Very bad practice with pbkdf2Sha512 salt
#13
Comments
cryshado
changed the title
pbkdf2Sha512 saltpbkdf2Sha512 salt
|
I also suggest documenting this point very well and recommending that wallets provide instructions on how to generate private keys to their users |
|
No problem stated: this repo is not going anywhere soon and not going to change it’s code by obvious reasons. instead of documentation improvements proposed to change code. Why? |
At least using salt with non-printing characters is not a good example. It is suggested that we follow the example of other developers who set the salt to |
|
How it is different from putting documentation on ton.org? Why change the code? |
Please read my posts above more attentively. If a particular resource is not available, it can be problematic |
|
ton.org? And all forks of all wallets are unavailable? I suppose ton is dead then. |
|
Agree with issue author. In my subjective opinion, all potential problems with cryptographic algorithms have to be solved in the bud, because this may cause problems with cryptography in future applications. The algorithm in the current repository must be replaced by the correct one. |
|
What’s not correct? |
|
'TON default seed' was originally used as a salt in tonlib and is used in all standard native wallets. TonWeb uses the same salt. For the password option, we can use 'TON default seed' + passphrase. So you offer just another string ('mnemonic' instead of 'TON default seed'). It doesn't increase security. We can’t just change the salt, because a huge number of users are already using wallets. All source codes are open and anyone can see how the mnemonic is generated. On ton.org/docs we really should add the mnemonic algorithm and the salt constant. If you just like a different constant, then we won't change code. If I missed something, please reply |
|
@tolya-yanot thanks for the reply in this issue For first most likely Even if there is no decision to change the default values to the new ones, I am very glad that you think it is a good decision to add information about the key pair generation algorithms to the official documentation. But I have some another question about this case. How can you explain |
|
I agree that there are quite a few questionable design choices regarding mnemonic generation and processing, namely:
While it is obvious that there's no way one can guess full 24-words of the mnemonic sentence, this means that we are not utilizing salt to further strenghten security
My proposed solution would be as follows:
|
|
Using word Changing mnemonic generation algorithm is a serious and cumbersome process. It can be justified in case of security issue, but not form aesthetic reason. |
|
I would like to respectfully point out that the implementation of the mnemonic generation process seems to have been done incorrectly. The current approach appears to involve the random selection of 24 words from a dictionary, which are then used to create a seed. (source) However, the correct method would be to first generate entropy and then derive the words based on this entropy. The seed should also be obtained using the generated entropy.
Use the BIP39 standard for recover: {
bitOfWord: 11,
wordCount: 24,
bitChecksumCount: 8,
bitEntropyCount: 256,
byteCount: 32,
entropy: Uint8Array(32) [
113, 167, 137, 94, 49, 150, 115, 231,
8, 146, 34, 219, 83, 250, 65, 118,
123, 81, 191, 221, 147, 174, 153, 110,
101, 36, 81, 233, 129, 82, 30, 84
],
hexEntropy: '71a7895e319673e7089222db53fa41767b51bfdd93ae996e652451e981521e54',
hexChecksum: '6f',
bitEntropy: '011100011010011110001001010111100011000110010110011100111110011100001000100100100010001011011011010100111111101001000001011101100111101101010001101111111101110110010011101011101001100101101110011001010010010001010001111010011000000101010010000111100101010001101111',
bitChecksum: '01101111',
wordIndexList: [
909, 482, 700, 793, 825,
1948, 274, 546, 1754, 1278,
1154, 1895, 1448, 1791, 946,
942, 1227, 921, 584, 1310,
1216, 1352, 970, 1135
],
wordList: [
'immune', 'detail', 'fiscal',
'glimpse', 'grunt', 'vicious',
'car', 'dust', 'swap',
'panther', 'motion', 'undo',
'relax', 'that', 'iron',
'into', 'offer', 'industry',
'empower', 'phrase', 'object',
'poverty', 'junk', 'mistake'
]
}Please note that there is a crucial difference in the last word of the phrase when attempting to use the BIP39 standard for entropy recovery from a phrase generated by the current algorithm. When generating 24 random words, the entropy checksum is not calculated correctly. That is why it is essential to first generate entropy, add the checksum, and then derive the corresponding words from the dictionary based on the resulting data. Following this correct approach will ensure compatibility with the BIP39 standard and improve the overall reliability of the mnemonic generation process. solutionA possible solution to this issue could be the implementation of entropy generation according to the standard, and using a trigger mechanism to determine the algorithm for secret recovery based on the compliance of the input mnemonic with the BIP39 standard. If the mnemonic does not adhere to the standard, the current, incorrect algorithm can be used for recovery; otherwise, the standard algorithm should be applied. Additionally, it would be beneficial to include the option for users to derive keys using a specific path, such as |
|
I don't see much merit in being "just" compatible with other networks:
Thus, in contrast with some other blockchains where compatibility means access to whole ecosystem of tools and software, TON gains next to nothing from the compatibility of its key with the standard of other networks: developers who are reluctant to make minor adjustments (or use ready implementations) here will never implement (de)serialization, signing algo, checking message processing in the network (all very different from other networks). What are cons of changing algo?
