AirBitz Crypto

Upload: swansontec

Post on 10-Aug-2015


Building Blocks
● Cryptographic hashes
  – Data in → number out
● Symmetric encryption
  – Key & data in → box out
  – Key & box in → data out

Cryptographic Hash
● Output number is big
  – 256 bits is common (77 digits)
  – The universe has ~10^80 atoms
● Changing even one input bit changes the whole output
● There is no way to guess the input
● There is no way to fake the input

Cryptographic Hash
● Hashes are great for verifying files
$ sha256sum < cat.jpg
9818c3a0a106bbefbbede8da7969c74203fe1f3ea290023a3f2bd415f41f8c24
● If the hash matches, the file hasn't been changed

Example Hash
● echo -n "Satoshi" | sha256sum

002688cc350a5333a87fa622eacec626c3d1c0ebf9f3793de3885fa254d7e393

● echo -n "satoshi" | sha256sum

da2876b3eb31edb4436fa4650673fc6f01f90de2f1793c4ec332b2387b09726f

Typical Encryption
[Diagram: Password → Hash → Key; Key & Data → Symmetric Encryption → Box]

Passwords are Special
● Normally, hashes should be fast
● But not for passwords!

Passwords are Special
● Passwords are easy to guess
  – Just try every possible combination
  – If the hash matches, you guessed the password
  – Faster hash = more guesses per second

Password Hashing
● Password hashes should be slow & eat lots of RAM
  – GPUs and FPGAs can try 1000s of combinations at once
  – RAM makes this harder

Scrypt
● Password hashing function
  – Adjustable time
  – Adjustable memory
  – AirBitz targets about ½ second
  – Needs a salt

Why Salt?
● Hash once, try many accounts
  – Pre-compute a big table of common passwords
  – Now just scan the database for matches
  – Odds are, something will match
  – Mainly a problem on hacked servers

Salt
● A salt makes every hash different
  – sha256(“bad-password” + “salt1”)
  – sha256(“bad-password” + “salt2”)
  – An attacker needs to try each row individually now
  – The salt needs to be saved somewhere

Login Process

Getting the Salt
● Brand-new phone
  – Doesn't know the salt
  – Can't hash the key without the salt
  – Can't decrypt without the key

Getting the Salt
● Hash the username & send to the server
  – AirBitz doesn't know the username
  – Uses a fixed salt compiled into the code
● Server returns the salts for this account
  – passwordAuthSnrp
  – passwordKeySnrp
● “Snrp” = Salt + Scrypt difficulty

Getting the Box
● Hash the password & send to server
  – Uses passwordAuthSnrp
● Server returns encrypted box
  – The server won't give the encrypted box to just anybody
  – We can limit guesses per second

Opening the Box
● Hash the password to make a key
  – Uses passwordKeySnrp
  – Different hash from what we send to the server
  – AirBitz can't decrypt the data
● The key unlocks the Box
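
The login steps above (Getting the Salt, Getting the Box, Opening the Box), sketched as an added Python example; this is not AirBitz code. The Snrp field layout, the mock LoginServer, the salt values and the placeholder box bytes are assumptions, and the box encryption itself is left out.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Snrp:
    """Salt + scrypt difficulty, as the slides define "Snrp" (field layout assumed)."""
    salt: bytes
    n: int = 2**14
    r: int = 8
    p: int = 1

def slow_hash(secret: str, snrp: Snrp) -> bytes:
    """scrypt with the salt and difficulty carried by the Snrp."""
    return hashlib.scrypt(secret.encode(), salt=snrp.salt, n=snrp.n, r=snrp.r,
                          p=snrp.p, maxmem=64 * 2**20, dklen=32)

# Constructed value standing in for the fixed salt compiled into the client.
USERNAME_SNRP = Snrp(salt=b"constructed-fixed-username-salt!")

class LoginServer:
    """Hypothetical server: sees only hashed usernames, salts, auth hashes, boxes."""
    def __init__(self):
        self.accounts = {}

    def create(self, user_id, auth_snrp, key_snrp, auth, box):
        self.accounts[user_id] = (auth_snrp, key_snrp, auth, box)

    def get_snrps(self, user_id):
        auth_snrp, key_snrp, _, _ = self.accounts[user_id]
        return auth_snrp, key_snrp

    def get_box(self, user_id, auth):
        _, _, stored, box = self.accounts[user_id]
        # Constant-time compare; guess rate limiting would also live here.
        return box if hmac.compare_digest(stored, auth) else None

def login(server, username, password):
    """New-phone login: (box, box_key), or (None, None) on a wrong password."""
    user_id = slow_hash(username, USERNAME_SNRP)
    auth_snrp, key_snrp = server.get_snrps(user_id)
    box = server.get_box(user_id, slow_hash(password, auth_snrp))
    if box is None:
        return None, None
    return box, slow_hash(password, key_snrp)  # this key never leaves the phone

def demo():
    """Register a constructed account; returns the server and the stored auth hash."""
    server = LoginServer()
    auth_snrp, key_snrp = Snrp(os.urandom(32)), Snrp(os.urandom(32))
    auth = slow_hash("correct horse", auth_snrp)
    server.create(slow_hash("alice", USERNAME_SNRP), auth_snrp, key_snrp,
                  auth, b"<encrypted box>")
    return server, auth
```

Because the two Snrps carry different salts, the value the server stores for authentication tells it nothing about the key that opens the box.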

Master Key
● What's in the box?
  – Another key!
  – This is the “master key”
  – Grants full access to the account
  – Generated randomly
  – Stays the same, even if the password changes

Getting the Data
● The master key tells us where to find the user data
  – The data is on a different server from the login stuff
  – AirBitz doesn't know which data goes with which account
  – The data servers are actually Git servers

Bitcoin Time
● Download the data
● Decrypt the data
● Bitcoins! (finally)

Password Recovery
[Diagram: Password → Hash, Recovery Answers → Hash, Master Key]
Multiple boxes, each with a master key copy inside

PIN Login
● Similar idea
  – Server returns a box with the PIN inside
  – PINs are too weak to use for crypto
  – The key to unlock the box is just saved on the phone
  – Need an already logged-in phone

PIN Authentication
● The PIN is weak, so how can the server verify who we are?
  – Use hash(pinKey + PIN)
  – pinKey is on the phone, and impossible to guess
  – Even stronger than password hashing!

Bitcoin Keys

Bitcoin Keys
● What are we trying to protect?
  – Bitcoins are secured using keys
  – Anyone who controls the keys controls the Bitcoins

Secret & Safe
● If somebody learns the keys, they can steal the funds
● If you lose the keys, you lose the funds

Public-Key Crypto
● Two keys, one public, one private
● The private key controls everything
  – Keep it secret, keep it safe
● The public key can be shared with anybody

Public Key
● Like an open padlock
● Anybody can encrypt
● The private key is needed to decrypt
● “Public key” is a stupid name
  – Should be called “lock” or something

Bitcoins & Public Keys
● A Bitcoin address is a public key
  – … well, a hashed public key
● Anybody can send funds to a bitcoin address
● Only the private key can spend

Signatures
● To spend bitcoins, two things are needed:
  – The public key
  – A signature
● Only a private key can make a signature
● A public key can check a signature

Checking Spends

1) Hash the public key

2) If it matches the address, proceed

3) Check the signature

Questions?