[GTALUG] Dice Keys
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Sun Aug 30 16:19:14 EDT 2020
On Fri, Aug 28, 2020 at 11:15:00AM -0400, Christopher Browne via talk wrote:
> Here's a cool thing I saw recently...
>
> https://www.schneier.com/blog/archives/2020/08/dicekeys.html
The comments are certainly fun to read.
> The intention of this parallels the various Bitcoin "Solid Steel Passphrase
> Wallet" items that were popular a year or so ago
> (See https://www.toughgadget.com/bitcoin-crypto-metal-recovery-seed-wallets/,
> https://www.buybitcoinworldwide.com/wallets/steel/ )
>
> It's a case for a set of 25 dice that looks like a Boggle game set; it will
> generate and "record" what ought to be a Sooper Seekrut key as would be
> used for things like:
> - master key for password manager
> - U2F key for 2 Factor Authentication
> - Secret key for cryptocurrency wallet
>
> By being a set of dice with a nice plastic box to hold them securely, this
> is not vulnerable to various threats common to electronic devices:
> - EMP (for those highly worried about nuclear devices)
> - Water damage
>
> Of course, if all your disk drives get toasted, there might not be any data
> left to decrypt or systems to connect to. And plastic will melt away or
> burn when exposed to fire...
>
> But it's pretty cool, I'm tempted to grab a set.
>
> There's a web app: https://dicekeys.app/
>
> It appears that this application, embedded in a single JavaScript file,
> runs locally, inside your browser, so that usual criticisms about it being
> a giant security vulnerability of sharing your key with their web site
> seem like they mightn't apply. How to confirm in an authoritative way that
> nothing is *actually* shared seems like the fun security question.
I guess if you load the page, go offline, do the thing, close the browser,
wipe any caches and other things from it, then maybe you could trust it?
Or save a copy locally, read all the code and only run your verified
local copy?
--
Len Sorensen