Title: protocol vulnerability?
Post by: kzv on April 08, 2016, 08:44:41 AM

Hi,
I'm learning the basics of Bitcoin protocol and have a question. When I push raw transaction to the network, all nodes may read it for checking... If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?

Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 11:41:05 AM

> Hi,
> I'm learning the basics of Bitcoin protocol and have a question. When I push raw transaction to the network, all nodes may read it for checking... If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?

Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.

Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 12:04:16 PM

> > Hi,
> > I'm learning the basics of Bitcoin protocol and have a question. When I push raw transaction to the network, all nodes may read it for checking... If some "bad-hacker" node will save my "scriptSig" for transaction inputs, but will change my "scriptPubKey" for outputs. Then the scammer may send a fake transaction to other nodes and there's a possibility to lose my money?
>
> Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.

Thank you for response. Is there any documentation how "scriptSig" is constructed for given transaction?

Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 12:44:41 PM

> > Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.
>
> Thank you for response. Is there any documentation how "scriptSig" is constructed for given transaction?

There is probably something about it on https://bitcoin.org/en/developer-documentation. Otherwise you can look in the code.

Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 01:05:46 PM

> Is there any documentation how "scriptSig" is constructed for given transaction?

http://bitcoin.stackexchange.com/a/5241
https://en.bitcoin.it/w/images/en/7/70/Bitcoin_OpCheckSig_InDetail.png

Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 01:24:47 PM

> > Nope, not possible. The scriptsig, if using sighash all (the default), is a signature of the hash of the transaction. If part of the transaction is changed, the hash will no longer match and thus the signature will no longer be valid and thus the transaction ID invalid.
>
> Thank you for response. Is there any documentation how "scriptSig" is constructed for given transaction?

Picture from https://bitcoin.org/en/developer-examples#offline-signing
http://snag.gy/iSpgb.jpg

It seems that signed only scriptPubKey for the previous transaction. "PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction. :(

Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 01:39:19 PM

> Picture from https://bitcoin.org/en/developer-examples#offline-signing
> -snip img-
> It seems that signed only scriptPubKey for the previous transaction. "PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction. :(

Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 02:09:08 PM

> Picture from https://bitcoin.org/en/developer-examples#offline-signing
> - snip -
> It seems that signed only scriptPubKey for the previous transaction. "PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction. :(

Nope. See all those arrows passing through the "Signed Data" box? That means all those fields are included in what gets signed.

If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...

> As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.

Title: Re: protocol vulnerability?
Post by: hhanh00 on April 08, 2016, 02:16:55 PM

> If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...
>
> > As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.

He's concerned that the signature doesn't cover the output of the current transaction - which it does for all signature types besides SIGHASH_NONE.

To be honest, I don't understand this drawing either. This explanation works better for me.
https://en.bitcoin.it/wiki/OP_CHECKSIG

Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 02:18:16 PM

> > Picture from https://bitcoin.org/en/developer-examples#offline-signing
> > - snip -
> > It seems that signed only scriptPubKey for the previous transaction. "PubKey Script" for the new transaction is not signed and new transaction is not signed too! So anyone may change scriptPubKey for unconfirmed transaction. :(
>
> Nope. See all those arrows passing through the "Signed Data" box? That means all those fields are included in what gets signed.
>
> If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...
>
> > As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.

I read this. ONLY data from the PREVIOUS transaction is signed! Data in CURRENT transaction is not signed and not protected from changing. Right?

Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 02:23:52 PM

> I read this. ONLY data from the PREVIOUS transaction is signed! Data in CURRENT transaction is not signed and not protected from changing. Right?

Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 02:31:54 PM

> I read this. ONLY data from the PREVIOUS transaction is signed! Data in CURRENT transaction is not signed and not protected from changing. Right?

Where is this written? Please give me a link to any document or source code.

Now I can see only

> includes the txid and vout from the previous transaction

and

> also includes the pubkey script from the previous transaction

Title: Re: protocol vulnerability?
Post by: achow101 on April 08, 2016, 02:48:08 PM

> > I read this. ONLY data from the PREVIOUS transaction is signed! Data in CURRENT transaction is not signed and not protected from changing. Right?
>
> Where is this written? Please give me a link to any document or source code.
>
> Now I can see only
>
> > includes the txid and vout from the previous transaction
>
> and
>
> > also includes the pubkey script from the previous transaction

It's also in the source somewhere.

Title: Re: protocol vulnerability?
Post by: DannyHamilton on April 08, 2016, 07:47:15 PM

> > If you had read the paragraph after the picture, you would have known that there is more signed than just the scriptPubKey...
> >
> > > As illustrated above, the data that gets signed includes the txid and vout from the previous transaction. That information is included in the createrawtransaction raw transaction. But the data that gets signed also includes the pubkey script from the previous transaction, even though it doesn’t appear in either the unsigned or signed transaction.
>
> He's concerned that the signature doesn't cover the output of the current transaction

Certainly, but he said it "seems that signed only scriptPubKey", and clearly that isn't true. Therefore, it should be obvious to him, from reading the paragraph below the drawing, that he misunderstood the drawing.

> > See all those arrows passing through the "Signed Data" box? That means all those fields are included in what gets signed.
>
> I read this. ONLY data from the PREVIOUS transaction is signed! Data in CURRENT transaction is not signed and not protected from changing. Right?

No. That is not right. I can't tell if you are failing to pay attention, or if you are just trolling. With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed. Which has already been explained 3 times, and several links have been included to provide additional details for better understanding. I'm beginning to think we are being trolled.

> > NO! With sighash all, all of the data in the current transaction, except for the signature itself, is signed. This prevents any transaction data from being changed.
>
> Where is this written? Please give me a link to any document or source code.

You have been provided several links. The source code is in github. Here: https://github.com/bitcoin/bitcoin

> Now I can see only
>
> > includes the txid and vout from the previous transaction
>
> and
>
> > also includes the pubkey script from the previous transaction

If that's all you can see in this whole thread, then you are only looking for things that you can take out of context to create confusion. I'm nearly certain you are just trolling now.

He's been told that the entire transaction is signed multiple times. He's been supplied with links with additional details about what is signed. And yet, he carefully searches through posts and links looking for small pieces that he can take out of context and then exclaim that only the inputs are signed. Nonsense.

Title: Re: protocol vulnerability?
Post by: kzv on April 08, 2016, 09:35:08 PM

Thank you guys.
I realized my mistake. Your links are very useful for me. Sorry for my English ))
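
Added example, not part of the thread and not Bitcoin Core's code: a minimal Python sketch of the legacy (pre-SegWit) signature digest, showing that the hash signed under SIGHASH_ALL covers the current transaction's outputs, that SIGHASH_NONE does not, and that the scriptSig bytes themselves are excluded. The transaction values and helper names are constructed for illustration; only SIGHASH_ALL and SIGHASH_NONE are handled, and OP_CODESEPARATOR processing is omitted.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE = 0x01, 0x02

def varint(n):
    # Compact-size integer; the short forms are enough for this sample.
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def legacy_sighash(tx, index, prev_script, hashtype=SIGHASH_ALL):
    """Digest the signature in input `index` commits to (legacy, pre-SegWit)."""
    ins = []
    for i, (txid, vout, _script_sig, seq) in enumerate(tx["vin"]):
        # Every scriptSig is blanked; the signed input gets the previous
        # output's scriptPubKey in its place.
        script = prev_script if i == index else b""
        if hashtype == SIGHASH_NONE and i != index:
            seq = 0
        ins.append(txid + struct.pack("<I", vout) + varint(len(script))
                   + script + struct.pack("<I", seq))
    # SIGHASH_ALL serializes every output; SIGHASH_NONE serializes none.
    outs = [] if hashtype == SIGHASH_NONE else [
        struct.pack("<q", value) + varint(len(spk)) + spk
        for value, spk in tx["vout"]]
    preimage = (struct.pack("<i", tx["version"])
                + varint(len(ins)) + b"".join(ins)
                + varint(len(outs)) + b"".join(outs)
                + struct.pack("<I", tx["locktime"])
                + struct.pack("<I", hashtype))
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()

def p2pkh(hash160):
    # Standard pay-to-pubkey-hash script around a 20-byte hash.
    return b"\x76\xa9\x14" + hash160 + b"\x88\xac"

# Constructed sample data, not a real transaction.
PREV_SCRIPT = p2pkh(b"\x11" * 20)
TX = {"version": 1, "locktime": 0,
      "vin": [(b"\xaa" * 32, 0, b"placeholder-sig", 0xFFFFFFFF)],
      "vout": [(50_000, p2pkh(b"\x22" * 20))]}

def compare():
    changed_out = dict(TX, vout=[(50_000, p2pkh(b"\x33" * 20))])
    changed_sig = dict(TX, vin=[(b"\xaa" * 32, 0, b"other-bytes", 0xFFFFFFFF)])
    h = lambda t, ht: legacy_sighash(t, 0, PREV_SCRIPT, ht)
    return {
        "all_detects_output_change": h(TX, SIGHASH_ALL) != h(changed_out, SIGHASH_ALL),
        "none_detects_output_change": h(TX, SIGHASH_NONE) != h(changed_out, SIGHASH_NONE),
        "scriptsig_in_digest": h(TX, SIGHASH_ALL) != h(changed_sig, SIGHASH_ALL),
    }

if __name__ == "__main__":
    print(compare())
```

A changed output script yields a different digest under SIGHASH_ALL, so the original signature no longer verifies against the modified transaction.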