
Here's a cool thing I saw recently...

https://www.schneier.com/blog/archives/2020/08/dicekeys.html

The intention of this parallels the various Bitcoin "Solid Steel Passphrase Wallet" items that were popular a year or so ago (See https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/, https://www.buybitcoinworldwide.com/wallets/steel/ )

It's a case for a set of 25 dice that looks like a Boggle game set; it will generate and "record" what ought to be a Sooper Seekrut key as would be used for things like:

- master key for password manager
- U2F key for 2 Factor Authentication
- Secret key for cryptocurrency wallet

By being a set of dice with a nice plastic box to hold them securely, this is not vulnerable to various threats common to electronic devices:

- EMP (for those highly worried about nuclear devices)
- Water damage

Of course, if all your disk drives get toasted, there might not be any data left to decrypt or systems to connect to. And plastic will melt away or burn when exposed to fire...

But it's pretty cool, I'm tempted to grab a set.

There's a web app: https://dicekeys.app/

It appears that this application, embedded in a single JavaScript file, runs locally, inside your browser, so that usual criticisms about it being a giant security vulnerability of sharing your key with their web site seems like it mightn't apply. How to confirm in an authoritative way that nothing is *actually* shared seems like the fun security question.

--
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

A riff off: https://en.wikipedia.org/wiki/Diceware

../Dave

On Aug 28, 2020, 11:15 AM -0400, Christopher Browne via talk <talk@gtalug.org>, wrote:
> Here's a cool thing I saw recently...
>
> https://www.schneier.com/blog/archives/2020/08/dicekeys.html
>
> The intention of this parallels the various Bitcoin "Solid Steel Passphrase Wallet" items that were popular a year or so ago (See https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/, https://www.buybitcoinworldwide.com/wallets/steel/ )
>
> It's a case for a set of 25 dice that looks like a Boggle game set; it will generate and "record" what ought to be a Sooper Seekrut key as would be used for things like:
>
> - master key for password manager
> - U2F key for 2 Factor Authentication
> - Secret key for cryptocurrency wallet
>
> By being a set of dice with a nice plastic box to hold them securely, this is not vulnerable to various threats common to electronic devices:
>
> - EMP (for those highly worried about nuclear devices)
> - Water damage
>
> Of course, if all your disk drives get toasted, there might not be any data left to decrypt or systems to connect to. And plastic will melt away or burn when exposed to fire...
>
> But it's pretty cool, I'm tempted to grab a set.
>
> There's a web app: https://dicekeys.app/
>
> It appears that this application, embedded in a single JavaScript file, runs locally, inside your browser, so that usual criticisms about it being a giant security vulnerability of sharing your key with their web site seems like it mightn't apply. How to confirm in an authoritative way that nothing is *actually* shared seems like the fun security question.
>
> --
> When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

On Fri, Aug 28, 2020 at 11:15:00AM -0400, Christopher Browne via talk wrote:
> Here's a cool thing I saw recently...
>
> https://www.schneier.com/blog/archives/2020/08/dicekeys.html

The comments are certainly fun to read.

> The intention of this parallels the various Bitcoin "Solid Steel Passphrase Wallet" items that were popular a year or so ago (See https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/, https://www.buybitcoinworldwide.com/wallets/steel/ )
>
> It's a case for a set of 25 dice that looks like a Boggle game set; it will generate and "record" what ought to be a Sooper Seekrut key as would be used for things like:
>
> - master key for password manager
> - U2F key for 2 Factor Authentication
> - Secret key for cryptocurrency wallet
>
> By being a set of dice with a nice plastic box to hold them securely, this is not vulnerable to various threats common to electronic devices:
>
> - EMP (for those highly worried about nuclear devices)
> - Water damage
>
> Of course, if all your disk drives get toasted, there might not be any data left to decrypt or systems to connect to. And plastic will melt away or burn when exposed to fire...
>
> But it's pretty cool, I'm tempted to grab a set.
>
> There's a web app: https://dicekeys.app/
>
> It appears that this application, embedded in a single JavaScript file, runs locally, inside your browser, so that usual criticisms about it being a giant security vulnerability of sharing your key with their web site seems like it mightn't apply. How to confirm in an authoritative way that nothing is *actually* shared seems like the fun security question.

I guess if you load the page, go offline, do the thing, close the browser, wipe any caches and other things from it, then maybe you could trust it? Or save a copy locally, read all the code and only run your verified local copy?

--
Len Sorensen

On 2020-08-28 11:15 a.m., Christopher Browne via talk wrote:
> Here's a cool thing I saw recently...
>
> https://www.schneier.com/blog/archives/2020/08/dicekeys.html

Just use a single good quality die and one of the wordlists. Randomly acquired, not a "special" piece of kit from a "special" vendor. The generation and protection of secret keys is key. You cannot trust a third party to generate and store keys.

participants (4)
- Christopher Browne
- David Mason
- lsorense@csclub.uwaterloo.ca
- Scott Frederick