Recent user complaints have pointed out to the fact that Monero’s seed encryption is vulnerable to any known plaintext recovery. The issue was reported by a Reddit user ‘fierce_uk’.
The bug in the code was not apparent at first because it was buried deep within the code, in the 1100th line.
Why is this bug a problem?
Adding a random number which represents the password to the plaintext compromises any other ciphertext that shares the same password if a plaintext is ever revealed. In the cryptographic language, this is known as a key recovery attack.
“A key recovery encryption system (or recoverable encryption system) is an encryption system with a backup decryption capability that allows authorized persons (users, officers of an organization, and government officials), under certain prescribed conditions, to obtain the keys needed to decrypt ciphertext.”
The issue arises from the fact that the 25-word format, which is an old version of the shoehorning security method, does not have enough space where an initialization vector can fit. The encrypted seed code has to be six words longer.
This will enable the code to include a 64 bit IV which is to be protected using a proper encryption algorithm. The words are to be replaced using a Gnu Private Guard. A GPG allows the user to encrypt and sign their data and communication. It also acts as an efficient key management system.
Garlicgambit, a Reddit user wanted to know:
“Does this negatively impact the plausible deniable seed storage method we posted about a couple of days ago? Will it need modifications or additional warnings? Or should it be taken down altogether?”
‘fierce_uk’, the Reddit user who discovered the vulnerability replied:
“My recommendation would be
- a) Never reuse a password between two seeds.
- b) Never disclose the spendkey to the wallet, even if you are done with it.
I opted to remove it, since using the word “encryption” in this context might mislead some users into thinking that the seed is actually as safe as it would be in an AES-encrypted message.”
Moreno has not yet responded to the fallacy in the seed code but users are expecting an update soon.