantly compromising the security of the wallet.\n\nBy disclosing \"preH\" to compromised computer (between steps 4 and 5) you\nmake further steps 5-9 quite less important.\n \nAgreed, this is a valid concern. This could possibly allow a 3rd party to crack the password, but then again, they would not gain access to any key material. So yes, you could expose your password, but your key would still be safe.\n\nIf people feel strongly about this vulnerability, we can revisit step 4 and adjust it to make password recovery more expensive.\n\njp\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140312/d6e4f9ca/attachment.html\u003e",
"sig": "9b8402d74f6695d99d1b56ea7cc7c6aecc6122d12b7db265c1fb16d18370697d1751169061c0beae9c30c31c86c4ef065b4e88d918e2c0602da97f1f31e9788b"
}