Electric-Coin-Company / zashi

Issue Tracking and common resources for the Zashi Zcash Wallets
MIT License

Implement User-Defined "25th Word" Passphrase for Enhanced Wallet Security #26

Open y4ssi opened 9 months ago

y4ssi commented 9 months ago

As someone who values keeping my cryptocurrency safe, I believe it's crucial to have robust security measures in place. Currently, the Zashi wallet provides solid security with its 24-word seed phrase. However, I think we can take it up a notch by introducing a feature that allows users to add their own "25th word" passphrase when opening the wallet.

Here's why I think this is important:

Extra Layer of Protection: Adding a custom "25th word" passphrase would give users an additional layer of security beyond the standard 24-word seed phrase. This means even if someone somehow gets hold of the seed phrase, they'd still need the custom passphrase to access the wallet.

User Empowerment: By letting users define their own "25th word" passphrase, we're putting more control in their hands. They can choose a passphrase that's meaningful and memorable to them, making it easier to remember while still keeping their funds secure.

Reduced Risk of Compromise: With this feature, users can ensure that their sensitive information remains safe from unauthorized access. This significantly reduces the risk of compromise and adds peace of mind for users.

Prevents Coercion: In case of coercion, users can utilize the wallet without entering the passphrase, accessing dummy funds instead. This strategy allows users to comply with demands while safeguarding their actual funds, which remain inaccessible without the passphrase. By employing dummy funds, users effectively thwart unauthorized access attempts, enhancing the wallet's security against coercion.

By implementing this enhancement, not only do we enhance the overall security of the Zashi wallet, but we also empower users to take more control over their passphrase security. I believe this would be a valuable addition to our wallet and would greatly benefit our users.

str4d commented 9 months ago

For clarity, "25th word" in this context specifically means a BIP 39 passphrase (which is combined with the mnemonic phrase to derive the master seed of a key tree). Existing wallets use the empty string "" (as specified in BIP 39 when a passphrase is not provided).

> Extra Layer of Protection: Adding a custom "25th word" passphrase would give users an additional layer of security beyond the standard 24-word seed phrase. This means even if someone somehow gets hold of the seed phrase, they'd still need the custom passphrase to access the wallet.

This needs to be more concretely specified: extra layer of protection against what adversary? A few cases off the top of my head:

> User Empowerment: By letting users define their own "25th word" passphrase, we're putting more control in their hands. They can choose a passphrase that's meaningful and memorable to them, making it easier to remember while still keeping their funds secure.

Is the rationale here that because the 24 words are generated for them, they are not necessarily meaningful or memorable? Users are not good at picking secure passphrases, and a BIP 39 passphrase once selected cannot be changed (at least after any wallet address has been given out, because the user might receive funds in that key tree). The mnemonic phrase does provide some level of "passphrase hardening" in that it effectively acts as a salt on the passphrase (ignoring how the BIP 39 seed derivation actually works) that means the adversary can't reuse hash tables, but the inability to rotate is a problem shared by the mnemonic phrase itself, which means that if the BIP 39 passphrase is disclosed even once (or reused by the user in another context like a website account that is subsequently compromised), then it provides no extra layer of protection.

> Reduced Risk of Compromise: With this feature, users can ensure that their sensitive information remains safe from unauthorized access. This significantly reduces the risk of compromise and adds peace of mind for users.

There is no meaningful distinction between this and the "Extra Layer of Protection" rationale; they should be merged. This is also not sufficiently specified:

> Prevents Coercion: In case of coercion, users can utilize the wallet without entering the passphrase, accessing dummy funds instead. This strategy allows users to comply with demands while safeguarding their actual funds, which remain inaccessible without the passphrase. By employing dummy funds, users effectively thwart unauthorized access attempts, enhancing the wallet's security against coercion.

This is IMO the primary reason for supporting BIP 39 passphrases. However, unlike with Bitcoin, we run into a problem: Bitcoin fund discovery is very cheap (you can just ask any block explorer to look up the unspent notes controlled by a given address), so in coercion-prevention cases the wallet would never store information about funds associated with BIP 39 passphrase wallets, and would instead look it up on-the-fly. For Zcash, we need to actively scan the chain to find funds, which requires the viewing keys to be accessible. This results in a few different potential situations:

daira commented 1 week ago

> the rationale here that because the 24 words are generated for them, they are not necessarily meaningful or memorable? Users are not good at picking secure passphrases, and a BIP 39 passphrase once selected cannot be changed (at least after any wallet address has been given out, because the user might receive funds in that key tree).

To me the motivation for a 25th word is to provide time to move funds. That is, if you know you've been burgled then you create a new wallet and transfer all the funds from your old wallet. But if the burglar has the whole seed, you might find that your wallet has been emptied out before you can do that.

In theory, you can do that just by not writing down all of the words. But then you are constrained to only using some sequence of BIP 39 words as the thing you need to remember. You are far more likely to forget that, especially over the long term when you're not using it regularly, than a passphrase you've decided on yourself.
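
The BIP 39 seed derivation that str4d's comment refers to, as an added example that is not part of the original thread or of the Zashi code base: it shows that the empty string and every other passphrase each yield a valid, unrelated master seed, so a mistyped passphrase silently opens a different key tree rather than producing an error. The mnemonic is the public BIP 39 test phrase and the passphrases are constructed sample values.

```python
import hashlib
import unicodedata

# Public BIP 39 test mnemonic (11 x "abandon" + "about"); never use for funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP 39 requires NFKD normalisation before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte master seed: PBKDF2-HMAC-SHA512, 2048 iterations.

    The mnemonic is the PBKDF2 password; the passphrase is appended to the
    fixed salt prefix "mnemonic". Nothing stores or checks the passphrase,
    so any input, including "", produces a usable seed.
    """
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def seed_fingerprints(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the first 8 bytes (hex) of its seed."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


if __name__ == "__main__":
    # Constructed sample passphrases: the default, one chosen value, and two
    # near-misses (capitalisation, trailing space) a user could type by accident.
    candidates = ["", "correct horse", "Correct horse", "correct horse "]
    for phrase, fp in seed_fingerprints(TEST_MNEMONIC, candidates).items():
        print(f"{phrase!r:18} -> seed {fp}...")
```

Each line of output is a different wallet; a wallet UI that supports passphrases therefore needs its own confirmation step, because the derivation itself cannot tell a wrong passphrase from a right one.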