Introduce derivation passphrases #16
Replies: 6 comments 8 replies
-
If there is interest, I can provide a patch before the end of the year. |
Beta Was this translation helpful? Give feedback.
-
Cool idea! I like the idea of an option for generating an encrypted version of the recovery phrase. Our goals will be distinct from BIP39's goals though, because plausible deniability wouldn't be a realistic use case for PGP. Reasoning for this is simple: Unlike a bitcoin wallet, PGP keys are intentionally tied with your identity, usually in a very public way (keyservers). If someone finds your recovery phrase and also knows your public key, there's no phony passphrase you could provide which would fool them. However, encrypting the seed would be adequate protection for a case like you've described, acting as a stopgap measure against seed exposure. This might be an opportunity to kill two birds with one stone, as I've lately been planning to add a run of a PBKDF like Scrypt or Argon into the Mnemonikey derivation procedure. The PBKDF run would be a perfect place to insert a user-chosen decryption password into the key derivation process. Pitfalls to AvoidIn my experience working with BIP39 crypto wallets in the past, those who utilize BIP39 passphrases tend to make several common mistakes which we should try to mitigate with our design for Mnemonikey:
We can solve problem 1 can solve by embedding information inside the recovery phrase somehow. Maybe we flip one specific bit in the version number which says 'this is an encrypted recovery phrase'. For problem 3, the implementation should simply double-check the passphrase with the user before generating a recovery phrase for the first time. Problem 2 is harder. We need a way for a Mnemonikey implementation to validate the user's supplied decryption password is probably correct. This doesn't need to be a 100% guarantee of correctness, even a few bits of checksum would be sufficient. The passphrase checksum should actually be a checksum on the key derived from the PBKDF, not a checksum of the passphrase itself (for security). Currently we use a 5-bit checksum for the phrase itself, and we don't really have any extra room for another one. We could replace the 5-bit phrase checksum with a 5-bit passphrase checksum but that loses the benefits of the phrase checksum. My first instinct is to add a 16th word so we'd have space to encode an extra checksum of perhaps 8 bits, and retain the remaining 3 bits of extra space for versioning information. |
Beta Was this translation helpful? Give feedback.
-
Another path we could take is to have a completely separate spec and tool to encrypt any set of words from the BIP39 word list. This would be totally disconnected from the Mnemonikey spec, reusable for other systems which use BIP39 word lists. It would conceptually be wholly separate. I'm gonna think about this for a day or two, I appreciate your feedback! I wouldn't recommend starting work on anything just yet |
Beta Was this translation helpful? Give feedback.
-
Opened an issue to add Argon2id into the key derivation pipeline: #17 Once that and #18 are completed (probably in the same PR), I'll move on to adding a 16th word to the phrase. This will give us enough space to include extra versioning and checksum information we need to support encrypted recovery phrases. |
Beta Was this translation helpful? Give feedback.
-
This excellent suggestion from a friendly reddit user also is suggesting the possibility of password encryption as a separate step:
The point i want to isolate and emphasize from among his suggestions is that Mnemonikey should allow users to change the password they use to encrypt their key backup phrase. This is critical as it rules out derivation passwords like in BIP39. Rather, we should make password-based-seed-encryption a separate step from key derivation, so that users can convert back and forth between encrypted and unencrypted phrases. |
Beta Was this translation helpful? Give feedback.
-
Issue minted for the implementation: #27 |
Beta Was this translation helpful? Give feedback.
-
BIP-0039 has a the feature that an additional piece of user-supplied entropy can be mixed in with the seed at derivation time. Other software might call it things like "seed rotation" or "second factor". As a result, both are needed to reconstruct the correct master key, which can enable different recovery routines.
Motivation
Consider for example the recent case of a person who was pulled over by police with bodycams and as a result, had their mnemonic phrase exposed to the public as the footage was released. A passphrase acts as a stopgap in this situation since any attacker would need to also guess this passphrase, which can buy the legitimate owner quite a bit of time even for a passphrase that would be considered insecure if used standalone.
When cryptoassets are involved, there also exists a technique whereby the users leaves a smaller decoy or bribe amount with the plain seed so as to serve as an alarm if the mnemonic phrase is compromised. They then use the seed combined with a passphrase as their main wallet. However, it is not clear how to apply this to OpenPGP.
Finally, we note that
paperkey
tool also allows storing encrypted private key packets, which provides equivalent functionality.Specification
If a passphrase is supplied, it is appended to the
info
parameter to the master key derivation process. Otherwise, theinfo
parameter stays the same as the current specification, which is equivalent to an empty passphrase. (This is based on the BIP-0039 way.)Downsides
#. This feature might create a false sense of security if users select trivial passphrases with it.
#. There already exists an output password parameter, which could result in confusion.
As a result, it might make sense to gatekeep this functionality behind some type of "expert" or "advanced" mode. But that also makes it less accessible.
Compatibility
The functionality does not affect recovery of existing keys. They can be treated as having an empty passphrase. As a result, it could be introduce as part of a minor 1.x release.
However, this introduces a concern that HKDF is too fast to feed user-selected password into, even though it is salted.
Beta Was this translation helpful? Give feedback.
All reactions