Return-Path: <hugo@nunchuk.io> Received: from fraxinus.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id A11A8C013A for <bitcoin-dev@lists.linuxfoundation.org>; Thu, 11 Feb 2021 19:11:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by fraxinus.osuosl.org (Postfix) with ESMTP id 8817386E44 for <bitcoin-dev@lists.linuxfoundation.org>; Thu, 11 Feb 2021 19:11:24 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from fraxinus.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L2jgTUCUnx2F for <bitcoin-dev@lists.linuxfoundation.org>; Thu, 11 Feb 2021 19:11:23 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-ua1-f43.google.com (mail-ua1-f43.google.com [209.85.222.43]) by fraxinus.osuosl.org (Postfix) with ESMTPS id 92A5586DDA for <bitcoin-dev@lists.linuxfoundation.org>; Thu, 11 Feb 2021 19:11:23 +0000 (UTC) Received: by mail-ua1-f43.google.com with SMTP id f10so2099587uaa.8 for <bitcoin-dev@lists.linuxfoundation.org>; Thu, 11 Feb 2021 11:11:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nunchuk-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lWBXfKjbhg8wyx4OGGCHy2R6SZaIrwTaeXjq1SwyJtE=; b=zeipiAzP/VUkUFmw0zdyGrEBJdojNuFCZGIg6wSVmze7BCA3broWuwMXqIK7lQ/7er CXUiRDUjj1yJiIRJxo/cHAXnfJaSe4AXS8B31nIxfm83g303abStiLCaKTIbaSW6hen+ 0ISKqe3g2eAlxyyie6Ld9u1iVUkAbuZ1j3F92G5y1Yfzv3i31XR/RcYxmH9QW2G0+KFx QhlyN2DoQ5pifUGxTLOsagGqqjja//mXZGcg65dCRwwBzCq9lY9hn1ADzfGXM9nQIBHV Q5IP76RFUi7NxlznkeRQoRbkS7UaOmIbaRLewEGvXo3BNPUJXGZT9MRlbeqCoMr9MaBv sEkg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lWBXfKjbhg8wyx4OGGCHy2R6SZaIrwTaeXjq1SwyJtE=; b=evbTJ1qxAVuGZxLlBwBHaREbefJEhZz76jCTgXm1MvSTS7DzZOY0VCILEXs2D5pFv0 LfYSUEAwQtLX71+pbfI+FVyoIZ6bJ3f9hrzKqzo+5mU39NH60BLE+CKVYv3zfCEGuWEZ eQwACHdk8qPYJkJor/PyAxxxVEMC4ptSBoeZ0HwOke7OhxDt0UnqkcyBY1zWhWBm4F1d PJ3pQ1areG8crSreSxf+VIRdKphF1/swR4VYT7CTypJk6FKfrT2wvXaPk4tM8/TCcoqR +Eca3Gh/8QH/xObuc4JjaqB66nHbhAHyLEGAloa14LnYEO1/BJT8qziEhbfKl9XbI4Ke gnoA== X-Gm-Message-State: AOAM532jixhUAkQ+amNr8gsUFsc1oE97pGsncwWSIDzhd3nJ1ofwaYs4 CUcEoplW+WXNb3k0sc/mvvXMpd3bSzZaG1ecmWFYZGKvH7EJBOgqK6DWog== X-Google-Smtp-Source: ABdhPJwVjqcj6+e0T8F6r6vb59r6q3vyOHN7Yq4/GJpRn7Qznibt3DhBMI8F38AE513vtNVeNa5d4B8wUEwSUBDe9gM= X-Received: by 2002:ab0:41e3:: with SMTP id 90mr6278285uap.128.1613070682658; Thu, 11 Feb 2021 11:11:22 -0800 (PST) MIME-Version: 1.0 References: <CAPKmR9uyY70MhmVCh=C9DeyF2Tyxibux1E_bLPo00aW_h+OjLw@mail.gmail.com> <CACrqygA1JRA293joYOxxpSepiuFD=uVvQQy3wpuosYyLQHff-A@mail.gmail.com> <CAPKmR9tcR7gBfJ=EqJ60J=XvsreZgByL+HEfR0_YvwadJRWNhg@mail.gmail.com> <CACrqygDhuateDtJMBSWd9sGRu1yzrZBw2yZ75OyKD1Xmzix3Cw@mail.gmail.com> <CAPKmR9sUFJqsxKQS_x9rYZzkEO7hXr6vwAyPnysQPzA91TDjMA@mail.gmail.com> <CAF90AvkeG53o5H2dZsdsG_c4PxxooMgx-Fv47RWpNNwm_su-hg@mail.gmail.com> <CAPKmR9vg1BMDQWNDk41N4i4cJ8J6K9GuqSpstFpMFwyiVBYw-w@mail.gmail.com> <20210211172910.3b550706@simplexum.com> In-Reply-To: <20210211172910.3b550706@simplexum.com> From: Hugo Nguyen <hugo@nunchuk.io> Date: Thu, 11 Feb 2021 11:11:11 -0800 Message-ID: <CAPKmR9udiK+2gC2qUueAfKm7VBf8csM-3WOz1+-bMNR0iVeGew@mail.gmail.com> To: Dmitry Petukhov <dp@simplexum.com>, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> Content-Type: multipart/alternative; boundary="00000000000009b13005bb144908" X-Mailman-Approved-At: Thu, 11 Feb 2021 20:29:40 +0000 Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> X-List-Received-Date: Thu, 11 Feb 2021 19:11:24 -0000 --00000000000009b13005bb144908 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Pavol, On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > =D0=92 Thu, 11 Feb 2021 05:45:33 -0800 > Hugo Nguyen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> > wrote: > > > > > ENCRYPTION_KEY =3D SHA256(SHA256(TOKEN)) > > > > > > This scheme might be vulnerable to rainbow table attack. > > > > > > > Thank you for pointing this out! Incidentally, Dmitry Petukhov also > > told me the same privately. > > My thought was that if TOKEN has the characteristics of a password > (short ASCII string), then it would be better to use key derivation > function designed for passwords, like PBKDF2. > > The counter-argument to this is that this adds another code dependency > for vendors, if the device firmware does not already have the required > key derivation function. > > Maybe this could be solved by going into opposite direction - make the > "token" even longer, use the mnemoic. > > The issue is that entering long data of the shared key into the device > manually is difficult UX-wise. > > Hww vendors that allow to