AES

Jacmac_

I think a whole lot depends on this Q* thing. Is it real thai ASI or AGI could break SHA256 and AES256? I don't know, but if it is legit, the crypto world, and a lot more, is going to undergo a dramatic change in "support".

igadjeed

> Are the two situations completely equivalent They're not A recovery mnemonic (if using BIP39) uses a word list chosen for error tolerance. That is, you can make errors when writing the words. Years later, the recovery function can prompt for corrections, because of the way the word list is built The passphrase lacks this error tolerance > PBKDF2 This is just a 512-bit hash created by iterating SHA2 2048 times When PBKDF2 is used for AES key stretching, the purpose of the salt is to avoid key reuse. Key reuse is a mathematical issue, a potential pattern weakness for AES. Salting also defeats rainbow tables of passphrase-key pairs. In this use case, the salt is recorded in the metadata stored with the cipertext. It's not secret. Similarly, when PBKDF2 is used for passphrase-based authentication, the salt is recorded alongside the hash. It's partially secret, depending on whether the shadow file is leaked BIP39 PBKDF2 does not record the salt. It's not necessary to record it. The 512-bit "seed" is nothing more than the starting entropy for BIP32 HD key chains. So the salt and the payload are equal components of PBKDF2's initial SHA2 payload

pgh_ski

Indeed it is. Can use any strong, modern encryption with a very strong, unique, long passphrase. IIRC 7zip supports AES, as does Office. Better yet, use a well vetted password manager or key storage program like KeePass, OnePassword, etc. depending on your threat model. I would only recommend storing encrypted seed phrases for hot wallets (spending money wallets) that are already PC/mobile based. Don't type a cold wallet (hardware wallet) seed into a PC/mobile, even in encrypted form. This is b/c it breaks the security model of generating and storing keys offline and away from general-purpose compting devices.

pgh_ski

That's not quite what obscurity means in the context of cryptography. In crypto, we generally say that an algorithm is secure if all details of the algorithm and its workings are public/known information, and the only *secret* is the key/passphrase. For example, modern symmetric encryption like AES. AES is everywhere, people know all of the very standard operations involved. AES is secure provided proper implementation and a good secret key. Contrast this with "security through obscurity" like the above. Just encoding a seed as base64. If an attacker finds out or guesses the implementation details (that the secret is just encoded as base64) then the "security" is completely broken. All the attacker has to do is decode the base64. I can encrypt a piece of information with AES and publish the ciphertext, and challenge people to decrypt it. They can't, without doing attacks to guess the secret key. If I publish base64 encoded information, tell people nothing about the methods of encoding that information, and someone will be able to extract the plaintext almost immediately.

BastiatF

I would speculate that your speculation about the algorithm that is speculated to have speculatively cracked AES 192 is pure speculation

igadjeed

> AES256 hashing No such thing

WatIsWijsheid

So you're assuming its in a rainbow table which isn't necessarely the case. Same for the password. Both can still have special meaning for me, making them easy to rember. And yes AES256 hashing.

bitsplease_

You can crack easy to remember pass-phrases very fast with rainbow-tables. You would have to use a strong encryption (like AES256) but it doesn't matter if you use an easy to guess password. So you create a strong password. Now you have the same problem: you have to store securely a key.

bchpleez

No, but the claim is that the AI invented new math that lets you reverse AES 192 encryption.... and that's with a KEY. They haven't even bothered trying to 256 hash data backwards... but there is no principal that says it cannot create new math to do it.

SmoothGoing

Elliptic not elliptical. And it's ECDSA, digital signature algorithm, not asymmetric encryption. RSA256 is basically not a thing, too weak. RSA is not in bitcoin at all. AES is not in bitcoin but is used in wallet clients to encrypt the wallet file.

analogOnly

There seems to be a lot of confusion between Eliptical Curve Asymmetric Encryption, SHA256 (Which is a hashing algorithm not an encryption algo), RSA256, and AES encryption in this sub.

uclatommy

It is speculated that Q* is the algorithm that permitted AI to find a way to defeat AES-192.

BastiatF

> But the idea that Q* is a combination of Q-learning and A* pathfinding is entirely plausible What does that have to do with your claim of cracking AES 192? Reading research papers, building your own models and doing your own research will give you a sense of what is scientifically realistic and what is science fiction, futurology and clickbaiting.

BastiatF

David Shapiro didn't say that Q* cracked AES 192 encryption!😆 Admit you read that on some lowbrow infotainment website

uclatommy

I believe in inverse Cramer so much that I'm honestly scared by this. There is an ongoing rumor that OpenAI's Q\* algorithm enabled it to break AES 128-bit encryption in a way that we cannot comprehend. This would normally be impossible because the amount of computing power necessary to brute-force the decryption would take an astronomical amount of time. That means if it's broken by AI, it found a vulnerability in the encryption algorithm beyond human comprehension. If that's true, I can see how it could have a real impact on cryptograpy-based finance like the BTC blockchain.

