Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: kzv on April 08, 2016, 08:44:41 AM



Title: protocol vulnerability?
Post by: kzv on April 08, 2016, 08:44:41 AM
Hi,
I'm learning the basics of Bitcoin protocol and have a question.

When I push raw transaction to the network, all nodes may read it for checking...

If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?



Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 11:41:05 AM
Hi,
I'm learning the basics of Bitcoin protocol and have a question.

When I push raw transaction to the network, all nodes may read it for checking...

If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?


Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.


Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 12:04:16 PM
Hi,
I'm learning the basics of Bitcoin protocol and have a question.

When I push raw transaction to the network, all nodes may read it for checking...

If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?


Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.

Thank you for the response.
Is there any documentation on how "scriptSig" is constructed for a given transaction?


Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 12:44:41 PM
Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.

Thank you for the response.
Is there any documentation on how "scriptSig" is constructed for a given transaction?
There is probably something about it on https://bitcoin.org/en/developer-documentation. Otherwise you can look in the code.


Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 01:05:46 PM
Is there any documentation on how "scriptSig" is constructed for a given transaction?

http://bitcoin.stackexchange.com/a/5241

https://en.bitcoin.it/w/images/en/7/70/Bitcoin_OpCheckSig_InDetail.png


Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 01:24:47 PM
Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.

Thank you for the response.
Is there any documentation on how "scriptSig" is constructed for a given transaction?
There is probably something about it on https://bitcoin.org/en/developer-documentation. Otherwise you can look in the code.

Picture from https://bitcoin.org/en/developer-examples#offline-signing

http://snag.gy/iSpgb.jpg

It seems that signed only scriptPubKey for the previous transaction.
"PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction.  :(


Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 01:39:19 PM

Picture from https://bitcoin.org/en/developer-examples#offline-signing

-snip img-

It seems that signed only scriptPubKey for the previous transaction.
"PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction.  :(
Nope. Read all of https://bitcoin.org/en/developer-guide#transactions


Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 02:09:08 PM
Picture from https://bitcoin.org/en/developer-examples#offline-signing

- snip -

It seems that signed only scriptPubKey for the previous transaction.
"PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction.  :(

Nope.

See all those arrows passing through the "Signed Data" box?  That means all those fields are included in what gets signed.

If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...

Quote
As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.


Title: Re: protocol vulnerability?
Post by: hhanh00 on April 08, 2016, 02:16:55 PM
If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...

Quote
As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.


He's concerned that the signature doesn't cover the output of the current transaction - which it does for all signature types besides SIGHASH_NONE.

To be honest, I don't understand this drawing either. This explanation works better for me.

https://en.bitcoin.it/wiki/OP_CHECKSIG
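
An added example, not part of any post in this thread: a Python sketch of the legacy (pre-SegWit) signature-hash construction described on the OP_CHECKSIG wiki page linked above, showing that swapping an output's scriptPubKey changes the digest under SIGHASH_ALL but not under SIGHASH_NONE. The function names and the sample transaction are constructed for illustration; SIGHASH_SINGLE, ANYONECANPAY and OP_CODESEPARATOR handling are left out.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE = 0x01, 0x02

def var_bytes(data):
    # CompactSize length prefix; one byte is enough for the short scripts here
    assert len(data) < 0xfd
    return bytes([len(data)]) + data

def serialize(version, inputs, outputs, locktime):
    # inputs: (prev_txid, vout, script, sequence); outputs: (satoshis, script)
    raw = struct.pack("<I", version) + bytes([len(inputs)])
    for txid, vout, script, seq in inputs:
        raw += txid + struct.pack("<I", vout) + var_bytes(script) + struct.pack("<I", seq)
    raw += bytes([len(outputs)])
    for value, script in outputs:
        raw += struct.pack("<Q", value) + var_bytes(script)
    return raw + struct.pack("<I", locktime)

def legacy_sighash(tx, index, prev_script, hashtype):
    version, inputs, outputs, locktime = tx
    ins = []
    for i, (txid, vout, _script_sig, seq) in enumerate(inputs):
        # Every scriptSig is blanked; the signed input carries the previous pubkey script
        script = prev_script if i == index else b""
        if hashtype == SIGHASH_NONE and i != index:
            seq = 0
        ins.append((txid, vout, script, seq))
    outs = [] if hashtype == SIGHASH_NONE else outputs  # NONE commits to no outputs
    preimage = serialize(version, ins, outs, locktime) + struct.pack("<I", hashtype)
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()

def p2pkh(hash160):
    return b"\x76\xa9\x14" + hash160 + b"\x88\xac"

# Constructed sample data (not a real transaction)
PREV_SCRIPT = p2pkh(b"\x11" * 20)
TX = (1, [(b"\xaa" * 32, 0, b"", 0xFFFFFFFF)], [(50_000, p2pkh(b"\x22" * 20))], 0)
TAMPERED = (1, TX[1], [(50_000, p2pkh(b"\x33" * 20))], 0)  # output script swapped

def output_change_alters_digest(hashtype):
    before = legacy_sighash(TX, 0, PREV_SCRIPT, hashtype)
    after = legacy_sighash(TAMPERED, 0, PREV_SCRIPT, hashtype)
    return before != after

if __name__ == "__main__":
    print("SIGHASH_ALL digest changes:", output_change_alters_digest(SIGHASH_ALL))
    print("SIGHASH_NONE digest changes:", output_change_alters_digest(SIGHASH_NONE))
```

A signature made over the original digest fails verification against the tampered transaction whenever the digest differs, which is why nodes reject the modified copy.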




Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 02:18:16 PM
Picture from https://bitcoin.org/en/developer-examples#offline-signing

- snip -

It seems that signed only scriptPubKey for the previous transaction.
"PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction.  :(

Nope.

See all those arrows passing through the "Signed Data" box?  That means all those fields are included in what gets signed.

If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...

Quote
As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.


I read this.
ONLY data from the PREVIOUS transaction is signed!
Data in CURRENT transaction is not signed and not protected from changing.
Right?


Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 02:23:52 PM

I read this.
ONLY data from the PREVIOUS transaction is signed!
Data in CURRENT transaction is not signed and not protected from changing.
Right?

NO! With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.


Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 02:31:54 PM

I read this.
ONLY data from the PREVIOUS transaction is signed!
Data in CURRENT transaction is not signed and not protected from changing.
Right?

NO! With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.

Where is this written? Please give me a link to any document or source code.

Now I can see only
Quote
includes the txid and vout from the previous transaction
and
Quote
also includes the pubkey script from the previous transaction


Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 02:48:08 PM

I read this.
ONLY data from the PREVIOUS transaction is signed!
Data in CURRENT transaction is not signed and not protected from changing.
Right?

NO! With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.

Where is this written? Please give me a link to any document or source code.

Now I can see only
Quote
includes the txid and vout from the previous transaction
and
Quote
also includes the pubkey script from the previous transaction

See https://bitcoin.org/en/developer-guide#signature-hash-types

It's also in the source somewhere.


Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 07:47:15 PM
If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...

Quote
As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.

He's concerned that the signature doesn't cover the output of the current transaction

Certainly, but he said it "seems that signed only scriptPubKey", and clearly that isn't true.  Therefore, it should be obvious to him, from reading the paragraph below the drawing, that he misunderstood the drawing.

See all those arrows passing through the "Signed Data" box?  That means all those fields are included in what gets signed.
I read this.
ONLY data from the PREVIOUS transaction is signed!
Data in CURRENT transaction is not signed and not protected from changing.
Right?

No.  That is not right.

I can't tell if you are failing to pay attention, or if you are just trolling.

With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.

Which has already been explained 3 times, and several links have been included to provide additional details for better understanding.

I'm beginning to think we are being trolled.

NO! With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.

Where is this written? Please give me a link to any document or source code.

You have been provided several links.

The source code is in github.  Here:
https://github.com/bitcoin/bitcoin

Now I can see only
Quote
includes the txid and vout from the previous transaction
and
Quote
also includes the pubkey script from the previous transaction

If that's all you can see in this whole thread, then you are only looking for things that you can take out of context to create confusion.  I'm nearly certain you are just trolling now.

He's been told that the entire transaction is signed multiple times.  He's been supplied with links with additional details about what is signed.  And yet, he carefully searches through posts and links looking for small pieces that he can take out of context and then exclaim that only the inputs are signed.  Nonsense.


Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 09:35:08 PM
Thank you guys.
I realized my mistake. Your links are very useful for me. Sorry for my English ))