
PSA: Trezor doesn't have the oft-mentioned seed extraction vulnerability. Use a strong PIN.


Contrary to popular belief, Trezor no longer has the oft-mentioned seed extraction vulnerability, which was discovered by Ledger and confirmed by Kraken. SatoshiLabs fixed it in mid-2021 (June for Model T in firmware version 2.4.0 and May for Model One in firmware version 1.10.0).

The seed phrase is encrypted before being stored in Trezor. The encryption algorithm used is ChaCha20, which is known to be secure. Data encrypted with ChaCha20 is uncrackable if done right. ChaCha20, or any other secure encryption algorithm for that matter, can be breakable if the encryption key is too weak. It needs 128 bits of entropy to be absolutely unbreakable. With a weak key, decryption may be successfully performed in a brute-force manner.

Trezor uses the PIN as the encryption key. Before mid-2021, the PIN was up to 9 digits. There are fewer than 30 bits of entropy in a 9-digit PIN. Because of the low entropy, the extracted encrypted data could be easily decrypted with brute force and the seed could be extracted.

For a PIN to be absolutely secure, namely to have 128 or more bits of entropy, it needs at least 39 digits. Trezor's firmware versions released in mid-2021 increased the upper limit of the PIN length to 50. A randomly generated PIN of 39 or more digits can guarantee absolute security of the seed even if an adversary gains physical access to the device and successfully performs the data extraction trick. The seed can no longer be extracted.

submitted by /u/exab
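
The entropy figures in the post can be checked, and a PIN of the required length generated, with the following added example (not part of the original post and not Trezor code). It generalizes to any keypad alphabet; the 10-digit alphabet is an assumption matching the post's 39-digit figure, and the 9-symbol alphabet is a hypothetical keypad without `0`.

```python
import math
import secrets

DIGITS = "0123456789"  # assumed keypad alphabet; pass another string to change it


def pin_entropy_bits(length: int, alphabet: str = DIGITS) -> float:
    """Entropy of a PIN whose digits are drawn uniformly at random.

    A PIN chosen by a person (dates, patterns, repeats) has far less
    entropy than this figure, whatever its length.
    """
    return length * math.log2(len(set(alphabet)))


def min_pin_length(target_bits: int, alphabet: str = DIGITS) -> int:
    """Smallest length whose keyspace is at least 2**target_bits.

    Integer arithmetic avoids floating-point rounding at the boundary.
    """
    size = len(set(alphabet))
    if size < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    length = 1
    while size ** length < 2 ** target_bits:
        length += 1
    return length


def generate_pin(length: int, alphabet: str = DIGITS) -> str:
    """Uniformly random PIN from the OS CSPRNG (never use random.choice here)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"9-digit PIN:  {pin_entropy_bits(9):.1f} bits")
    print(f"50-digit PIN: {pin_entropy_bits(50):.1f} bits")
    print(f"digits needed for 128 bits (0-9): {min_pin_length(128)}")
    print(f"digits needed for 128 bits (1-9): {min_pin_length(128, '123456789')}")
    pin = generate_pin(min_pin_length(128))
    print(f"generated a {len(pin)}-digit PIN; record it offline, do not log it")
```
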