DiceKeys

DiceKeys is a physical mechanism for creating and storing a 192-bit key. The idea is that you roll a special set of twenty-five dice, put them into a plastic jig, and then use an app to convert those dice into a key. You can then use that key for a variety of purposes, and regenerate it from the dice if you need to.

This week Stuart Schechter, a computer scientist at the University of California, Berkeley, is launching DiceKeys, a simple kit for physically generating a single super-secure key that can serve as the basis for creating all the most important passwords in your life for years or even decades to come. With little more than a plastic contraption that looks a bit like a Boggle set and an accompanying web app to scan the resulting dice roll, DiceKeys creates a highly random, mathematically unguessable key. You can then use that key to derive master passwords for password managers, as the seed to create a U2F key for two-factor authentication, or even as the secret key for cryptocurrency wallets. Perhaps most importantly, the box of dice is designed to serve as a permanent, offline key to regenerate that master password, crypto key, or U2F token if it gets lost, forgotten, or broken.

[…]

Schechter is also building a separate app that will integrate with DiceKeys to allow users to write a DiceKeys-generated key to their U2F two-factor authentication token. Currently the app works only with the open-source SoloKey U2F token, but Schechter hopes to expand it to be compatible with more commonly used U2F tokens before DiceKeys ship out. The same API that allows that integration with his U2F token app will also allow cryptocurrency wallet developers to integrate their wallets with DiceKeys, so that with a compatible wallet app, DiceKeys can generate the cryptographic key that protects your crypto coins too.

Here’s the DiceKeys website and app. Here’s a short video demo. Here’s a longer SOUPS talk.

Preorder a set here.

Note: I am an adviser on the project.

Another news article. Slashdot thread. Hacker News thread. Reddit thread.

Posted on August 24, 2020 at 6:23 AM • 73 Comments

Comments

Q August 24, 2020 6:57 AM

I would be very, very uncomfortable about having not only the physical key available to any thief or agent that decides they want it, but also having it available in a vulnerable leaky phone and app that all measure of companies and people can spy upon. Just no.

Stuff like this should only be in my head IMO. Then I get to decide if it ever gets revealed to someone else.

Ari Trachtenberg August 24, 2020 7:20 AM

“mathematically unguessable key” – really Bruce? You know better than to taunt the hackers with hyperbolic language. If anything, the key is “practically unguessable” – but mathematically, it is certainly guessable.

ronys August 24, 2020 7:48 AM

Nice.

Now all we need is an API to integrate it into the various versions of PasswordSafe (PC, iPhone and Android)…

Sam August 24, 2020 9:54 AM

What problem is this solving exactly? There are many problems across the entire crypto ecosystem, but “keys not being random enough” is pretty damn low on the list, and certainly not outweighed by sending your key through a computer-vision based web app.

Jolene R August 24, 2020 10:26 AM

Despite the current version of the DiceKeys app being hosted on the web, Schechter says that it’s designed so that no data ever leaves the user’s device.

So… we’re training users to just trust websites that ask for extremely sensitive data but claim it won’t be sent back? It wouldn’t be hard to give “special” behavior to certain IP addresses or user-agents. I see no signatures or hashes in the Javascript, which means we can’t easily tell people in dangerous countries what to expect—they get the security of the weakest of the several hundred certificate authorities. The author didn’t even bother with a long-term domain registration—it’s currently set to expire 9 months from now, and who knows what will be hosted there once they stop caring to renew it?

The general principle of using dice is sound. Personally, I’d go with paper as the storage mechanism. Easier to store (e.g. in a safety deposit box) and maybe hide/disguise. I don’t love the idea of every device needing to have the master secret to decrypt passwords, or of needing to trust the one with the camera (phones have way too much software; standalone cameras rarely encrypt, so it will be important to physically destroy the storage medium lest it eventually end up in a thrift store).

I feel it’s only a matter of time before malware starts attacking password management systems in a major way. I’m not aware of any with “interesting” key management features, and we might benefit from adding some. For example: per-device keys so I can choose which devices can decrypt; key-splitting schemes; something to export a session cookie so a secure device can log an insecure device into a service without sharing the password.

Bruce Schneier August 24, 2020 10:27 AM

@ Ari Trachtenberg:

“‘mathematically unguessable key’ – really Bruce? You know better than to taunt the hackers with hyperbolic language. If anything, the key is ‘practically unguessable’ – but mathematically, it is certainly guessable.”

I didn’t write that. It’s a quote from the Wired article.

greenup August 24, 2020 10:44 AM

@Q:

Stuff like this should only be in my head IMO. Then I get to decide if it ever gets revealed to someone else.

My head can’t contain enough provably random bits.
“split the key”;
roll the dice, use them, and apply a small transformation that your mind can remember.
Swap the upper left and lower right dice, or rotate one of them a quarter turn. (If your dice are captured, and Eve doesn’t know a transformation has been applied, they are effectively worthless, and if she does know that a transformation has been applied, she still has a tough problem.)

j.c. August 24, 2020 11:13 AM

With little more than a plastic contraption that looks a bit like a Boggle set and an accompanying web app to scan the resulting dice roll, DiceKeys creates a highly random, mathematically unguessable key.

Sounds like a good way to generate an “official” secret key for something centrally managed like DNSSEC.

It’s a bit like the cage they roll the numbered balls in at the bingo parlor. Everyone can see (and witness) that the balls are duly shaken up and rolled around in the cage before one is selected at random, and even verify as the game is played, that each numbered ball is present and called exactly once.

A basic die has six faces, which is not commensurate with powers of two, but perhaps a four-sided traditional Jewish “dreidel” could be used to generate exactly two bits of randomness with each roll.

Clive Robinson August 24, 2020 12:17 PM

@ ALL,

Has anyone done the math?[1]

25 six sided dice would give,

6^25 = 2.8430 x 10^19

which is nowhere near,

2^196 = 1.004 x 10^59

Even assuming you were allowing for face orientation you get,

(6×4)^25 = 24^25 = 3.2009 x 10^34

Now if you purchased three sets and numbered them you would get,

6^75 = 2.2979 x 10^58

Which is close but still not quite there.

[1] I’m kind of assuming in my very soggy state due to cloud burst in London, that I have. But… have both my body and brain been able to work the calculator on my mobile phone, and does that in turn do the math[2] 😉

[2] Hmm you are supposed to check your math :-S

So on the observation 2^10 = 1.025 x 10^3

2^196 is approximately,

2^6 = 64,
1.024^19 = 1.5692754338,
x 64 ~= 100,
19 x 3 = 57.

Thus 2^196 ~= 100 x 10^57 = 10^59
Which looks about right… I’ll let others do the others 😉

Bob Paddock August 24, 2020 12:34 PM

Might want to look at this long historical record of
predicting the outcomes of die rolls, in places like
the Journal of Parapsychology, Rhine Research Center,
Paranormal Association etc.

Then look at the documentation on influencing the outcome
of events from the LONG running experiments at
Princeton Engineering Anomalies Research (PEAR Lab) on
“Scientific Study of Consciousness-Related Physical Phenomena”.

The PEAR research has been moved to ICRL when the Princeton lab was closed.

http://pearlab.icrl.org

People in Parapsychology know their work will be scrutinized and attacked, so they are meticulous in the details and statistics.

If someone in Parapsychology showed the same statistics that were used to ‘prove’ the existence of the Higgs boson, they would have gotten their ass handed to them for a bad experiment and bad math.

There are MANY things that are not understood in the Universe. Ignoring and ridiculing them doesn’t make them go away. There is lots of research in such areas for those willing to look…

Clive Robinson August 24, 2020 12:38 PM

@ j.c.,

A basic die has six faces, which is not commensurate with powers of two

Not in the singular no…

But throw the dice twice that gives you a grid of 6×6 or 36 which is only a smidgen above 2^5.

So if you get 1:1, 1:6, 6:1, or 6:6 just throw the dice twice again to get your next five bits

It’s about the easiest way to get a long string of random bits with just pencil and paper.

The 36 grid square works almost as well for generating decimal or letter strings of unbound length, you just have to keep throwing properly until your wrist gives in…

The real problem is that as you get tired you will drop into not a proper throw but a small “cupped hand roll” which can become quite deterministic. The easy way around this is two dice of different colours in a “straight beer glass” with a beer mat over the top. Pick it up and shake it so the dice bounce from the bottom of the glass to the beer mat and back again three times then just look through the side of the glass to get the two values for the grid.
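The two-throw grid method from the comment above, written out as an added example that is not part of the original thread. The row-major numbering of the 32 kept cells and the function names are assumptions of this example, and the sample throws are constructed.

```python
"""Added example: the two-throw 6x6 grid turned into 5-bit groups."""
from itertools import product

# The four corner cells named in the comment are discarded and re-thrown.
REJECTED = {(1, 1), (1, 6), (6, 1), (6, 6)}

# Assumption: the comment does not say how the 32 kept cells map to bit
# patterns, so this example numbers them in row-major order.
CELL_TO_VALUE = {
    cell: value
    for value, cell in enumerate(
        c for c in product(range(1, 7), repeat=2) if c not in REJECTED
    )
}


def throws_to_bits(throws):
    """Convert a flat sequence of die throws (1..6) into a bit string.

    Throws are consumed in pairs. A rejected pair yields no bits, and a
    trailing unpaired throw is ignored.
    """
    bits = []
    for first, second in zip(throws[0::2], throws[1::2]):
        if not (1 <= first <= 6 and 1 <= second <= 6):
            raise ValueError(f"not a die face: {first}, {second}")
        value = CELL_TO_VALUE.get((first, second))
        if value is None:
            continue  # corner cell: throw the dice twice again
        bits.append(format(value, "05b"))
    return "".join(bits)


def is_uniform():
    """True if every 5-bit value is produced by exactly one grid cell.

    With fair dice all 36 cells are equally likely, so a one-to-one map
    from the 32 kept cells onto 0..31 gives unbiased output bits.
    """
    return sorted(CELL_TO_VALUE.values()) == list(range(32))


def expected_throws(n_bits):
    """Average number of single-die throws needed for n_bits of output."""
    groups = -(-n_bits // 5)            # ceiling division: 5 bits per pair
    accept = len(CELL_TO_VALUE) / 36    # 32 of the 36 cells are kept
    return groups * 2 / accept


# Constructed sample input, not real key material.
SAMPLE_THROWS = [3, 4, 1, 1, 6, 5, 2, 6, 5]

if __name__ == "__main__":
    print("bits from sample :", throws_to_bits(SAMPLE_THROWS))
    print("uniform mapping  :", is_uniform())
    print("throws for 192 b :", expected_throws(192))
```
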

David Leppik August 24, 2020 12:57 PM

Cute, but not very useful. If you don’t trust your system’s random number generator, you’ve got bigger problems than password generation—and you shouldn’t be trusting the computer vision JavaScript to (a) be local, and (b) convert the data into a password.

I do like the form factor, though. Unlike paper, it’s not easy to get lost or misplaced like a slip of paper and it’s easy to destroy.

Chelloveck August 24, 2020 1:11 PM

Very similar to the idea I came up with a while back to generate 192-bit keys using just shy of $2 worth of pennies and an old coffee can.

Curtis M August 24, 2020 1:40 PM

@Clive

If each die is unique, then the position of each die within the 5×5 grid is also a random factor. This multiplies the number of possibilities by an additional 25! (25 factorial), which gives about 2^198 possibilities.

RPN calculator trail for anyone who wants to verify:

     6
     4
   * 24
     25
   ^ 32009658644406818986777955348250624
     25
fact 15511210043330985984000000
   * 496508538648719564809316402287439226010265627463254016000000
     2
 log 198.305576127

Anders August 24, 2020 1:59 PM

What I hate is how they advertise this.

“Don’t let your own security lock you out
DiceKeys are backup security keys that prevent lockouts and make it easier to adopt stronger online security.”

No matter how securely you keep your keys or password this
doesn’t prevent lockouts. For example arrogant social media
companies make their own rules when and whether to lock
you up. Google, Facebook, etc they all decide whether to lock up
your account just when you change your browser or ISP.

I know the case when after IP address change (long time was
static then changed) GMAIL locked up the account although
valid password was known and asked security question that
was even never set up.

And then there are a lot of cases where Facebook thinks your name
is false, locks up your account and demands official government
issued photo ID.

Chelloveck August 24, 2020 2:07 PM

@Curtis: Yeah, the math checks out. I had to work through a toy example (4 coins of different colors) to prove to myself that the factorial term should really be there, but it’s right. The fact that it gives roughly 4 times as many permutations as needed is kind of handy, letting them treat all four orientations of the grid identically.

MarkH August 24, 2020 2:16 PM

@Clive:

I just wrote a careful derivation, with subscripts and superscripts … and as I was about to submit I saw that Curtis M beat me to the punch 🙂

I remark as a detail, that if the frame itself lacks an orientation marker (I haven’t looked at pictures), it could be oriented in any of 4 ways, reducing the effective total of unique outcomes to 2^196.


@TimH:

As I recently remarked on another thread, bias doesn’t reduce entropy nearly as much as my intuition would have led me to expect.

I computed examples of the percentage of entropy reduction for cubic dice, with preferred outcomes twice as likely as non-preferred:

  1. face loaded (bias toward 1 face) -2.4%
  2. edge loaded (bias toward 2 faces) -3.3%
  3. corner loaded (bias toward 3 faces) -3.2%

I don’t have experience with loaded dice, but I suspect that sufficient loading to yield such 2:1 biases might be readily detectable to people handling the dice.

Even in my worst case of edge loading, I compute that the system would still yield about 189 bits of entropy; the reduction of entropy caused by bias would presumably not have any practical security effect.

Note: If it seems surprising that edge loading is worse than corner loading, consider that the more faces are preferred, the more nearly the die approximates an unbiased one.

Clive Robinson August 24, 2020 2:38 PM

@ Curtis M, Chelloveck,

If each die is unique, then the position of each die within the 5×5 grid is also a random factor.

To a limited extent yes[1].

What I was going on was what was said in the video, that each dice had a letter[2] and a number and an orientation. But it did not mention position.

I guess I should have twigged from the “letter” as that implicitly gives position.

That said converting the permutation to a useful value by hand is not a game for the faint hearted.

[1] If you use the method shown in the video of just pour from the bag to pile them on top of the grid you do not get a random distribution. That is those at the bottom of the bag are more likely to end up furthest from the center. You can use a variation on Pascal’s triangle to work it out, but unless you are planning on doing the math for fun or “brownie points” etc I would not bother. Then of course as the operator has to “wiggle them in” in some way, they will add a bias to the face orientation just trying to get a dice into a grid position.

[2] To save people straining their eyes the missing letter is “Q” for the obvious OCR reasons I guess (in codes it’s generally the “J” which is not used in Latin or the “W” which can be easily replaced by “UU”).

Clive Robinson August 24, 2020 2:45 PM

@ MarkH,

I computed examples of the percentage of entropy reduction for cubic dice

I’ll bite 😉

What method did you use?

MarkH August 24, 2020 2:57 PM

@Chelloveck:

The can-of-pennies idea is perfectly reasonable. There’s no practical need to “toss” them: who could predict their orientation as they are extracted from the coffee can?

Using the paper coin rolls available from banks, and marking the sequence (and orientation) on the rolls, the key could be stored very inconspicuously, and retrieved whenever needed.

How likely are searchers to recognize coin rolls as critical data?

You’d save the cost of DiceKeys (whatever that might be), and avoid the obvious security vulnerabilities of using a phone and the conversion code.

However, you might consume half an hour to do the job carefully, and tie up $2 of your net worth.

PS I was wondering about the idiosyncratic transliteration of человек, but after a web search I’m guessing it comes from Tony Burgess 🙂

MarkH August 24, 2020 3:28 PM

@Clive:

What method did you use?

Being a veteran copy-and-paste engineer, I slavishly followed the formula in section 6 of Shannon’s 1948 paper[1], which expresses entropy as the summation of

-p * log(p)

over the set of possible distinct outcomes, where p is the probability of the specific outcome.

I use log2 in order to obtain entropy in bits.

For the example of a face-loaded die with 2:1 bias, I take the probability of getting the preferred face as 2/7, and each of the other five faces as 1/7.

Of course, real-world loading wouldn’t be expected to yield binary probabilities; it’s just a crude model for estimation purposes[2].

Here’s raw output from my 9-line program:

2.584962501 bits (fair die)
2.521640636 bits (face loaded)
2.5 bits (edge loaded)
2.503258335 bits (corner loaded)

I think this is correct, but with my poor sleep anything is possible.

[1] I got it from the horse’s mouth … you may consider my renditions as the opposite orifice 😉

[2] Just for fun, I ran a more continuous face loading with the preferred face as three times as likely as the opposing face, and the other four twice as likely as the opposing face (or 2/3 as likely as the favored face). The entropy came out at 2.522 bits, practically identical to my cruder model. But if the preferred face is four times as likely as its opposite, and twice as likely as the other four, the entropy drops to 2.47 bits — a 4.4% entropy reduction. Anyway, I guess that such a die might “feel odd” to a person who rolled it around in the palm for a few seconds …
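The outcome count from Curtis M’s comment and the Shannon-entropy calculation described in the comment above, reproduced as an added example (this is not MarkH’s 9-line program, which the thread does not show). The function names, the weight-list encoding of the loading models and the `whole_key` pessimistic bound are assumptions of this example.

```python
"""Added example: DiceKeys outcome counts and Shannon entropy of loaded dice."""
import math

DICE = 25          # dice in the 5x5 frame
FACES = 6          # faces per die
ORIENTATIONS = 4   # quarter-turn rotations of a die in its slot


def keyspace_bits(orientation=True, position=True, frame_marker=True):
    """log2 of the number of distinguishable outcomes under each assumption."""
    per_die = FACES * (ORIENTATIONS if orientation else 1)
    outcomes = per_die ** DICE
    if position:
        outcomes *= math.factorial(DICE)   # each die carries a unique letter
    if not frame_marker:
        if not position:
            raise ValueError("dividing by 4 is exact only for distinct dice")
        outcomes //= 4                     # four frame rotations look alike
    return math.log2(outcomes)


def shannon_bits(weights):
    """Entropy in bits of one throw: sum of -p * log2(p) over the faces."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w)


# Relative face weights. The first four are the 2:1 models from the thread,
# the last two are the graded models from footnote [2].
LOADING_MODELS = {
    "fair": [1, 1, 1, 1, 1, 1],
    "face loaded": [2, 1, 1, 1, 1, 1],
    "edge loaded": [2, 2, 1, 1, 1, 1],
    "corner loaded": [2, 2, 2, 1, 1, 1],
    "graded 3:2:1": [3, 2, 2, 2, 2, 1],
    "graded 4:2:1": [4, 2, 2, 2, 2, 1],
}


def entropy_loss_percent(weights):
    """Percentage of a fair die's entropy lost to the given loading."""
    return 100 * (1 - shannon_bits(weights) / math.log2(FACES))


def biased_key_bits(weights, total_bits, whole_key=False):
    """Entropy left in the key when every die is loaded the same way.

    whole_key=False: only the face-value share (25 * log2 6) shrinks.
    whole_key=True: assumption of this example, a pessimistic bound that
    scales the entire total by the per-die ratio.
    """
    ratio = shannon_bits(weights) / math.log2(FACES)
    if whole_key:
        return total_bits * ratio
    return total_bits - DICE * math.log2(FACES) * (1 - ratio)


if __name__ == "__main__":
    print(f"6^25             : {keyspace_bits(False, False):8.3f} bits")
    print(f"24^25            : {keyspace_bits(True, False):8.3f} bits")
    print(f"24^25 * 25!      : {keyspace_bits():8.3f} bits")
    unmarked = keyspace_bits(frame_marker=False)
    print(f"24^25 * 25! / 4  : {unmarked:8.3f} bits")
    for name, weights in LOADING_MODELS.items():
        print(f"{name:14s} {shannon_bits(weights):.9f} bits/die, "
              f"-{entropy_loss_percent(weights):.1f}%, "
              f"key {biased_key_bits(weights, unmarked):.1f} to "
              f"{biased_key_bits(weights, unmarked, whole_key=True):.1f} bits")
```
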

name.withheld.for.obvious.reasons August 24, 2020 3:28 PM

Didn’t think I’d be in on this one but I was wrong, bet on snake eyes and rolled box cars instead. Chew, chew.

@ Bob Paddock

I worked with a fellow at Cambridge, Gordon Read, one of the last rounds of actual testing and analysis whilst the project was still at Princeton. Drafted a design specification for a new testing environment that answered some of the inherent problems in the PEAR sensor/test/statistically modeling. Took me nearly three months just to sell it, one day at the faculty cafeteria he found that it might be a direction to head. Haven’t seen him for ages, did have a slight falling out as I called him on some EM research and data structuring and analysis–I said that the existing work didn’t quite have the rigor one might expect of an empirical study and suggested that at best it was inconclusive. Needless to say, three days past before we spoke again.

Background is important, there were some legitimate elements to the suggested research but there were deficiencies in the test construction, data sampling, anomalistic correlation, error or precision analysis. The basic work pointed to the direction, just didn’t seem to have scope necessary to pull some things out…

Don’t know what happened after the Princeton shutdown, my guess is that the work had hit a wall. It migrated to Italy at some point in time, about 2004.

Anything that attempts to resolve some deterministic element from a non-deterministic system is going to have challenges. There is an element in the dice formed electronically that is quite different from physical expressions of the same dice–cause they’re not the same.

vas pup August 24, 2020 3:33 PM

@Bruce: how about breaking it by powerful supercomputers (quantum in particular) which are in possession of government and/or computer moguls?

MarkH August 24, 2020 4:02 PM

@Bob Paddock:

I took a look at the linked site, and my eyes soon alit on the phrase:

“intangible physical mechanisms”

Say WHAT?

  1. As I showed above, even a pretty big bias wouldn’t impair the practicality (such as it is) of DiceKeys.
  2. The claimed effects reported by PEAR, at several parts per ten thousand, would have too small an effect on net entropy to be measured by any practical means.
  3. As Carl Sagan liked to say, extraordinary claims require extraordinary evidence.
  4. Physicist Robert L. Park, who has specialized in the debunking of pseudoscience, observes that a common characteristic of pseudoscientific claims is the small magnitude of reported effects. Small effects don’t prove that the science is invalid, but they surely open the door to a plethora of unnoticed errors.
  5. By definition, pseudoscience looks like science (at least, at sufficient remove) … but it ain’t.


For an impressive example of authentic science at work, cosmologists set out (decades ago now) to look for inhomogeneity of the cosmic background radiation. They knew that effects they were looking for would be small in magnitude.

A group of experimental scientists built a pair of detectors, with a fixed angle between them, to be flown in a high-altitude jet. This would enable them to compare readings from different parts of the sky, and over a large number of flights, to construct a cosmic background map.

The team wrote that they identified more than sixty mechanisms which could cause errors in the readings from their instrumentation, and developed techniques to correct or compensate for each one of them.

My extra-sensory precognition tells me that when psychic research is conducted at that level of rigor, and yields results beyond the estimated experimental error, plenty of scientists will sit up and take notice.

Until then, my presumption is “confirmation bias run riot” until proven otherwise.

Peter August 24, 2020 4:07 PM

I worry about dice rolling as a method of generating entropy, since people are likely to be tempted to “fix” rolls. People are extremely good at spotting sequences, matching digits, and many other “patterns” in random data. A person who sees these patterns will often adjust dice to remove them, generating a key that looks more random to them, but has much less entropy than one that they had no hand in.

Jon August 24, 2020 4:16 PM

And there’s a picture of your ‘secret key’ on your smartphone

This is not ‘secure offline storage’. Jon(s)MayNotKnowMuchButThisOneAtLeastKnowsThatIsABadIdea.

Jon August 24, 2020 4:30 PM

@ On binary dice:

Just roll on down to your local game shop, they’ll cheerfully sell you many differently shaped dice. The only common other binary one is eight-sided (3 bits!), but there’s many more. J.

Ismar August 24, 2020 6:20 PM

A step in the right direction as it gives a way of generating highly random sequences accompanied by the long term too complex to remember in most human brains.
The Achilles heel of the system- using of the image recognition software can be overcome by expanding the plastic box with a bit of electronic circuitry which would be able to derive the key from the position and orientation of the locked in dice.
The circuitry must not have any means of communication to the outside world apart from a simple display to show the master key if and when required.
The version 2 of this device can even have a physical lock on the box itself and tamper proof mechanisms.

Clive Robinson August 24, 2020 6:29 PM

@ Peter, Charles,

I worry about dice rolling as a method of generating entropy, since people are likely to be tempted to “fix” rolls.

They will and it’s not just rolls either, they will happily rearrange the word order in a Diceware pass phrase to make it easier to remember.

@ ALL,

Humans have not just failings but faults and laziness as well. Almost invariably users take an adversarial approach to how they approach the use of “security”.

Thus users will be “inventive” in a detrimental way, especially with the likes of authentication systems.

When you think about it nearly all our security systems are based at the root on “unpredictability”. Thus passwords and passphrases must be “unguessable” which is just another way to say “unpredictable” or some definition of “random looking”

Unpredictable is something most humans can not tolerate in even small amounts most brains are not wired for it. Hence the saying “creature of habit”. So your average user who thinks they are smart[1] will come up with a “system” to make their life that little bit easier. Which is usually so obvious that it’s in somebody’s list of password types to brute force.

As after more than six decades we have still not come up with anything humans will be comfortable with… Then as security designers we have to bite the bullet and realise that,

1, There is no brain friendly system.
2, A percentage of users will cheat.

So… not only do we have to design a system to a certain security level, we actually have to go above and beyond that, because of those “smart users”[1] and their systems…

Which is why “token based authentication” is becoming more and more prevalent as our “monkey brains” have been beaten by fast hard drives and graphics co-processor cards in an ever widening gap we will never close…

[1] You know the type, wears a suit but chews their toe nails 😉

echo August 24, 2020 6:44 PM

Everyone getting excited about the maths and the paranormal and being Hercule Poirot? I still think it’s “too much interception and eco-waste and bitrot waiting to happen.”

Plus it’s all just more American marketing to get you to buy into their ecosystem so shifting attention, go-to defaults, and ramming more stuff down your throat you don’t need to buy because, hey, Dollars. Everyone including the “hierarchy” of Wired and Slashdot and Forbes and all the hangers on are extracting their value as the story passed along. Eyeballs impressed. Marketing databases updated. Unseen and unblinking machines analyse. Stock market values ripple. Dollar value calculated. And then that same Dollar used to beat and threaten you via the international financial system.

So basically no. I haven’t heard one single reason why I should buy into this product so still not interested.

echo August 24, 2020 6:59 PM

@Clive

So… not only do we have to design a system to a certain security level, we actually have to go above and beyond that, because of those “smart users”[1] and their systems…

I respectfully disagree. Without going into all the ins and outs a system only needs to be so secure. Not everyone needs the expensive “duck and roll” blah-de-blah fifty document each being three thousand pages long system. They just don’t. When professional conceit starts kicking in because you assume you are “more clever” than “dumb” users you begin to create other problems including over-engineered and paranoid systems which offload costs. This is no different from the dumb gold plated Whitehall crap which perpetuates “take a perfect sphere and roll it in a straight line” authoritarianism which treats the end user like a criminal and adds unreasonable undue burdens up and beyond the point where the system does the complete opposite of what was intended.

Sometimes a lock is just a lock..

Sometimes a crosscut shredder and bonfire is just a cross cut shredder and bonfire.

Sometimes the entropy generated is entropy generated.

“The more you know the less you carry.”

Jesse Thompson August 24, 2020 7:01 PM

@Charles

https://en.wikipedia.org/wiki/Diceware

Took the words right out of my mouth. This app just sounds like somebody trying to sex up and repackage Diceware to a smartphone-addicted audience.


@greenup

My head can’t contain enough provably random bits.

I’d imagine mnemonics could help here. Many people have memorized the lyrics to tons of different songs. Some have memorized the entire transcripts of movies like Holy Grail, Princess Bride, or Breakfast Club. I feel like Neil Cicierega/Lemon Demon’s Word Disassociation has relatively higher entropy lyrics than much of the grammatically correct English language does, but I’ve memorized that just fine myself (along with many hundred other songs).

Without any rhyme or meter I keep about a dozen different 4-6 word long passphrases (equiprobable choices between a pile of roughly 3000 words) in my noodle quite comfortably. If my math is correct that’s over 600 bits of entropy right there.

So I’ll bet you could handle 200 bits when packaged/encoded in a friendly enough fashion. 🙂

echo August 24, 2020 8:10 PM

@JesseThompson

Took the words right out of my mouth. This app just sounds like somebody trying to sex up and repackage Diceware to a smartphone-addicted audience.

Pretty much and Diceware isn’t all it’s cracked up to be and in some cases a complete waste of time on top of itself being a pseudo-clever piece of marketing.

Without any rhyme or meter I keep about a dozen different 4-6 word long passphrases (equiprobable choices between a pile of roughly 3000 words) in my noodle quite comfortably. If my math is correct that’s over 600 bits of entropy right there.

So I’ll bet you could handle 200 bits when packaged/encoded in a friendly enough fashion. 🙂

Yes there’s this and other offline ways adequate to the problem. No need for chiselled men with gimlet eyes and multi-layered multi-jurisdictional “duck and roll” OTP systems. I usually find being a total assclown is enough. Good luck finding my password if I can remember where to find it.

Dave August 24, 2020 9:45 PM

@Sam: My thoughts exactly. It’s a cute gimmick that solves no identifiable problem. I’ve got hexadecimal dice that some vendor was giving away at the RSA conference years ago that do the same thing as this. Never used them.

Dave August 24, 2020 9:53 PM

@MikeA: “I do like your dreidel idea, although I’d want to source/make my own dreidel”.

I’ve got a much better source, I just use Trump tweets and interview comments as my entropy source. I’m getting close to 128 bits of pure entropy from each statement he makes. Feed it into a strong seeded extractor and bingo, done.

Jon August 25, 2020 2:38 AM

Throwing dice into a rack and locking them in there is a good way of doing two things:

a) generating a high-entropy key and
b) keeping it for re-creation later.

But like all encryption, the problems are in the implementation, not the fundamental mathematics. Generating good keys is not that hard. Storing them is trivial. Re-using them is a bad idea.

The fact that in order to use this you need to have a picture of the “Secret” key on your phone is a colossal attack surface – if they can get to your phone’s pictures, they don’t need to get anywhere near your house. Even if you have deleted the picture, if they can just refuse to accept your key, claiming it’s damaged, they can make you take another picture – and now it’s theirs.

J.

weather August 25, 2020 3:31 AM

@Bruce s
Did you run the dice pattern through the program I wrote, did in 2011 you run it through keeck salsa etc, what did you workout?

Peter A. August 25, 2020 4:47 AM

I do not get it – are you supposed to just keep this blue box of dice around you whenever you need to open your password manager or access any other system? And you need a separate set for every important secret? Not so handy, to put it mildly. A slip of paper in your wallet is better.

I’d rather use the $25 gadget as a method to generate multiple passwords for not-so-valuable resources. But is it any better than my /dev/random for this purpose?

Clive Robinson August 25, 2020 5:07 AM

@ Dave,

I’ve got hexadecimal dice that some vendor was giving away at the RSA conference years ago that do the same thing as this. Never used them.

Well if life gives you lemons…

Drill a hole through a pair of them attach an ornate bit of “dangle” and some earring loops.

Then give them to your favourite squeeze whilst gently singing “I’ve put a hex on you” 😉

Clive Robinson August 25, 2020 5:20 AM

@ Peter A.,

I do not get it – are you supposed to just keep this blue box of dice around you whenever you need to open your password manager or access any other system?

It’s for a “root of trust seed/secret”.

That all your other secrets are generated from. So think of it as a “master key” “from which all other keys are generated”. Thus you can if need be recreate any and all lost keys (personally I think it’s a bad idea as there are other ways to do the same thing with less risk).

So yes you do need to keep it around “just in case” but obviously you should keep it very secure.

So as the old joke has it,

    Lock it in a safe, weld the door shut, encase it in several tons of reinforced concrete and drop it over the side of a ship at the deepest point in the ocean.
    But… Just to be sure make a hundred other such blocks of concrete and drop them on top to ensure that little extra bit of security.

So yes for most people it is a gimmick or toy, something you can put on the coffee table for guests to see and their children to play with.

echo August 25, 2020 6:15 AM

So basically Dicekey is a novelty item like fat middle-aged MBAs playing Airsoft?

That wasn’t too snarky was it? I get really snarky when I’m bored.

FA August 25, 2020 6:39 AM

@clive

    If you use the method shown in the video of just pour from the bag to pile them on top of the grid you do not get a random distribution.

Doesn’t matter if the distribution in the bag was random. Just shake it before.

Also ‘wiggling the cubes in place’ can be done with your eyes closed, to avoid bias.

The weak point of this thing is IMHO that since it’s advertised as a key storage system, it’s all too obvious what it is when e.g. your home is searched. There are many simple ways to avoid this, and to ensure that the key is destroyed when not handled correctly. I once used a string of colored plastic beads to encode a secret key. It’s easy to arrange that the string breaks or the beads fall off when not handled carefully. There are many variations on this theme.

echo August 25, 2020 7:50 AM

@FA

    The weak point of this thing is IMHO that since it’s advertised as a key storage system, it’s all too obvious what it is when e.g. your home is searched. There are many simple ways to avoid this, and to ensure that the key is destroyed when not handled correctly. I once used a string of colored plastic beads to encode a secret key. It’s easy to arrange that the string breaks or the beads fall off when not handled carefully. There are many variations on this theme.

Nobody says a key needs to be stored in one place or one form either. That will keep them busy. lol

M.V. August 25, 2020 8:07 AM

@M.V.

Second thought: I am wrong.

Without lettering it would be 24^25 possibilities.
The letter arrangement is on top of that.

log2(25! * 24^25) = 198.3 bits

metaschima August 25, 2020 8:17 AM

Hello Mr. Bruce. I’d like to humbly suggest a few tweaks from my research into physical RNGs.

  1. The dice must be thrown on a larger field not directly into a box.
  2. The dice should be casino dice with greatly decreased manufacturing bias.
  3. It would be better to use a cup instead of a bag.
  4. Specific advice should be given to remove all electronics from the room.

Why?

  1. The randomness in dice throws comes from the chaos like effect of the dice that is started by the thrower. Throwing the dice into a confined space reduces this effect by confining the range of possibilities and thus lowering randomness.
  2. Dice manufactured by regular injection molding have typically a reasonably high amount of bias. Casino dice are carefully machined and have low bias, much lower than regular injection mold dice such as the ones that are currently being used for this project. Note that when using casino dice it would be best that they be used on a carpeted-like surface such as a baccarat table as this helps to grip the edges of the dice and increases the chaos-like effect and leads to improved randomness.

  3. Although a bag is decent at protecting the initial state of the dice from observation, it would be better to use a cup as this will allow greater mobility of the dice within the cup and better randomization of the initial state of the dice.

  4. It goes without saying that observing any part of the dice throwing process or the initial state of the dice could compromise the security of this random number generator. As many of the articles you have posted have shown even recording the audio in a room where the dice are being thrown could be a threat.

Otherwise, I think it is a great project, I have been thinking about similar schemes for a long time but have never been able to produce something workable, so this is excellent news for me.

Impossibly Stupid August 25, 2020 10:20 AM

@greenup

    roll the dice, use them, and apply a small transformation that your mind can remember

Over two years ago I developed a scramble sheet concept based on that approach. The dice mechanism is then essentially superfluous, though, given that modern devices have quality sources of entropy rather than relying on just pseudorandom generators.

@Jesse Thompson

    So I’ll bet you could handle 200 bits when packaged/encoded in a friendly enough fashion.

Another tool I wrote years ago was to encode 40 bits of location data using everyday words. One of the unique-AFAIK things I did in my approach was to make it possible to pick the words used to make it more memorable (e.g., the Statue of Liberty was encoded as bathe powder + track shut by default, but one other way the same location could be encoded is mass trip voyage + she country success diamond). If I had the time, I’m sure I could do something similar to generate memorable sentences that contain well over 200 bits.

ajay August 25, 2020 11:40 AM

“The can-of-pennies idea is perfectly reasonable. There’s no practical need to “toss” them: who could predict their orientation as they are extracted from the coffee can? Using the paper coin rolls available from banks, and marking the sequence (and orientation) on the rolls, the key could be stored very inconspicuously, and retrieved whenever needed.”

Or (cribbing from Cryptonomicon here) a pack of cards. Even less conspicuous than a paper coin roll, lighter and easy to carry. And a pack of cards can be in 52! different configurations – you would need a very large roll of pennies indeed to store that much information.

Both, of course, are far less conspicuous than a custom-made Boggle set with no other known function.

The advantage of DiceKeys, I suppose, is that it reads the dice automatically – a human entering a list of 100 heads or tails is going to make a mistake.

MarkH August 25, 2020 11:48 AM

@metaschima:

Please see my comments above; unless the dice are grossly imbalanced, the likely effect of bias on the resulting entropy will be too small to have any practical security effect.

For an illustration of the relative insensitivity of entropy to small magnitudes of bias, please see Figure 7 of “A Mathematical Theory of Communication” by C. E. Shannon.

It will be interesting to see what manufacturing controls DiceKeys will place on die bias. I don’t think it’s an unmanageable problem. LEGO brand toy bricks are injection molded to tolerances on the order of 0.01 mm.


In my long experience of engineering work, I’ve concluded that one of the most frequent mistakes made by engineers is optimization: people put enormous effort and complication into optimizing the wrong parameters, without understanding the role they play in the desired performance level.

During the Cold War, Western observers who had the opportunity to examine Soviet combat aircraft observed that superficially, they looked comparatively rough and crude, BUT had excellent tolerances and finishes on the critical surfaces (most of the skin of an airplane has practically no effect on aerodynamic characteristics).

In contrast, U.S. combat aircraft were “gold plated”: every part was made to exacting standards, whether or not the added cost had a practical benefit.

metaschima August 25, 2020 2:00 PM

@MarkH

I have read your posts here. I do agree that you could go with injection mold dice and the bias wouldn’t have a huge impact on the resulting entropy. But there’s more to consider. Casino dice are transparent, and you would get the added benefit of knowing that nobody has tampered with your dice while you were away, nor a three letter agency intercepted your dice before you get them in the mail and significantly bias them for their own ends, they would if they cared to. The other thing that I think would warrant the extra investment is that you’re probably using the dice because you want extremely high level of entropy that is not known to anyone but you, so for generating master keys and such. You want unbiased key generation. Depending on how you use the key you could leak information about the key, and if for some reason the key is compromised, bias in the key could potentially be detected and used to predict or weaken future keys generated the same way.

In conclusion, sure since the bias is not that huge you could get away with cheaper manufacturing techniques, but I would personally want casino dice for my set. Or you could come to a compromise, reduce bias within reason by injection mold and make the dice transparent.

Still Ticking August 25, 2020 2:42 PM

Back in the 1980’s I used five octal dice to generate DES keys for satellite-data-link encryption. 5d8 would give you 15 bits (subtract 1 from the number on the face to get 0-7 rather than 1-8), roll the set 4 times to get 60 bits, convert octal to hexadecimal with Unix dc(1) { 16 o 8 i NNNNNNNNNNNNNNNNNNNN p }, discard one trailing hex digit (4 bits) and use remaining 14 hex digits (left-pad with zeroes if necessary) as a 56-bit key.

I bequeathed those dice to my successor when I left the firm, so I don’t know where they finally ended up.
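The dice-to-key steps in the comment above, as an added Python example (not the commenter's code). It goes one step beyond the comment by also expanding the 56 key bits to the 8-byte, odd-parity form most DES libraries expect; the function names are made up for illustration.

```python
import secrets

DICE_PER_ROLL = 5   # five octal (d8) dice, 3 bits each
ROLLS = 4           # the set is rolled four times: 20 digits, 60 bits


def des_key_from_octal_dice(faces):
    """Return the 56-bit key as 14 hex digits from 20 d8 faces (1-8)."""
    faces = list(faces)
    needed = DICE_PER_ROLL * ROLLS
    if len(faces) != needed:
        raise ValueError(f"need {needed} face values, got {len(faces)}")
    value = 0
    for face in faces:
        if type(face) is not int or not 1 <= face <= 8:
            raise ValueError(f"not a d8 face: {face!r}")
        # Subtract 1 so faces 1-8 become octal digits 0-7, then append
        # the digit's three bits to the running 60-bit number.
        value = (value << 3) | (face - 1)
    # 60 bits are 15 hex digits; discarding the trailing hex digit is a
    # right shift by 4. The "014x" format does the left-padding that
    # dc's output would need when the first faces rolled are low.
    return format(value >> 4, "014x")


def with_odd_parity(key_hex):
    """Expand 14 hex digits (56 bits) to 8 DES key bytes with odd parity."""
    if len(key_hex) != 14:
        raise ValueError("expected 14 hex digits")
    key = int(key_hex, 16)
    out = bytearray()
    for i in range(8):
        seven = (key >> (7 * (7 - i))) & 0x7F   # next 7 key bits
        byte = seven << 1                       # low bit is the parity bit
        if bin(byte).count("1") % 2 == 0:
            byte |= 1                           # force an odd number of 1s
        out.append(byte)
    return bytes(out)


def simulated_roll():
    """Stand-in for physical dice so the example runs on its own."""
    return [secrets.randbelow(8) + 1 for _ in range(DICE_PER_ROLL * ROLLS)]


if __name__ == "__main__":
    faces = simulated_roll()                    # constructed sample input
    key_hex = des_key_from_octal_dice(faces)
    print("faces :", faces)
    print("key   :", key_hex)
    print("parity:", with_odd_parity(key_hex).hex())
```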

Singular Nodals August 25, 2020 7:00 PM

I don’t know, the boxed assemblage looks a bit too hexagrams of the Classic of Changes for me.

  1. en.m.wikipedia.org/wiki/I_Ching

Pseudosong Generator August 25, 2020 11:30 PM

With apologies to The Yardbirds

Box Full of Dice

Can’t recall the password, deep in dark despair
When you want to decrypt, tell me where is it where ?
If the key negates that entropy suffice
Just enter my hash code, picture’s on my device

And I know, I can’t ever lose this password, I will never not log in

I’ve got a bo-o-ox, bo-o-ox full of dice
I’ve got a bo-o-ox full of dice

  1. http://www.youtube.com/watch?v=LUkd9iAtVh8

Q August 30, 2020 12:44 AM

If we buy 100 normal 6-sided dice and put them into a 10×10 holder then we can get a 256-bit key: log2(6^100 / 4) ~= 256.5 bits.

If we use those cheap small dice, which cost very little, then the physical size would be about the same, probably a bit thinner.

And to use them we don’t have to use a special web-based app, delivered from an untrustworthy website, in an insecure phone. We could enter the 100 base-6 digits manually if needed, starting at the lowest numbered corner.

But even so, this whole idea isn’t really solving anything. Always keep your password(s) in your head. They might have a little bit less entropy, but they will have the highest possible secrecy.

Me August 31, 2020 8:53 AM

What advantage does this offer over say a deck of cards?

I am fairly certain it has less total randomness (8×10^66 vs 1×10^59), and is conspicuous (anyone looking at it will be able to discover its purpose via Google). I suppose this does address the issue of accidental re-randomizing if your kids get a hold of it, but then again, not really?

The app/picture thing is convenient, but does require an additional level of trust.

Dane August 31, 2020 4:46 PM

@Me – I agree. A deck of cards is a great deal more inconspicuous, and grants a far larger amount of entropy. (52! vs 25!(4^25)(6^25))

Plus, I could easily just type up the deck order (“Ace of Spades, 2 of Hearts, King of Diamonds, …” would be “AS2HKD…” or whatever) and use a standard hashing algorithm to produce a key.

No app needed. No trusting some random third party.
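A sketch of the typed-deck approach described in the comment above, as an added Python example (not the commenter's code). It assumes "T" stands for ten and uses SHA-256 as the "standard hashing algorithm"; the function names are illustrative. The parser rejects anything that is not a full 52-card permutation, so a single typing slip fails loudly instead of silently producing a different key.

```python
import hashlib

RANKS = "A23456789TJQK"   # assumption: "T" stands for ten
SUITS = "SHDC"            # Spades, Hearts, Diamonds, Clubs
FULL_DECK = {r + s for r in RANKS for s in SUITS}


def parse_deck(text):
    """Return the 52 two-character cards, or raise ValueError on a typo."""
    text = "".join(text.split()).upper()      # ignore spacing and case
    if len(text) != 2 * len(FULL_DECK):
        raise ValueError(f"expected 104 characters, got {len(text)}")
    cards = [text[i:i + 2] for i in range(0, len(text), 2)]
    seen = set()
    for position, card in enumerate(cards, start=1):
        if card not in FULL_DECK:
            raise ValueError(f"card {position}: {card!r} is not a card")
        if card in seen:
            raise ValueError(f"card {position}: {card!r} appears twice")
        seen.add(card)
    return cards


def key_from_deck(text):
    """Hash the canonical (upper-case, unspaced) deck order to 32 bytes."""
    canonical = "".join(parse_deck(text))
    return hashlib.sha256(canonical.encode("ascii")).digest()


if __name__ == "__main__":
    # Constructed sample: a factory-ordered deck, which is NOT a secret.
    sample = " ".join(r + s for s in SUITS for r in RANKS)
    print(key_from_deck(sample).hex())
```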

Singular Nodals September 1, 2020 2:51 AM

Or, one could take one dodecahedron and one icosahedron (numbered faces all) and roll them together 25 times for

log (240^25)/log (2) ~= 197 bits of entropy.

Or, have a box with two 5×5 cavities and scrabble 25 dodecahedra in one and 25 icosahedra in the other, etc.

I like it !

Singular Nodals September 1, 2020 3:08 AM

And the box could be decorated with a specially modified version of Dürer’s Melancholia [1] engraved on the top

  1. en.wikipedia.org/wiki/Melencolia_I#

MarkH September 2, 2020 6:31 AM

Hopefully not going too far, in adding to the list of comparable alternatives for the dual roles of generating and storing an unpredictable number:


Interlocking (“Jigsaw”) Puzzle

a. Thoroughly scramble the pieces.

b. Dump them on a table.

c. Flip as many as necessary, so all pieces are face down.

d. “Square up” each of the pieces to the table top [typically, it’s easy to orient each piece so its axes would be nearly parallel to one of a rectangular puzzle’s straight sides].

e. Place a single mark on as many pieces as necessary, to indicate which edge is nearest a chosen edge of the table top.

f. Assemble the puzzle.

Now, inspection of the puzzle’s reverse (image-free) side will reveal 2 bits from the orientation of the marks added in step (e) above.

An interesting attribute of this system, is that the puzzle can be left assembled (placed in a nice display frame, for example), or disassembled and returned to its box, from which it can be reassembled when needed.


LEGO Wall

a. Gather a suitable group of pieces (for example, bricks with 2X2 knobs).

b. Scramble the collection of bricks.

c. Build a “wall,” one row at a time. Some means must be provided for distinguishing its two ends, by color or geometry. Use other dimension bricks as needed to fill out the construction.

d. As each row is completed, “read it out” by noting the orientation of the brand logo on the knobs of each brick. This will yield 2 bits per brick.

This key storage mechanism can only be re-read by disassembly, which must be done with a degree of care if the key is not to be destroyed in the process.


For either of the above systems, a few extra “symbols” (puzzle pieces marked after assembly, or bricks deliberately oriented after read-out) could be placed in each row as redundant check symbols to make the read-out process more robust.

Either or both systems could be highly inconspicuous depending on the environment, and have modest material costs.

Singular Nodals September 2, 2020 11:18 AM

Re: polyhedral dice

And, the dodecahedron and icosahedron are dual polyhedra ! How cool is that ?

Singular Nodals September 2, 2020 11:28 AM

@MarkH

How big a puzzle and how many marked pieces would give the canonical 196 bits ? I can’t claim to understand the orientation refinements you give, but just randomly selecting (i.e. marking) 31 pieces from a puzzle with 1000 distinct pieces gives around 196 bits, using one of the online combinations calculators

MarkH September 2, 2020 12:36 PM

@Singular:

Imagine that on the tabletop, each face-down puzzle piece is marked with an arrow pointing, say, toward the front door of the building.

When the puzzle is finished, individual arrows may point toward any of the 4 straight sides, so each mark encodes 2 bits.

In a 200 piece puzzle, there are 56 pieces with at least one straight side; if all 144 of the no-straight-side pieces are marked, you get 288 bits.

They could be read row by row, with no need for combinatorics.

Singular Nodals September 2, 2020 2:07 PM

@MarkH

Re: arrow

Thanks. If I understand correctly, the pieces in their assembled “canonical” positions are regarded as each divided into quadrants, and the marking of the pieces in the pile is a random selection for each piece of a quadrant. I hadn’t grasped how the orientation was being used.

I suppose you could use division into 2 or 3 (or 5 or more though not as practical) sectors etc. in the same way.

MarkH September 3, 2020 5:28 AM

@Singular Nodals:

I’m still not feeling confident that I’ve communicated clearly.

What I was imagining is pretty simple, because I’m allergic to complexity. Imagine that each puzzle piece were (or contained) a permanent magnet, “squared up” in the sense I mentioned above.

In the assembled puzzle, each piece would have its magnetic north side facing toward one of the puzzle’s 4 straight sides. Each piece functions as a unit, without any need for division into sections.


I don’t suppose that actual magnets would be suitable, so I propose a marking to serve the same purpose. The easiest would be a dot (or other visible marking) near only one of the piece’s 4 sides.

The side carrying the marking would be the “north pole” of that piece.

I suppose that when the pieces are first mixed up and then placed face-down, their orientations have no correlation to their assembled orientation. However, some care and thoroughness in scrambling/shaking/mixing would be needed to keep it near enough to random.

Singular Nodals September 3, 2020 11:29 AM

@MarkH

Re: communication

I am pretty sure we are on the same page. I only dragged in conceptually dividing each piece into quadrants because all the jigsaw puzzles I have seen have pieces so irregular that I couldn’t otherwise see how to regard the pieces as having four sides.

Singular Nodals September 3, 2020 1:35 PM

‘The biggest problem with a 120-sided die is not its size, or its weight, or even its price. The biggest problem with a 120-sided die is no one knows what to do with it, a fact not lost on the people who created it. “We were a little concerned to make this because it’s so expensive and there’s no real use for it,” says Robert Fathauer.’

http://www.wired.com/2016/05/mathematical-challenge-of-designing-the-worlds-most-complex-120-sided-dice/

NOW we know what to do with it … muah-ha-ha-ha ….

Jeff September 19, 2020 7:35 AM

I think there is a bit of overthinking here. If one lives in a regular society and has a relatively normal life, then one might not expect to resist the attentions of a powerful government agency or who ever else has high level resources. You can expect that your house will be secure enough because someone wishing to steal from you online won’t also have access to your home. At least not yet (movie idea!!).

I never remember the title until I google it, but there’s a great xkcd comic (“Security”) about this overthinking. I played enough dice games in my youth to appreciate that even cheap injection molded dice like the ones that used to come in basic D&D boxed sets are unpredictable and fickle!

The criticisms around the implementation are quite valid, the current setup includes a proprietary app though it is possible that an iOS app could be trusted if I had faith in the app review process and in the security of my phone. And if the app’s code could be public (and verified by Apple let’s say) then that’d be great. As a civilian I don’t have exotic security requirements! Yet.

I ordered a set mainly because I want to experiment with using a second factor device like a yubikey (I was given a yubikey and I’ve never used it because it’s not yet there in terms of my primary platform iOS). It’s a neat idea, and yes it builds on prior work and there are DIY alternatives but I think it’s an easily managed form factor that would fit into a fire resistant home safe.

But, if I had something super valuable to protect with it I would probably upgrade to using the bank’s safe and possibly something professionally generated, plus an insurance policy and maybe a barrier of lawyers, and also lasers.

I just got a beta test set of the dicekeys, and will post more thoughts as I get into it more, but two immediate issues I had were that there was insufficient documentation of the exact steps used (including the error correction scheme), and reliance on an app. For the purpose of a beta it’s great, but it’s possible that I’ll eventually receive my real dice key set and I’ll store it for later use. But it’s entirely possible that it’ll be good enough and better than my current rat’s nest of passwords.

Eric November 17, 2020 3:34 PM

I’m a bitcoin user and this looks like a great way to create entropy with minimal trust. I’ve previously created a brainwallet by flipping coins and rolling dice and it was very time consuming.

I would recommend pairing this with an air gapped signature tool, something like Cobo vault for example except able to process the dice.

Typical bitcoin seeds are based on BIP39 mnemonics which means 12 words which represent 128 bits of entropy. I would look for something like this which can quickly generate the 12 words from dice rolls. For large value crypto assets, the twelve words are typically memorized or etched into steel for flood/fire proof safekeeping.


Sidebar photo of Bruce Schneier by Joe MacInnis.