SuleyGul

Not sure as I haven't used a nokia in a decade or more lol. I just have old Samsungs from a few years ago a few of them. I use them. Install any program which has some kind of AES 256 encryption. Put the seed phrase in there and Choose a super a long password with numbers and all sorts of different charactes and that's it. Nothing complicated. I store each phone in seperate locations in case I lose or damage one. So i am sweet. The idea of writing my seed phrase in plain sight terrifies me.

proof-of-conzept

I thought about making a batch encryption bith AES-256 and different passwords. Then base64 so i can write it down. Then each family member gets a letter with an encryption and all the passwords of the other people but not the one for their own encryption. Then if someone would break into their homes and steal the encrypted file they cannot decrypt it. Unless they steal one from another family member. Also it needs two family members to come together in order to recover the seed phrase. How about this?

proof-of-conzept

Have you thought about encrypting your seed phrase with AES-256 for example? Hand out the encryption and give the passwords for decryption to the other one?

proof-of-conzept

I am always affraid that someone can find the seedphrase and use it. I would at least encrypt it with AES-256 and then use base64 so i can write it down.

proof-of-conzept

I also thought about buying a raspberry pi, where I can savely encrypt the seedphrase offline with different passwords using AES-256 and base64. Then I will give each member a letter with instructions on how to decrypt it together with the keys in a letter. The only clue is, that everyone only gets the keys for the other peoples encryptions, but not to the one of their own letter. So if someone breaks into one of their homes and steal the encrypted seedphrase, they cannot decrypt it if they don't break into another persons home as well.

telejoshi

SHA256 is just the hash algorithm used by the miners, the keys are ECC and I'm not sure about that (I see different opinions about whether it's secure or not). A lot of our communication may be broken in the future, that's a real problem. Let's just hope it lasts long enough that most of the data is no longer relevant. I've also heard that AES is considered to be safe. I must dig deeper into this topic because I can only rely on stuff I read somewhere

thegatman-pc

Snark is a cryptographic protocol designed to interact and support only the Ethereum network. It’s not a DES, DDDES, AES, or any other know standard of cryptographic algorithm set by IEEE. Don’t pass off 11 year old software as innovation. It makes you look desperate.

AvatarOfMomus

Even discounting human error I still wouldn't bet that no one ever finds a vulnerability or a trick to make even AES-256 decryptable within a human meaningful amount of time. When the service in question is talking about persisting data for, at a minimum, 200 years then I wouldn't want to take that bet. And of course there's always the far more reliable way of cracking something like this, which is get the key from the user(s). Yeah at that point the encryption algorithm doesn't matter, but it's still a risk when talking about any publicly posted data. The more valuable the data the greater the risk, hence why anyone pushing for stuff like government documents or medical information on the blockchain is a moron!

jawni

>Hard to brute-force algorithms like AES-256 are difficult to crack for specific messages in a timely manner, but they can be broken with enough time and computing power. "Enough time" is still more than millions of years even with a quantum computer. >If there's anything close to a master key then you only need someone to slip up once, or compromise one person's computer, to compromise the entire thing. I said excluding human error, because the keys are going to be an attack vector no matter what encryption you're using. >Plus even if that's not the case it's possible a computing improvements and math and cryptography research may eventually make some attack on these encoding systems feasible. Since the data is public it's basically not a question of "if" but "when". Maybe, but not very likely by the opinion of cryptography experts, even with advances in quantum computing.

uptokesforall

M8 if you can create a quantum computer with 256 qubits you can crack AES encryption in one step.

AvatarOfMomus

Hard to brute-force algorithms like AES-256 are difficult to crack for specific messages in a timely manner, but they can be broken with enough time and computing power. That's the issue with public permanent data like is on a lot of blockchains, and like a lot of idiots want to make happen for things like sensitive personal information. If there's anything close to a master key then you only need someone to slip up once, or compromise one person's computer, to compromise the entire thing. Plus even if that's not the case it's possible a computing improvements and math and cryptography research may eventually make some attack on these encoding systems feasible. Since the data is public it's basically not a question of "if" but "when".

Areshian

The fortification has some cost, so there is an incentive to wait as much as possible. It’s not just that QC safe encryption is more computational intensive, but over the years we’ve invested a lot of effort to optimize our current one. Sure, it is not as crazy as AES, where we basically have a lot of hardware (including basically every cpu out there) optimized for it, but still significant.

north0

Anything really critical is protected by symmetric encryption, and as far as I understand there aren't any algorithms that claim to be able to break AES.

telejoshi

Checked again and it's true, AES256 is believed to be quantum resistant, but it doesn't seem sure. RSA is definitely not resistant.

jawni

Considering this is generally used in a complementary fashion to public immutable ledgers, seems like something that isn't going to be a factor to that many people. Although without human error, you can probably be safe from having the encryption broken for quite a while. In fact, a lot of people think AES-256 will *never* be broken, even with the advent of quantum computers.

