3

With no server and only in the browser I'm generating a BIP39 key and giving the user the mnemonic to store somewhere safe for restoring. I also want the user to be able to log in with a password.

1) Could I encrypt the mnemonic with a password?

2) If I do encrypt the mnemonic, which algorithm should I use?

Will-In-China

1 Answer

3

BIP39 has an optional "encryption" via PBKDF2 (passphrase-to-key), with the passphrase used as salt (this allows possible deniability). https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed

The weakness there is that BIP39 uses only 2048 rounds during the KDF, which is easy to brute-force.

If you store it in a cloud (or similar), I recommend doing AES-256-CBC encryption of the mnemonic with a strong password and a strong KDF (maybe PBKDF2 with at least 30'000 rounds).

Jonas Schnelli
  • Jonas, thank you for your reply. Please can you help me understand the benefits of AES-256-CBC over AES-256-GCM? Specifically in relation to encrypting a mnemonic in the browser – Will-In-China Apr 10 '17 at 11:55
  • That's a difficult question with probably multiple answers. GCM has several advantages (HMAC) and some disadvantages (small IV) over CBC. It depends on your use-case. For purely disk encryption, CBC seems to be the most common choice. – Jonas Schnelli Apr 10 '17 at 12:01
  • "The weakness there is that BIP39 uses only 2048 rounds during KDF. Which is easy to brute-force." An attacker would have to take the mnemonic + append a password guess + do KDF rounds + get HD master key + derive a set of address keys + query the blockchain for balances. Is this not enough of a slowdown? I see that the salt is capped at 64-bit entropy :( One could put some balance with master keys resulting from dummy weak passwords, to detect a compromised seed and be alerted to move funds.

    Here's an interesting read: https://coldbit.com/can-bip-39-passphrase-be-cracked/

    – bca-0353f40e Dec 17 '22 at 10:00