Milk Sad: Weak Entropy in libbitcoin (bc) seed generation

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • libbitcoin-system

    Bitcoin Cross-Platform C++ Development Toolkit

  • Some extra relevant links:

    https://github.com/libbitcoin/libbitcoin-system/pull/559

    The pull request adding the vulnerability. The lack of review or collaboration is worth noticing. The prior code was already dubious in that AFAIK the std::random_device library doesn't promise that the randomness is suitable for cryptography. I believe on common systems where this code was run the old code was not likely to be exploitable, but I wouldn't bet my money on it.

    https://twitter.com/evoskuil/status/1688657656620167169

    Developer commentary on this issue. I can't figure out what "long-documented intended usage" a seed command that mandates 128 bits of output but never has more than 32 bits of entropy would have.

    https://archive.is/A7Jn6

    The documentation the tweet references. I don't know how the 'Pseudorandom seeding' warning there would be distinguishable from warnings against CSPRNGs in favor of dice rolls or whatever. Nor can I figure out for whose convenience this function would serve except attackers.

    https://archive.is/HDe8h
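    The comment above makes the point that a seed command can emit 128 bits while carrying at most 32 bits of entropy. The following C++ is an added illustration written for this page, not libbitcoin's source or the code from the linked pull request: it models that pattern (a 128-bit value expanded from one 32-bit std::mt19937 seed) next to a version that draws every byte from the OS CSPRNG, and adds two small audit helpers a reviewer would reach for. The /dev/urandom path is an assumption about a POSIX host.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <random>
#include <stdexcept>

// Added example, not libbitcoin code. Models the weakness discussed above:
// a 128-bit seed that is a function of a single 32-bit PRNG seed.

using Seed128 = std::array<std::uint8_t, 16>;

// WEAK pattern (modelled here, not the project's source). std::mt19937 is a
// deterministic generator, so these 16 bytes are a pure function of the
// 32-bit value used to seed it. The output is 128 bits wide, but the set of
// reachable outputs has at most 2^32 members.
Seed128 weak_seed_from(std::uint32_t seed32) {
    std::mt19937 prng(seed32);
    Seed128 out{};
    for (auto& b : out) {
        b = static_cast<std::uint8_t>(prng() & 0xFFu);
    }
    return out;
}

// CORRECT pattern: every output byte comes from the kernel CSPRNG.
// Assumes a POSIX system exposing /dev/urandom. std::random_device is
// avoided on purpose: as the comment above notes, the standard does not
// promise it is suitable for cryptography.
Seed128 strong_seed() {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    Seed128 out{};
    if (!urandom.read(reinterpret_cast<char*>(out.data()),
                      static_cast<std::streamsize>(out.size()))) {
        throw std::runtime_error("could not read /dev/urandom");
    }
    return out;
}

// Audit rule: the usable entropy of a derived seed is bounded by the entropy
// of everything fed into the derivation, never by the width of the output.
unsigned effective_entropy_bits(unsigned input_entropy_bits, unsigned output_bits) {
    return std::min(input_entropy_bits, output_bits);
}

// std::random_device::entropy() is the standard's only self-report. Many
// implementations return 0 ("unknown"), and a non-zero value is still not a
// guarantee of cryptographic quality; treat it as a hint for review only.
double random_device_entropy_estimate() {
    std::random_device rd;
    return rd.entropy();
}

int main() {
    // Same 32-bit input, same 128-bit "seed": the expansion adds no entropy.
    const bool deterministic = weak_seed_from(0x1234u) == weak_seed_from(0x1234u);
    std::printf("weak seed repeats for equal input: %s\n", deterministic ? "yes" : "no");
    std::printf("effective entropy of 128-bit output from 32-bit input: %u bits\n",
                effective_entropy_bits(32, 128));
    std::printf("two strong seeds differ: %s\n",
                strong_seed() != strong_seed() ? "yes" : "no");
    std::printf("std::random_device self-reported entropy: %.1f\n",
                random_device_entropy_estimate());
    return 0;
}
```

    When reviewing any seed or key generator, the question to ask is the one `effective_entropy_bits` encodes: how many bits went in, not how many came out. A deterministic expansion step such as the one in `weak_seed_from` is fine for stretching a CSPRNG output, but it cannot manufacture entropy that the input never had.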

  • Pgen

    Command-line passphrase generator

  • This xkcd comic has been instrumental to me.

    I wrote a command-line utility a couple of years ago that I use myself regularly to generate secure and memorable passwords.

    https://github.com/ctsrc/Pgen

    With this tool you can also see how many bits of entropy the passphrase generation settings you are using will result in.

    For example, generating a 5-word password using the long wordlist:

        pgen -l -n 5

  • nodice-cli

    A simple diceware generator with no dependencies.

  • That’s excellent! I had the same idea, which I completed a few weeks ago in Python, trying to write it with the standard library and have it be easily auditable. You can check it out here if you want:

    https://github.com/avnigo/nodice-cli

  • bip39

    A web tool for converting BIP39 mnemonic codes

  • gui

    Bitcoin Core GUI staging repository

  • libbitcoin isn't a company. It's an alternative C++ implementation (https://github.com/libbitcoin) to the Bitcoin Core (https://github.com/bitcoin/bitcoin) implementation. Bitcoin Core is the one originally from Satoshi. Libbitcoin came in like 2011 or so iirc and was led by Amir Taaki. Libbitcoin is a lot less popular than Bitcoin Core, as you can see on the GitHub stats.

  • libbitcoin-explorer

    Bitcoin Command Line Tool
