iancoleman / bip39

A web tool for converting BIP39 mnemonic codes
https://iancoleman.io/bip39/
MIT License

Best Practice Entropy ( combine multiple sources ) #493

Open S0PEX opened 3 years ago

S0PEX commented 3 years ago

Hey,

I have just found your awesome tool and would like to create my own BIP39 24-word mnemonic. There I saw that it would be possible to supply my own entropy and I was wondering how the combination of multiple sources would look. For example:

What would be the best way of combining these three points of randomness into your tool? When I created a mnemonic with the dice I just selected Dice [1-6] - 62535634. As the other sets of entropy (KeePass, urandom) include special chars I am not sure which options to choose. Currently the only method of using these special chars would be to encode the string (using ASCII or UTF) into the bit-string and supply it as the entropy.

It would be interesting to hear your opinion about the whole thing. This could then also be put on the website under information or something similar.

Regards Artur

wigy-opensource-developer commented 3 years ago

If you do not trust any of these sources of entropy on their own, the best way to combine them would be to create 256 bits of entropy with each one of these sources, bitwise XOR them together and enter the result as a hexadecimal number in the advanced entropy input field. This tool does not help you though in XOR-ing the entropies together and how you do that depends on your experience with programming or unix tools. Of course, do not use an online tool for that.
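Added example, not code from the thread or from the bip39 tool: an offline Python script that normalises each source to 256 bits and XORs them as described in the comment above. Using SHA-256 to turn a dice string or a KeePass password into 32 bytes is my assumption for the non-hex sources, not something the thread prescribes; hashing only formats the entropy and adds none, which is why the script insists on enough dice rolls first (about 100 fair d6 rolls for 256 bits).

```python
import hashlib
import math

ENTROPY_BITS = 256       # a 24-word BIP39 mnemonic encodes 256 bits of entropy
LOG2_D6 = math.log2(6)   # entropy per fair six-sided die roll, about 2.585 bits

def dice_rolls_needed(bits: int = ENTROPY_BITS) -> int:
    """Fewest fair d6 rolls whose combined entropy reaches `bits` (100 for 256)."""
    return math.ceil(bits / LOG2_D6)

def dice_entropy_bits(rolls: str) -> float:
    """Upper bound on the entropy in a string of d6 rolls such as '62535634'."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("dice string must contain only the digits 1-6")
    return len(rolls) * LOG2_D6

def source_to_256_bits(source: str, kind: str) -> bytes:
    """Normalise one source to exactly 32 bytes (assumed normalisation, see lead-in).
    'hex':  64 hex characters, e.g. 32 bytes read from /dev/urandom.
    'dice': a string of d6 rolls; SHA-256 only *formats* them as 32 bytes and adds
            no entropy, hence the roll-count check (hashing 8 rolls is still 8 rolls).
    'text': any other string, e.g. a KeePass-generated password; its entropy is
            whatever the generator put in, which this code cannot measure."""
    if kind == "hex":
        data = bytes.fromhex(source)
        if len(data) != ENTROPY_BITS // 8:
            raise ValueError("hex source must be exactly 256 bits (64 hex characters)")
        return data
    if kind == "dice":
        if dice_entropy_bits(source) < ENTROPY_BITS:
            raise ValueError(f"need at least {dice_rolls_needed()} rolls, got {len(source)}")
        return hashlib.sha256(source.encode("ascii")).digest()
    if kind == "text":
        return hashlib.sha256(source.encode("utf-8")).digest()
    raise ValueError(f"unknown source kind {kind!r}")

def combine_entropy(sources: list[bytes]) -> str:
    """XOR the 32-byte sources bitwise; returns the 64 hex characters that the
    tool's advanced entropy field takes. If any one source is uniformly random and
    independent of the rest, the XOR is uniformly random as well."""
    if len(sources) < 2:
        raise ValueError("combining needs at least two sources")
    acc = bytes(ENTROPY_BITS // 8)
    for src in sources:
        if len(src) != ENTROPY_BITS // 8:
            raise ValueError("every source must be exactly 32 bytes")
        acc = bytes(a ^ b for a, b in zip(acc, src))
    return acc.hex()
```

The dice string from the opening post (8 rolls, about 20.7 bits) is rejected by the roll-count check, which is the point: each source should carry a full 256 bits on its own before the XOR.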

scscgit commented 3 years ago

For reference, in https://github.com/iancoleman/bip39/issues/398 I've mentioned creating an ad-hoc open-source calculator scscgit/StandaloneWalletGenerator exactly for this purpose, so you can consider this implementation as an inspiration. I'm using a third-party "randomness service", which I think is a great idea as long as you XOR it with further secure entropy that you trust; plus a placebo security consisting of typing custom zeroes / ones makes the process even more intuitive ;)

In general, my opinion is that there's a vital collective need for increasing transparency (& internalization of the necessary concepts), so that new users have a "chance" of consciously taking control over their security, rather than blindly trusting all the black-boxes that are being pushed onto them (by all the wallet "clients"). Basically, I think that our priority (as a crypto community that's becoming increasingly responsible for the future of humanity :P) should be to create a proper interface that encourages this kind of approach. Creating a wallet should be like a sacred ritual that's performed carefully & with double-checking that there's no way to intercept or affect the final entropy. After all, if you use HD (hierarchically deterministic) wallets, you're usually creating only one seed to be used over a long term, so it's literally insane to hurry up the process for the sake of comfort. It could be possible to decide on some "principles" that one must follow in order to avoid any reasonable risks; for example, this shouldn't be done on any machine that IS or WILL be connected to the internet (especially once the standardization reaches the point when it's trivial for spyware to expect this behavior), so dedicated cold-wallet computers would be preferred (and there are plenty of virtualization options that can be run without internet access even on Windows), along with some practices to avoid persisting any RAM contents to the hard drive (including the implicit swapping); so live OS boot flash drives probably make the most sense... In any case, such a dream solution wouldn't even require you to prevent tampering with the OS installation, because the algorithm would be so transparent that you'd notice if an attack ever occurred. (Well, the conversion of bits to 12-24 words could still evade the user's capability to double-check their equivalence.)

I hope that this idea will be integrated in some user-friendly & practical way even to this bip39 tool, especially for those of us who are so desperate to have our gulf of execution bridged using standard tools that have already survived a test of time. (Not only does it feel paranoid to manually calculate all 256 bits while ensuring that you destroy all intermediate results, but it's also so damn annoying, isn't it? :P)

petjal commented 2 years ago

Does something like this make sense?

  1. in "Generate a random mnemonic: GENERATE 15 words, or enter your own below.",
  2. change "15" to "24", then click "GENERATE".
  3. Click "Show entropy details".
  4. In the "Entropy" text box, see the 64 hexadecimal characters.
    • Notice "Event Count" should say "64".
  5. From another source of randomness, for example
  6. paste 64 or so more hex characters into the "Entropy" text box.
  7. The "Mnemonic Length" box will change to "Use raw entropy...". Change that back to 12 words.
  8. See your new 12 seed words in the "BIP39 Mnemonic" text box.
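Added example, not code from the thread or from the bip39 tool: the last step above, raw entropy to 12 (or up to 24) words, reproduced offline so the tool's output can be double-checked, since scscgit noted earlier that this bits-to-words conversion is the part a user cannot easily verify by eye. It computes the BIP39 checksum and the 11-bit word indices; turning an index into a word needs the standard English wordlist, which is not embedded here.

```python
import hashlib

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words

def word_count_for_bits(ent: int) -> int:
    """Number of mnemonic words for ENT bits of entropy (128 -> 12, 256 -> 24)."""
    if ent not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    return (ent + ent // 32) // 11

def entropy_to_word_indices(entropy: bytes) -> list:
    """BIP39 word indices (0..2047) for raw entropy of 16..32 bytes.

    Checksum = first ENT/32 bits of SHA-256(entropy). The entropy bits followed
    by the checksum bits are split into 11-bit groups, one index per word.
    Look each index up in the English wordlist to compare with the tool's words.
    """
    ent = len(entropy) * 8
    cs = ent // 32
    if ent not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[:cs]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]
```

The well-known all-zero 16-byte test vector gives eleven times index 0 ("abandon") and index 3 ("about"), a quick sanity check that the checksum is being taken correctly.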