SearchingForDelta

Bitcoin doesn’t use AES, it uses SHA-256 for mining and ECDSA for keys. SHA-256 is probably quantum resistant unless there’s an unforeseen development. No issue there. ECDSA on the other hand is vulnerable to quantum attacks. It would be feasible to figure out private keys from public keys and drain people’s wallets. Sure you could fork BTC and upgrade the cryptology but the risk is that by the time this is completed enough private keys for all the high-value wallets have already been figured out and the value tanks. Either way the current chain as we know it would be dead

CrazyTillItHurts

You're the delusional one, homie. AES is quantumproof as far as we can tell, with what we *do* know about the function of quantum computing and how AES and family operate

igadjeed

> I don't see this as a rational response Your claims are not rational. You made them up. There is no risk to AES. A quantum computer is not a cracking tool. RSA is not relevant to Bitcoin. Bitcoin has no encryption > If in 10 years quantum computers can break 32 bit ECC There's no such thing as 32-bit ECC > Peter Shor has already solved the discrete logarithm problem back in 1994, theoretically at least. And it will probably take another 30 years before any practical application of his algorithm can be used Most likely never going to happen. The "30 years from now" estimates are now more than 30 years old. In 30 years, we will still be predicting useful quantum computers in 30 years time. Eventually, the infinite 30-year timeframe leads to a realization that it's not possible > will the bitcoin protocol have time to switch Ask again in 30 years

proof-of-conzept

Then you can store it on paper, in your DollarWallet. In a text file on a computer - which you might want to then encrypt another time with AES or something. Just make sure that you have not used a computer that is traceable to you finding or generating your cypher key that you use for encryption, or invent one by your own. And also make sure that you never type the clear text seed phrace into a computer. Then you should be fine.

kamill85

No, the truncation of 256 bits will not give you GUARANTEE of a unique number translated from a sequence of numbers. Translation via matrix, like in AES, does that. If you keep adding 1 to an input and hash it once with AES, the resulting 128 bits are guaranteed to be unique, with no repetitions, no matter what key you choose. But if you truncate AES output to 66 bits, it is possible number 747374 AESed first 66 bits will be exactly same as +1, so 747375 AESed could in theory result in the same first 66 bits followed by different bits. Next, hashing algos in general are lossy in nature , o by design, you also could have collisions of your sequence inputs resulting in the same 66 bits. The best solution would be getting AES-like 64 bit algo (3DES for example), running it on 0..64bit sequences and the remaining 2 bits reserve for your threading, so choose assign each combo of them to each cracking thread, or if its one, run through them for each sequence number. For a single thread, assuming you're using 3DES it would go like: Input seed value (default 0) -> x For (unsigned int128 i=x, i<=0xffffffffffffffff, i++) { X0=3DESEncrypt(i); X1=3DESEncrypt(i^1<<64); X2=3DESEncrypt(i^2<<64); X3=3DESEncrypt(i^3<<64); ValidateBtckey(X0); ... ValidateBtckey(X3); ... } This way, you run through all sequences of 0..64bit in unique random way, no repetitions possible.

Amber_Sam

I would use it with a computer, running a solid GPU - more processors, less time. You're dealing with a AES 128 (or 256) after all.

kamill85

May I introduce you to the birthday paradox. After a short while chance for hitting same values skyrockets. Random is the least optimal approach. What you need is a psudorandom matrix translation where as input you take seed that you +1 and output is pseudorandom but assured to be unique. It's like AES encryption, but instead of 128bits your target is 66. Goog luck

