public
/
keyfork
5
0
Fork 0
Code Issues 19 Pull Requests 1 Packages Projects Releases Wiki Activity

keyfork mnemonic recover should accept words in a randomized pattern #1

New Issue
Open
opened 2023-08-18 00:09:26 +00:00 by ryan · 8 comments
ryan commented 2023-08-18 00:09:26 +00:00
Owner
Copy Link

Rationale: Prevent shoulder surfing as well as keyfork mnemonic generate | keyfork mnemonic recover, ensuring users write down their mnemonic.

cc @lrvick

Rationale: Prevent shoulder surfing as well as `keyfork mnemonic generate | keyfork mnemonic recover`, ensuring users write down their mnemonic. cc @lrvick
ryan commented 2023-08-18 00:52:20 +00:00
Author
Owner
Copy Link

additional: attacker-known 24 words only provides about 90 bits of entropy, 12 words even less. have the user type in 36 words regardless, which provides 36! permutations which is more than 2^128 / 128 bits of entropy. purpose: keylogger brute forcing based on words tracked.

additional: attacker-known 24 words only provides about 90 bits of entropy, 12 words even less. have the user type in 36 words regardless, which provides 36! permutations which is more than 2^128 / 128 bits of entropy. purpose: keylogger brute forcing based on words tracked.
ryan commented 2023-08-18 00:56:11 +00:00
Author
Owner
Copy Link

36 looks nicer than 35, which is the actual smallest number whose permutation count (factorial) is > 2^128

36 looks nicer than 35, which is the actual smallest number whose permutation count (factorial) is > 2^128
ryan commented 2023-08-18 01:07:37 +00:00
Author
Owner
Copy Link

Assumption is that each word is unique but this is only average case, not every case

Assumption is that each word is unique but this is only average case, not every case
snail commented 2023-08-18 01:14:51 +00:00
Copy Link

Since an attacker only needs to select 24 of the 36 words, they can let the remaining 12 words take any order.

You'd be looking for (X choose 24)*24! > 2^128, which puts X at 53 for selecting 24 words.

However, since the checksum word is determined from the other 23, the attacker really only needs to find 23 words, which puts the required inputs at 59.

Note: This is ignoring duplicate words in the input, and cases where none of the possible checksum words are in the users input. So the actual answer is likely higher.

Since an attacker only needs to select 24 of the 36 words, they can let the remaining 12 words take any order. You'd be looking for `(X choose 24)*24! > 2^128`, which puts X at 53 for selecting 24 words. However, since the checksum word is determined from the other 23, the attacker really only needs to find 23 words, which puts the required inputs at 59. Note: This is ignoring duplicate words in the input, and cases where none of the possible checksum words are in the users input. So the actual answer is likely higher.
👍 1
ryan commented 2023-08-18 01:14:59 +00:00
Author
Owner
Copy Link

Figuring out the math for the possibility a 24 word mnemonic has duplicate words, using some rough birthday-problem math (https://en.wikipedia.org/wiki/Birthday_problem#Calculating_the_probability):

Vnr = words! / (words - wordcount)! = 2048! / (2048 - 24)! = 25892008055647378700916274834106651525738683598033725572049016676308484096000000
Vt = words ^ wordcount = 2048 ^ 24 = 29642774844752946028434172162224104410437116074403984394101141506025761187823616
P(A) = Vnr / Vt =~ 0.873468
P(B) = 1 - P(A) =~ 0.126532, or 12%

12% chance that we have a shared word.

Figuring out the math for the possibility a 24 word mnemonic has duplicate words, using some rough birthday-problem math (https://en.wikipedia.org/wiki/Birthday_problem#Calculating_the_probability): ``` Vnr = words! / (words - wordcount)! = 2048! / (2048 - 24)! = 25892008055647378700916274834106651525738683598033725572049016676308484096000000 Vt = words ^ wordcount = 2048 ^ 24 = 29642774844752946028434172162224104410437116074403984394101141506025761187823616 P(A) = Vnr / Vt =~ 0.873468 P(B) = 1 - P(A) =~ 0.126532, or 12% ``` 12% chance that we have a shared word.
ryan commented 2023-08-18 04:16:35 +00:00
Author
Owner
Copy Link

The math says this should be 12%. snail's Python code says this should be 12%. My Rust code - even with OS RNG - says this should be 12%. And yet, for some reason, this test stops at 1%.

https://git.distrust.co/public/keyfork/src/branch/main/keyfork-mnemonic-generate/src/main.rs#L236-L250

