diff --git a/38c3.md b/38c3.md index 6f16ce7..6d3648b 100644 --- a/38c3.md +++ b/38c3.md @@ -5,16 +5,6 @@ permalink: /38c3/ --- # Milk Sad at 38C3 -## Talk Info -We'll present a talk at the 38th Chaos Communication Congress (38C3) which takes place in Hamburg on 27–30 Dec 2024. -[https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/PEN9QU/](https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/PEN9QU/) - -Talk starts **2024-12-30 11:00 CET** (_= 11am on "day 4"_) in hall `GLITCH`. -The talk will be in English and streamed live via [media.ccc.de](https://streaming.media.ccc.de/). - -After the official short Q&A on-stage, we have an extended [Q&A workshop session](https://events.ccc.de/congress/2024/hub/en/event/qa-dude-wheres-my-crypto/) right after the talk (no registration required). - -In case you're reading this before the talk takes place, feel free to ask for us at the [Church of Cryptography](https://events.ccc.de/congress/2024/hub/en/assembly/CoC/) assembly, where our team member and talk speaker John Naulty (aka `sather`) will host [a number of cryptography related sessions](https://events.ccc.de/congress/2024/hub/en/user/sather/) on topics adjacent to Milk Sad. We're interested in your questions and comments on our work!

Table of Contents

@@ -24,6 +14,17 @@ In case you're reading this before the talk takes place, feel free to ask for us
+## Talk Info +We presented a talk at the 38th Chaos Communication Congress (38C3) which takes place in Hamburg on 27–30 Dec 2024. + +Links: +[Talk recording](https://media.ccc.de/v/38c3-dude-where-s-my-crypto-real-world-impact-of-weak-cryptocurrency-keys), [Talk schedule entry](https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/PEN9QU/) + +After the official short Q&A on-stage, we had an extended [Q&A workshop session](https://events.ccc.de/congress/2024/hub/en/event/qa-dude-wheres-my-crypto/) without recording right after the talk. + +_In case you're reading this before the talk takes place, feel free to ask for us at the [Church of Cryptography](https://events.ccc.de/congress/2024/hub/en/assembly/CoC/) assembly, where our team member and talk speaker John Naulty (aka `sather`) will host [a number of cryptography related sessions](https://events.ccc.de/congress/2024/hub/en/user/sather/) on topics adjacent to Milk Sad. We're interested in your questions and comments on our work!_ + + ## Talk Notes ### Intro If you're here, you probably saw our presentation (or a copy of the slides) and followed the QR code link here. Welcome! @@ -37,7 +38,7 @@ From there, a smaller subgroup continued the research into wallet details, real ### The July 2023 Theft -The best place to start on this topic is our initial [disclosure writeup]({% link disclosure.md %}), which tells the initial story and context of wallet security, how we got involved, and how the initial events unfolded from our perspective. +The best place to start on this topic is our initial [disclosure writeup]({% link disclosure.md %}), which tells the initial story and context of wallet security, how we got involved, and how the first events unfolded from our perspective. If you want to jump ahead to the code snippets that explain how `bx seed` was vulnerable, go [here]({% link disclosure.md %}#our-cryptocurrency-is-gone-but-how). If you would like to see the security research and disclosure from Ledger Donjon that preceded ours in early 2023 on a very similar vulnerability in `Trust Wallet`, go [here]({% link disclosure.md %}#not-even-the-second-hack-mersenne-twister-use-in-trust-wallet ). @@ -46,10 +47,10 @@ The [disclosure timeline]({% link disclosure.md %}#basic-timeline-of-thefts-and- ) and our notes on the [libbitcoin team's response]({% link disclosure.md %}#basic-timeline-of-thefts-and-our-disclosure ) give some context on why the disclosure was extra difficult for us, in addition to the inherent complexities of quickly disclosing a serious vulnerability that is exploited in the wild. -Instead of trying to update the initial writeup article with all the new information, we switched to a different and more incremental format. On the [research updates](/updates.html) page, you find a list of separate articles on our progress and different topics. +Instead of trying to update the first writeup article with all the new information, we switched to a different and more incremental format. On the [research updates](/updates.html) page, you find a list of separate articles on our progress and different topics. For example, [update #1]({% link _posts/2023-11-22-research-update-1.md %}) from November 2023 shows details on the key sizes, address formats and path usage of the discovered wallets in the weak range associated with `libbitcoin-explorer`. There, we also describe weak wallets in that range which don't use the `BIP39` standard, and outline how much Ethereum we think was stolen in the July 2023 attack. -In [update #5]({% link _posts/2024-01-23-research-update-5.md %}#involvement-in-the-2023-07-12-theft), we described some additional data on how many Bitcoins were stolen in July 2023, and where they came from. +In [update #5]({% link _posts/2024-01-23-research-update-5.md %}#involvement-in-the-2023-07-12-theft), we described some additional data on how many Bitcoins were stolen in July 2023, and where they came from. ### Technical Background @@ -76,11 +77,11 @@ milk sad wage cup reward umbrella raven visa give list decorate bulb gold raise In the absence of other shortcuts, trying all possible combinations is one of the most basic attacks and basically applies to all security systems out there which use secrets. -Modern symmetric key cryptography uses key sizes of over 112 bit, and the NIST recommendation for usage beyond 2030 is 128 bit. Through this, they benefit from the exponentially increasing complexity of naive brute-force attacks. Key sizes are different for some asymmetric key