michael676767

I’d like to add some notes for the points and offer alternatives here since some things are actually a little more flexible than mass opinion suggests. - Good tactic, suggest keeping these links stored on password managers. - Another good one, if it’s crypto I suggest to keep the connection restrained to a VPN. Any time you need to visit something anonymously you should be on Tor or if you need to quickly visit somewhere privately - Mullvad Browser paired with a VPN. Do not leave a trace that you were you. - Proton Mail’s the most popular name with good reason. Tutanota and Skiff are also good alternatives. Ultimately ensure the fact your communicative method’s encrypted. Blockchain counts on the same encryption method as Proton and Signal - end to end encryption. Make that your standard. - Password managers are your best friend. Let them make your passwords for you. Bitwarden’s the most affordable password manager out there, Proton Pass is arguably the highest security password manager out there, and 1Password is definitively the easiest to maneuver for most people in a casual limbo between Pass and Bitwarden’s best features. These 3 have pretty good encryption practices as well. Remember to make a good passphrase to avoid a breach if your vault’s stolen and make a habit to export your backups once in a good while - a frequency maybe of a month or 2. If something happens you need to move, don’t lose your accounts. - This will rile some people for sure as I’ve seen it before but this isn’t as hardcore as the general opinion. You CAN store your seed digitally but NOT over a simple solution. If you’re really unwilling to store it physically over a risk that something may happen in your situation where someone physically wants your coins, then I suggest storing it digitally on an encrypted drive. Best solution to still be closer to keeping it offline would be to encrypt a thumb/hard drive with Veracrypt with AES and make a solid passphrase. This will protect against both keyloggers and physical threat actors. Either encrypt the whole drive or make a hidden folder within a drive. Then store your seed there but don’t make a point to constantly open it every time you inject your drive to a computer. To harden insanely - buy a hardware encrypted drive to encrypt its software. Then you have 2 whole layers of encryption protecting your files. If you need a cloud storage, find one that’s encrypted preferrably over a lousy solution like Google Drive or Dropbox. Filen or Skiff Drive are very generous about space unlike Proton Drive but all 3 are very good options. If you feel like you REALLY need to, encrypt the file with Cryptomator if you’re on mobile or encrypt your document yourself before you drop it into Dropbox or Google Drive. Don’t let your files be so easy to access. Think of this as highly as you do for your card info. Most people naturally think so highly that the vigilance is instinctive - treat your seed the same. - SIM Swap is a danger no matter what, so I recommend if you have a phone newer than 2017 to make a PIN on your phone since most new phones have an eSIM. Don’t be a victim of a SIM swap because it just hasn’t happened yet. 2FA solution’s correct but Google and Authy are the worst. Bitwarden and Proton Pass have it better in comparison. Yubikey’s 2FA for normal TOTP is far superior because you need your physical key to access the codes. Dramatic security improvement there. Otherwise, Google keeps a backup on their servers unless you turn on the feature for yourself. Even then, they still keep a copy. Not good. - No notes for that point. If you never interact with social media and just read for your answers - you won’t be a target for asking. - Cold wallets are especially helpful if you think you’re going to be socially engineered. You don’t have access to your own private key yourself and instead trust it to a Ledger or Trezor. It’s a placebo to an extent but it’s just a decimal point better than holding onto your seed yourself with a paper. And about the same as keeping your seed on an encrypted thumb drive really.

boiledpangolin

ELI5: Bitcoin not directly affected Bitcoin uses ECDSA to generate key pairs and sign coins. To deploy this attack in a Bitcoin context you basically need some way to prompt a signer running on a variable time implementation of secp256k1 to get it to leak bits of a private key. Core introduced libsecp256k1 in 2016 (I think), which is a constant time C implementation of secp256k1. Most C/C++ software wallet use it. Anything running on libbtc/libbitcoin uses it too. &#x200B; I don't know if hardware wallets sign in constant time, don't ask me. But then again, this specific attack is about padding a message erroneously and measuring the response time from the signer, which is specific the PKCS #1. I'm not quite sure how to set that up for an attack on Bitcoin signer, we don't really have dynamic padding in Bitcoin sigs. &#x200B; This affects ancient SSL servers, which nobody uses these days. AES-GCM and RSA are too expensive, they eat too much power. End user internet is targetted at mobile nowadays, so the industry has moved to newer crypto, like ed22519 and chacha20poly1305, which is designed to be both lighter and immune to padding attacks. P.S.: I'm mentioning ciphers cause padding oracle attacks originally went after the cipher (the encryption mechanism) instead of the key exchange, which this attack does.

spamz_

If your end goal relies on needing to "educate people" to push them in a direction, you've already lost since both of the following are wrong: 1) You need to understand tech to use it. 2) It's possible to educate a large enough portion of the general public into something technical. You don't even need to look far: billions of devices use things like RSA, AES, ECDH, etc on a daily basis. Yet how many people can explain them? Just even one of them? Rounded to an integer, the number is 0% without question. How many *could* understand it? Well good luck explaining modular arithmetic, finite fields and elliptic curves to people who can't solve a linear equation if their life depended on it.

loksfox

I have this one insane friend that used 3 different usbs and encrypted his seed in AES-256 encryption in them in a offline fresh install linux machine

loksfox

I encrypted 3 usbs that hold my seed with AES 256 in a cold fresh install linux, hid them all in different places to protect myself if a natural disaster ever occur and even if you find any of them good luck it takes at least 1 million years to decrypto AND it's quantum resistant.

