EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 04, 2014, 08:30:31 PM Last edit: October 09, 2014, 06:49:01 PM by EcuaMobi |
|
I've read in several places the idea to use real-world entropy such as dice or cards to generate a seed to create bitcoin addresses. Based on that idea, I have created a simple Android app that allows users to generate up to 52 bitcoin addresses from a deck of cards.
You can get it here from Google Play: https://play.google.com/store/apps/details?id=com.ecuamobi.deckwallet or https://github.com/ecuamobi/deck-wallet/blob/master/market/DeckWallet_1.0.apk?raw=true
It requires a device running Android 4.0+ with touchscreen.
Features
- Easily enter the order of the cards by using spinners.
- Supports an optional password.
- Checks for repeated or missing cards, as well as mis-entered passwords.
- Allows the user to re-enter everything to double-check the generated wallet. This is to prevent sending coins to the void.
- Shows QR codes for the generated addresses and private keys.
- Allows individual sharing of an address or key, as well as bulk sharing of all generated addresses.
About security
- Completely offline. The application does not require permission to access the Internet, store files, or any other.
- Open source. The code is available here: https://github.com/ecuamobi/deck-wallet/
- You don't need to enter the order of the cards using the keyboard, therefore it's not vulnerable to malicious keyboards.
- Checks for repeated or missing cards.
- Allows the user to re-enter everything to double-check the generated wallet.
- 2FA: Option to enter a password (or more than one to create secondary wallets) besides the deck itself.
- Allows the generation of an extra wallet using a secondary password, thus protecting the main one against a physical attack (disclose the secondary password instead of the main one).
- Obscurity: An attacker won't know there are bitcoins in that deck, even if they find it.
Instructions
- Install Deck Wallet on a non-rooted Android device.
Important: Make sure to download only from either https://play.google.com/store/apps/details?id=com.ecuamobi.deckwallet or https://github.com/ecuamobi/deck-wallet/blob/master/market/DeckWallet_1.0.apk?raw=true and double check it does not require any permissions.
- Riffle shuffle a deck of cards 7 times or more.
- Select the number of cards to use. 52 is recommended.
- Enter every card on the app (it takes me about 4 or 5 minutes to do so).
- Optionally enter a password you won't forget (it's not possible to recover it!).
- Touch "Go!" to generate up to 52 bitcoin addresses. It will generate as many addresses as the number of entered cards.
- Optionally, copy the order of the cards into another deck, as backup.
- Double-check your deck wallet: Touch the 'Check' icon and re-enter the same password and card order.
- After checking it, send some bitcoins to your deck wallet and store your deck of cards in a safe place.
How it works
- The entered cards are converted to 2-char strings and concatenated. For example 3 of hearts is represented as 3H. 10, Jack, Queen and King are represented as T, J, Q and K respectively.
- If a password is entered, it is pre-pended to the resulting string.
Example seed: myPasswordAH4CTS9D...KHQS
- The first address is calculated as a brain address, using SHA256 from the full generated seed. The result is the same as manually entering the full string into http://bitaddress.org or other similar tool.
- The second address is calculated from the seed except the first card is moved to the end (Example: myPassword4CTS9D...KHQSAH)
- The third address is calculated from the seed except the first 2 cards are moved to the end (Example: myPasswordTS9D...KHQSAH4C) and so on.
- To check the generated wallet, the double SHA256 of the full seed is temporarily stored on RAM.
- Nothing is stored permanently and nothing is sent or received through Internet (the app doesn't have permission to do that).
Donations
If you find this app useful, please consider donating: bitcoin:17GXYDJEDUqw7hYtqquyN1kYWmtcmFKhK8
DeckWallet is open source released under the MIT license. It is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement.
|
|
|
|
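The derivation described under "How it works" in the post above, as an added Python example (not DeckWallet's own code). It assumes UTF-8 encoding of the seed string, the suit letters C, D, H, S seen in the example seed, and the 31-card minimum mentioned for Beta 0.2; all function names are hypothetical, and it stops at the 32-byte private key rather than deriving the address.

```python
import hashlib
import hmac
import math

RANKS = "A23456789TJQK"          # 10 is written as T
SUITS = "CDHS"                   # assumed suit letters
FULL_DECK = {r + s for r in RANKS for s in SUITS}

def validate(cards, minimum=31):
    """Reject unknown, repeated or too few cards (the app's input checks)."""
    unknown = [c for c in cards if c not in FULL_DECK]
    if unknown:
        raise ValueError(f"unknown cards: {unknown}")
    if len(set(cards)) != len(cards):
        raise ValueError("repeated card")
    if not minimum <= len(cards) <= 52:
        raise ValueError("card count out of range")

def seed(cards, password="", index=0):
    """Seed for address number `index`: the first `index` cards move to the end."""
    validate(cards)
    k = index % len(cards)
    return password + "".join(cards[k:] + cards[:k])

def private_key(cards, password="", index=0):
    """Brain-wallet style key: a single SHA-256 pass over the seed string."""
    return hashlib.sha256(seed(cards, password, index).encode("utf-8")).digest()

def check_value(cards, password=""):
    """Double SHA-256 of the full seed, held only to verify a re-entry."""
    return hashlib.sha256(private_key(cards, password, 0)).digest()

def reentry_matches(stored, cards, password=""):
    """Constant-time comparison of the stored check value with a re-entry."""
    return hmac.compare_digest(stored, check_value(cards, password))

def deck_entropy_bits(n_cards):
    """log2 of the number of ordered draws of n_cards from 52 (uniform shuffle)."""
    return math.log2(math.perm(52, n_cards))

# Constructed sample input: an UNSHUFFLED deck, for illustration only.
SAMPLE = [r + s for s in SUITS for r in RANKS]

if __name__ == "__main__":
    print(seed(SAMPLE, "myPassword", 1)[:18] + "...")
    print(private_key(SAMPLE, "myPassword").hex())
    print(round(deck_entropy_bits(52), 1), round(deck_entropy_bits(31), 1))
```

A full 52-card order carries about 225.6 bits and the 31-card minimum about 160 bits, but only if the shuffle is actually uniform; every address comes from the same deck order, so anyone who learns the deck and the password can recompute all of the keys.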
blossbloss
Jr. Member
Offline
Activity: 50
Merit: 1
|
|
October 04, 2014, 11:48:44 PM |
|
Nice idea. A few comments:
1) the recommended 7 shuffles should be specified as (well distributed) riffle shuffles (based on Persi Diaconis' work at Harvard). If the user does not feel comfortable doing riffle shuffles, then they should use whatever shuffle they know, but they should shuffle for a long time.
2) when you generate the successive addresses, you should cycle the deck and put the card at the back of the deck so that there are still 52 cards in the seed. That way, you can generate 52 addresses instead of just 20.
3) Provide a strong warning that the user should not enter standard (widely known by magicians) stacks, even though that might seem like a good idea. Always shuffle the cards.
4) I am assuming that if I shuffle the cards and write them down, they will generate the same wallet if I do the process over again. Right?
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 05, 2014, 12:06:40 AM |
|
Nice idea. A few comments: 1) the recommended 7 shuffles should be specified as (well distributed) riffle shuffles (based on Persi Diaconis' work at Harvard). If the user does not feel comfortable doing riffle shuffles, then they should use whatever shuffle they know, but they should shuffle for a long time. 2) when you generate the successive addresses, you should cycle the deck and put the card at the back of the deck so that there are still 52 cards in the seed. That way, you can generate 52 addresses instead of just 20. 3) Provide a strong warning that the user should not enter standard (widely known by magicians) stacks, even though that might seem like a good idea. Always shuffle the cards. 4) I am assuming that if I shuffle the cards and write them down, they will generate the same wallet if I do the process over again. Right?
Thanks for your comments. Regarding 1 (and probably 3), the 7-time shuffle is already recommended under instructions. I will consider 2, although I really don't think more than 20 addresses are required. Regarding 4, of course it would generate the same addresses, be it from the same deck itself (recommended) or a paper where you wrote it down.
|
|
|
|
blossbloss
Jr. Member
Offline
Activity: 50
Merit: 1
|
|
October 05, 2014, 03:24:31 AM |
|
Regarding 1 (and probably 3), the 7-time shuffle is already recommended under instructions.
To be clear, what I meant was that the 7 shuffles need to be riffle shuffles in order to generate a random sequence. Other kinds of shuffles (such as overhand shuffles) will not come close to generating a random sequence after only 7 shuffles.
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 05, 2014, 03:35:39 AM |
|
Regarding 1 (and probably 3), the 7-time shuffle is already recommended under instructions.
To be clear, what I meant was that the 7 shuffles need to be riffle shuffles in order to generate a random sequence. Other kinds of shuffles (such as overhand shuffles) will not come close to generating a random sequence after only 7 shuffles.
I see. I missed that. I've updated the OP adding that.
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 06, 2014, 05:19:41 PM |
|
Following blossbloss's advice, I'll change how the extra addresses are generated. Therefore, don't use the app to store your bitcoins yet. I will publish version 1.0 this week.
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 07, 2014, 04:47:02 PM |
|
DeckWallet has been updated to version Beta 0.2. You can download it here: https://github.com/ecuamobi/deck-wallet/blob/master/market/DeckWallet_0.2.apk
- It now allows choosing the number of cards with a minimum of 31.
- It generates as many bitcoin addresses as the number of entered cards. The addresses are generated by moving the first card to the end. See "How it works" in the OP.
Any feedback is welcome, especially regarding security.
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 09, 2014, 08:21:27 PM |
|
|
|
|
|
PolarPoint
|
|
October 09, 2014, 09:11:28 PM |
|
Very nice idea! So I can lock that deck of cards in a safe and no one will know I have bitcoin keys hidden inside. You know what could be nicer? If the app could access the camera on the phone and "watch" me deal the cards one by one, and recognise the number and suit of each card, so I don't have to enter the cards manually.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3052
Merit: 1032
RIP Mommy
|
|
October 09, 2014, 09:36:34 PM |
|
Very nice idea! So I can lock that deck of cards in a safe and no one will know I have bitcoin keys hidden inside.
Make sure to put some other magic props in there, or people will.
|
Saying that you don't trust someone because of their behavior is completely valid.
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 09, 2014, 10:11:55 PM |
|
Very nice idea! So I can lock that deck of cards in a safe and no one will know I have bitcoin keys hidden inside. You know what could be nicer? If the app could access the camera on the phone and "watch" me deal the cards one by one, and recognise the number and suit of each card, so I don't have to enter the cards manually.
Nice idea, probably for a future version. It seems like a big project. However, I'm not sure if waiting until a mobile camera focuses and scans would be faster than manually entering a single card.
Very nice idea! So I can lock that deck of cards in a safe and no one will know I have bitcoin keys hidden inside.
Make sure to put some other magic props in there, or people will.
It's recommended to use a password and to keep the cards in a safe place. Following those 2 rules (plus a proper shuffling) can be an extremely safe way to store BTC for a long period. Most people won't know that a deck of cards can hold a set of BTC keys, but of course that's not enough for security.
|
|
|
|
unamis76
Legendary
Offline
Activity: 1512
Merit: 1012
|
|
October 10, 2014, 08:09:47 PM |
|
This app looks really nice, and this project has some legs to walk a long walk... Looking good, keep it up
|
|
|
|
blossbloss
Jr. Member
Offline
Activity: 50
Merit: 1
|
|
October 11, 2014, 02:00:32 AM |
|
Very nice work!
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
October 13, 2014, 03:57:15 PM |
|
This app looks really nice, and this project has some legs to walk a long walk... Looking good, keep it up
Very nice work!
Thanks! Any feedback is welcome, especially regarding security or ideas to improve it.
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
February 07, 2015, 01:32:13 PM |
|
Anyone using this app please post your review.
I understand you probably don't want people to know that deck of cards in your drawer has any value but any comment would be appreciated.
Still looking for feedback regarding security. Does anyone see any way of this being hacked?
|
|
|
|
ColderThanIce
|
|
February 07, 2015, 05:02:51 PM |
|
this looks really cool, i might give it a try later on.
in your first post you say install it on a non-rooted phone. is this essential, or will it work on a rooted phone as well?
|
|
|
|
unamis76
Legendary
Offline
Activity: 1512
Merit: 1012
|
|
February 07, 2015, 08:42:57 PM |
|
this looks really cool, i might give it a try later on.
in your first post you say install it on a non-rooted phone. is this essential, or will it work on a rooted phone as well?
It works on rooted and non-rooted as far as I know. But you're obviously more vulnerable if you install it in a rooted phone... (and the same goes for iOS and wallets on a jailbroken phone)
|
|
|
|
ColderThanIce
|
|
February 08, 2015, 02:48:14 PM |
|
this looks really cool, i might give it a try later on.
in your first post you say install it on a non-rooted phone. is this essential, or will it work on a rooted phone as well?
It works on rooted and non-rooted as far as I know. But you're obviously more vulnerable if you install it in a rooted phone... (and the same goes for iOS and wallets on a jailbroken phone)
oh ok, thanks for answering my question. i have a rooted phone so that's why i was wondering.
|
|
|
|
unamis76
Legendary
Offline
Activity: 1512
Merit: 1012
|
|
February 08, 2015, 02:49:48 PM |
|
this looks really cool, i might give it a try later on.
in your first post you say install it on a non-rooted phone. is this essential, or will it work on a rooted phone as well?
It works on rooted and non-rooted as far as I know. But you're obviously more vulnerable if you install it in a rooted phone... (and the same goes for iOS and wallets on a jailbroken phone)
oh ok, thanks for answering my question. i have a rooted phone so that's why i was wondering.
You can install it, but I don't recommend you store big amounts of coins in that phone
|
|
|
|
EcuaMobi (OP)
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
February 08, 2015, 03:00:54 PM |
|
this looks really cool, i might give it a try later on.
in your first post you say install it on a non-rooted phone. is this essential, or will it work on a rooted phone as well?
It works on rooted and non-rooted as far as I know. But you're obviously more vulnerable if you install it in a rooted phone... (and the same goes for iOS and wallets on a jailbroken phone)
oh ok, thanks for answering my question. i have a rooted phone so that's why i was wondering.
As a security measure this app doesn't require any permission at all. In a non-rooted phone the app can't override this; it simply can't access the Internet, store or read information from the device or anything else. If you rooted your phone the app *could* acquire root privileges and do any of those things. It won't, but you would have to trust it, and that defeats the purpose of not requiring any permissions. That's the main reason why using a non-rooted device is strongly recommended.
|
|
|
|
|