KIP-0026: Key Derivation and Mnemonic encoding methods #55
Conversation
|
|
||
| ## Key Derivation | ||
|
|
||
| We recommend following the widely adopted standard for deriving ED25519 keypairs: [SLIP-0010](https://github.com/satoshilabs/slips/blob/master/slip-0010.md). |
There was a problem hiding this comment.
I don't think the KIP itself should be stated as a recommendation. Rather, I'd state directly what anyone following the KIP should follow, and then later we can say to a wallet provider that "We recommend you follow KIP-26".
kip-0026.md
Outdated
| - Allows interoperability. | ||
| - Few wallets implement encrypted mnemonic recovery. | ||
| - Encrypting a mnemonic with a passphrase may provide a sense of security, but: | ||
| - A leaked encrypted mnemonic phrase can be quickly brute-forced offline ([BIP-39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed): 2048 round PBKDF2 using salted HMAC-SHA512). |
There was a problem hiding this comment.
❗ ❓ 😮
Are you sure that a (good) password derived with a SHA256-2048 PBKDF2 can be quickly brute-forced ?
There was a problem hiding this comment.
more specifically the assertion that it can be quickly brute-forced is not backed by the reference as far as I can see.
There was a problem hiding this comment.
Perhaps "significant speed" is more accurate than "quickly", but I think the essence of the statement holds.
A good password could withstand MD5, but it would probably end up looking like another seed phrase to be stored securely, away from the encrypted seedphrase. An average user password would succumb reasonably quickly, especially if the seed was compromised on their machine, where a lot of information could be used to build up a dictionary.
For the current BIP39 spec of HMAC-SHA-512 [1] I estimate that an off-the-shelf 4090 can do about ~1521 kH/s[2] which would map to:
- rockyou.txt wordlist (14M): 9 seconds
- crackstation wordlist (1.2B): 13 minutes
- crackstation * 100 masks (121B): 22 hours
- bruteforce alpha/lower 8 letters (208B): 38 hours
- bruteforce alpha/lower + numeric 8 letters (2.8T): 21 days
And so on. It is not exactly a done-deal given enough entropy, but I'd still call it a fast enough attack with consumer hardware, which will only become cheaper and more accessible in the future[3][4].
I would consider "slow" here to be something like LUKS2/argon2i which is molasses-slow to dictionary attack or bruteforce, or pbkdf2/sha512 with a very large number of rounds (600K+.)
All that said, it should probably read "bruteforced with significant speed", instead of "quickly", so I will change that.
[1] HMAC-SHA-256 would be even faster: A 4090 should do 2048 rounds @ ~4170 kH/s
[2] Extrapolating from the speed given for 999 iterations here of 3120.9 kH/s - rounds to speed should be ~linear
[3] Consider the lastpass situation where some of their early accounts were stuck at < 10K iterations and were cracked after a disasterous leak. Not sure what their hashing function is though.
[4] We don't even know what the "cracking station" state of the art is at the moment. It would not surprise me to learn that there are GPU farms or even custom ASICs that can smoke these numbers.
There was a problem hiding this comment.
OK,
We are not speaking about the same thing... I was speaking about good passwords...
In crypto, people are not supposed to use passwords from the dictionary, lol. 😉
|
@Takadenoshi here is my resposne to your queries |
@dfordivam Thanks! Q: The not-default part is regarding Ledger not enforcing hardened child keys/segments, right? Is the derivation algorithm is still identical to SLIP-0010 for hardened keys? |
No, the algorithm is different and incompatible with the default algorithm (currently in use in ledger-app-kadena) |
Introduces a standard for key derivation and encoding mnemonic phrases.
Summary from abstract:
m/44'/626'/a'.Pending: test cases, backwards compatibility section