loksfox

Just keep it simple, do a cold fresh install of linux, then encrypt 3 usb's with your seed in AES-256, hide them in three diferent locations so you never have to worry about natural disasters and if somebody finds any of them they can try and decrypt them but it will only take 1 million years even if you have a supercomputer, it's also quantum resistant.

loksfox

I have 3 usbs with my seed all of them encrypted with AES-256 on a linux machine, each one on different locations so i don't get rekt by a natural disaster, even if you get one good luck decrypting it.

loksfox

Store your seed phrase inside a safe, inside a vault, inside a volcano The most important way to protect your crypto is by never telling anyone you have it. Never discuss crypto with anyone among your family, friends, neighbors, and co-workers. If no one knows you have crypto, then no one will come looking for your seed phrase. Also, Just boot Tails off a USB to start a secure clean Linux environment and encrypt it with AES-256 with a good password. Nobody will break into that. The worlds biggest secrets are behind encryption, not stored on metal plates under a pillow. People overcomplicate things. You can post the encrypted file on reddit afterwards if you want, nobody will break into it (unless your pass is pass123).

igadjeed

> go through the source code for the wallet and check exactly how it's verifying your password The Schildbach wallet uses libssl from the OpenSSL package to AES encrypt the wallet file. It follows the standard process: * use PBKDF2 with a random salt to derive a symmetric key by multiple rounds of hashing the password and salt * encrypt the entire wallet file using the AES256 cipher and the symmetric key There are dozens of Schildbach recovery tutorials which advise this: openssl enc -d -aes-256-cbc -a -in "backupfile" -out "backupfile.out" -k password or if the file was encrypted with an older OpenSSL, the PBKDF2 hash might be MD5 (this changed about 2013): openssl enc -d -aes-256-cbc -md md5 -a -in "backupfile" -out "backupfile.out" -k password

Black-Raider8

As per Google, a Solana phone has a seed vault feature and AES encryption to protect your private keys. You can also approve transactions using your fingerprint.

extreme_sleepy

what if i zip my seed phrase, encrypted AES-256 and store it in cloud. is it still not safe?

SmoothGoing

Encryption "methods" are transparent. Everybody knows exactly how AES works, every step of it. It is the key that is a secret. Read how coldcard works using dual secure elements and MCU https://blog.coinkite.com/understanding-mk4-security-model/ This device is purpose built and is way more secure than whatever system of shuffling secrets on USBs you can implement.

iCoin_Support

he posted a setup video on YouTube with his actual seed phrase and didn't completely edit out his seed phrase's QR code, anybody could've grabbed it. also the video was made using what appears to be a GoPro, meaning it was on an sd card then edited on a computer. [https://www.reddit.com/r/Bitcoin/comments/15uyl1d/comment/jy55np9/?utm\_source=share&utm\_medium=web2x&context=3](https://www.reddit.com/r/Bitcoin/comments/15uyl1d/comment/jy55np9/?utm_source=share&utm_medium=web2x&context=3) the printer communicates via encrypted BT to the wallet, only connects for a fraction of a second, and is AES 128 encrypted

iCoin_Support

The answer to your question is it cannot. There are only two ways Bitcoin could have been removed from the iCoin Wallet- 1) Someone has physical possession of the wallet and knows the pin 2) Someone has possession of the seed phrase There is no way for us to confirm that proper seed phrase custody was practiced. Where was the seed phrase stored? If it was in your home, who had access to your home? Also, if you laminated your thermal paper seed phrase, the heat should blacken the entire page and make it illegible. Perhaps another method for copying the thermal seed phrase was used, like a laser printer with memory that’s publicly used. The timing is very suspicious. The wallet was set up over a year ago, and many Bitcoin transactions were sent to your iCoin Wallet over the last year. We can confirm that the suspect Bitcoin send transactions were not sent from an iCoin Wallet because we checked the API requests to our Bitcoin nodes which would have come from the iCoin Mobile app. This API requests asks for basic UTXO blockchain info to construct a transaction like tx id, script pubkey, output index number, etc.; information a cold wallet can never know without connecting to the Internet. No requests were made for the addresses in question around August 16th. This leads us to believe the seed phrase was loaded onto another wallet and used to transfer your bitcoin to outside “legacy” addresses. Your seed phrase could have been compromised any time during the past year and used to watch the bitcoin loaded into your accounts. When the account balances became substantial, a series of MAX send transactions were used to drain the balances. It is suspicious that this max send occurred 2 days before you checked the wallet. The iCoin Wallet is by definition a cold device that never connects to a network. The companion mobile app acts as a communication gateway that relays that relays public blockchain data and signed raw hex wallet transactions to the blockchain via QR codes. There is no wifi, cellular, or GPS functionality in this device. It is an HD compatible Hardware Wallet so the keys and accounts can be moved to other HD compatible wallets if iCoin goes out of business or newer, better wallets come on the market. All keys are generated on the Wallet when the user selects ‘create new wallet’. No keys are previously loaded on the device, and all private keys generated on the device use a hardened derivation path, so if one key is compromised the entire tree is not. Private Keys never leave the wallet. The thermal printer is an optional purchase and an extremely convenient one. You can also just buy the Wallet standalone and use pencil and paper to write everything down, like all other wallets. Encrypted Bluetooth is the only option to connect the Wallet and printer. The printer has no memory, and no connection to wifi. Bluetooth is a short range, peer-to-peer wireless protocol that has no way to directly connect to the internet. Bluetooth, it is only activated momentarily to send encrypted data to the Printer. Again, that data is encrypted. Even if you try to snatch that data “from around the block”, it is only broadcasting for a fraction of a second and you have to catch it. Then you have to decrypt AES-128 encryption, which is currently impossible. The choice here is that the user is NOT required to use the printer and can choose between convenience and better security. Regarding thermal paper, storing it in a cool dark place can retain its image for 5-7 years. It is a good idea to make a copy of your seed phrase on a more permanent medium at a later time. Again, the printer is an optional convenience. It’s safe and it’s fun, but there is no substitute for exercising general security practices and keeping your seed phrase safe. Our wallet has been on the market for more than one year and no one has reported a stolen seed phrase or lost bitcoin. From this we can conclude user error and seed phrase compromise. Self custody requires users to take responsibility for safe storage of sensitive data such as the seed phrase, so it is not for everybody. [https://www.icointechnology.com/post/a-message-from-the-icoin-founders](https://www.icointechnology.com/post/a-message-from-the-icoin-founders)