enter custom keys into their device already > have to face this issue, and those who allow to enter custom keys via > mnemonic probably tackled this somehow. > > Maybe the shared key for multisig setup can be entered in the same way > ? (with maybe additional visual check via some fingerprint). > You just gave me a great idea! We can reuse the BIP32 seed words list! Perhaps the encryption key can just be 6 words, but it'll be derived the same way. BIP39 also uses PBKDF2 as a key derivation function, so it matches with what you described here. And all HWW should have this functionality already. Best, Hugo > > Although we would then have another issue of potential confusion > between two procedures (entering the main key and entering the shared > key for multisig setup), and the measures has to be taken to prevent > such confusion. > > The approaches can be combined - specify a key derivation function > suitable for passwords; via secure channel, share a password and/or the > derived key. If hww supports derivation function, it can derive the key > from password. If hww supports only keys, the key can be entered raw or > via mnemonic. > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000009b13005bb144908 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div>Hi Pavol,</div><br><div class=3D"gmail_quote"><div di= r=3D"ltr" class=3D"gmail_attr">On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petuk= hov via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation= .org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockq= uote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1p= x solid rgb(204,204,204);padding-left:1ex">=D0=92 Thu, 11 Feb 2021 05:45:33= -0800<br> Hugo Nguyen via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfo= undation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&g= t;<br> wrote:<br> <br> > > > ENCRYPTION_KEY =3D SHA256(SHA256(TOKEN))=C2=A0 <br> > ><br> > > This scheme might be vulnerable to rainbow table attack.<br> > >=C2=A0 <br> > <br> > Thank you for pointing this out! Incidentally, Dmitry Petukhov also<br= > > told me the same privately.<br> <br> My thought was that if TOKEN has the characteristics of a password<br> (short ASCII string), then it would be better to use key derivation<br> function designed for passwords, like PBKDF2.<br> <br> The counter-argument to this is that this adds another code dependency<br> for vendors, if the device firmware does not already have the required<br> key derivation function.<br> <br> Maybe this could be solved by going into opposite direction - make the<br> "token" even longer, use the mnemoic.<br> <br> The issue is that entering long data of the shared key into the device<br> manually is difficult UX-wise.<br> <br> Hww vendors that allow to enter custom keys into their device already<br> have to face this issue, and those who allow to enter custom keys via<br> mnemonic probably tackled this somehow.<br> <br> Maybe the shared key for multisig setup can be entered in the same way<br> ? (with maybe additional visual check via some fingerprint).<br></blockquot= e><div><br>You just gave me a great idea! We can reuse the BIP32 seed words= list! Perhaps the encryption key can just be 6 words, but it'll be der= ived the same way. BIP39 also uses=C2=A0PBKDF2 as a key derivation function= , so it matches with what you described here.<br><br>And all HWW should hav= e this functionality already.<br><br>Best,<br>Hugo<br>=C2=A0</div><blockquo= te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px = solid rgb(204,204,204);padding-left:1ex"> <br> Although we would then have another issue of potential confusion<br> between two procedures (entering the main key and entering the shared<br> key for multisig setup), and the measures has to be taken to prevent<br> such confusion.<br> <br> The approaches can be combined - specify a key derivation function<br> suitable for passwords; via secure channel, share a password and/or the<br> derived key. If hww supports derivation function, it can derive the key<br> from password. If hww supports only keys, the key can be entered raw or<br> via mnemonic.<br> _______________________________________________<br> bitcoin-dev mailing list<br> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">= bitcoin-dev@lists.linuxfoundation.org</a><br> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" = rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev</a><br> </blockquote></div></div> --00000000000009b13005bb144908--