We still need HDKD, though, probably we can use compatible implementation of that. |
|
While I understand your perspective on the limited benefits of compatibility with other networks and the unique aspects of TON, I would like to emphasize that adopting widely-accepted cryptographic standards offers more advantages than simply facilitating interoperability.
In conclusion, the goal of adopting established cryptographic standards is not merely to be compatible with other ecosystems but to provide a solid foundation of security, trust, and future-proofing for TON. While it may require some adjustments and additional work, the long-term benefits of adhering to proven standards far outweigh the potential drawbacks. I would like to point out that my proposal does not involve changing the number of PBKDF2 iterations currently used in TON, which is set at 100,000, deviating from standard values and purportedly increasing security. While the effectiveness of this increased iteration count can be debated, my primary goal is focused on standardizing the entropy recovery process. By adhering to a standard entropy recovery method, we can maintain the current PBKDF2 iteration count as a parameter for the existing cryptographic processes without disrupting the system. This approach allows for compatibility with industry standards while preserving TON's unique security measures. Additionally, adopting a standard for private key derivation can further enhance our system's interoperability and compatibility with other tools and frameworks. This change would provide users and developers with a more familiar and widely accepted method for managing their keys, without sacrificing the platform's distinct features. In summary, my proposal aims to strike a balance between preserving TON's unique security measures, such as the increased PBKDF2 iteration count, and adhering to industry standards for entropy recovery and key derivation. This approach can foster trust, security, and compatibility, while still retaining the platform's distinct characteristics. |
|
This "industry standards" picked a curve that is not fully secure and continues to use it.
…________________________________
From: Ilyar ***@***.***>
Sent: Wednesday, April 19, 2023 11:42 AM
To: toncenter/tonweb-mnemonic ***@***.***>
Cc: Steve Korshakov ***@***.***>; Comment ***@***.***>
Subject: Re: [toncenter/tonweb-mnemonic] Very bad practice with `pbkdf2Sha512` salt (Issue #13)
While I understand your perspective on the limited benefits of compatibility with other networks and the unique aspects of TON, I would like to emphasize that adopting widely-accepted cryptographic standards offers more advantages than simply facilitating interoperability.
1. Security: Adhering to established standards reduces the risk of implementing insecure or error-prone cryptographic algorithms. Cryptography is a highly specialized field, and creating custom algorithms without thorough peer review and testing can lead to vulnerabilities that may compromise the security of the entire system.
2. Trust: Using industry-standard cryptography can increase the trustworthiness of the system in the eyes of potential users and developers. It demonstrates a commitment to best practices and ensures that the platform is built upon proven and secure foundations.
3. Easier integration with existing tools: Although TON may have unique aspects, compatibility with established standards can still simplify integration with existing tools, libraries, and frameworks, reducing the learning curve and development time for developers working with the platform.
4. Future-proofing: As the blockchain ecosystem evolves, compatibility with widely-accepted standards will become more critical. By adopting these standards now, you can ensure that your platform is better prepared for future developments and potential collaborations.
In conclusion, the goal of adopting established cryptographic standards is not merely to be compatible with other ecosystems but to provide a solid foundation of security, trust, and future-proofing for TON. While it may require some adjustments and additional work, the long-term benefits of adhering to proven standards far outweigh the potential drawbacks.
I would like to point out that my proposal does not involve changing the number of PBKDF2 iterations currently used in TON, which is set at 100,000, deviating from standard values and purportedly increasing security. While the effectiveness of this increased iteration count can be debated, my primary goal is focused on standardizing the entropy recovery process.
By adhering to a standard entropy recovery method, we can maintain the current PBKDF2 iteration count as a parameter for the existing cryptographic processes without disrupting the system. This approach allows for compatibility with industry standards while preserving TON's unique security measures.
Additionally, adopting a standard for private key derivation can further enhance our system's interoperability and compatibility with other tools and frameworks. This change would provide users and developers with a more familiar and widely accepted method for managing their keys, without sacrificing the platform's distinct features.
In summary, my proposal aims to strike a balance between preserving TON's unique security measures, such as the increased PBKDF2 iteration count, and adhering to industry standards for entropy recovery and key derivation. This approach can foster trust, security, and compatibility, while still retaining the platform's distinct characteristics.
—
Reply to this email directly, view it on GitHub<#13 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AADB2E23O2YD4JI25THT5CLXB66QNANCNFSM5NC7KLHA>.
You are receiving this because you commented.Message ID: ***@***.***>
|
What has been noticed
I noticed that the tonweb source code uses a specific salt in the
mnemonicToSeedfunction. The salt (which for some reason is named seed) is defined as'TON default seed'. Other wallets, applications, and services set the same salt value inpbkdf2Sha512to maintain compatibility.The main problem and motivation
In the case that any of the wallet applications close and/or this repository becomes unavailable, users do not have a full understanding of how to recover private keys from the mnemonic phrase.
Problem solution
Only changing the salt value in this repository can fix the problem, since this repository is the basis for future applications. I suggest using
"mnemonic" + passphrase, as a salt, as many popular crypto wallets do for other coins."mnemonic"it's just a string. It is also possible to suggest that the user setpassphraseto create additional "hidden" wallets to his mnemonic phrase.The text was updated successfully, but these errors were encountered: