irungentoo / toxcore

The future of online communications.
https://tox.chat/
GNU General Public License v3.0

Deterministic ID #1462

Open SlugFiller opened 8 years ago

SlugFiller commented 8 years ago

When using Skype, if I want to use it on a new device, or if I want to format my harddrive and reinstall, all I need to do is remember my username and password. I can very easily install a new copy, input my username and password, and while I might lose my chat history, I keep my account and contact list with no issues.

When using Tox, however, I need to constantly worry about keeping a copy of my account, including my private key. If that's lost, then my account is lost forever.

This is actually a common issue in any distributed application which relies on a private key for identity. So it's no surprise that another such application has already come up with a solution: Bitcoin. The Bitcoin client Electrum offers something called a "deterministic wallet". You pick or randomly generate a passphrase made of several words (fairly easy to memorize), and this passphrase is used as a seed to generate any necessary private keys. Since the blockchain is a complete ledger, even if you have a critical drive failure, you can always completely recover your wallet (and its contents) on a completely new device from the passphrase. Unlike a complex binary private key, it can be easily memorized. Even if you keep no backups, your wallet is secure.

I suggest a similar system for Tox. While the contact list may be a separate issue, your unique user ID should still be recoverable from a memorized passphrase. It would mean you can at least keep your public ID if you lose your account data, and it would also make it easier to migrate to another device without having to worry about how to copy your account between devices.

quininer commented 8 years ago

How do you defend against brute-force attacks?

SlugFiller commented 8 years ago

@quininer https://xkcd.com/936/

A passphrase consisting of 12 or more common words is as secure as or more secure than a 128 bit private key. Realistically, even a 1024 bit private key will be broken with the appropriate mathematical algorithms long before a 12+ word passphrase is resolved with a brute-force attack. There is no risk of it becoming the easiest attack vector so long as minimal entropy (word count) is ensured.

quininer commented 8 years ago

@SlugFiller Can you ensure that all users use a password in accordance with this method? If the password is leaked, can the user change the password?

GrayHatter commented 8 years ago

Did you cite xkcd as a literal source for network security? I cite xkcd all the time, but not when I'm actually trying to defend an argument.

Anyways, no. This is a bad idea. Bitcoin is cool and all. And the blockchain is a neat idea. But Tox != bitcoin. And suggesting that you put private information into a blockchain is a bad idea. Not only because the blockchain's old data is intended to be public knowledge, whereas keys and friend lists are supposed to be private. No one will easily remember 12 words. They'll write it down, and at that point backups are a better idea.

SlugFiller commented 8 years ago

When I created my Electrum wallet, it generated a 13 word passphrase for me. I looked at it a sum total of 4 times, and I can already recite it in my sleep if I must. I also feel completely safe saying that it's exactly 13 words, because the relevant entropy is still several orders of magnitude larger than the age of the universe in nanoseconds. So the claim that "no one will easily remember 12 words" is outright false.

My point is, your passphrase is at least as secure as your private key. Yes, there are ways in which your passphrase can leak. But in any such case, the EXACT same method can be used to leak your private key. Wrote down your private key somewhere to not lose it? It can be compromised. Stored your private key on a remote server? It can be stolen. By contrast, a passphrase is something you can actually store in your brain, rather than an easily readable media. You can't do that with a private key. It's not something you could conceivably memorize. And your brain is a heck of a lot harder to compromise than any other media, if only due to the fact that compromising the brain compromises almost any other media (Except maybe biometric or two-factor authentication).

Private keys in Tox are no different from those in Bitcoin. In both, they must be private, and are not shared with the network in any way. In both, the related public keys ARE shared with the network, in some form or another. But in the latter, they are also worth money, meaning people have a bigger motivation to steal them. So you can't claim Bitcoin's security requirements are lower.

As for the XKCD, I often cite that one, because it's the best way to explain password entropy to people who don't understand information theory. While it may be funny to read, it's actually no joke.

quininer commented 8 years ago

Not everyone can easily remember a long password that is not reused, which is why KeePass and LastPass exist. A "password" is more likely to leak than a "key": the password may be guessed, obtained by social engineering attacks, or even by shoulder surfing.

HostFat commented 8 years ago

@quininer These aren't passwords (passphrases) generated by the brain of the user.

These are two good examples of this: https://brainwallet.io/ https://keybase.io/warp

quininer commented 8 years ago

@HostFat So, this is more like a key you can remember, rather than a password...

HostFat commented 8 years ago

Yep.

SlugFiller commented 8 years ago

Just to note that an encrypted KeePass password file is at least as secure as an encrypted backup of your account, if not more (since KeePass, being fully aware of the need to make backups, uses extra measures to increase the computational difficulty of reversing the encryption).

But, again, as I've mentioned, I was able to memorize a 13 word passphrase with no issues. Before you say "people will not be able to-" I suggest you actually try, and see just how long it takes you to memorize a randomly generated high-entropy passphrase. It's precisely the sort of thing our brain is wired to memorize.

quininer commented 8 years ago

This is a good key recovery scheme, as long as it does not become the weak point in the foreseeable future. :D

GrayHatter commented 8 years ago

> When I created my Electrum wallet, it generated a 13 word passphrase for me. I looked at it a sum total of 4 times, and I can already recite it in my sleep if I must. I also feel completely safe saying that it's exactly 13 words, because the relevant entropy is still several orders of magnitude larger than the age of the universe in nanoseconds. So the claim that "no one will easily remember 12 words" is outright false.

I love xkcd, so here's one on your sampling bias https://xkcd.com/674/

I don't care if you can do it, I need my grandma to do it.

> My point is, your passphrase is at least as secure as your private key.

[citation needed]

> Yes, there are ways in which your passphrase can leak. But in any such case, the EXACT same method can be used to leak your private key.

No, social engineering will much more easily get you a passphrase than a private key.

> Wrote down your private key somewhere to not lose it? It can be compromised. Stored your private key on a remote server? It can be stolen.

Your solution doesn't fix this.

> By contrast, a passphrase is something you can actually store in your brain, rather than an easily readable media. You can't do that with a private key. It's not something you could conceivably memorize.

But you think 13 random words in order is?

> And your brain is a heck of a lot harder to compromise than any other media, if only due to the fact that compromising the brain compromises almost any other media (Except maybe biometric or two-factor authentication).

Look, more xkcd https://xkcd.com/538/

> Private keys in Tox are no different from those in Bitcoin.

In concept? maybe not. In application and use they ABSOLUTELY are!

> In both, they must be private, and are not shared with the network in any way. In both, the related public keys ARE shared with the network, in some form or another.

Not really. You should read how the DHT and onion work.

> But in the latter, they are also worth money, meaning people have a bigger motivation to steal them. So you can't claim Bitcoin's security requirements are lower.

No, because if I steal your money, I can't find and kill you. However, if I get your private key, I could use that to locate, impersonate, dox, almost anything.

In bitcoin. No one is using it thinking it's private, (unless you've been misled). The whole blockchain is public knowledge. Everyone knows this. That's why it can be trusted, because you don't actually need trust, you can verify the whole thing yourself.

> As for the XKCD, I often cite that one, because it's the best way to explain password entropy to people who don't understand information theory. While it may be funny to read, it's actually no joke.

No, you're correct. But xkcd is nice for explaining a concept. Not for arguing for the implementation of a network security system.

SlugFiller commented 8 years ago

> I don't care if you can do it, I need my grandma to do it.

Show me how your grandma memorizes a private key. Show me how you explain to her the concept of securely backing up your account.

Also, don't underestimate your grandma's memory. If she remembered your phone number long before smartphones had contact lists, she can sure as heck remember 12+ lousy words.

> No, social engineering will much more easily get you a passphrase than a private key.

Because "Read to me these words which you know are supposed to be your super-secret passphrase" is SO much easier than "send me this binary file which you don't know what it does". If you were pretending to be tech support, etc, the latter would actually be easier to pull off.

> Your solution doesn't fix this.

But it doesn't make the situation any worse than it already is, and offers an alternative that DOES fix that.

> But you think 13 random words in order is?

"Think"? I empirically KNOW that you can memorize it. You want a bigger sample size? Sure, let's grab 50 random people, give each a random passphrase to memorize, and see how long it takes them. Then repeat the process with a private key, or even the public ID, and see how well THAT works.

> No, because if I steal your money, I can't find and kill you. However, if I get your private key, I could use that to locate, impersonate, dox, almost anything.

You technically can use a wallet's private key to impersonate a person on Bitcoin, since it has message signing support. But that's beside the point, we're getting into tinfoil territory here. Having real-life money stolen is a real-life case, that actually happens and has happened in real life, and not just in film noir.

> The whole blockchain is public knowledge.

But the private keys are not, otherwise anyone could use anyone else's money. If you don't understand that basic concept, then YOU'RE the one who needs to learn more.

> No, you're correct. But xkcd is nice for explaining a concept. Not for arguing for the implementation of a network security system.

But if you're arguing with a layman, you need to explain the concept first. And it certainly feels like I'm arguing with a layman. Do I really need to write a scroll with detailed explanations and Wikipedia citations to explain basic concepts of information entropy and the basic capabilities of the human brain? Is it too much to expect that an intelligent reader would simply take the 5 minutes to look into it, or just the crash-course that the xkcd strip offers?

Or do you want to challenge how the 3000 most commonly used non-particle words cover at least 11 bits of entropy, and, multiplied by 13, cover 143 > 128 bits of entropy? Or how that entropy is higher than keys of equal length limited to the prime number density within the 2^keylength range? Or maybe you want to claim that it's easier to remember 20+ completely random letters and numbers (I'm being generous and assuming the key is a weaker 128 bit key, and not something even HARDER to memorize) along with alternating case, than to remember 13 words? Or do you want to claim that storing away data-you-can't-remember X is somehow more secure than storing away data-you-can't-remember Y, assuming you employ that "memorization" strategy?

I'm trying to figure out, what is your actual claim here, security-wise?

HostFat commented 8 years ago

Anyway, this feature is most likely client-side, so if it is not added to some of the official clients, it will be easy to have on some forks.

Maybe it is even possible to generate the key with a simple dedicated software, and then import it on Tox.

GrayHatter commented 8 years ago

@HostFat, The ToxID is handled by core alone. Clients have effectively no input.

GrayHatter commented 8 years ago

@SlugFiller

If you'd like I can go point by point again. But you've only rehashed what you said before without any additional citations, so it'd be just my same responses with slightly different phrasing. Only I wouldn't call you a layman....

So I'll just hit two of your points.

> I can very easily install a new copy, input my username and password, and while I might lose my chat history, I keep my account and contact list with no issues.

You want to put the private key, and friends list into a blockchain.

> I'm trying to figure out, what is your actual claim here, security-wise?

That's a HORRIBLE idea, for a system created to be secure and private.

> Because "Read to me these words which you know are supposed to be your super-secret passphrase" is SO much easier than "send me this binary file which you don't know what it does". If you were pretending to be tech support, etc, the latter would actually be easier to pull off.

I disagree. Assuming that you were going to get someone to release information to you. Would it be easier to get them to send you a secret file hidden away on their computer (ideally also password protected), or to read you 13 words that they were once told to memorize?

I think you're assuming that users have something near your level of technical understanding. Skype users, and facebook users don't.

SlugFiller commented 8 years ago

> You want to put the private key, and friends list into a blockchain.

Where, in my suggestion, did I ever say that? What even HINTS that? The private key is deterministically determined, using a mathematical algorithm, from your passphrase. It's never shared.

Or do you believe that private keys in Bitcoin are simply pasted into the blockchain? That would have been a HUGE security flaw, that would allow anyone to obtain millions of dollars worth of bitcoins at literally no effort.

> That's a HORRIBLE idea, for a system created to be secure and private.

Not gonna go [citation needed] here, but I will do the more polite thing of asking for details. What is the suggested attack vector, exactly?

Mind you, I'm not saying that there aren't attack vectors, just that any such attack vector could be equally used against the current private key system.

So, show me ONE attack vector that is possible with a 12+ word passphrase that isn't possible with a private key. Also, you must make the exact same assumptions: You can't assume that someone would take the time to write down their passphrase, but would be A-OK with having absolutely no backup of their private key.

> I think you're assuming that users have something near your level of technical understanding. Skype users, and facebook users don't.

On the contrary. "Send me your configurations", or "email me this trace dump" is a standard process in tech support. You tell the user the location of the file, they right click, and send it. The thing is, they never know what that file is for. Someone without technical knowledge wouldn't know which files are safe to send, and which aren't.

But everyone, with even no technical knowledge, knows what a "password" or "passphrase" is. Or what a "secret" is. One line of text going "Never share this with anyone. No technical support should ever ask you for this" above the text-box showing you your passphrase is all it takes. Even the biggest layman would know what THAT means.

(Also, there have been much bigger barriers to migrating Skype users, but that flamewar already happened elsewhere, and I don't want to pollute this thread with it. But let's just say that requiring manual backup of your account sure isn't helping "sell" Tox to Skype and Facebook users)

GrayHatter commented 8 years ago

Also, after reading this a second time I don't think you actually understand how entropy works... you say that of the 3000 most common words, you're guaranteed 11 bits of entropy. You're actually not, not even close. Any linguist will tell you that words follow predictable patterns, and anyone you find over the age of 5 will tell you patterns aren't random.

You'd be much better off thinking of it as a base set, instead of trying to convert back and forth from letters to bits. So you should be comparing 3000 (word list)^13 = 1.59e45 vs 2^128 (good random data) = 3.402e38

GrayHatter commented 8 years ago

@SlugFiller

> Where, in my suggestion, did I ever say that? What even HINTS that?

When you said you would be able to get your private key and contact list back. I even quoted you

> I can very easily install a new copy, input my username and password, and while I might lose my chat history, I keep my account and contact list with no issues.

GrayHatter commented 8 years ago

> That's a HORRIBLE idea, for a system created to be secure and private. Not gonna go [citation needed] here, but I will do the more polite thing of asking for details. What is the suggested attack vector, exactly?

If you put information into a blockchain, and I break that blockchain, I get that information. If I keep information on my local system, and you break the blockchain... you don't get that information.

SlugFiller commented 8 years ago

> you say that of the 3000 most common words, you're guaranteed 11 bits of entropy. You actually not

2^11 = 2048 < 3000. Picking a random word out of 3000 gives you that.

"Patterns" don't exist in randomly generated phrases. They may exist in custom generated ones, but if you require that no particles or overly common words (e.g. yes/no/what) are used, you still get a sufficiently distributed random.

> So you should be comparing 3000(word list)^13 = 1.59e45 vs 2^128(good random data) = 3.402e38

> e45 [snip] e38

SEVEN ORDERS OF MAGNITUDE HIGHER! I don't need to make an argument, here, you've just made it for me.

> When you said you would be able to get your private key and contact list back. I even quoted you

You can get the private key back by inputting the passphrase, and going through the same deterministic calculation that generated the private key in the first place. Hence "Deterministic ID". It doesn't need to be stored in a blockchain, nor did I ever suggest using a blockchain for private key storage.

As for the friends list, my exact quote is:

> While the contact list may be a separate issue

And, indeed, there's a separate issue for friends list storage: #181. Note, however, that this separate suggestion (made 2 years ago by a completely separate person) is only useful if you can recover your private key to begin with.

> If you put information into a blockchain, and I break that blockchain

First, I didn't suggest adding a blockchain. But even if I did, "breaking" the blockchain is computationally equivalent or tougher to reversing a private key from a public key. For each user. If you've given your ToxID to ANYONE, they would have the same ability to "break" the blockchain. If you use it for DHT searches or publish (making yourself available for contact), the node in charge of that segment of the network gets your public ID.

So, once again, even if it was suggested, and even if you assume an attack vector there, the exact same attack vector is available in the current system.

I think you have some seriously strange opinion regarding the security of the blockchain and private keys in it. You seem to live in a world where anyone can steal Bitcoins at little to no effort. Given the presence of suitable monetary incentive, one must wonder how Bitcoin survived as long as it did, given your perspective on network security.

Scratch-net commented 8 years ago

How about slowing down the hashing to several seconds (or minutes)? A KDF like scrypt should be ok for that; it would slow down hackers as well.
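The derivation the thread is proposing (SlugFiller's deterministic ID, with Scratch-net's suggestion of a slow KDF on top) can be written down concretely. The block below is an added example, not code from toxcore or from anyone in this thread: it canonicalises the word passphrase so that every client hashes identical bytes, then stretches it with scrypt into a 32-byte seed of the size a Curve25519 secret key uses. The constant salt, the scrypt cost parameters and the 12-word minimum are assumptions made for this example; a deterministic scheme cannot use a per-user random salt, because nothing but the passphrase may be needed on the new device, so the slowness of the KDF is the only thing standing between an attacker and an offline guessing run, and a deployment would raise the cost parameters until one guess takes seconds. The sample passphrase reuses the 13 words from SkyzohKey's mockup further down the thread.

```python
import hashlib
import unicodedata

# Fixed, public domain-separation salt (assumption for this example).  A
# deterministic ID scheme must use a constant salt: a random per-user salt
# would itself have to be backed up, defeating the purpose.
DOMAIN_SALT = b"example-deterministic-id-v1"

# scrypt cost parameters, chosen small enough that this example runs in well
# under a second; a real deployment would raise SCRYPT_N so that each guess
# costs an attacker seconds of CPU and a fixed amount of memory.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SEED_LEN = 32          # size of a Curve25519 secret key (NaCl/libsodium)
MIN_WORDS = 12         # floor from the thread: 12+ words from a large list

# Constructed sample: the words from SkyzohKey's UI mockup in this thread.
SAMPLE_PASSPHRASE = ("mobile visual above derive camp wind heat random "
                     "read buck domain sound wisdom")


def normalize_passphrase(passphrase: str) -> str:
    """Canonicalise a word passphrase so every client hashes the same bytes.

    NFKD normalisation, case folding and whitespace collapsing remove the
    usual accidental mismatches between clients (stray spaces, capitals,
    composed vs. decomposed accents).  It deliberately does NOT reconcile
    spelling variants such as "color"/"colour"; only a fixed, shared word
    list can do that.
    """
    text = unicodedata.normalize("NFKD", passphrase).casefold()
    return " ".join(text.split())


def derive_seed(passphrase: str) -> bytes:
    """Stretch the normalised passphrase into a SEED_LEN-byte secret seed.

    Same passphrase in, same seed out, on any device: that is the whole
    point.  The seed would then be fed to the key-pair generator; that step
    is library-specific and omitted here.
    """
    words = normalize_passphrase(passphrase)
    if len(words.split()) < MIN_WORDS:
        raise ValueError(f"passphrase must contain at least {MIN_WORDS} words")
    return hashlib.scrypt(
        words.encode("utf-8"),
        salt=DOMAIN_SALT,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=SEED_LEN,
    )


if __name__ == "__main__":
    seed = derive_seed(SAMPLE_PASSPHRASE)
    print("seed:", seed.hex())
    # Different spacing and capitalisation must not change the key.
    assert seed == derive_seed("  Mobile   VISUAL above derive camp wind "
                               "heat random read buck domain sound wisdom ")
```

Two properties matter for a scheme like this and both are visible in the code: the derivation is a pure function of the passphrase (so migrating to a new client only works if every client agrees on the normalisation and the KDF parameters, which is why SlugFiller later argues for putting it in core), and the KDF cost is the only brute-force defence, so the parameters are part of the protocol and cannot be tuned per client.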

srkunze commented 8 years ago

I remember Nxt doing such things as @SlugFiller describes: http://nxt.org/get-started/step-2/ The newbie setup generates a list of 12 words from which your actual private key and public key are then generated.

So, it seems as if this kind of setup is viable.

SkyzohKey commented 8 years ago

Hmm, if I understand this issue well, you would obtain something like this?

This is your passphrase. Read and remember it (or write it on a secure paper).
The passphrase permits you to recover your account if you lose it.
Please note that your passphrase **MUST** stay known by only you, never share it!

mobile visual above derive camp wind heat random read buck domain sound wisdom

SlugFiller commented 8 years ago

@SkyzohKey Yup, that's about right.

I also want to add that having support for this in the core, rather than simply allowing clients to support it, could also help in terms of ensuring a common hashing function, which would make it easier to migrate between different clients, while keeping the same key.

SkyzohKey commented 8 years ago

@SlugFiller commented on 24 Nov 2015, 16:33 GMT+1:

> @SkyzohKey Yup, that's about right.

> I also want to add that having support for this in the core, rather than simply allowing clients to support it, could also help in terms of ensuring a common hashing function, which would make it easier to migrate between different clients, while keeping the same key.

So I :+1: this suggestion

cleverca22 commented 8 years ago

Even if you can generate the same keypair on another system, without the friend list (accepted pubkeys) you will have to re-accept every friend, and they haven't sent new friend requests, so it won't prompt.

Ferk commented 8 years ago

Imho, this would be a nice addition. Even if friend lists would have to be synced some other way, this seems like a clever approach to be able to port private keys from one device to another, even if file transfer was not possible or straightforward. At the moment using tox is a bit of a pain because of all the low-level management for keys and users that you have to do, so imho this would be a step in the right direction.

SlugFiller commented 8 years ago

@cleverca22 As I've mentioned, there's already a suggestion (#181) for storing the friends list remotely. There's also a suggestion (https://github.com/tux3/qTox/issues/2551) for adding contacts from public ID without nospam (No request), if you have some alternate backup. There are also several ideas for list synchronizations in multi-device proposals.

But all of these require, as a foundation, the ability to pass around your private key, as a sort of "master key", between devices. In other words, you can view this as "blocking" any of those other suggestions.

Renha commented 8 years ago

@SlugFiller

> A passphrase consisting of 12 or more common words is equally or more secure than a 128 bit private key.

Wow, if so, you could just convert a 128-bit private key to 12 or more common words.

P.S.> 12 or more common words is more secure than anything with constant security. Because "more" could be very much more.

ProMcTagonist commented 8 years ago

let's make the private key generatable from thirteen words

why does this have any replies

srkunze commented 8 years ago

@ProMcTagonist Because tox would not be the first project choosing this approach. If that qualifies for "good enough" I leave to crypto experts.

Ferk commented 8 years ago

Is 1 kg of steel heavier than 1 kg of feathers??

128 bits worth of entropy expressed as random words from a determined pool is as safe as 128 bits worth of entropy expressed as characters from a determined ASCII subset. Or as 128 bits worth of 1s and 0s. It's basically a different representation of the same data... one is digits, another is characters and the other one is words.

It's silly that there's even a discussion about it...

SlugFiller commented 8 years ago

@Renha Possible, but it would require a pre-built dictionary, with a sufficient number of words. This dictionary would have to be uniform, distributed with any Tox client. In fact, to allow cross-client migration, that dictionary would have to be standardized, most likely by embedding it into tox core. If you want to not alienate non-English speakers, you'll also need a standard dictionary for each language.

So, possible, but it becomes a minefield, once you realize people don't all use the same words.

A generator that takes X words (randomized from a non-standard pool, or manually input by the user) and digests the resulting string, in a uniform way, down to 128 bits, is far easier to implement and pass around.

cleverca22 commented 8 years ago

and once color vs colour comes into the mix, have fun getting the same key

Renha commented 8 years ago

@SlugFiller we could use any international language, for example, Esperanto. And a fixed dictionary isn't so big, much less than a megabyte; look at what3words' project info. A gzipped dictionary would be even smaller.

LuccoJ commented 8 years ago

Because Esperanto words are easier for common people to remember than whether "color" is being spelled "color" or "colour"...? Anyway, of course you'd have to use a vetted English wordlist with the problematic words weeded out. There are libraries for this.

Scratch-net commented 8 years ago

https://en.wikipedia.org/wiki/PGP_word_list ?

LuccoJ commented 8 years ago

There's a good example! Although I'd favor a longer wordlist, because with that one, IDs would still be very long. I'm pretty sure you can have a much longer list where words are still not too ambiguous. I happen to know about https://github.com/NebulousLabs/entropy-mnemonics for instance.
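The other direction discussed from Renha's comment onward (take an existing 128-bit key and render it as words from a fixed list, as the PGP word list and entropy-mnemonics do) is plain big-integer base conversion, and the entropy arithmetic that GrayHatter and SlugFiller traded earlier falls out of the same two numbers: list size and word count. The block below is an added example, not code from toxcore, from the PGP word list, from entropy-mnemonics, or from anyone in this thread. It encodes a key as a fixed-length sequence of words, decodes it back, refuses any word not in the shared list (the "color"/"colour" problem cleverca22 raises), and computes how many words a given list needs to carry 128 bits. The 512-entry word list is constructed from syllables purely so the example runs offline; a real deployment would ship a vetted, standardised list.

```python
import math
from typing import List

KEY_BYTES = 16  # a 128-bit key, the size the thread compares against


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly from a list of that size."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: int) -> int:
    """Smallest word count whose keyspace reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def build_constructed_wordlist() -> List[str]:
    """Constructed stand-in for a real vetted list: 16 x 4 x 8 = 512 tokens.

    The tokens are pronounceable but meaningless; the only properties the
    encoder needs are that the list is fixed, ordered and free of duplicates.
    """
    onsets = ["b", "d", "f", "g", "k", "l", "m", "n",
              "p", "r", "s", "t", "v", "z", "ch", "sh"]
    vowels = ["a", "e", "i", "o"]
    codas = ["", "n", "r", "s", "t", "k", "l", "m"]
    words = [o + v + c for o in onsets for v in vowels for c in codas]
    if len(words) != len(set(words)):
        raise RuntimeError("word list contains duplicates")
    return words


def key_to_words(key: bytes, wordlist: List[str]) -> List[str]:
    """Render a key as a fixed-length word sequence (big-endian, base N).

    The length is fixed from the key size so that leading zero bytes are
    preserved: a key starting with 0x00 still decodes to the right length.
    """
    base = len(wordlist)
    count = words_needed(base, 8 * len(key))
    value = int.from_bytes(key, "big")
    out: List[str] = []
    for _ in range(count):
        value, idx = divmod(value, base)
        out.append(wordlist[idx])
    return out[::-1]


def words_to_key(words: List[str], wordlist: List[str],
                 key_len: int = KEY_BYTES) -> bytes:
    """Inverse of key_to_words.  Rejects words outside the shared list."""
    index = {w: i for i, w in enumerate(wordlist)}
    base = len(wordlist)
    if len(words) != words_needed(base, 8 * key_len):
        raise ValueError("wrong number of words for this key size")
    value = 0
    for w in words:
        if w not in index:
            # Different spelling, different dictionary, or a typo: without
            # the exact shared list there is no way to recover the key.
            raise ValueError(f"{w!r} is not in the standard word list")
        value = value * base + index[w]
    return value.to_bytes(key_len, "big")  # OverflowError if out of range


if __name__ == "__main__":
    wl = build_constructed_wordlist()
    sample_key = bytes(range(KEY_BYTES))          # constructed, not a real key
    words = key_to_words(sample_key, wl)
    print(len(words), "words:", " ".join(words))
    assert words_to_key(words, wl) == sample_key
    # The numbers from the thread: 3000 words ^ 13 vs 2^128.
    print("bits in 13 words from 3000:", round(entropy_bits(3000, 13), 1))
    print("words from a 256-entry list for 128 bits:", words_needed(256, 128))
```

Run stand-alone it prints the 15-word rendering of the sample key and the two figures the thread argued about. Two things the arithmetic makes concrete: a 256-word list (the PGP word list's size) needs 16 words to carry 128 bits, a 2048-word list needs 12, and a 3000-word list still needs 12, which is why LuccoJ wants a longer list; and because the words are merely a base-N representation of the key bits, their entropy is exactly the key's and no more, so the "steel vs feathers" point from Ferk holds as long as the key itself was generated uniformly.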