References: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>
In-Reply-To: <CAPyCnfvqVT00C2TZ86GXf856jNJqPXY0duRa1CfdCqC0ecC6xA@mail.gmail.com>
From: Erik Aronesty <erik@q32.com>
Date: Thu, 6 May 2021 09:19:31 -0400
Message-ID: <CAJowKg+bpobZq3KfqwO6Rb-tKNw_N-tXoXFE84SdE0jjnc6i3g@mail.gmail.com>
To: Tobias Kaupat <Tobias@kaupat-hh.de>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 06 May 2021 15:48:29 +0000
Subject: Re: [bitcoin-dev] Encryption of an existing BIP39 mnemonic without changing the seed
I would stretch the password, with pbkdf2 or argon2 with like 30k
rounds or something first, rather than "just hashing it". Remember,
it's pretty easy to validate these seeds - not like you lock someone
out after 9 guesses!
On Wed, May 5, 2021 at 3:38 PM Tobias Kaupat via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi all,
> I want to start a discussion about a use case I have and a possible solution. I have not found any satisfying solution to this use case yet.
>
> Use case:
> An existing mnemonic (e.g. for a hardware wallet) should be saved on a paper backup in a password-encrypted form. The encrypted form should be a mnemonic itself to keep all backup properties like error correction.
>
> Suggested solution:
> 1) Take the existing mnemonic and extract the related entropy
> 2) Create a SHA256 hash (key) from a user-defined password
> 3) Use the key as input for AES CTR (empty IV) to encrypt the entropy
> 4) Derive a new mnemonic from the encrypted entropy to be stored on a paper backup
>
> We can add some hints to the paper backup that the mnemonic is encrypted, or prefix it with "*" to make clear it's not usable without applying the password via the algorithm above.
>
> To restore the original mnemonic, one must know the password and follow the process above again.
>
> An example implementation in GoLang can be found here:
> https://github.com/Niondir/go-bip39/blob/master/encyrption_test.go
>
> Why not use the existing BIP-39 passphrase?
> When generating a mnemonic with a passphrase, the entropy is derived from the passphrase. When you have an existing mnemonic without a passphrase, any attempt to add a passphrase will end up in a different seed and thus a different private key. What we actually need is to encrypt the entropy.
>
> I'm open to your feedback. All encryption parameters are up to discussion and the whole proposal needs a security review. It's just the first draft.
>
> Existing solutions
> One solution I found is "Seedshift", which can be found here: https://github.com/mifunetoshiro/Seedshift
>
> But I consider it less secure, and I would like to suggest a solution based on provably secure algorithms rather than a "rot23 derivation". Also, using a date as password does not seem very clever to me.
>
> Kind regards
> Tobias
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
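As an added example (not code from the thread or from go-bip39), here are steps 2 and 3 of the proposal in Go with Erik's password stretching in place of a single SHA-256, followed by the BIP39 checksum-and-index step that turns the encrypted entropy back into a valid mnemonic; the all-zero vector ends in index 3 ("about"), as the BIP39 test vectors say it should. The function names, the constant salt label and the 30k iteration count are my assumptions, and the wordlist lookup itself is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
)

// DeriveKey replaces the proposal's single SHA-256 with PBKDF2-HMAC-SHA512 (first block only,
// T1 = U1 ^ ... ^ Uc) cut to an AES-256 key. The salt is a constant label (assumption).
func DeriveKey(password string, iters int) []byte {
	mac := hmac.New(sha512.New, []byte(password))
	mac.Write([]byte("bip39-entropy-enc\x00\x00\x00\x01")) // salt || INT(1)
	t := mac.Sum(nil)                                       // U1
	for u := t; iters > 1; iters-- {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // a fresh slice, so t can now be updated in place
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:32]
}

// CryptEntropy is step 3: AES-CTR with an all-zero IV. CTR is its own inverse, so it decrypts too.
func CryptEntropy(key, entropy []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(entropy))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, entropy)
	return out, nil
}

// WordIndices is step 4 without the wordlist: append ENT/32 checksum bits, cut into 11-bit indices.
func WordIndices(entropy []byte) []int {
	sum := sha256.Sum256(entropy)
	bits := append(append([]byte{}, entropy...), sum[0]) // only the top ENT/32 bits of sum[0] are read
	out := make([]int, len(entropy)*3/4)                 // 3*ENT/32 words for ENT = 128..256 bits
	for w := range out {
		for i := w * 11; i < w*11+11; i++ {
			out[w] = out[w]<<1 | int(bits[i/8]>>(7-i%8)&1)
		}
	}
	return out
}
```

The fixed IV is tolerable only because each derived key protects exactly one entropy blob, and with no per-seed salt on the paper the iteration count is the only brake on offline guessing, which is Erik's point.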