Score:1

How much computation does it take to crack a PBKDF2's secret salt when the passphrase material has been leaked

mu flag

Given the following code, extracted from a Bip39 implementation for Android by Zcash

PBKDF2SHA512(
    passphrase = veryHighEntropy secret bytearray,
    salt = potentiallyLowEntropy secret bytearray,
    iterations = 2024,
)

What happens if the passphrase gets leaked? Is the total entropy of the hash reduced to the entropy of the salt?

If I understand correctly, the secret salt should function as a password when, for example, a new wallet is generated together with the mnemonic words. So is it possible to run a brute force knowing the mnemonic words?

Example: What if I create a wallet, get the 24 words and set the optional password, then decide to share the 24 words with my wife? Now what happens if she decides to betray me, or she gets socially engineered and a third person gets to know the 24 words?

Is it possible to crack the password with a GT 640?

Score:4
cn flag

There is no way to find the salt other than trying all possible guesses and checking the result. Although PBKDF2-HMAC does not treat the password and the salt in the same way, it has the same essential security properties with respect to both.

If you know the password (passphrase, mnemonic words, whatever you want to call it), and the salt has low entropy, then the derived hash is guessable, just like if you know the salt and the password has low entropy.

The salt is typically not intended to be secret, because it has to be stored. A non-secret salt doesn't have to be unguessable, it only needs to be mostly unique, because the point is to make it not worth the effort to do mass precomputation of PBKDF over common passwords. However, if you do have a place to store a secret securely, then making the salt secret is a bonus, and then you should make it high-entropy. A secret salt is typically called a “pepper” (but often the pepper is shared between multiple accounts whereas the salt is public but per-account; a shared pepper can't be a salt on its own). Regardless of how the salt is stored, taking a random salt is both easy and cheap, so there's no good reason to not have a high-entropy salt.

P.S. ~2000 iterations is ridiculously small. OWASP currently recommends ~100,000 iterations for authentication, and key derivation should use more iterations than authentication because it can be done offline without a time constraint (whereas for authentication, the attacker has to first breach the database and there's a chance that users can update their passwords if the breach is noticed).

zjmo avatar
mu flag
I guess that implementation of BIP39 is used to store an offline crypto wallet. So it is possible to crack the pepper very easily when the mnemonic words are leaked. I think that completely nullifies the purpose of the password (pepper).
Gilles 'SO- stop being evil' avatar
cn flag
@zjmo The salt or pepper isn't a password. A public salt (distinct for each user, but not secret) is useful. Without that, a thief could pre-compute derived keys, and just indistinctly try to attack lots of wallets, just stealing from people with the weakest passwords.
zjmo avatar
mu flag
Are you sure? I've thought that the salt in this case is the additional optional password required to unlock a wallet with the recovery mnemonic seed.
Gilles 'SO- stop being evil' avatar
cn flag
@zjmo I'm familiar with cryptography, but not with cryptocurrency or with how BIP 39 is used in practice. What I can tell is that to find the result of the PBKDF calculation, you need to know (possibly by guessing) both the password and the salt. Using a human-memorable salt is technically possible, but it would be extremely weird: the whole point is for it _not_ to be chosen by humans, unlike the password.
zjmo avatar
mu flag
I've updated the question about the usability of the password.
samuel-lucas6 avatar
bs flag
The [spec](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed) says the PBKDF2 salt is "mnemonic" + passphrase (in UTF-8 NFKD), with the mnemonic sentence (in UTF-8 NFKD) as the password. That is weird.
Score:1
bs flag

I'm going to change some of your terminology because passphrase makes things confusing. What we're talking about is a randomly generated mnemonic sentence and an optional user-specified password.

What happens if the mnemonic sentence gets leaked?

Based on the specification, if you have no password, an attacker could generate the seed because the salt is merely "mnemonic".

If you specify a password, the attacker doesn't know the salt because it becomes "mnemonic" || password. Thus, they have to guess the password repeatedly.

Is the total entropy of the hash reduced to the entropy of the salt?

No, the mnemonic sentence is still high in entropy.

Is it possible to crack the password with a GT 640?

That's a very specific question. How difficult it is to crack a password depends on the strength more than anything. If the password is "password", it can be cracked immediately regardless of your hardware. Similarly, if the password is "/x]ku@"aJ%!]3"(k|xH0C4Kyr{1%r?", it won't be cracked by anything.

zjmo avatar
mu flag
I think nobody is going to use a very hard password because they think the seed is already strong. I was expecting that, knowing the seed, I can just brute-force the password as if the entropy given by the words is 0 since they are not secret anymore. Not sure if I explained myself... the GT 640 was just to say, but clearly it could be any easy-to-access system.
samuel-lucas6 avatar
bs flag
I wouldn't say so since the purpose is to protect the mnemonic. An attacker can just bruteforce the password, but the entropy of the hash is not crippled. I think you're talking about entropy in terms of how difficult it is to crack the password, but your question was about the PBKDF2 output. Lastly, this doesn't mean easy access because a strong enough password cannot be bruteforced. The iteration count is terrible though.
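To make the answer above concrete, here is an added example (not code from the question, the Zcash implementation or the BIP39 project) that derives a seed exactly as the linked spec describes and then checks, for a leaked mnemonic, how many candidate passphrases reproduce a given seed. It assumes the spec's parameters (PBKDF2-HMAC-SHA512, 2048 rounds, NFKD normalization) and uses the well-known all-zero-entropy test mnemonic as constructed input; the candidate lists and passphrases are constructed too.

```python
import hashlib
import unicodedata

# Parameters taken from the BIP39 spec linked above: PBKDF2-HMAC-SHA512,
# password = mnemonic sentence, salt = "mnemonic" + passphrase, both UTF-8 NFKD,
# 2048 rounds, 64-byte output. (The question's "2024" differs from the spec value.)
ITERATIONS = 2048
SEED_LEN = 64

# Constructed input: the canonical all-zero-entropy test mnemonic (valid checksum).
DEMO_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def nfkd(text: str) -> bytes:
    """UTF-8 NFKD encoding, as the spec requires for both inputs."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def salt_for(passphrase: str) -> bytes:
    """With an empty passphrase the salt degenerates to the constant b'mnemonic'."""
    return b"mnemonic" + nfkd(passphrase)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit seed as the spec describes."""
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), salt_for(passphrase),
                               ITERATIONS, SEED_LEN)


def passphrase_guesses_to_match(mnemonic: str, target_seed: bytes, candidates):
    """Once the mnemonic is known, the seed is fixed by the passphrase alone.
    Count how many candidates have to be derived before target_seed is reproduced;
    returns (found, guesses_made). This is the owner's own check of what the
    optional passphrase still protects after the words have leaked."""
    for n, guess in enumerate(candidates, 1):
        if bip39_seed(mnemonic, guess) == target_seed:
            return True, n
    return False, len(candidates)


if __name__ == "__main__":
    seed = bip39_seed(DEMO_MNEMONIC, "wife2020")  # constructed weak passphrase
    print("seed:", seed.hex())
    print(passphrase_guesses_to_match(DEMO_MNEMONIC, seed, ["", "password", "wife2020"]))
```

Each candidate costs one full PBKDF2 run, so the 2048-round count is the only per-guess cost standing between a leaked mnemonic and a weak passphrase.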