Afro_Senpai_AI

I asked them about that and they said the printer channel is AES-128 encrypted.

igadjeed

> What makes Bitcoin so secure lies in its use of Secure Hash Algorithm 256, or SHA-256 (read as sha), which is used for everything from deriving transaction IDs and block hashes to addresses and Merkle trees SHA256 is used in almost every HTTPS connection, including browsing this Reddit page > TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256 Also, Bitcoin is made secure by elliptic curve asymmetric digital signatures, more than by SHA256 > The NSA was also one of the first organizations to describe a Bitcoin-like system in a 1996 paper titled How To Make A Mint: The Cryptography Of Anonymous Electronic Cash Nonsense, Chaum's paper pre-dates the NSA paper by 14 years, and the NSA paper was triggered by Chaum's then-recent launch of eCash > Nakamoto, loosely translated from Japanese, means “central,” while the name Satoshi means “intelligent.” Sure, and "Felix Ng" means lazy troll who does no research, and copy/pastes trash found on random blogs > Speaking of Satoshi, their identity has never been uncovered, prompting some to believe they are likely to have had some form of intelligence training No sign of intelligence from the blogger Felix Ng --- SHA256 is no mystery. It's not secret. It's not restricted to a government-approved binary executable. The early versions of Bitcoin used the SHA256 function available in OpenSSL, a project which always publishes 100% of its source code. In current versions, there are no OpenSSL dependencies. The Bitcoin Core developers created their own source code for implementing SHA256. See it here https://github.com/bitcoin/bitcoin/blob/master/src/crypto/sha256.cpp No backdoors to see there

eatsallthepies

Agreed, as I understand Ironkey uses 256 AES and some people don't expect this to be cracked anytime soon or some even in the next 100 years depending on who you ask. As you say the hardware failing would likely come first. Who knows though, it could be 100 years, it could be 1 day, whenever that happens it will probably be an interesting day for everyone.

EmilyLovs

Stamping the seedphrase on metal introduces another risk vector, thieves stealing your metal backup. Always remove every risk you can in your security setup. Better to encrypt that seedphrase using a cold computer and AES string encryption. Then encode that encrypted string into a QR code. Laser etch the qrcode on metal. But what if you forget the password? Well, create a cipher that you'll never forget. Create a recovery vault that gets its password from your cipher. That way, you only have to remember your cipher. Making a strong cipher you'll never forget is far easier than remembering a password.

coldhotday

If I get the pin code, you are dead man. Funds are stolen. Easy-pezzy. Software is public, so you can know the algorithm to decode any AES encrypted key on the device. This "brute force" method is not that problematic, once you know the protocol of doing it. Video is well showing it. Plus this equipment is not at all expensive to do it. In case of Ledger, you have rentgen + brute-force CPU drilling protection, that is used in the secure MCU + external secure chip for AES & assymetric encryption-decryption reasons. I'd say unless you know all the technical details of these devices, I'm not sure comment has any weight. Sorry, pal.

dowitex

As far as I know, it's really asymmetric encryption and digital signatures that are at risk, for example ECDSA that bitcoin uses, or Key exchanges used in https. I'm not sure Bitcoin was designed to be resistant in which case it would need to change digital signature scheme (may be wrong, feel free to correct me). Symmetric encryption such as AES and hashing is safe on the other hand.

