Topic: [Proposal] Deterministic Initial Wallet Key Generation  (Read 483 times)


Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12242
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BTS: xeroc
  • GitHub: xeroc
[Proposal] Deterministic Initial Wallet Key Generation
« on: November 07, 2014, 07:29:08 AM »

As we had some issues with newcomers not backing up their wallets properly (the passphrase is not a brainwallet as in NXT), I'd like to propose a new initial scheme for the generation of the wallet master key (which is used to derive account keys).
It's quite simple and those of you that have a keyhotee founder id should be pretty familiar with it:

1) the first time a user opens up the wallet he will be asked to enter the following information:
  - first name
  - last name
  - id number
  - mail address
  - birthday
  - BRAINWALLET / passphrase / secret .. or something else that is SOLELY used to generate the key
2) generate the private key according to
   HASH(first name + last name + id number + mail + birthday + brainwallet)
3) Further ask for a passphrase to encrypt the private key after generation
  store ENCRYPT(HASH)
4) done

This way you can force the user initially to make a backup of the most important private key (the wallet master key), and thus also make a backup of all further used keys, as they are hierarchically derived from it!

Note that basically all user inputs (except one) can be considered OPTIONAL .. they are only there to increase the entropy ..
the user should be told that no information he enters is stored anywhere ..

Thoughts?
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline bytemaster

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #1 on: November 07, 2014, 07:41:34 AM »
I think that assuming the user is downloading the full wallet and taking personal responsibility for their keys they can be expected to learn enough to understand the value/complexity of doing this. 

I think we need to train users to treat their wallets with respect and care rather than attempting to make it so "easy" that they take it for granted. 
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #2 on: November 07, 2014, 07:47:13 AM »
Quote from: bytemaster
I think we need to train users to treat their wallets with respect and care rather than attempting to make it so "easy" that they take it for granted.
Now THAT would be ideal .. but I am not sure if everyone is .. let's say "capable" .. of understanding the value of bits and bytes ..

some people just won't understand that you can make your funds inaccessible (read: lose) by deleting your bits and bytes .. or destroying your computer ... not having a backup ..

Offline arhag

  • Hero Member
  • *****
  • Posts: 1214
    • View Profile
    • My posts on Steem
  • BTS: arhag
  • GitHub: arhag
Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #3 on: November 07, 2014, 07:53:01 AM »
I think there can be a GUI option for generating a brainwallet (rather than only a CLI-only method available to do that like there is now). But I don't like the idea of it being the default system. I don't think typical users can be trusted to generate a passphrase with enough entropy to be resistant to bruteforce attacks. While the personal information does make it more difficult for an attacker attempting to bruteforce all keys out there at once, an attacker targeting a particular user can very easily get the victim's basic personal information and likely be successful in bruteforcing their most likely weak passphrase to get the wallet private key. And all of this would be possible without needing to accomplish the relatively difficult task of stealing the exported JSON file containing the encrypted wallet private key (which can be on a flash drive, on the user's computer, or a cloud storage service).

I think the GUI just needs to be updated to make it absolutely clear to the user that they need to safely backup the initial exported JSON file (or at least just the encrypted wallet private key) or else they could lose access to their funds and identity.
« Last Edit: November 07, 2014, 07:54:55 AM by arhag »
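The derivation xeroc proposes in the opening post (a hash over personal fields plus a passphrase) and arhag's objection to it can both be made concrete. The following is an added Python example, not code from this thread or from the BitShares wallet: it implements the proposed derivation with PBKDF2-HMAC-SHA256 standing in for the unspecified HASH() (the salt string, the iteration count and the `fingerprint()` stand-in for an on-chain public key are assumptions of the example), then runs the targeted attack arhag describes, where an attacker who already knows the victim's name, ID number, e-mail and birthday only has to enumerate weak passphrases. The identity and the wordlist are constructed for the demonstration.

```python
import hashlib

# Constructed example identity (not a real person): the fields the proposal
# asks for at first wallet start. An attacker targeting this user can learn
# all of them from public records or social media.
VICTIM_FIELDS = {
    "first_name": "alice",
    "last_name": "example",
    "id_number": "12345678",
    "mail": "alice@example.org",
    "birthday": "1985-03-14",
}

# Assumed constants: the proposal does not name a hash or KDF. A fixed salt is
# required because the scheme must be deterministic (same inputs, same key).
KDF_SALT = b"bitshares-master-key-v0"
KDF_ITERATIONS = 2 ** 14


def derive_master_key(fields, passphrase, iterations=KDF_ITERATIONS):
    """HASH(first name + last name + id number + mail + birthday + brainwallet),
    with PBKDF2-HMAC-SHA256 as the hash. The separator keeps field boundaries
    unambiguous (so "ab"+"c" and "a"+"bc" do not collide)."""
    material = "|".join([
        fields["first_name"], fields["last_name"], fields["id_number"],
        fields["mail"], fields["birthday"], passphrase,
    ]).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, KDF_SALT, iterations)


def fingerprint(master_key):
    """Stand-in for the public key / account name an attacker reads off the
    chain; anything publicly derivable from the private key works as an oracle."""
    return hashlib.sha256(b"pub:" + master_key).hexdigest()


def candidate_passphrases(fields):
    """A deliberately tiny wordlist: common passwords plus guesses built from
    the personal data the attacker already holds. Real attackers use millions."""
    year = fields["birthday"][:4]
    bases = ["password", "123456", "qwerty", "letmein", "bitshares",
             fields["first_name"] + year]
    for base in bases:
        for word in (base, base.capitalize()):
            yield word
            for suffix in ("1", "123", "!", "2014"):
                yield word + suffix


def targeted_bruteforce(known_fields, target_fp, iterations=KDF_ITERATIONS):
    """Recover the passphrase, and with it the master key, from public data only.
    Returns (passphrase_or_None, number_of_guesses)."""
    tried = 0
    for guess in candidate_passphrases(known_fields):
        tried += 1
        if fingerprint(derive_master_key(known_fields, guess, iterations)) == target_fp:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    weak = derive_master_key(VICTIM_FIELDS, "Letmein123")
    found, n = targeted_bruteforce(VICTIM_FIELDS, fingerprint(weak))
    print(f"weak passphrase recovered: {found!r} after {n} guesses")

    # Same personal data, but a passphrase the computer generated: the attack
    # exhausts its list. Only the passphrase's own entropy protected the key.
    strong = derive_master_key(VICTIM_FIELDS, "c3f1a9e2d4b8770156e0aa9f3d2c1b44")
    found, n = targeted_bruteforce(VICTIM_FIELDS, fingerprint(strong))
    print(f"strong passphrase recovered: {found!r} after {n} guesses")
```

The personal fields change nothing for the targeted attacker, who knows them; they only add work for someone trying to hit every wallet at once. The KDF's iteration count slows each guess linearly and is no substitute for entropy in the one secret input.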

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #4 on: November 07, 2014, 07:54:03 AM »
reminds me I wanted to write a wiki page about best practices for end users concerning security of private keys ..
maybe I will find some time next week for that

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #5 on: November 07, 2014, 07:56:17 AM »
Quote from: arhag
I think there can be a GUI option for generating a brainwallet (rather than only a CLI-only method available to do that like there is now). But I don't like the idea of it being the default system. I don't think typical users can be trusted to generate a passphrase with enough entropy to be resistant to bruteforce attacks. While the personal information does make it more difficult for an attacker attempting to bruteforce all keys out there at once, an attacker targeting a particular user can very easily get the victim's basic personal information and likely be successful in bruteforcing their most likely weak passphrase to get the wallet private key. And all of this would be possible without needing to accomplish the relatively difficult task of stealing the exported JSON file containing the encrypted wallet private key (which can be on a flash drive, on the user's computer, or a cloud storage service).

I think the GUI just needs to be updated to make it absolutely clear to the user that they need to safely backup the initial exported JSON file (or at least just the encrypted wallet private key) or else they could lose access to their funds and identity.

That issue can be solved by letting the computer throw some 128 bits of randomness for the brainwallet .. and let the user note it down .. and maybe re-enter it in a second step to verify the "backup" ..

an initial export of the JSON file might end up being stored just on the computer .. once the disk crashes you lose both .. the wallet and the backup ..

and yes .. people are that stupid
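xeroc's alternative in the reply above (let the machine produce 128 bits of randomness, have the user write it down, and have them re-enter it to prove the backup exists) is the part of the proposal that survives the entropy objection. This added Python example, not code from this thread or from the BitShares wallet, shows the re-entry check: the 16-byte seed is printed as hex groups with a 2-byte SHA-256 checksum appended, and the confirmation step rejects a mistyped copy instead of silently accepting it. The grouping and checksum format are assumptions made for the example.

```python
import hashlib
import secrets

SEED_BYTES = 16          # the "some 128 bits of randomness" from the post
CHECKSUM_BYTES = 2       # assumed: a short checksum so typos are detected at confirmation time


def generate_seed(nbytes=SEED_BYTES):
    """Entropy comes from the OS CSPRNG, not from the user."""
    return secrets.token_bytes(nbytes)


def _checksum(seed):
    return hashlib.sha256(seed).digest()[:CHECKSUM_BYTES]


def encode_backup(seed):
    """Render seed+checksum as 4-hex-digit groups for writing on paper,
    e.g. '0001-0203-...-a1b2'."""
    body = (seed + _checksum(seed)).hex()
    return "-".join(body[i:i + 4] for i in range(0, len(body), 4))


def decode_backup(text):
    """Parse what the user typed back in. Tolerates case, spaces and missing
    dashes; returns the seed, or None if the checksum does not match."""
    cleaned = "".join(text.lower().split()).replace("-", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return None
    if len(raw) <= CHECKSUM_BYTES:
        return None
    seed, check = raw[:-CHECKSUM_BYTES], raw[-CHECKSUM_BYTES:]
    return seed if _checksum(seed) == check else None


def confirm_backup(seed, typed):
    """The verification step: the wallet only proceeds (and only then derives
    the master key from the seed) if the re-entered copy reproduces the seed."""
    return decode_backup(typed) == seed


if __name__ == "__main__":
    seed = generate_seed()
    shown = encode_backup(seed)
    print("write this down:", shown)
    print("re-entered correctly:", confirm_backup(seed, shown.upper()))
    typo = ("1" if shown[0] != "1" else "2") + shown[1:]
    print("re-entered with a typo:", confirm_backup(seed, typo))
```

The checksum does not protect the seed; it only makes the confirmation step useful, so a user who copied one digit wrong learns it before the paper copy is the only copy left. arhag's point in the next reply still stands: if the paper is lost, nothing here helps.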

Offline arhag

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #6 on: November 07, 2014, 08:00:54 AM »
Quote from: xeroc
That issue can be solved by letting the computer throw some 128 bits of randomness for the brainwallet .. and let the user note it down .. and maybe re-enter it in a second step to verify the "backup" ..

Well then it is no longer a brain wallet if the computer is generating the entropy, is it? If the user forgets to write it down, or they do and then lose the piece of paper they wrote it down on, then they will be just as screwed as when they forget to backup the exported JSON file.

Quote from: xeroc
an initial export of the JSON file might end up being stored just on the computer .. once the disk crashes you lose both .. the wallet and the backup ..

That's why the GUI should educate the users on how to properly backup the file.

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #7 on: November 07, 2014, 08:03:16 AM »
Quote from: arhag
That's why the GUI should educate the users on how to properly backup the file.
I agree .. let's do it that way ..

Maybe some day we will have something like Trezor to help out security-wise.

Thanks for the discussion anyway.

Offline arhag

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #8 on: November 07, 2014, 08:18:47 AM »
By the way this is another place multisig would be incredibly useful. You can have all your balances be secured by a 2-of-4 multisig where one key is the one on the hot client (which could also update votes and claim yield for convenience), another key is one stored on a paper wallet / flash drive and only used with an offline live Linux environment, another key is one controlled by some multisig security company, and the fourth one is a key that was generated on an offline computer, split into multiple parts using a secret sharing algorithm, each part of the key was encrypted on the offline computer specifically for a particular trusted BTS user (like friends and family), and then the encrypted key fragments were broadcast to the respective users.

If you lose your hot client key, you can use your offline backup and the multisig company's keys to get access to your funds.

If you lose both your hot client key and your offline backup (say your house burns down or it was robbed, and also you didn't have any encrypted cloud backups), then you can still get access by going to your friends and family, getting the key fragments from them, putting it back together and using that along with the multisig company's key to get back access to your funds.

If the multisig company disappears and your house was robbed, but you still have your phone that has the hot client key on it, you can use that and the reconstructed key from your friends and family to get access back to your funds.

If you die and the hot client key is inaccessible because no one alive knows the password, your friends and family could recover the funds using the plaintext paper backup in your home and their reconstructed fourth key. If the paper backup was also encrypted, they can prove to the multisig company that you are dead, prove to them that they are the beneficiaries of the deceased, and use the company's signature along with the reconstructed key to get access to the funds.

So many possibilities become available with multisig.

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #9 on: November 07, 2014, 08:22:39 AM »
So we need an easy way to let users know of these possibilities ..

paging @cass ;)


Offline cass

  • Hero Member
  • *****
  • Posts: 4328
  • /(┬.┬)\
    • View Profile
Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #10 on: November 07, 2014, 08:23:30 AM »
wass up!? how i can help?  :D
█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline xeroc

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #11 on: November 07, 2014, 08:26:58 AM »
:) that was fast ... when I have time I will sketch something for you about multisig .. we'd like to have something easy to understand for end users .. and also an easy implementation for the GUI ..

Offline cass

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #12 on: November 07, 2014, 08:32:33 AM »
Quote from: xeroc
:) that was fast ... when I have time I will sketch something for you about multisig .. we'd like to have something easy to understand for end users .. and also an easy implementation for the GUI ..

that's how we do it  +5%

Offline monsterer

Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #13 on: November 07, 2014, 09:23:11 AM »
I actually think brain wallets are a nice idea, but I wouldn't ask the user to type in all that personal information.

Instead you could just ask for a username and password, then hmac them together to create the private key. The extra entropy of the user name will make it safer than the NXT brain wallet single password.

Cheers, Paul.
My opinions do not represent those of metaexchange unless explicitly stated.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline pc

  • Hero Member
  • *****
  • Posts: 1130
    • View Profile
    • Bitcoin - Perspektive oder Risiko?
  • BTS: cyrano
  • Witness: cyrano
  • Payrate: 100%
Re: [Proposal] Deterministic Initial Wallet Key Generation
« Reply #14 on: November 07, 2014, 09:37:00 AM »
Quote from: xeroc
2) generate the private key according to
   HASH(first name + last name + id number + mail + birthday + brainwallet)

Someone should do some research to find out how much entropy each of these components provide. Which probably is rather difficult because one should expect a certain correlation between for example first name and birthday, or either name and mail.
Please vote for my BitShares witness "cyrano" and for my STEEM witness "cyrano.witness"!
Bitcoin - Perspektive oder Risiko? ISBN 978-3-8442-6568-2 http://bitcoin.quisquis.de

 
