William Yager [ARCHIVE] on Nostr: 📅 Original date posted:2014-03-12 📝 Original message:On Wed, Mar 12, 2014 at ...
📅 Original date posted:2014-03-12
📝 Original message:On Wed, Mar 12, 2014 at 4:08 PM, Jean-Paul Kogelman <jeanpaulkogelman at me.com
> wrote:
>
> Agreed, this is a valid concern. This could possibly allow a 3rd party to
> crack the password, but then again, they would not gain access to any key
> material. So yes, you could expose your password, but your key would still
> be safe.
>
> If people feel strongly about this vulnerability, we can revisit step 4
> and adjust it to make password recovery more expensive.
>
>
Just to clarify on J.P.'s comments:
*If* you choose to outsource StrongH calculation, and *If* that machine is
compromised, then the security of your password is reduced to a single
round of salted PBKDF2-HMAC-SHA512. Your private key remains on the trusted
device, no matter what.
Regrettable, but not catastrophic.
Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140312/1929a5bc/attachment.html>;
📝 Original message:On Wed, Mar 12, 2014 at 4:08 PM, Jean-Paul Kogelman <jeanpaulkogelman at me.com
> wrote:
>
> Agreed, this is a valid concern. This could possibly allow a 3rd party to
> crack the password, but then again, they would not gain access to any key
> material. So yes, you could expose your password, but your key would still
> be safe.
>
> If people feel strongly about this vulnerability, we can revisit step 4
> and adjust it to make password recovery more expensive.
>
>
Just to clarify on J.P.'s comments:
*If* you choose to outsource StrongH calculation, and *If* that machine is
compromised, then the security of your password is reduced to a single
round of salted PBKDF2-HMAC-SHA512. Your private key remains on the trusted
device, no matter what.
Regrettable, but not catastrophic.
Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140312/1929a5bc/attachment.html>;