algorithms, so it's easier to think about AES than about RSA here. Correctly generated keys of such sizes (without other severe flaws) are thoroughly infeasible to brute-force, even with extreme amounts of computation power or special hardware and decades of patience. +Modern symmetric key cryptography uses key sizes of over 112 bit, and the NIST recommendation for usage beyond 2030 is 128 bit. Through the exponentially increasing number space of longer binary values, naive brute-force attacks also get exponentially more complex. Note that the "bit" sizes of keys are different and not directly comparable for some asymmetric key algorithms, so it's easier to think about symmetric encryption standards like AES than about asymmetric standards like RSA here. Correctly generated keys of sizes equivalent with the NIST recommendations are thoroughly infeasible to brute-force (in the absence of other severe flaws), even with extreme amounts of computation power or special hardware and decades of patience. By weakening cryptocurrency wallets from their supposed key strength of between 128 bit to 256 bit (depending on the chosen BIP39 variant) down to 32 bit, they turn from "unbreakable" to "everyone knows they're trivial to break", cryptographically speaking. -When researching weak wallets, the main challenge and computational effort is not in generating the weak initial PRNG data, but the BIP39 key derivation (SHA512 hashing) and the BIP32 key derivations with multiple child keys, which vary based on the evaluated derivation path. Additionally, finding wallets with actual usage on the blockchain requires pre-computing, storing and quickly checking information on wallet addresses - per blockchain (coin type)! Compared to this, generating relevant addresses from public keys is usually fairly cheap. +When researching weak wallets, the main challenge and computational effort is not in generating the weak initial PRNG data, but in the BIP39 key derivation (SHA512 hashing) and in the BIP32 key derivations with multiple child keys, which vary based on the evaluated derivation path. Additionally, finding wallets with actual usage on the blockchain requires pre-computing, storing and quickly checking information on wallet addresses - per blockchain (coin type)! Compared to this, the last step of generating relevant addresses from public keys is usually fairly cheap. Some context on the practical aspects are in the [initial writeup]({% link disclosure.md %}#searching-for-wallets---implementation ). Our [update #3]({% link _posts/2023-12-06-research-update-3.md %}) goes into some depth on our data sources and the bloom filter we used for fast space-efficient lookups of addresses in memory. In [update #8]({% link _posts/2024-04-29-research-update-8.md %}), we further described the necessary work and how we were able to speed up the BIP32 computations by **6x** on our machine via changes to some core libraries via unorthodox changes (our code forks for this are public). @@ -102,12 +103,14 @@ That's a wild one, we know. See [update #7]({% link _posts/2024-04-20-research-u ### Cake Wallet The Cake Wallet vulnerability has been public for years, and so we mentioned it in the [initial writeup]({% link disclosure.md %}#not-the-first-hack-weak-entropy-in-cake-wallet -). However, after some persistent digging and some luck, we were able to go further in the analysis and wallet recovery efforts than other people before us, leading to new results and a lengthy road to publication due to concerns about some remaining funds. +). However, after some persistent digging and some luck, we were able to go further in the analysis and wallet recovery efforts than other people before us, leading to new results and a lengthy road to publication due to concerns about some remaining funds. See [update #6]({% link _posts/2024-02-13-research-update-6.md %}), [update #9]({% link _posts/2024-05-19-research-update-9.md %}), [update #10]({% link _posts/2024-10-12-research-update-10.md %}). ### Ethical Challenges +See the talk recording. + ### Statistics Details on the wallet numbers and usage statistics: @@ -121,7 +124,7 @@ Details on the wallet numbers and usage statistics: ### Defense For wallet users, one particular mechanism we can recommend is to use a BIP39 passphrase. This is a separate secret from the BIP39 mnemonic phrase, and can be seen as an additional encryption layer. An attacker has to know both to derive the correct wallet keys and steal funds. -In the context of wallets generated from weak PRNGs, the use of a sufficiently complex BIP39 passphrase basically hides these keys from the attacker, giving the victim a lot more time and opportunities to learn about the problem and move their funds to a more secure wallet. +In the context of wallets generated from weak PRNGs, the use of a sufficiently complex BIP39 passphrase basically hides these keys from the attacker, giving the victim a lot more time and opportunities to learn about the wallet problem and move their funds to a more secure wallet. Weak passphrases can still be broken, but since the attacker has to try this for every potentially interesting wallet, any reasonably strong passphrases add a significant additional amount of work for attackers. ### Research Outlook @@ -131,7 +134,7 @@ New exploratory wallet-related research is currently on hold. We still have some See [update #11]({% link _posts/2024-12-19-research-update-11.md %}). -If you want to get hands-on and investigate some of the discovered weak wallets on your own, the easiest place to start are our [published lists](https://git.distrust.co/milksad/data) of weak Bitcoin and Ethereum addresses. +If you want to get hands-on and investigate some of the discovered weak wallets on your own, the easiest place to start are our [published lists](https://git.distrust.co/milksad/data) of weak Bitcoin and Ethereum addresses. ## Contact