The math says this should be 12%. snail's Python code says this should be 12%. My Rust code - even with OS RNG - says this should be 12%. And yet, for some reason, this test stops at 1%. https://git.distrust.co/public/keyfork/src/branch/main/keyfork-mnemonic-generate/src/main.rs#L236-L250
ryan commented 2023-08-18 04:21:56 +00:00
Author
Owner
Copy Link
use std::io::Read;
use rand::prelude::*;

fn get_u32_os(file: &mut std::fs::File) -> u32 {
    let mut bytes = [0u8; 4];
    file.read_exact(&mut bytes).unwrap();
    u32::from_le_bytes(bytes)
}

fn get_u32_trng(trng: &mut rand::rngs::ThreadRng) -> u32 {
    trng.next_u32()
}

const MNEMONIC_MAX: u32 = 2048;
const MNEMONIC_SIZE: usize = 24;
const ITERATIONS: usize = 100_000;

fn os_rng() {
    let total = ITERATIONS;
    let mut count = 0;
    let mut file_handler = std::fs::File::open("/dev/urandom").unwrap();
    for _ in 0..ITERATIONS {
        let mut data = [0; MNEMONIC_SIZE];
        for d in &mut data {
            *d = get_u32_os(&mut file_handler) % MNEMONIC_MAX;
        }
        let set = std::collections::HashSet::from(data);
        if set.len() < MNEMONIC_SIZE {
            count += 1;
        }
    }
    dbg!("OS", total, count, total - count);
}

fn thread_rng() {
    let mut rng = rand::thread_rng();
    let total = ITERATIONS;
    let mut count = 0;
    for _ in 0..ITERATIONS {
        let mut data = [0; MNEMONIC_SIZE];
        for d in &mut data {
            *d = get_u32_trng(&mut rng) % MNEMONIC_MAX;
        }
        let set = std::collections::HashSet::from(data);
        if set.len() < MNEMONIC_SIZE {
            count += 1;
        }
    }
    dbg!("Thread RNG", total, count, total - count);

}

fn main() {
    os_rng();
    thread_rng();
}
```rust use std::io::Read; use rand::prelude::*; fn get_u32_os(file: &mut std::fs::File) -> u32 { let mut bytes = [0u8; 4]; file.read_exact(&mut bytes).unwrap(); u32::from_le_bytes(bytes) } fn get_u32_trng(trng: &mut rand::rngs::ThreadRng) -> u32 { trng.next_u32() } const MNEMONIC_MAX: u32 = 2048; const MNEMONIC_SIZE: usize = 24; const ITERATIONS: usize = 100_000; fn os_rng() { let total = ITERATIONS; let mut count = 0; let mut file_handler = std::fs::File::open("/dev/urandom").unwrap(); for _ in 0..ITERATIONS { let mut data = [0; MNEMONIC_SIZE]; for d in &mut data { *d = get_u32_os(&mut file_handler) % MNEMONIC_MAX; } let set = std::collections::HashSet::from(data); if set.len() < MNEMONIC_SIZE { count += 1; } } dbg!("OS", total, count, total - count); } fn thread_rng() { let mut rng = rand::thread_rng(); let total = ITERATIONS; let mut count = 0; for _ in 0..ITERATIONS { let mut data = [0; MNEMONIC_SIZE]; for d in &mut data { *d = get_u32_trng(&mut rng) % MNEMONIC_MAX; } let set = std::collections::HashSet::from(data); if set.len() < MNEMONIC_SIZE { count += 1; } } dbg!("Thread RNG", total, count, total - count); } fn main() { os_rng(); thread_rng(); } ```
ryan commented 2023-08-18 05:29:59 +00:00
Author
Owner
Copy Link

Resolved. Vec::dedup only removes sequential duplicates.

Resolved. Vec::dedup only removes sequential duplicates.
lrvick added this to the Custody Framework project 2024-11-25 10:21:10 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
ryansquared/quick-and-dirty-prompt
ryan/recover-shardholder-hardware
keyfork-shard-v0.2.2
keyfork-v0.2.3
keyfork-derive-openpgp-v0.1.2
keyfork-v0.2.2
keyforkd-models-v0.2.0
keyforkd-client-v0.2.0
keyforkd-v0.1.1
keyfork-shard-v0.2.0
keyfork-qrcode-v0.1.1
keyfork-prompt-v0.1.1
keyfork-mnemonic-util-v0.3.0
keyfork-entropy-v0.1.1
keyfork-derive-util-v0.2.0
keyfork-derive-path-data-v0.1.1
keyfork-derive-openpgp-v0.1.1
keyfork-derive-key-v0.1.1
keyfork-v0.2.0
keyfork-v0.1.0
smex-v0.1.0
keyfork-bug-v0.1.0
keyfork-bin-v0.1.0
keyfork-slip10-test-data-v0.1.0
keyfork-derive-util-v0.1.0
keyfork-frame-v0.1.0
keyforkd-models-v0.1.0
keyforkd-client-v0.1.0
keyfork-derive-openpgp-v0.1.0
keyfork-entropy-v0.1.0
keyfork-crossterm-v0.27.1
keyfork-prompt-v0.1.0
keyfork-zbar-sys-v0.1.0
keyfork-zbar-v0.1.0
keyfork-qrcode-v0.1.0
keyfork-shard-v0.1.0
keyfork-derive-path-data-v0.1.0
keyforkd-v0.1.0
keyfork-derive-key-v0.1.0
keyfork-mnemonic-util-v0.2.0
keyfork-mnemonic-util-v0.1.0
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Custody Framework
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/keyfork#1
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?