From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id E1AFAC013A for ; Thu, 11 Feb 2021 19:12:00 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id C32F6600CC for ; Thu, 11 Feb 2021 19:12:00 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPm6Pd-oMP4k for ; Thu, 11 Feb 2021 19:11:59 +0000 (UTC) Received: by smtp3.osuosl.org (Postfix, from userid 1001) id 85ACE6F5D8; Thu, 11 Feb 2021 19:11:59 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 Received: from mail-ua1-f45.google.com (mail-ua1-f45.google.com [209.85.222.45]) by smtp3.osuosl.org (Postfix) with ESMTPS id 53E28600CC for ; Thu, 11 Feb 2021 19:11:57 +0000 (UTC) Received: by mail-ua1-f45.google.com with SMTP id i3so2108183uai.3 for ; Thu, 11 Feb 2021 11:11:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nunchuk-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ZbnIVCEFpRiUgr92TqTmIDNc9wNXPYhbBbQIOJ/X0JY=; b=DqX6ajkm9Sz85sn15bCZhnYoFeKbZO5HaFlg3Gyg0G3YPw2grJ1eq6iexbJzykFR2G 6P86zG39vo/IVnQ73IWc8icZU/50ebvEt0rnqRZ0NBVRjAPorGgss0jRR4N04vcDc5F4 eXBNwIMhNkDA6ikZPAWJd0OsFuFl347eFSdx382K2WPMxFavOaOXPPjX52wZ8X+k+51l 2fU22D+Hpryx36DATRYjtC6XdxPp9Bh3xJrjUAq2vuzfCW4UoctU1OZsAWGEzNYo6EVv /+QeiEgATFZelC80ubGloma9ka0cTJFLid7DvZJ1dkxjn+qPuhNoQeO29cmCma275Qf7 2I6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ZbnIVCEFpRiUgr92TqTmIDNc9wNXPYhbBbQIOJ/X0JY=; b=UwiNLS5zZLP2yqX3k6sDN8gzGjYfsKb/NlmMj36Cdr0mBdXlEpwOuT+TUEnpeLvdQL yWrf4r2wm+iPHxqJ2a53zVk1wOAdgB2UE4XgRQBhI/INxEG0YbTSzph7jG6XxJUwNg2b CiIlkMa/UkvGhhgrC1zAX7jjGRhz4vfn1Btaf7HE4wzjO1s6nUFlmsQLwxKyLZabiXMj bMC9/+I7PYeBOUcjnoSBYUUY1uqdZr8jfULBaav0/KLB559npbP4xkV7mZYILNJEZ2Ay Cq/RciSZ6BA4uWEkTD6VF2k0mBP3pmLRrFOZkbEE7X0tLyhG29jbD4tDYH1Wu4ON5cT8 wzOg== X-Gm-Message-State: AOAM530NSVmK1LULGbK/u60GIFu+sBUpWOqPO5uhES3UfxFYTgIuIAv7 yu/ubOQyyPrAuKwotgvEQuzohU5WqiZxa6lvwWO8IiJXIfyUsSLSyZE= X-Google-Smtp-Source: ABdhPJxrWK9RQokRvFqtPXunIJS5og5tY8D39FUGOHp1kOJrDXdZrxQszXRHHmA87W0U7LeogpX8RtsugaUrZcG141U= X-Received: by 2002:ab0:274f:: with SMTP id c15mr6718189uap.12.1613070716211; Thu, 11 Feb 2021 11:11:56 -0800 (PST) MIME-Version: 1.0 References: <20210211172910.3b550706@simplexum.com> In-Reply-To: From: Hugo Nguyen Date: Thu, 11 Feb 2021 11:11:45 -0800 Message-ID: To: Dmitry Petukhov , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000009ab9505bb144b62" X-Mailman-Approved-At: Thu, 11 Feb 2021 20:29:40 +0000 Subject: Re: [bitcoin-dev] Proposal: Bitcoin Secure Multisig Setup X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Feb 2021 19:12:01 -0000 --00000000000009ab9505bb144b62 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable *BIP39 seed words list. On Thu, Feb 11, 2021 at 11:11 AM Hugo Nguyen wrote: > Hi Pavol, > > On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> =D0=92 Thu, 11 Feb 2021 05:45:33 -0800 >> Hugo Nguyen via bitcoin-dev >> wrote: >> >> > > > ENCRYPTION_KEY =3D SHA256(SHA256(TOKEN)) >> > > >> > > This scheme might be vulnerable to rainbow table attack. >> > > >> > >> > Thank you for pointing this out! Incidentally, Dmitry Petukhov also >> > told me the same privately. >> >> My thought was that if TOKEN has the characteristics of a password >> (short ASCII string), then it would be better to use key derivation >> function designed for passwords, like PBKDF2. >> >> The counter-argument to this is that this adds another code dependency >> for vendors, if the device firmware does not already have the required >> key derivation function. >> >> Maybe this could be solved by going into opposite direction - make the >> "token" even longer, use the mnemoic. >> >> The issue is that entering long data of the shared key into the device >> manually is difficult UX-wise. >> >> Hww vendors that allow to enter custom keys into their device already >> have to face this issue, and those who allow to enter custom keys via >> mnemonic probably tackled this somehow. >> >> Maybe the shared key for multisig setup can be entered in the same way >> ? (with maybe additional visual check via some fingerprint). >> > > You just gave me a great idea! We can reuse the BIP32 seed words list! > Perhaps the encryption key can just be 6 words, but it'll be derived the > same way. BIP39 also uses PBKDF2 as a key derivation function, so it > matches with what you described here. > > And all HWW should have this functionality already. > > Best, > Hugo > > >> >> Although we would then have another issue of potential confusion >> between two procedures (entering the main key and entering the shared >> key for multisig setup), and the measures has to be taken to prevent >> such confusion. >> >> The approaches can be combined - specify a key derivation function >> suitable for passwords; via secure channel, share a password and/or the >> derived key. If hww supports derivation function, it can derive the key >> from password. If hww supports only keys, the key can be entered raw or >> via mnemonic. >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > --00000000000009ab9505bb144b62 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
*BIP39 seed words list.