CrazyTillItHurts

There is definitely skepticism that AES can even be broken with an operational quantum computer. You make it sound like satoshi left security issues behind with the decision to disable that opcode

Aussiehash

If the AES encrypted mnemonic was created on Coldcard, and then transferred to the cloud that should be safe (although since the first hardware wallet TrezorOne the security premise of hardware wallets being hacker proof was that the mnemonic seed never ever exists in digital form outside of the hardware wallet)

Quiet_International

sure, but presuming they did that in a secure way. then how is it insecure to keep the AES encrypted file in the cloud?

Aussiehash

Unless on an airgapped coldcard, users would be typing in their mnemonic seed into the computer to AES encrypt and decrypt. That computer may have malware.

Aussiehash

Newbies have enough trouble writing down on paper their 12-24 seed words on the card that ships with a hardware wallet. There are reddit posts every month about people having their hardware wallet's funds stolen, who either typed their mnemonic seed words into trojan malware they downloaded "to recover", or by entering their mnemonic into PGP/AES encryption and storing it in their cloud. Even a Passphrase is not for everyone.

Aussiehash

If you used a password then it is AES encrypted

zoomercoomer9000

Yes it seems to have encrypted your seed phrase using the AES-128-ctr cipher.

zoomercoomer9000

My only experience with TON was when they started allowing people to sell their Telegram usernames. Some people made a fortune: https://i.imgur.com/Ip6Wd5j.jpg This was back when TON Coin traded for $2 Anyway, the article didn't mention this but in their documentation there is mention of using HMAC-SHA512 and AES-256, which by my understanding are pretty solid algorithms. https://github.com/toncenter/ton-wallet/blob/master/src/js/util/encryption.js

zoomercoomer9000

Bitwarden uses AES-256 to encrypt your vault. While this is a strong encryption scheme, the information inside the vault will only be as secure as your master password. This isn't the most advisable approach, but if you insist on storing the seed this way, consider two things: 1. set up an email address that is only used for Bitwarden, and use a very strong, unique master password. This will help to mitigate credential stuffing attacks. 2. the seed must be obscured in such a way that if someone did gain access to your vault they would not know what they were looking at.

lanjelin

Since the way forward is sabotaged by the users and OP doesn't seem to be around, I thought I'd share my notes and solutions. As linked by /u/warwingz, [https://cryptoji.com/](https://cryptoji.com/) is an AES-256 emoji decrypter created by OP.The solutions seems to revolve around this, and the other sites/tools linked from cryptoji.com ## First clue: A whole lot of emojis. Entering the emojis at >!publicnote.com!< gives an url to a discord server, that doesn't seem related to any of the solutions (might be a user chainging the note to this) Entering the emojis at >!cryptoji.com!< along with the word >!reddit!< as secret, and it returns >!U2FsdGVkX19I8Vz/o/Ti8dClxS4iYIDDfj+MU5+ZlWpMQaV8nuZ+IZekrctpCY2igC4W8Zd5F6sl0WuGtSrjOicP2x7ZWSpKkdetpuH4xyo68P7fDnmEMiGtDuS0Rqiu!< ## Second clue: Weird string Entering the string at >!publicnote.com!< returned >!What do we like the most? :) (This is the second and the last clue)!< OP also gave a hint in this post: >!the second key is a sarcastic version of the first.!< To the observant, they'll recognize >!U2FsdGVkX1!< at the start of the string, it translates to >!Salted\_\_!< that tells us we're dealing with a >!salted AES256 encrypted string!< Clicking the links on cryptoji.com we find >!ncrypt.org - just the tool we're looking for!< To find the secret key needed; there are two ways of >!displaying sarcasm online, /s and alternating uppercase and lowercase letters in words!< Knowing this, using >!rEdDiT!< as the secret key, we get >!Nice job! The next clue is hidden at publicnote.com Your clue is: numbers!< ## Third clue: numbers Entering >!numbers!< at >!publicnote.com!< gave lot of random garbage, no idea whether there should be any interesting stuff here. Lokking at the previous clue, and previous solutions one can deduce that >!numbers!< might be applied to >!reddit!<, and alas - entering >!r3dd1t!< at >!publicnote.com!< returned another >!AES256 encrypted!< string. ## Fourth clue: where it all stops The string from previous clue seems to have been tampered with, and since the notes on >!publicnote.com!< can be edited by everyone, it seems someone wanted to throw off the competition. I've seen two slightly different strings in the note.>!U2FsdGVkX1ejbghYGJ67GPn2Zo7jSj5Aasr7YqJTL8NONshvfceu0QteUocRjK4eNrU2FsdGVkX1ejbgh/YGJ67GPn2Zo7jSj5Aasr7YqJTL8NONshvfceu0QteUocRjK4eNr!< Without any other hints, bruteforcing this could take anywhere from ages to forever, especially when one don't even know if the >!AES256 encrypted!< string is correct. Like this [puzzle](https://wiki.gamedetectives.net/index.php?title=Sombra_ARG#Narrowing_Down_Ciphers) from blizzard that was never solved.

