How safe is Sparrow's wallet encryption? \ stacker news ~bitcoin

How safe is Sparrow's wallet encryption?

7629 sats \ 20 comments \ @pillar 27 Dec 2023 bitcoin

Sparrow wallet offers setting up a password for each wallet. The password is used to encrypt and decrypt the wallet file.

How safe and strong is the encryption used? I couldn't find details on this in the docs, and I don't have the knowledge to judge from the code itself.

view all related items

1675 sats \ 5 replies \ @deletedd 27 Dec 2023

deleted by author

21 sats \ 3 replies \ @pillar OP 27 Dec 2023

Thanks. From what I understand, this is not what is used to encrypt the wallet, but rather the hashing algorithm used on the wallet password. It's definitely an important part of the security scheme, but it's not exactly what I'm looking for.

In any case, thanks for sharing.

789 sats \ 0 replies \ @ek 27 Dec 2023

From what I understand, this is not what is used to encrypt the wallet, but rather the hashing algorithm used on the wallet password.

That's a very good find by @radentor but you're right, the quoted docs don't mention how the derived key is used to encrypt the wallet afaict.

Btw, I wouldn't call Argon2 a hashing algorithm (at least in this context here) even though it can be seen as one. All key derivation functions (KDFs) are very similar to hashing algorithms since they try to output something very random in a deterministic way - like hashing algorithms do. Afaik, KDFs only additionally guarantee certain properties, unlike hashing algorithms. A hashing algorithm does not have to be as secure as a KDF.

So basically, Sparrow uses Argon2 to derive a key from your password. And this key is used to encrypt the wallet. However, as you mentioned, the quoted docs don't mention which algorithm is used for encryption, that's right.

See this and this question on StackExchange for more info regarding KDFs vs hashing algorithms.

0 sats \ 0 replies \ @rijndael 28 Dec 2023

Looks like it uses ECIES: https://github.com/sparrowwallet/sparrow/blob/4feb4a3a79a3bbe69178fbefa38cd530fe963240/src/main/java/com/sparrowwallet/sparrow/io/JsonPersistence.java#L167

0 sats \ 0 replies \ @deletedd 27 Dec 2023

deleted by author

0 sats \ 0 replies \ @Nuttall 27 Dec 2023

Strong Encryption Many wallets use relatively weak password hashing in order to support a wide range of devices, such as PBKDF2 or similar. Sparrow is desktop focussed and uses a configuration of Argon2 (winner of the Password Hashing Competition in 2015) configured to take at least 500ms on modern hardware to derive the key from your password in order to unlock your wallet. Even if it only contains public keys, that data is still worth protecting properly.

612 sats \ 6 replies \ @ek 27 Dec 2023

Good question, I also use Sparrow and I also didn't find anything related to this in the docs.

Will ask in the TG group or check the code and come back with an update.

1569 sats \ 5 replies \ @ek 27 Dec 2023

Okay, I got nerdsniped by this, haha

Did some little "reverse engineering" [0]. I tried file on the encrypted wallet file but it came up empty handed:

$ file wallet.mv.db
wallet.mv.db: data

But afaik, all file does to identify a file is to look at the file signature (also known as magic bytes):

This manual page documents the format of magic files as used by the file(1) command, version 5.45. The file(1) command identifies the type of a file using, among other tests, a test for whether the file contains certain “magic patterns”.

-- https://man.archlinux.org/man/core/file/magic.5.en

(ok, apparently only "among other tests")

So why not just look at the magic bytes ourself?

$ hexdump -C -n32 wallet.mv.db
00000000  48 32 65 6e 63 72 79 70  74 0a fa 3e 4a fb 1e 2f  |H2encrypt..>J../|
00000010  99 ff 53 50 52 57 31 0a  5c 89 26 f0 23 97 3c 73  |..SPRW1.\.&.#.<s|
00000020

Turns out, Sparrow likely uses H2 Database under the hood to store wallets:

Welcome to H2, the Java SQL database.

This makes sense since Sparrow indeed is written in Java.

The security docs however mention this:

Encrypted storage Encrypting your on-disk database will provide a small measure of security to your stored data. You should not assume that this is any kind of real security against a determined opponent however, since there are many repeated data structures that will allow someone with resources and time to extract the secret key.

Also the secret key is visible to anything that can read the memory of the process.

Mhh, that doesn't sound good 🤔

I asked in the TG group. Let's wait for an answer before jumping to conclusions. I also didn't take a close look at the source code yet.

[0] not sure if this already counts as reverse engineering

407 sats \ 2 replies \ @pillar OP 27 Dec 2023

You made my day just by showing me the nerd sniping verb.

Looking forward to know that you find out in the TG group.

I didn't understand from your message if the wallet file itself is an encrypted H2 database and Sparrow reads from it and decrypts on the fly, or if Sparrow starts and in-memory H2 database when the daemon starts and loads the data from the wallet file into the H2 database on runtime.

1 sat \ 1 reply \ @ek 27 Dec 2023

I didn't understand from your message if the wallet file itself is an encrypted H2 database and Sparrow reads from it and decrypts on the fly, or if Sparrow starts and in-memory H2 database when the daemon starts and loads the data from the wallet file into the H2 database on runtime.

My educated guess would be it's the former. But that is also a good question!

Are you playing the nerd sniping game as mentioned in the xkcd? lol

228 sats \ 0 replies \ @pillar OP 27 Dec 2023

I promise I'm shooting with no evil intent. I just can't help myself.

0 sats \ 1 reply \ @franzap 27 Dec 2023

Great find! Do update us here

91 sats \ 0 replies \ @ek 28 Dec 2023

The only reply I got was this (someone linked this message in a reply)

The mv.db file format is from the embedded open source database that Sparrow uses, called H2. You can open it outside Sparrow if you have an H2 client, although if your wallet is encrypted you’ll have to rederive the database password from your wallet password via Argon2. The next version of Sparrow will allow importing this file format (as well as opening it directly).

This doesn't really answer my question but ok.

As a ~~screen~~scrollshot:

122 sats \ 3 replies \ @anon 27 Dec 2023

Personally, I take the wallet directory and locate it within a VeraCrypt volume and keep the VeraCrypt volume in cold storage.

0 sats \ 0 replies \ @franzap 28 Dec 2023

I also do something similar

0 sats \ 1 reply \ @Max_Maxi 28 Dec 2023

Interesting. Can you please explain more on this? Thanks

0 sats \ 0 replies \ @ek 28 Dec 2023

He's talking about disk encryption, on a USB stick as cold storage probably.

10 sats \ 0 replies \ @quark 27 Dec 2023

I guess it depends on your password quality. You can always additionally encrypt with another tool, the whole partition where your wallet is stored too.

0 sats \ 0 replies \ @Athena_Alpha 29 Dec 2023

Interesting question. We knew that Sparrow used Argon2 (and that it's OWASP recommended) but beyond that it's an interesting thing to verify.

We've reached out to @SparrowWallet on Twitter to see if they can come on in here and help clear things up 🙂

FWIW, we wouldn't ever consider giving Sparrow (or any other software based wallet) access to your Private Keys. Instead they should be stored on a well vetted Hardware Wallet if we're talking about any amount of funds you don't want to lose. That way even if an attacker breaks your password, all they'll get is the wallet file. They'll be able to see your coins... but not spend / steal them.

0 sats \ 0 replies \ @yongterrydoylen2owh7 27 Dec 2023 outlawed

stackers have outlawed this. turn on wild west mode in your /settings to see outlawed content.