Remove display_random feature #4119
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrewkozlik
added
core
|
|
obrusvit
reviewed
Aug 22, 2024
andrewkozlik
force-pushed
the
andrewkozlik/display_random
branch
2 times, most recently
from
5864ca8 to
d09fe09
Compare
prusnak
reviewed
Aug 22, 2024
| @@ -253,7 +253,6 @@ class TR: | |||
| device_name__change_template: str = "Change device name to {0}?" | |||
| device_name__title: str = "Device name" | |||
| entropy__send: str = "Do you really want to send entropy?" | |||
| entropy__title: str = "Internal entropy" | |||
| entropy__title_confirm: str = "Confirm entropy" | |||
There was a problem hiding this comment.
Is the entropy__title_confirm still used somewhere?
There was a problem hiding this comment.
Yes, it's a different thing. When you use trezorctl crypto get-entropy.
andrewkozlik
added
the
translations
andrewkozlik
force-pushed
the
andrewkozlik/display_random
branch
from
d09fe09 to
fec3881
Compare
|
i'd prefer doing this only in combination with the "iterated ResetDevice" thing you proposed on Slack. as it stands, we'd be removing a good if obscure feature (specifically method 2) without replacement |
prusnak
approved these changes
Aug 23, 2024
andrewkozlik
force-pushed
the
andrewkozlik/display_random
branch
from
fec3881 to
f32474a
Compare
|
I intend to prioritize the development of the proof of seed randomness (iterated ResetDevice) feature, which should be a more user friendly and more effective replacement for |
matejcik
reviewed
Aug 27, 2024
matejcik
approved these changes
Aug 27, 2024
andrewkozlik
force-pushed
the
andrewkozlik/display_random
branch
from
2df710a to
1655c53
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The
display_randomflag in theResetDevicemessage is used during seed generation to display the entropy that was generated internally by Trezor before asking for external entropy from the host. This feature, which is also known as show-entropy intrezorctl, allows the user to cross-check that Trezor generated a valid mnemonic sentence for the given internal and external entropy, i.e. that Trezor really used the externally provided entropy to generate the seed. I have come to the conclusion that this feature lacks purpose and have decided to remove it. (See detailed explanation below.)To be clear, the device tests still perform the cross-check by looking at the internal entropy, which is always provided in
DebugLinkState.reset_entropyin debug firmware builds, regardless of thedisplay_randomflag.Rationale
The intent of the user is to verify that Trezor is really using the externally provided entropy to generate the seed in order to protect themself from a Trezor that might have malicious firmware which could be generating seeds that come from a relatively small set which is known to the author of the malicious firmware.
Using this feature properly requires that the user has a good understanding of how the two entropies are combined together and how they are converted into a BIP-39 or SLIP-39 backup. The user also needs to at least have the ability to compute SHA-256 on the two entropy values. This implies that the validation cannot be done by hand, but needs to be done on a computer. In actual fact, the user should also compute the XPUB from the seed ideally for all accounts that they will be using, and ensure that the device shows the same XPUBs in the future. Otherwise a malicious firmware could be using a completely different seed to generate XPUBs and addresses than what it presented in the backup.
The user may choose to use this feature in one of several ways:
display_random, cross-check on their computer that the backup shown on Trezor is correct, and that both the computer and Trezor arrive at the same XPUBs. Repeat several times to be sure. Finally generate a seed without usingdisplay_random, record the XPUBs shown on Trezor and use that as their seed, i.e. trust the firmware in the final generation without cross-checking.display_random, record the XPUBs shown on Trezor and use that as their seed, i.e. again trust the firmware in the final generation without cross-checking.display_random, cross-check on their computer that the backup and XPUB shown on Trezor is correct and use it as their seed.Method 1 is actually flawed and creates a false sense of security. If the Trezor firmware is malicious, then it can choose to behave correctly when
display_randomis used, but maliciously when it is not used. Thus the final generated seed and XPUBs can be rigged.Method 2 is correct, but as it turns out, not entirely intuitive.
Method 3 means exposing the final seed to the computer. The process needs to be performed on a highly secured computer that is guaranteed to dispose of all secret data when finished. Ideally a live linux distribution without an internet connection.
With all the tooling and knowledge that the user needs, it is easier to just generate a seed outside of Trezor and recover it in Trezor. For this the user will need the same setup as in method 3, but does not need to know the details of how Trezor combines the randomness and derives the seed and thus no need for Trezor-specific tooling. To reap the full benefits of Trezor's internal TRNG, they can use
trezorctl crypto get-entropyand combine the result with randomness from any other sources in any way they choose.