Coolio

Improve the level of security of an XRP account

How to improve the level of security of my XRP account?

In my opinion it is very insecure when I can access my account only by using the secret key. If someone has access to the secret key, then you can already execute transactions. This is insecure.

Solutions:

1. Set up multi-signing. How many key pairs are preferred?

2. Set up 2FA for accessing the account and for all transactions.

I would prefer a 2FA method. But this is currently not supported for XRPL. Is it possible to implement such a function in an upcoming release of rippled?

Edited by Coolio

4 minutes ago, Coolio said:

In my opinion it is very insecure when I can access my account only by using the secret key. On a decent modern computer it only takes a max of 2 to 3 years to brute force the secret key.

No. A brute force attack is not practical. There is not enough energy in our universe to reliably guess the key with the currently available hardware.

1. Yes. If you feel paranoid you can use 5 or even more keys.
2. You should use 2FA whenever possible. Most exchanges and many mail providers offer it and it would be stupid not to take advantage of the extra security.

41 minutes ago, Sukrim said:

Who would be the counterparty who verifies your factor(s)?

I would like to see 2FA implemented on XRPL without counterparty.

Save the encrypted secret of the 2FA in a field (e.g. memo field) of the account.

Then use Google Authenticator.

Such a function should be implemented directly on XRPL without a counterparty.

Validator verifies??

Edited by Coolio

1 hour ago, Coolio said:

Validator verifies??

No.

That's not how TOTP works.

Please read up on how 2FA schemes work and then you'll understand why storing an encrypted secret in a memo field won't cut it for the use case of denying yourself access to your account secrets.

 

Edit:

Also this statement is completely and utterly false if you use enough entropy when generating your key pair:

"On a decent modern computer it only takes a max of 2 to 3 years to brute force the secret key."

Edited by Sukrim

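The TOTP objection raised in the post above, as an added example that is not part of the thread: under RFC 6238 a verifier checks a code by recomputing it from the same shared secret, so any party able to verify is also able to generate. `USER_SECRET` is the RFC 6238 test secret; `LEDGER_BLOB` and `mint_from_verifier_view` are constructed names standing in for the memo-field ciphertext and for a ledger reader.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)

def verify(held_secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """A verifier recomputes the code from the secret it holds; there is no
    public-key style check that works without that secret."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP
        if t >= 0 and hmac.compare_digest(totp(held_secret, t, len(code)), code):
            return True
    return False

def mint_from_verifier_view(held_secret: bytes, unix_time: int) -> str:
    """Whatever lets a party verify also lets it produce a valid code."""
    return totp(held_secret, unix_time)

# Constructed sample data: the RFC 6238 test secret, and an opaque stand-in
# for "the encrypted secret stored in a memo field" as a validator would see it.
USER_SECRET = b"12345678901234567890"
LEDGER_BLOB = hashlib.sha256(b"constructed ciphertext placeholder").digest()

if __name__ == "__main__":
    now = 1111111109
    user_code = totp(USER_SECRET, now)
    # A validator holding only the ciphertext cannot check the user's code.
    print("ciphertext only:", verify(LEDGER_BLOB, user_code, now))
    # A validator holding the plaintext can, and so can every ledger reader.
    print("plaintext known:", verify(USER_SECRET, user_code, now))
    later = now + STEP
    print("reader-minted code accepted:",
          verify(USER_SECRET, mint_from_verifier_view(USER_SECRET, later), later))
```

Either the validators cannot decrypt the stored secret and so cannot check anything, or they can and the second factor is known to everyone who reads the ledger.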

Look, this is just people being freaked out, after Gatehub - it's not about cryptology, cryptography, 2fa, hashes, salts, peppers, or herbs and spices.  The methods already exist:

We still have the problem of no "user friendly (and secure)" wallet...  No pictures, no buttons, no GUI - whatever.  Nerds don't get this and don't think it's important - "just install node.js and then build this binary thingie off github, you rubes!" - I'm sorry, but that's just the ground truth and someone needs to say it, because that's what most people hear.

Wietse Wind has come closest to user-friendly multi-sign thingie, but even that attempt - from like a year ago - was not simple enough and required people to use the testnet - like they know what that is - so that they could familiarize themselves with it such that they wouldn't **** anything up.  Anyway, point being, LACK OF USER FRIENDLY TOOLS.

It is quite trivial to build a horribly insecure but user friendly interface to crypto, google for "burner wallet" for example. Unlike other systems, RCL however also charges users directly for state pollution, so the "just for fun" wallet already costs you ~8 USD just to not be able to do anything with it.

Gatehub was a quite user friendly system that even stored your account secret for you. They were intransparent though and not really attractive for "nerds" like me to take a deeper look - apparently until someone did take a deeper look and discovered that user friendliness also helps to be cracker friendly...

Anyways: This is the technical section - so if you want to build these friendly tools, feel free to ask further, otherwise please take the discussion to the general section.

0) Don't be offended by the nerd reference.

1) Can you point me to a wallet interface I can install on an airgapped computer and punch pretty pictures to set a ledger address up for multi-sign and then submit the tx?  (And all I'd have to type in, maybe twice each, to make sure I didn't screw it up, is the keys?)

It was really depressing/disheartening reading the post-GH hack threads and nobody being able to recommend anything non-technical enough that "normal" people could set multisign up, without "make sure you've got ripple-lib installed and, etc, etc..."  If "setup multisign for dummies" exists, great.  If it doesn't, there's clearly some market demand.

Multi-signing is easy to create with Bithomp tools.

But I think it is more user-friendly to have 2FA without a counterparty directly on XRPL. Is it possible to do that with rippled? You could use some fields to store some encrypted information which is necessary for 2FA. I think such a function should be implemented in a future rippled.

7 hours ago, Coolio said:

On a decent modern computer it only takes a max of 2 to 3 years to brute force the secret key.

Where did you get that from?

Last stats I saw for 24 word mnemonic key was BILLIONS of years, assuming you had all the computing power in the world combined at your disposal.

23 minutes ago, Coolio said:

According to PSD II, 2FA is mandatory in Europe from September 2019.

That is most likely correct, but this has to be implemented on the client side banking frontend: The GUI / website where you log in with your password.

Edited by DavyJones

1 hour ago, Coolio said:

I think you’ve misread what he said....  he is saying that the Gatehub encryption was forced but the ledger could not be.

Put it this way....  all interested hackers know the wallets where 55 billion XRP have sat for years...   if there ever was a bigger honeypot,  out in the open,   then I’d be surprised.  If the ledger was able to be forced don’t you think they would have done so on the billions of coins held by Ripple?

15 hours ago, Coolio said:

On a decent modern computer it only takes a max of 2 to 3 years to brute force the secret key.

Uhm... what?

Assuming a brute force attack is the most efficient way, then if you had a trillion computers, each capable of testing 1 trillion keys per second, it would (on average) take them almost 6 million years to find the key.

Don’t hold your breath.
