From: Jonas Schnelli <dev@jonasschnelli.ch>
Date: Wed, 9 Aug 2017 21:35:26 +0200
To: Colin Lacina <notdatoneguy@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
In-Reply-To: <CAJJsNHvDbPpo+31bN0eYtgARnZe_ZeoVz7=bm9HuAjUM0ztKBA@mail.gmail.com>
Message-Id: <5C198808-A3BB-413D-A793-0107095EFBE9@jonasschnelli.ch>
Subject: Re: [bitcoin-dev] Structure for Trustless Hybrid Bitcoin Wallets Using P2SH for Recovery Options
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
Hi Colin

> In case the server goes rogue and starts refusing to sign, the user can use their userRecoveryPrivKey to send the funds anywhere they choose. Because of this, the userRecoveryPrivKey is best suited to cold wallet storage.

Would you then assume that userWalletPubKey is a hot key (stored on the user's computer, eventually in a browser-based local storage container)?

In case of an attack on the server responsible for serverWalletPubKey (where also the personal information of the user is stored [including the xpub == amount of funds held by the user]), wouldn't this increase the user's risk of being a possible target (false sense of multisig security, compared to cold storage / HWW keys)?

> In the more likely event that the user forgets their password and/or loses access to their userWalletPrivKey as well as loses their recovery key, they rely on the serverRecoveryPrivKey.
>
> When the user first sets up their wallet, they answer some basic identity information, set up a recovery password, and/or set up recovery questions and answers. This information is explicitly NOT sent to the server with the exception of recovery questions (although the answers remain with the user, never seeing the server). What is sent to the server is its 256-bit hash used to identify the recovery wallet. The server then creates a 1025-bit nonce, encrypts it, stores it, and transmits it to the user's client.

I guess this will result in protecting the funds stored in this transaction entirely on the user's identity information and eventually the optional recovery password, though I guess you are adding additional security by protecting via the server nonce from brute-forcing.

Why 1025 bit for the nonce?

Why SHA512 instead of SHA256 (I guess you need 256-bit symmetric key material for the key encryption)?

Considered using a (H)KDF for deriving the symmetric key (even if the server-based nonce reduces the possibility of brute-forcing)?

Your model has probably the TORS (trust on recovery setup) weakness (compared to a HWW where you [should] be protected on compromised systems during private key creation).

</jonas>
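As an added example that is not part of the thread: the (H)KDF-based derivation Jonas asks about, in Python, beside the bare-hash form it would replace. The PBKDF2 iteration count, the `info` label, the field encoding and the sample secrets are my assumptions, not anything from Colin's proposal.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated to `length`."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
        i += 1
    return okm[:length]

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)

def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never produce the same input."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def naive_recovery_key(password: bytes, answers: list, nonce: bytes) -> bytes:
    # The construction Jonas questions: one bare SHA-512 over the concatenated inputs,
    # truncated to 256 bits (assumed key size). One hash per guess, so the key is only as
    # strong as the entropy of password + answers once the nonce is known.
    return hashlib.sha512(password + b"".join(answers) + nonce).digest()[:32]

def recovery_key(password: bytes, answers: list, nonce: bytes, iterations: int = 600_000) -> bytes:
    # Step 1: stretch the low-entropy user secrets with PBKDF2-HMAC-SHA256, salted with the
    # server nonce, so each offline guess costs `iterations` HMAC calls and needs the nonce.
    stretched = hashlib.pbkdf2_hmac("sha256", encode_fields(password, *answers), nonce, iterations)
    # Step 2: HKDF extract-and-expand; `info` binds the output to one purpose, so further
    # keys (e.g. an authentication key) can be derived from the same secret without reuse.
    return hkdf(nonce, stretched, b"hybrid-wallet/recovery-key-encryption/v1", 32)

# Constructed sample values (not from the thread); a real nonce comes from the server's CSPRNG.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_ANSWERS = [b"Zurich", b"Rex"]
SAMPLE_NONCE = bytes(range(32))

if __name__ == "__main__":
    print(recovery_key(SAMPLE_PASSWORD, SAMPLE_ANSWERS, SAMPLE_NONCE, iterations=1000).hex())
```

The HKDF functions are checked against RFC 5869 test case 1, so the same helper can be reused for any other key the wallet needs to derive from the stretched secret.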