Could you please explain what you found suspicious about my Brainwallet edits?
Same Ryan Castellucci from DEFCON talk?
First, if you're the same Ryan from the DEFCON talk on Brainwallets, thanks for publishing your research and increasing awareness of the issues. Your talk was one of the inspirations for adding Warpwallet to BitKey.
However, if you're the same Ryan, that leaves me confused, because you recommended Warpwallet yourself in your talk, and you should know the Warpwallet challenge for an unsalted 8-character password lasted for 2.5 years before it expired.
Do you disagree that using Warpwallet with a strong passphrase (e.g., eight diceware words) and an e-mail salt would provide very good security, unlike bitaddress-style brainwallets of old?
The problem with trusting RNGs to generate your wallet keys is very real:
Yes, that is me. In my talk, my comment about WarpWallet was intended to mean "if you still want to do something like this, at least use warpwallet instead". I regret that it was not phrased more clearly. WarpWallet is merely a bad idea (without a seed, it's about 60,000 times more work to crack on CPU) rather than a catastrophically foolish one.
Even if WarpWallet with eight diceware words is secure, I don't think that should be recommended because I believe people will not follow passphrase creation advice.
I am aware of the challenge wallet the WarpWallet creators made. A large botnet (several million nodes) could crack it in a few months (assume 10 guesses per second per node).
Tools that provide a random seed and do not allow free text entry are fine because it would take a lot of effort to use insecurely. WarpWallet is easy to use insecurely; Electrum, Armory, and BIP39 are hard to use insecurely.
As far as bad RNGs go... I think people are safer trusting the RNG of reputable bitcoin wallets than trying to provide their own entropy. If a widespread vulnerability in those wallets is found, it would pose an existential threat to bitcoin.
Warpwallet security analysis
Hi Ryan. Thanks for replying.
What I like about Warpwallet's use of KDFs + salt is that it has the potential to raise the cost of attack beyond the point where it is worth an attacker's trouble to attempt. You don't spend $100M cracking a $1M safe.
Whether or not that is true depends on the validity of the underlying assumptions and a bit of basic math. You're the brainwallet cracking expert so I'm very much interested in your viewpoint on this.
A few questions:
1) You estimated that a large botnet could crack the unsalted 8-character Warpwallet challenge within several months. What if the challenge was salted with an unknown email? Would it still be feasible in your opinion for a salted Warpwallet 8-character challenge to be cracked?
2) How much faster in your experience is a low-level (e.g., C) implementation of Warpwallet than the in-browser version? On a 3.2 GHz Core i5 the JS WarpWallet implementation takes about 20 seconds to generate a key from a passphrase. A C implementation would have to be 8x faster and run on all 4 cores to get to 10 reqs a second. Does that about match up with your real-world testing?
3) Are there any mistakes in maxtaco's cracking cost calculator: http://maxtaco.github.io/bitcoin/2014/01/16/how-jason-bourne-stores-his-bitcoin/
The calculator estimates that cracking the unsalted random 8-character Warpwallet challenge would cost $1.2M.
Here's my analysis, please correct me where you think I've got it wrong.
Assuming Max's calculation is about right, if the challenge narrowed down the salts to 2 possible e-mails then cracking cost would be $2.4M. If it provided a list of 100 e-mails then the cost would be $120M.
What that seems to imply is that even with the largest botnets and advances in future hardware a truly global search is impossible, and even narrowing that down to a large number of target e-mails would be unprofitable for attackers. If this is true, a warpwallet cracking botnet is unlikely to be worth anyone's trouble to run in the first place.
And that's for a passphrase with just 47 bits of entropy.
If a user generated the recommended 8 words with diceware, that's about 100 bits of entropy, raising the cost of attack to a million trillion trillion USD for an unsalted warpwallet, well above what any wallet is worth under the most optimistic usage scenario.
You pointed out that users make mistakes, and we know humans are notoriously poor sources of entropy. All true, but that kind of security in depth seems to provide quite a bit of room for error. Users are not just bad at choosing passphrases, they're bad at understanding security in general. If you're not a security expert you're likely to do a poor job keeping your wallet keys secret in the face of determined attackers, regardless of how they were originally generated. In that case, a Warpwallet is not going to be the weakest link. If you know enough to create a strong passphrase, a Warpwallet is not going to be the weakest link.
Either way, a Warpwallet doesn't seem like that bad an idea. Does it really deserve to be guilty by association with naive Brainwallet implementations?
Especially when the alternative is to just trust a black-box process to generate keys for you. I agree that a global RNG failure would be devastating to Bitcoin and cryptography in general. But a local failure like the ones that have already happened would just result in your coins getting stolen.
Why should we place any more faith in the ability of a non-expert to verify the integrity of the software they are using than in their ability to generate a secure passphrase?
Generating a secure passphrase with a verifiably secure source of entropy is actually vastly simpler than trying to rule out all the places a backdoor in the automatic seed generation process could be hiding. And so is explaining how to generate a secure passphrase vs. how to verify that you're using a faithful wallet.
This touches the heart of the issue because the Bitcoin wiki is an educational resource for non-experts. If we overestimate the risks of a Warpwallet while underestimating the risks of unfaithful software we may end up giving users bad advice and increase the probability they will lose coins.
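As an added worked example (not code from the discussion, from BitKey or from WarpWallet's own tooling), here is the cost model the questions above sketch, written out in Python: the entropy of a random 8-character alphanumeric string and of an N-word diceware passphrase, the multiplier that each additional candidate salt adds because the salt is mixed into the KDF, the expected time at a given botnet size and guess rate, the expected dollar cost at a given per-guess price, and the per-core speedup a native implementation would need to hit a target guess rate. The node count, guess rate, per-guess price and benchmark figures in the `__main__` block are constructed assumptions (some echo numbers quoted in the thread); the functions themselves are generic and take any parameters.

```python
import math

# Constructed constants (assumptions, not figures from WarpWallet or the thread).
DICEWARE_WORDLIST_SIZE = 7776   # 6^5 entries in a standard diceware list
ALNUM_ALPHABET_SIZE = 62        # a-z, A-Z, 0-9
SECONDS_PER_DAY = 86400.0


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def diceware_entropy_bits(word_count, wordlist_size=DICEWARE_WORDLIST_SIZE):
    """Entropy of `word_count` words drawn uniformly from a diceware list."""
    return word_count * math.log2(wordlist_size)


def expected_kdf_evaluations(entropy_bits, candidate_salts=1):
    """Average number of full KDF derivations before a brute-force search
    hits the right (passphrase, salt) pair.

    WarpWallet folds the salt into the KDF input, so work done for one
    candidate salt cannot be reused for another: every additional salt
    the attacker has to consider multiplies the cost.  On average half
    of the passphrase keyspace is searched before the hit.
    """
    return candidate_salts * (2.0 ** entropy_bits) / 2.0


def crack_time_days(evaluations, nodes, evals_per_second_per_node):
    """Expected wall-clock time for `nodes` machines at a fixed per-node rate."""
    seconds = evaluations / (nodes * evals_per_second_per_node)
    return seconds / SECONDS_PER_DAY


def crack_cost_usd(evaluations, usd_per_evaluation):
    """Expected cost when each KDF evaluation has a fixed price."""
    return evaluations * usd_per_evaluation


def required_native_speedup(js_seconds_per_eval, cores, target_evals_per_second_per_node):
    """Per-core speedup over the in-browser implementation that one node
    needs in order to reach `target_evals_per_second_per_node` using all cores."""
    per_core_target = target_evals_per_second_per_node / cores
    return per_core_target * js_seconds_per_eval


if __name__ == "__main__":
    # Constructed scenario: several-million-node botnet, 10 guesses/s/node,
    # and a made-up per-guess price for rented compute.
    nodes = 3_000_000
    rate = 10.0
    usd_per_eval = 1.7e-8

    challenge_bits = random_string_entropy_bits(8, ALNUM_ALPHABET_SIZE)
    print(f"8-char alphanumeric passphrase: {challenge_bits:.1f} bits")
    for salts in (1, 2, 100):
        evals = expected_kdf_evaluations(challenge_bits, salts)
        print(f"  {salts:>3} candidate salt(s): "
              f"{crack_time_days(evals, nodes, rate):>10.1f} days, "
              f"${crack_cost_usd(evals, usd_per_eval):,.0f}")

    diceware_bits = diceware_entropy_bits(8)
    evals = expected_kdf_evaluations(diceware_bits)
    print(f"8 diceware words: {diceware_bits:.1f} bits, "
          f"{crack_time_days(evals, nodes, rate):.3g} days unsalted")

    # Constructed benchmark: 20 s per key in JS on one core, 4-core node.
    print(f"native speedup needed for {rate:.0f} guesses/s on 4 cores: "
          f"{required_native_speedup(20.0, 4, rate):.0f}x")
```

The per-salt multiplier is the point the questions circle around: because nothing computed for one salt transfers to another, a search over 100 candidate e-mails costs exactly 100 times the unsalted search, and an unknown salt over the whole space of plausible e-mail addresses makes the multiplier unbounded in practice.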