warwingz

In case it helps anyone, there are 246 emojis posted. I think we need an AES-256 emoji decrypter - for which [https://cryptoji.com/](https://cryptoji.com/) created by OP used to have. I've tried a few other decrypter sites with various attempts at passphrases like 'bitcoin' but with no luck. Based on the length of the clue, it's a reasonably long clue, like a sentence. Good luck everyone!

brianddk

That all went down a few years ago, and it has been fixed the latest firmware. My previous rebuttal to this old FUD since I don't really want to type it all out again... *** > Trezor is simply an inferior product. I suppose everyone has an opinion. Since you are (properly) addressing some of the Ledger FUD, let me address some of the Trezor FUD that Trezor is trivial to hack with physical access. First off, there seems to be the impression that the 2020 `wallet.fail` presentation went unpatched since Ledger claimed it's unpatchable. This is patently false. After the original `wallet.fail` presentation Trezor firmware rolled three updates. 1. AES256 bit encryption on Trezor-T NAND (`sd-protect`) 2. Support for insanely long PINs on all products 3. Glitch exposure greatly reduced First, as Ledger states, this whole attack assumes there is no BIP39-passphrase enabled, or the passphrase is something stupid like "passphrase". With that out of the way, onto the updates. ## NAND Copy The `wallet.fail` attack requires the part receive a voltage glitch while it is in "flash mode". This unlocks the protected memory to allow the NAND copy. On the older firmware this only required a few days to hit, but with the updates the amount of time the part was left in flash mode was reduced to the actual time the part was being programed instead of the original "fingerprint display" where most of the attacks took place. The reduced window makes hitting the glitch incredibly difficult, simply as a statistical problem. Expect most attackers to spend months trying to glitch the part. ## NAND Encryption Normally, the NAND is encrypted with the PIN, but for Trezor-T it can be encrypted with a 256bit salt file `sd-protect`. This makes PIN brute forcing impossible. No... no one is able to brute force 256bit AES encryption. This is just FUD. ## PIN Weakness EVERY exploit I've seen is performed on a 4-digit PIN since that is the smallest allowed by firmware. And even those take 15 seconds. From a computation point of view that is slow as molasses. The reason it is so slow is two fold. First, the NAND uses ChaCha20 encryption which is designed to be slow to hinder brute force attacks. Second, the ChaCha20 encryption requires the full 1.5MB part to be decrypted before it can be tested. You should see that this is not going to scale well for the attacker. If 10,000 cycles takes 15 seconds, 1,000,000,000 (9 digits) cycles will take over two weeks and 10 or 11 digits will require months or years. ## Conclusion Simply get a $10 sd-card and your Trezor becomes immune to all these exploits. The idea of requiring "something you know" (aka PIN) and "something you have" (aka sd-card) to unlock a secret is a very old and common concept of data security. We all know it is two-factor authentication, but rarely stop to think about it.

hrvbrs

Isn’t AES-256 a symmetric encryption algorithm, meaning it uses the same key to encrypt and decrypt your seed? If so, wouldn’t that be less secure than an asymmetric algorithm? Forgive me, I still have a lot to learn about cryptography.

MoneroArbo

I thought you were implying a password with the AES+ string encryption part Not to sound full of myself, I'm sure you know more on this topic than me, but I think if your advice isn't clear to me it won't be clear to most others either. But remembering "which cypher" anyway seems like it would be 1) just as hard as a password or 2) brute forcable. I'm far from an encryption expert though.

EmilyLovs

Cold computer -> Seed -> Cipher -> AES256+ string encryption -> QR code generator -> printer Bonus: Laser etcher on titanium. Never store your seed anywhere unencrypted. Never let your seed touch a hot computer unencrypted.

GoblinsStoleMyHouse

Self hosted is a great option as long as you don't mind managing the infrastructure yourself. I like google drive because I know my files are always gunna be there, and it's zero responsibility for me. And if the someone finds a way to break AES... then we are gunna have other problems! LOL!

GoblinsStoleMyHouse

Guys, just encrypt your wallet, upload it to google drive, and save a copy to your computer. It’s not rocket science, you don’t need a fancy hardware wallet to be secure. AES-256 or RSA-4096 is plenty secure as long as your encryption key good. Sometimes the simplest solution really is the best one. Don’t waste your money on these scam wallets.