I’m working with a company that is developing a wallet for crypto currencies. There is a lot of consternation about the friction introduced by asking the user to back up their private key using 12 words, as is common with BIP39. The concern is that most of the users targeted by this wallet will not be familiar with the concept, and that it will feel burdensome to them to have to keep 12 words safe somewhere. I’ve been asked multiple times to “fix the 12-words problem” but frankly, 12 words IS the fix.
What is BIP39?
BIP39 is a bitcoin improvement proposal for a mnemonic mechanism for backing up a private key. Bitcoin and other cryptocurrencies use asymmetric cryptography to sign transactions which prove ownership, and therefore the ability to spend, bitcoin. Therefore, securing your private key is paramount to the security of your bitcoin, as anyone with the private key can create a valid signature and spend your funds.
A private key is simply a 256-bit random number, which means it is between 0 and about 1.158 × 10^77. There are various mechanisms for creating that random number, which I won’t go into. But that number can be represented by 78 decimal digits, which is terribly long, or in hexadecimal it is 64 characters long, like this:
You can also display the private key in WIF-compressed format (Base58 + checksum), which would be something like this:
Each of these is even worse than the computer-generated WiFi password at my mom’s house, and she struggles enough with that. Imagine me telling her to write down either of the above, and if she doesn’t do it right, or loses it, then her retirement is gone. The chance of a transcription error in attempting to keep the above is large because neither representation has any sort of meaning to the human mind.
Keeping it simple, BIP39 is a protocol that takes the private key, and instead of printing it in one of the above formats, maps it to 12 words. There’s a little more to it than that, but that’s the gist. Now, instead of either of the above formats, you get something more like this:
army van defense carry jealous true garbage claim echo media make crunch
Which of these is easiest to transcribe? What about memorize? Which could you tell someone over the phone (don’t do that with your private key!)? Which would be easier to type when restoring your wallet?
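An added example, not from the original post or from any wallet project, of the encoding step BIP39 actually performs. Two caveats a practitioner should know: the words encode the random entropy from which the key is derived (through PBKDF2 and BIP32), not the private key itself, and 12 words carry 128 bits of entropy plus a 4-bit checksum (24 words carry 256 bits). That checksum is what lets a wallet reject most mistyped or swapped words on restore. The wordlist below is a constructed stand-in for the real 2048-word English list, so the output is placeholder tokens rather than real words.

```python
import hashlib

# Constructed placeholder wordlist: the real BIP39 English list has 2048 fixed
# words (11 bits per word). Word i here is just "w0000".."w2047" so the block
# runs offline; swap in the real list to get real mnemonics.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 encoding: append the first ENT/32 bits of SHA-256(entropy) as a
    checksum, then cut ENT||CS into 11-bit word indices (128 bits -> 12 words)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices) -> bytes:
    """Inverse of entropy_to_indices; rejects a mnemonic whose checksum does not
    match, which is how a wallet catches most transcription errors on restore."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    total = n * 11
    cs_bits = total // 33
    ent_bits = total - cs_bits
    combined = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index out of range")
        combined = (combined << 11) | idx
    checksum = combined & ((1 << cs_bits) - 1)
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if checksum != expected:
        raise ValueError("checksum mismatch: a word was probably mistyped or swapped")
    return entropy


def entropy_to_mnemonic(entropy: bytes) -> str:
    return " ".join(WORDLIST[i] for i in entropy_to_indices(entropy))


def mnemonic_to_entropy(mnemonic: str) -> bytes:
    words = mnemonic.split()
    unknown = [w for w in words if w not in WORD_INDEX]
    if unknown:
        raise ValueError(f"not in wordlist: {unknown}")
    return indices_to_entropy([WORD_INDEX[w] for w in words])


if __name__ == "__main__":
    import secrets
    ent = secrets.token_bytes(16)          # 128 bits of fresh entropy
    words = entropy_to_mnemonic(ent)
    print(words)
    assert mnemonic_to_entropy(words) == ent
```

With the real English wordlist dropped in, 16 zero bytes of entropy give the well-known test vector "abandon" eleven times followed by "about" (index 3, the 4-bit checksum), which is a quick way to confirm a wallet's implementation before trusting it with funds.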
The 12-words problem
The “12 words problem” then becomes a problem in mindset around private keys. Users are used to being bailed out by the service provider. The internet industry has trained people not to keep their secrets. Every “forgot password” button has taught us that it’s actually not important to keep that one bit of information that authenticates us to our banking provider safe or secret. I can forget it and they will send me a new one. I can authenticate by simply reading back a number sent via text to my phone, or to the email address I use. I now rely on the security of my phone or email address for the security of every other service I attempt to authenticate to.
This mindset has opened attack vectors against all sorts of services through social engineering, from stealing coveted Twitter accounts to draining crypto wallets secured via 2-factor authentication (again… tied to your phone number). Phone port attacks are becoming more common in the world of cryptocurrency because they give access to the 2FA mechanism, which then gives access to a user’s exchange account. Yes, I’m simplifying, but all of that has happened.
Things Worse Than 12 Words
So, if I want to fix the 12-words-problem, what are some options? If the 12 words are meant to allow a human to store this computer generated random data, what other representations could be used?
The strengths of 12 words include:
- Maps to known concepts for humans
- Easier to transcribe
- Easier to communicate
- Easier to input
What if the bits were encoded into music? Perhaps the bits could represent timing and notes. BIP39 has a small dictionary of commonly used words. The music BIP could include notes that harmonize well so it’s always pleasant. The bits could represent some combination of notes and timing, creating a ditty that is your private key. It maps well to humans. It’s difficult to transcribe, difficult to communicate, especially for the tone deaf, and difficult to input. While you may be able to recognize your key if it was played back to you, you would likely have difficulty recreating it exactly.
What if the bits were encoded into a collection of images? There could be a small dictionary of simple clip-art style pictures. Your private key would create a sequential comic panel. Again, it maps well to humans, is difficult to transcribe or communicate, and would be very difficult to input correctly. Imagine if in order to restore your wallet you had to select 12 images out of a collection of 2096 options.
Alternately, it could be a single picture with multiple characters in it. Maybe the bits represent the characters and their extremity positions. For instance, my private key would be a bear, standing on his left leg, with his right arm in the air and left arm by his side. Next to that is a pig on all fours, with its tail out straight. This is probably even worse than the clip-art example.
Pin or Unlock Pattern
What if the user could drag their finger across dots like a mobile phone unlock pattern, or enter a PIN? Since the private key is already 77 digits long, you would expect that the PIN-type entry would simply be those 77 digits. Trying to remember that is the problem we are trying to solve originally. If we translated that to a pattern, you would be dragging across 77 points… again, burdensome and error prone.
What if I could give part of my key to my friends and require them to come together to restore my key in case I lose it? With Shamir’s secret sharing, it is possible to split a key into parts, and then require any subset of the parts to recreate the key. I could give part of the key to my four siblings and ask them to keep it safe. When I lose my key, I could require that three of them divulge their part and then I could reconstruct the key.
Chances are three of my family members would not collude to steal my funds because I think they’re good people. But this still requires the trust of multiple third parties. I’m also now assuming they won’t lose the key, like I did. One nice aspect of this kind of key-splitting is that having a single slice of the key does not reveal anything about the key itself, so it does not actually help any brute force attack.
Making 12 Words Easier
If we decide that the 12 words mechanism is actually the best representation, then what could we do to ease that pain?
What if the 12 words were stored “in the cloud” because you can store everything securely in the cloud?! Some people will take a picture of their twelve words. Taken with their phone, it may have been uploaded to google photos without them even knowing. And then what if it accidentally slips into a public folder? That’s a quick way to lose all of your funds.
How about asking a trusted third party to keep it safe for me? Maybe my wallet has a “backup in the cloud” button. I click it, set up my password, and it heads to the cloud. Maybe it’s even encrypted with my password so the third party can’t even read it. Now that third party is a wonderful target for hackers. Humans are terrible at choosing passwords. Somehow, I still know people that use the same password on all of the sites they hit. Your favorite password is in a rainbow table somewhere, and will be used to recover your private key when the hackers get that database of private keys, and you know they will get that database (Experian, Target, Home Depot, everyone…)
Some will say that there are two types of companies. Those that know they’ve been hacked, and those that don’t. Storing your private key online is a terrible idea if you have anything more than play money involved.
Partial Online Backup
What if I don’t store 12 words online? What if I store 6 here and 6 there? Some are already arguing that 12 words is not enough and are using 24 words instead. Now, if you want to cut it to 6 you are further weakening the security of your private key.
For a brute force attack, you basically have a 1 in 10^77 chance of picking correctly. You may assume that getting 6 of the 12 words would cut that in half. No, dividing 10^77 by two yields 5 × 10^76. Cutting in half would hardly reduce the security. Revealing half of the private key (via 6/12 words) cuts the difficulty down to 1 in 10^38 because you have gone from having to guess 256 bits, to only having to guess 128 bits.
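The arithmetic in the paragraph above, written out as an added example (not part of the original post), with the extra step of converting the figures into bit counts:

$$2^{256} \approx 1.158 \times 10^{77}, \qquad \frac{2^{256}}{2} = 2^{255} \approx 5.79 \times 10^{76}$$

Halving the number of candidates removes a single bit of work. Revealing half of the bits removes 128 of them:

$$2^{256 - 128} = 2^{128} \approx 3.4 \times 10^{38}$$

In general, exposing $b$ of $N$ secret bits leaves $2^{N-b}$ candidates, so a partial leak shrinks the search exponentially in bits, not linearly in candidates. For an actual 12-word BIP39 mnemonic, which encodes 128 entropy bits plus a 4-bit checksum at 11 bits per word, exposing 6 words leaves 66 unknown bits of which 4 are fixed by the checksum:

$$\frac{2^{66}}{2^{4}} = 2^{62} \approx 4.6 \times 10^{18}$$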
Secret Sharing Online Backup
What if I used secret sharing and stored the Shamir slices in different online locations? With Shamir secret sharing, the user could select multiple online locations to store Shamir secret sharing slices of the private key. When they need to restore their wallet, they could retrieve the required number of slices from Amazon S3, dropbox, and google drive. This is similar to the 12 words partial online backup, except the slices don’t help an attacker narrow down a brute force attack.
Once again, users are not so good at selecting passwords, and too-often share them amongst services. You are now tying the security of your private key, which for all I know is storing your entire life-savings in bitcoin, to your password selection for your amazon, dropbox, and google accounts.
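An added example, not from the original post or any wallet project, of the Shamir split described in the siblings scenario earlier and reused for the online-slices scheme above: a 256-bit key is split 3-of-4 over a prime field, any three shares recover it, and fewer shares are consistent with every possible key, which is why a stolen slice does not narrow a brute-force search. The key bytes and share counts are constructed for the demonstration.

```python
import secrets

# Shamir's scheme works over a finite field; this Mersenne prime is large
# enough to hold a 256-bit private key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, num_shares: int):
    """Return num_shares points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 < threshold <= num_shares:
        raise ValueError("need 1 < threshold <= num_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over any `threshold` distinct shares.
    With fewer shares than the threshold this still returns a value, but it is
    unrelated to the secret: every candidate secret is equally consistent with
    the shares held, which is why a single slice leaks nothing."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * xj % PRIME
                den = den * (xj - xi) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key: bytes, threshold: int, num_shares: int):
    """Split a raw key (e.g. 32 bytes) into Shamir shares."""
    return split_secret(int.from_bytes(key, "big"), threshold, num_shares)


def recover_key(shares, key_len: int = 32) -> bytes:
    """Recombine a threshold set of shares back into the raw key bytes."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)                         # constructed 256-bit key
    shares = split_key(key, threshold=3, num_shares=4)    # one share per sibling
    assert recover_key(shares[:3]) == key
    assert recover_key([shares[0], shares[2], shares[3]]) == key
    # Two shares are below the threshold: the interpolated value is a random
    # field element, not the key, and the holder has learned nothing about it.
    assert recover_secret(shares[:2]) != int.from_bytes(key, "big")
    print("3-of-4 recovery ok; 2 shares reveal nothing")
```

Each share is a point (x, y) where y is as large as the field, so store the x coordinate with it; losing track of which share is which makes reconstruction fail just as surely as losing a share. The property the paragraph relies on holds only while the shares really are held by independent parties: three slices protected by one reused password are, in practice, one share.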
Security Vs. Convenience
I’ve had the luxury of working with a wonderful security department for the last 8 years of my career. They understand the security concerns, but also the tradeoffs of implementing some forms of control. In many aspects they will educate the business owner of the risk, and then defer the decision to that owner. They will also exercise their right to stop a deploy or feature if the security risk is simply too great. They exercise that right sparingly, so when they do, business knows it’s important.
Some providers, like the Edge wallet, do allow for backing up your key in the cloud. They have put precautions in place to attempt to mitigate many of the security concerns of storing keys in the cloud. It’s a decision they have made as a business, and it will work for some people.
The currency of security is convenience. High security costs a lot of convenience. BIP39 IS the convenience trade-off to the security of users storing their own private keys. By converting a 256-bit random number to a stream of known words, the user at least has a chance of keeping, and being able to restore, their private key.