On Thu, Feb 11, 2021 at 11:11 AM Hu= go Nguyen <hugo@nunchuk.io> wr= ote:
Hi Pavol,

On Thu, Feb 11, 2021 at 8:25 AM Dmitry Petukhov via bit= coin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
=
=D0=92 Thu, 11 Feb 2021 0= 5:45:33 -0800
Hugo Nguyen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org&g= t;
wrote:

> > > ENCRYPTION_KEY =3D SHA256(SHA256(TOKEN))=C2=A0
> >
> > This scheme might be vulnerable to rainbow table attack.
> >=C2=A0
>
> Thank you for pointing this out! Incidentally, Dmitry Petukhov also > told me the same privately.

My thought was that if TOKEN has the characteristics of a password
(short ASCII string), then it would be better to use key derivation
function designed for passwords, like PBKDF2.

The counter-argument to this is that this adds another code dependency
for vendors, if the device firmware does not already have the required
key derivation function.

Maybe this could be solved by going into opposite direction - make the
"token" even longer, use the mnemoic.

The issue is that entering long data of the shared key into the device
manually is difficult UX-wise.

Hww vendors that allow to enter custom keys into their device already
have to face this issue, and those who allow to enter custom keys via
mnemonic probably tackled this somehow.

Maybe the shared key for multisig setup can be entered in the same way
? (with maybe additional visual check via some fingerprint).

You just gave me a great idea! We can reuse the BIP32 seed words= list! Perhaps the encryption key can just be 6 words, but it'll be der= ived the same way. BIP39 also uses=C2=A0PBKDF2 as a key derivation function= , so it matches with what you described here.

And all HWW should hav= e this functionality already.

Best,
Hugo
=C2=A0

Although we would then have another issue of potential confusion
between two procedures (entering the main key and entering the shared
key for multisig setup), and the measures has to be taken to prevent
such confusion.

The approaches can be combined - specify a key derivation function
suitable for passwords; via secure channel, share a password and/or the
derived key. If hww supports derivation function, it can derive the key
from password. If hww supports only keys, the key can be entered raw or
via mnemonic.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000009ab9505bb144b62--