From: Erik Aronesty
Date: Thu, 6 May 2021 09:19:31 -0400
To: Tobias Kaupat, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed

I would stretch the password, with PBKDF2 or Argon2 with like 30k rounds or something first, rather than "just hashing it". Remember, it's pretty easy to validate these seeds - not like you lock someone out after 9 guesses!
On Wed, May 5, 2021 at 3:38 PM Tobias Kaupat via bitcoin-dev wrote:
>
> Hi all,
> I want to start a discussion about a use case I have and a possible solution. I have not found any satisfying solution to this use case yet.
>
> Use case:
> An existing mnemonic (e.g. for a hardware wallet) should be saved on a paper backup in a password-encrypted form. The encrypted form should be a mnemonic itself to keep all backup properties like error correction.
>
> Suggested solution:
> 1) Take the existing mnemonic and extract the related entropy
> 2) Create a SHA256 hash (key) from a user-defined password
> 3) Use the key as input for AES CTR (empty IV) to encrypt the entropy
> 4) Derive a new mnemonic from the encrypted entropy to be stored on a paper backup
>
> We can add some hints to the paper backup that the mnemonic is encrypted, or prefix it with "*" to make clear it's not usable without applying the password via the algorithm above.
>
> To restore the original mnemonic, one must know the password and needs to follow the process above again.
>
> An example implementation in GoLang can be found here:
> https://github.com/Niondir/go-bip39/blob/master/encyrption_test.go
>
> Why not use the existing BIP-39 Passphrase?
> When generating a mnemonic with passphrase, the entropy is derived from the passphrase. When you have an existing mnemonic without a passphrase, any attempt to add a passphrase will end up in a different seed and thus a different private key. What we actually need is to encrypt the entropy.
>
> I'm open to your feedback. All encryption parameters are up to discussion and the whole proposal needs a security review. It's just the first draft.
>
> Existing solutions
> One solution I found is "Seedshift" which can be found here: https://github.com/mifunetoshiro/Seedshift
>
> But I consider it less secure and I would like to suggest a solution based on provably secure algorithms rather than a "rot23 derivation". Also using a date as password seems not very clever to me.
>
> Kind regards
> Tobias
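The four-step scheme quoted above, with Erik's key-stretching substituted for the single SHA-256, as an added example that is not part of the thread and not the Go implementation Tobias links. It runs on the Python standard library alone, so two stand-ins are assumed and labelled in the code: PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) with a fixed public salt plays the role of the password KDF, and an HMAC-SHA256 counter-mode keystream plays the role of AES-CTR with an empty IV (a real implementation would use AES-CTR from a vetted library; the structure is identical). Mnemonic words are represented by their 0..2047 index into the BIP39 English wordlist rather than the words themselves, since the wordlist is not embedded. The BIP39 bit-packing and checksum logic is implemented in full so that the ciphertext really is a valid mnemonic of the same length.

```python
"""Password-encrypt BIP39 entropy so the ciphertext is itself a valid mnemonic.

Added example, not code from the bitcoin-dev thread. Steps follow the
quoted proposal (entropy -> key -> CTR encryption -> new mnemonic) but the
key is stretched with PBKDF2 instead of a bare SHA-256.
"""
import hashlib
import hmac

# Assumptions, not from the thread: a fixed public salt for domain
# separation (a paper backup has nowhere to store a random one) and
# Erik's "like 30k rounds".
SALT = b"bip39-entropy-encryption-v1"
ITERATIONS = 30_000


def stretch_password(password: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password instead of a single SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT,
                               iterations, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher: keystream block i = HMAC-SHA256(key, i).

    Stand-in for AES-CTR with an all-zero IV (assumption, so the example
    needs no third-party AES). XOR is its own inverse, so this function
    both encrypts and decrypts.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(16, "big")
        ks = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39 encoding: append ENT/32 checksum bits of SHA-256(entropy),
    then split the bit string into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs = ent // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse of entropy_to_indices; rejects a mnemonic whose checksum
    does not match (that is the "error correction" a paper backup keeps)."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must be 12, 15, 18, 21 or 24 words")
    total = n * 11
    cs = total // 33
    ent = total - cs
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch")
    return entropy


def encrypt_mnemonic(indices: list[int], password: str) -> list[int]:
    """Steps 1-4: decode entropy, stretch password, CTR-encrypt, re-encode.
    The output has the same word count as the input and a valid checksum."""
    key = stretch_password(password)
    entropy = indices_to_entropy(indices)
    return entropy_to_indices(keystream_xor(key, entropy))


def decrypt_mnemonic(indices: list[int], password: str) -> list[int]:
    """Same operation: CTR decryption is CTR encryption."""
    return encrypt_mnemonic(indices, password)


if __name__ == "__main__":
    # Constructed sample entropy, not a real wallet.
    original = entropy_to_indices(bytes(range(16)))
    paper = encrypt_mnemonic(original, "correct horse battery staple")
    print("original:", original)
    print("on paper:", paper)
    print("recovered:", decrypt_mnemonic(paper, "correct horse battery staple"))
```

Two properties worth noticing when running it. A wrong password does not fail: the checksum is recomputed over the encrypted entropy, so decrypting with any password yields another perfectly valid 12-word mnemonic, and the only way to tell right from wrong is to derive the seed and look for funds, which is exactly why Erik wants the KDF cost rather than a bare hash. And because the IV is empty and the key depends only on the password, encrypting two different mnemonics under the same password reuses the keystream, so the XOR of the two plaintext entropies leaks; one password per backed-up mnemonic avoids that.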