Permalink
Switch branches/tags
Nothing to show
Find file Copy path
8f2cc2a Jul 6, 2018
1 contributor

Users who have contributed to this file

28 lines (14 sloc) 1.88 KB

Monero seed "encryption" is vulnerable to known-plaintext key recovery

TLDR section

Adding a random number to your plaintext is not encryption unfortunately… I wish it was that simple. If you are using Monero's seed encryption feature and you are unsure about the implications of this weakness you should generate a new wallet, send all your funds to it and encrypt your seed using gpg's symmetric encryption feature.

Where is the bug?

https://github.com/monero-project/monero/blob/master/src/cryptonote_basic/cryptonote_format_utils.cpp#L1100

Why is it a problem?

Adding a random number which represents the password to the paintext compromises any other ciphertext that shares the same password if a plaintext is ever revealed. In cryptographic parlance this is known as a key recovery attack.

How can it be fixed?

The problem is caused by shoehorning security into an old format - 25 word format does not have enough room to fit an initialization vector. Encrypted seed should be extended by 6 words to include a 64-bit IV and a proper encryption algorithm should be used to protect it. Alternatively a GPG-like message format should replace words.

Why not report it though Monero’s VRP or HackerOne?

Monero project has a fairly long-standing tradition of attacking security researchers [ 1 ] [ 2 ] [ 3 ]. I don't consider the money to be worth the aggro. If that position ever changes in the future, I will be happy to work with them.

Is this bug present in Ryo?

No, we removed the seed encryption feature for now.