1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
Return-Path: <dp@simplexum.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 5EDC5C013A
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 12 Feb 2021 17:36:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 378956F644
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 12 Feb 2021 17:36:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eBgYtYXrIjFg
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 12 Feb 2021 17:36:53 +0000 (UTC)
Received: by smtp3.osuosl.org (Postfix, from userid 1001)
id 01B766F760; Fri, 12 Feb 2021 17:36:53 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from mail.ruggedbytes.com (mail.ruggedbytes.com [88.99.30.248])
by smtp3.osuosl.org (Postfix) with ESMTPS id D798A6F644
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 12 Feb 2021 17:36:50 +0000 (UTC)
Received: from mail.ruggedbytes.com (localhost [127.0.0.1])
by mail.ruggedbytes.com (Postfix) with ESMTPS id D2C50260023D;
Fri, 12 Feb 2021 17:36:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=simplexum.com;
s=mail; t=1613151407;
bh=p5q0sCEDm1f75vFmMhlre6ZI7i8FCaVaq54pZLUwxaM=;
h=Date:From:To:Cc:Subject:In-Reply-To:References;
b=QAFdpG3Ocs3uV+es/KryqZHDJbGssHGvB7lSRM8OGhuHTqctEB3/109TVP9FN09g1
t7w2R5GV8bnMSQEXDG4Qh1eIZRcLAUBPpO277Yg5cie7DkQOIbL8npQzxdVJsSwx/O
soV417Rns1uYN4qBkZmY87SBLRPXugycsRUonDgg=
Date: Fri, 12 Feb 2021 18:42:31 +0100
From: Dmitry Petukhov <dp@simplexum.com>
To: Hugo Nguyen <hugo@nunchuk.io>
Message-ID: <20210212184231.22b517aa@simplexum.com>
In-Reply-To: <CAPKmR9v5jzsu7siuyAu42XOCdtXqMXmKzmiDzjEy_bVNbSPyyw@mail.gmail.com>
References: <CAPKmR9uyY70MhmVCh=C9DeyF2Tyxibux1E_bLPo00aW_h+OjLw@mail.gmail.com>
<CACrqygA1JRA293joYOxxpSepiuFD=uVvQQy3wpuosYyLQHff-A@mail.gmail.com>
<CAPKmR9tcR7gBfJ=EqJ60J=XvsreZgByL+HEfR0_YvwadJRWNhg@mail.gmail.com>
<CACrqygDhuateDtJMBSWd9sGRu1yzrZBw2yZ75OyKD1Xmzix3Cw@mail.gmail.com>
<CAPKmR9sUFJqsxKQS_x9rYZzkEO7hXr6vwAyPnysQPzA91TDjMA@mail.gmail.com>
<CAF90AvkeG53o5H2dZsdsG_c4PxxooMgx-Fv47RWpNNwm_su-hg@mail.gmail.com>
<CAPKmR9vg1BMDQWNDk41N4i4cJ8J6K9GuqSpstFpMFwyiVBYw-w@mail.gmail.com>
<20210211172910.3b550706@simplexum.com>
<CAPKmR9v5jzsu7siuyAu42XOCdtXqMXmKzmiDzjEy_bVNbSPyyw@mail.gmail.com>
Organization: simplexum.com
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Fri, 12 Feb 2021 18:29:59 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 17:36:54 -0000
If HUMAN_READABLE_TITLE is the additional secret, the user would need
to enter it on the device in addition to the nonce, wouldn't it defeat
the advantage in UX that was gained by using (relatively) short nonce ?
Is 64 bit nonce not enough ?
It seems that to crack this with fixed Pwd and 64 bit nonce, the
attacker will need to be about 10^15 more powerful than 80Mhz MCU:
(2^64)/(0.3*10^15)/3600 =3D 17 hours. I don't know if 10^15 is realistic
scale. Average desktop cpu seems to be about 10^3 more powerful than
the mentioned MCU for this task.
Maybe for the UX it would be better to choose the number of rounds to
use in PBKDF2, instead of using variable Pwd. Number of rounds will be
easier to enter on the device (or just choose it from a set of
pre-defined values). The more money is at stake, the higher number of
rounds could the coordinator choose (taking into account the
characteristics of the participant devices)
=D0=92 Fri, 12 Feb 2021 08:55:55 -0800
Hugo Nguyen <hugo@nunchuk.io> wrote:
> Thanks everyone who has provided inputs so far!
>=20
> This is the new proposal for the encryption aspect of the scheme,
> based on all the feedback.
>=20
> The key derivation function would be PBKDF2, with PRF =3D SHA512. This
> should be readily available on today's hardware already, as they are
> used for BIP39.
>=20
> DK =3D PBKDF2(PRF, Password, Salt, c, dkLen)
> PRF =3D SHA512
> Pwd =3D HUMAN_READABLE_TITLE
> Salt =3D NONCE
> c =3D 2048
> dkLen =3D 256
>=20
> HUMAN_READABLE_TITLE is in ASCII format, minimum length =3D 8, maximum
> length =3D 20.
> NONCE is a 64-bit number.
>=20
> Reason for going with SHA512 is due to legacy support on some
> hardware. c=3D2048 also mimics BIP39. It takes about ~3 seconds to
> derive the encryption key on a 80Mhz MCU. We feel like this is a good
> enough tradeoff for this use case. The assumption here is that the
> secure session is only needed temporarily for a few hours, maybe up
> to one day.
>=20
> The Coordinator and Signers agree and exchange these 2 secrets prior
> to the setup. The NONCE can be converted to either:
> (a) a 6-word phrase using BIP39 wordlist
> (b) a 20-digit decimal number
> (c) a QR code
>=20
> Depending on the vendor. This flexibility in the data format allows
> each vendor to customize the UX based on their respective device
> capabilities.
>=20
> Best,
> Hugo
>=20
> On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>=20
> > =D0=92 Thu, 11 Feb 2021 05:45:33 -0800
> > Hugo Nguyen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
> > wrote:
> > =20
> > > > > ENCRYPTION_KEY =3D SHA256(SHA256(TOKEN)) =20
> > > >
> > > > This scheme might be vulnerable to rainbow table attack.
> > > > =20
> > >
> > > Thank you for pointing this out! Incidentally, Dmitry Petukhov
> > > also told me the same privately. =20
> >
> > My thought was that if TOKEN has the characteristics of a password
> > (short ASCII string), then it would be better to use key derivation
> > function designed for passwords, like PBKDF2.
> >
> > The counter-argument to this is that this adds another code
> > dependency for vendors, if the device firmware does not already
> > have the required key derivation function.
> >
> > Maybe this could be solved by going into opposite direction - make
> > the "token" even longer, use the mnemoic.
> >
> > The issue is that entering long data of the shared key into the
> > device manually is difficult UX-wise.
> >
> > Hww vendors that allow to enter custom keys into their device
> > already have to face this issue, and those who allow to enter
> > custom keys via mnemonic probably tackled this somehow.
> >
> > Maybe the shared key for multisig setup can be entered in the same
> > way ? (with maybe additional visual check via some fingerprint).
> >
> > Although we would then have another issue of potential confusion
> > between two procedures (entering the main key and entering the
> > shared key for multisig setup), and the measures has to be taken to
> > prevent such confusion.
> >
> > The approaches can be combined - specify a key derivation function
> > suitable for passwords; via secure channel, share a password and/or
> > the derived key. If hww supports derivation function, it can derive
> > the key from password. If hww supports only keys, the key can be
> > entered raw or via mnemonic.
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > =20
|
