š
Original date posted:2021-02-11
š Original message:Hi Pavol,
On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Š Thu, 11 Feb 2021 05:45:33 -0800
> Hugo Nguyen via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org>
> wrote:
>
> > > > ENCRYPTION_KEY = SHA256(SHA256(TOKEN))
> > >
> > > This scheme might be vulnerable to rainbow table attack.
> > >
> >
> > Thank you for pointing this out! Incidentally, Dmitry Petukhov also
> > told me the same privately.
>
> My thought was that if TOKEN has the characteristics of a password
> (short ASCII string), then it would be better to use key derivation
> function designed for passwords, like PBKDF2.
>
> The counter-argument to this is that this adds another code dependency
> for vendors, if the device firmware does not already have the required
> key derivation function.
>
> Maybe this could be solved by going into opposite direction - make the
> "token" even longer, use the mnemoic.
>
> The issue is that entering long data of the shared key into the device
> manually is difficult UX-wise.
>
> Hww vendors that allow to enter custom keys into their device already
> have to face this issue, and those who allow to enter custom keys via
> mnemonic probably tackled this somehow.
>
> Maybe the shared key for multisig setup can be entered in the same way
> ? (with maybe additional visual check via some fingerprint).
>
You just gave me a great idea! We can reuse the BIP32 seed words list!
Perhaps the encryption key can just be 6 words, but it'll be derived the
same way. BIP39 also uses PBKDF2 as a key derivation function, so it
matches with what you described here.
And all HWW should have this functionality already.
Best,
Hugo
>
> Although we would then have another issue of potential confusion
> between two procedures (entering the main key and entering the shared
> key for multisig setup), and the measures has to be taken to prevent
> such confusion.
>
> The approaches can be combined - specify a key derivation function
> suitable for passwords; via secure channel, share a password and/or the
> derived key. If hww supports derivation function, it can derive the key
> from password. If hww supports only keys, the key can be entered raw or
> via mnemonic.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210211/ed0f8b95/attachment-0001.html>;
Hugo Nguyen [ARCHIVE] /
npub1jqā¦5jqeg
2023-06-07 18:28:34
in reply to nevent1qā¦x96h
Author Public Key
npub1jqxs4ftunmm8qjyw9s80hpcayewkjfhpxund29l9qvzy7xqx4duq85jqegPublished at
2023-06-07 18:28:34Event JSON
{
"id": "ea6fc3869f1d34c84578e5800f655ed451c6ba197a2737b9de30bd60117163c6",
"pubkey": "900d0aa57c9ef670488e2c0efb871d265d6926e13726d517e503044f1806ab78",
"created_at": 1686162514,
"kind": 1,
"tags": [
[
"e",
"86ad6c37ed92954d8359f9dbcd43bb8becf51e4b072d4e707f08909fe0306de5",
"",
"root"
],
[
"e",
"17f473b7f3152db78f286010e339dcb826730ad80d3609959ee77513145da30a",
"",
"reply"
],
[
"p",
"78f5a82a0b64fb3c18bd33a69c53b1af612b3ac8dd81e12f74ba62f3793dac05"
]
],
"content": "š
Original date posted:2021-02-11\nš Original message:Hi Pavol,\n\nOn Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e Š Thu, 11 Feb 2021 05:45:33 -0800\n\u003e Hugo Nguyen via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e\n\u003e wrote:\n\u003e\n\u003e \u003e \u003e \u003e ENCRYPTION_KEY = SHA256(SHA256(TOKEN))\n\u003e \u003e \u003e\n\u003e \u003e \u003e This scheme might be vulnerable to rainbow table attack.\n\u003e \u003e \u003e\n\u003e \u003e\n\u003e \u003e Thank you for pointing this out! Incidentally, Dmitry Petukhov also\n\u003e \u003e told me the same privately.\n\u003e\n\u003e My thought was that if TOKEN has the characteristics of a password\n\u003e (short ASCII string), then it would be better to use key derivation\n\u003e function designed for passwords, like PBKDF2.\n\u003e\n\u003e The counter-argument to this is that this adds another code dependency\n\u003e for vendors, if the device firmware does not already have the required\n\u003e key derivation function.\n\u003e\n\u003e Maybe this could be solved by going into opposite direction - make the\n\u003e \"token\" even longer, use the mnemoic.\n\u003e\n\u003e The issue is that entering long data of the shared key into the device\n\u003e manually is difficult UX-wise.\n\u003e\n\u003e Hww vendors that allow to enter custom keys into their device already\n\u003e have to face this issue, and those who allow to enter custom keys via\n\u003e mnemonic probably tackled this somehow.\n\u003e\n\u003e Maybe the shared key for multisig setup can be entered in the same way\n\u003e ? (with maybe additional visual check via some fingerprint).\n\u003e\n\nYou just gave me a great idea! We can reuse the BIP32 seed words list!\nPerhaps the encryption key can just be 6 words, but it'll be derived the\nsame way. BIP39 also uses PBKDF2 as a key derivation function, so it\nmatches with what you described here.\n\nAnd all HWW should have this functionality already.\n\nBest,\nHugo\n\n\n\u003e\n\u003e Although we would then have another issue of potential confusion\n\u003e between two procedures (entering the main key and entering the shared\n\u003e key for multisig setup), and the measures has to be taken to prevent\n\u003e such confusion.\n\u003e\n\u003e The approaches can be combined - specify a key derivation function\n\u003e suitable for passwords; via secure channel, share a password and/or the\n\u003e derived key. If hww supports derivation function, it can derive the key\n\u003e from password. If hww supports only keys, the key can be entered raw or\n\u003e via mnemonic.\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210211/ed0f8b95/attachment-0001.html\u003e",
"sig": "655d0af19b78515dab6145a20f33c14cb64b96da354ecae4f37d1b1a6dfc179a1de2a1f20fca3c4880a6bf4b26c26136d01112055eedab9f518208736989d781"
}