Monday, July 25, 2011

Encryption = Security ?


Advice on securing the bitcoin wallet has always centred on isolating the wallet.dat file either within an encrpyted volume or by physically separating it from an internet connection. Some users may feel this is no longer neccesary as the upcoming version 0.4 of the official bitcoin client promises to include encryption for the wallet. However, encrypting the wallet will not stop trojans from accessing the file.Users are therfor relying on the strength of their password and the cryptographic implementation to protect them.


Given that Bitcoin is founded on crptography it would be easy, although incorrect, to assume that an encrypted wallet would be impervious to attacks. The greatest weakness of any passworded system is unsuprisingly the password rather than the encryption. So concerning is this issue that Hotmail recently banned the use of some of the most common passwords because in their own words: "Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes “brute force!”[1]. More worrying still is the list of the most commonly used passwords. A recent study[2] by security group Imperva of a security breach which revealed some 32 million passwords showed the top 5 passwords to be 123456, 12345, 123456789, Password, and iloveyou! In fact further analysis of these types of breaches has showed that more than 60% of passwords are derived either from numeric sequences, names, places, or dictionary words [3]. Password crackers are in fact even more sofisticated than that with venerable tools such as 'Crack' for unix[4] having exceptional permutation filters which can easily pick up word variations such as p@ssword. The addition of personal information, such as date of birth and holiday destinations, available on sites such as facebook only adds to the issue.

There is a further twist to this story though. When 'Crack' was released in 1991, a regular workstation cpu could test about 35 passwords a second[4], at the time this was a staggering acehivment. It meant if you left your workstation running over a weekend, you could test in excess of 6 million passwords. Compare that to a recent Tom's Hardware article [5] which estimated that with a pair of Radeon HD 6990's you could now expect to check over 3 million passwords per second against AES encryption. To put that in perspective, there are less than 1 million words in the english language. The icing on the cake of course, is that many miners have considerably more than two GPUs at their disposal. For example the SkepsiDyne Integrated Node, a Bitcoin Mining Company currently has twenty six 5850's running and is aiming to double this[6]. If a miner such as this should go rogue they would have significant processing power at their disposal. In fact as mining become less lucrative, there are already examples of mining systems being made avaialable for GPU intensive calculations with "no questions asked"[8].

All these concerns of course highlight the importance of a strong password, but more than this, they suggest that encryption of the wallet is not enough by itself. There are of course many ways of isolating your wallet from potential theft, from the simple use of encrypted volumes [9] or using online services such as mybitcoin.com, through to the more complex recording of keys on phyiscal media to remove any electronic trace of them as is offered by Bitbills[9]. Perhaps the best advice is that of splitting your coins between a savings wallet and a spending wallet as energetically described on the bitcoin forums [10]. This allows you ease of access to your normal spending money which will be encrypted (with your strong password!) in the upcoming bitcoin client release, whilst giving your savings the maximum security.

A final thought is that Bitcoins are in many ways very similar to cash. You would not keep your life savings in a wallet on your (physical) desktop. It is equally foolish to keep your savings of Bitcions on your (virtual) desktop. The implementation of wallet encryption could be viewed as the equivalent of keepying your physical wallet in a zip pocket. A zip pocket may well keep your wallet safe from pick pockets, but it only works if you keep it well zipped, and even then it would not be an alternative to keeping savings in a bank account!


Please remember! Brands or companies named here are only examples, they are not endorsed by Brief Bitcoin news!

[1]http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/07/14/hey-my-friend-s-account-was-hacked.aspx
[2]http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
[3]http://www.troyhunt.com/2011/07/science-of-password-selection.html
[4]http://dropsafe.crypticide.com/article/733
[5]http://www.tomshardware.com/reviews/password-recovery-gpu,2945.html
[6]http://www.skepsidyne.com/
[7]http://forum.bitcoin.org/index.php?topic=18203.0
[8]http://forum.bitcoin.org/index.php?topic=24235.msg340118#msg340118
[9]http://bitbills.com/
[10]http://forum.bitcoin.org/index.php?topic=17240.0

1 comment:

  1. Recovery password
    Fast, high-quality recovery of your forgotten password. Inexpensive!
    communicate http://recoverywallet.com/

    ReplyDelete