|
Title: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on February 25, 2021, 11:45:24 AM A desktop app(console and with a GUI) for Windows and Linux, written in .NET CORE, designed to quickly generate privates and addresses by seed phrase, view balances and send transactions from your private accounts and wallets.
Github https://github.com/avadhuta/BtcIO/releases (https://github.com/avadhuta/BtcIO/releases) screenshots: https://i.imgur.com/ZxuXYuV.jpeg https://i.imgur.com/6evZ7YW.jpeg https://i.imgur.com/M8tslVi.jpg https://i.imgur.com/kjvhsnS.jpg The example of use with a test network (with a mainnet it works the same way): For console https://youtu.be/Mnm2dWqRP8g (https://youtu.be/Mnm2dWqRP8g) For GUI variant https://youtu.be/JiTr551-veE (https://youtu.be/JiTr551-veE) The library used are NBitcoin and blockcypher.com API. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on March 01, 2021, 12:04:38 PM You might want to add README.md on your GitHub repository Yes, you are right. Thank. .zip Source Code :D :D :D Do you think BtcIO is open source? Sources: https://github.com/avadhuta/BtcIO Title: Re: BtcIO - Open source, cold, BTC wallet Post by: pooya87 on March 02, 2021, 04:07:05 AM You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins.
Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2] https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82 https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255 Title: Re: BtcIO - Open source, cold, BTC wallet Post by: NotATether on March 02, 2021, 09:21:13 AM You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins. Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2] https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82 https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255 It is more secure, in that method, to use the System.Security.Cryptography.RNGCryptoServiceProvider (https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rngcryptoserviceprovider?view=net-5.0) class than Random and then use it's GetBytes method to get a byte value which OP then takes the modulus of words.Length. For example: Code: using System.Security.Cryptography; Note: I did not test this code for syntax errors. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: pooya87 on March 03, 2021, 04:02:58 AM RNGCryptoServiceProvider It is safer but not safe, you should never use the bare RNG provided by the framework because if a vulnerability is found in it or if there is a backdoor everything built on top of it will become vulnerable. It should always be mixed with another source of entropy.Your code is broken by the way, all the words in the string will be the same and only from 0 to 255 index is covered. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on March 04, 2021, 03:06:33 PM You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins. You are absolutely right, my logic for generating the passphrase is made elementary, although it is dangerous to use any software RNG for this, especially in open source.Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2] https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82 https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255 An intelligent user can create seed himself or add any of words and symbols as entropy. As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe. :) It is more secure, in that method, to use the System.Security.Cryptography.RNGCryptoServiceProvider (https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rngcryptoserviceprovider?view=net-5.0) class than Random and then use it's GetBytes method to get a byte value which OP then takes the modulus of words.Length. For example: Thanks for the code, but I don't think that a more complex RNG will change anything in this case, especially in open source, manual entropy is needed.Code: using System.Security.Cryptography; Note: I did not test this code for syntax errors. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: pooya87 on March 05, 2021, 04:14:22 AM An intelligent user can create seed himself or add any of words and symbols as entropy. You can and should not ever rely on the user to be the source of entropy, they will never create strong ones ever.Quote As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe. :) This makes your program to be a brainwallet which are very unsafe and 100k hashes does not make brute forcing slow.Title: Re: BtcIO - Open source, cold, BTC wallet Post by: NotATether on March 05, 2021, 06:26:33 AM ...and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe. :) I don't think that will be effective in the long run. An Nvidia V100 can theoretically do 10x as many hashes as a K520 and they were released just 3 years apart. So I imagine if not the current Ampere cards or next year's cards, one of these years someone's going to be able to pass 100K hashes/s at the same speed people pass 2000 hashes/s (number of PBKDF2 rounds of seed phrase) today. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on March 06, 2021, 11:59:06 AM An intelligent user can create seed himself or add any of words and symbols as entropy. You can and should not ever rely on the user to be the source of entropy, they will never create strong ones ever.Quote As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe. :) This makes your program to be a brainwallet which are very unsafe and 100k hashes does not make brute forcing slow....and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe. :) I don't think that will be effective in the long run. An Nvidia V100 can theoretically do 10x as many hashes as a K520 and they were released just 3 years apart. So I imagine if not the current Ampere cards or next year's cards, one of these years someone's going to be able to pass 100K hashes/s at the same speed people pass 2000 hashes/s (number of PBKDF2 rounds of seed phrase) today. Code: public static string[] words = ReadResource("words.txt").Split('\n');Code: public static (string address, string wif) newWifAddr(string seed, string net = "test3", int addrtype = 2) Title: Re: BtcIO - Open source, cold, BTC wallet Post by: pooya87 on March 07, 2021, 04:05:21 AM I read more about RNGCryptoServiceProvider, it inspires trust, for now I limit myself to it and a 100k hashes. If the result provided by RNGCryptoServiceProvider were weak or flawed then hash of that result is no different than the original entropy and it too would be weak.In other words by hashing it n times you aren't really making a meaningful difference. The correct way is to mix it with another source of entropy. For example some use Guid.NewGuid() and mix (eg. using a KDF) the returned 128 bit with the 256 bit entropy, you could use a user input, etc. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: Kirsting on March 12, 2021, 12:51:28 PM A desktop app(console and with a GUI) for Windows and Linux, written in .NET CORE, designed to quickly generate privates and addresses by seed phrase, view balances and send transactions from your private accounts and wallets. Github https://github.com/avadhuta/BtcIO/releases (https://github.com/avadhuta/BtcIO/releases) screenshots: https://i.imgur.com/ZxuXYuV.jpeg https://i.imgur.com/6evZ7YW.jpeg https://i.imgur.com/M8tslVi.jpg https://i.imgur.com/kjvhsnS.jpg The example of use with a test network (with a mainnet it works the same way): For console https://youtu.be/Mnm2dWqRP8g (https://youtu.be/Mnm2dWqRP8g) For GUI variant https://youtu.be/JiTr551-veE (https://youtu.be/JiTr551-veE) The libraries used are NBitcoin and QbitNinja, as well as the blockcypher.com API. It is better to hide private keys, they cannot be entered from the keyboard :o or by copying, it is not safe. The seed phrase generates an encrypted wallet with a password. User entropy is also needed, one RNG is not reliable. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on March 15, 2021, 11:42:39 AM If the result provided by RNGCryptoServiceProvider were weak or flawed then hash of that result is no different than the original entropy and it too would be weak. 100k hashes will slow down brute-force by 100k times, even if the entropy was weak.In other words by hashing it n times you aren't really making a meaningful difference. The correct way is to mix it with another source of entropy. For example some use Guid.NewGuid() and mix (eg. using a KDF) the returned 128 bit with the 256 bit entropy, you could use a user input, etc. But you may be right, I will remove the multi hash and add custom entropy. Thank. It is better to hide private keys, they cannot be entered from the keyboard :o or by copying, it is not safe. The seed phrase generates an encrypted wallet with a password. User entropy is also needed, one RNG is not reliable. Yes, I'll think about it. Title: Re: BtcIO - Open source, cold, BTC wallet Post by: avadhuta on March 27, 2021, 03:52:26 PM Added user entropy, functionality for opening and saving wallets, anonymous transactions via TOR, hiding WIF and seed.
https://www.youtube.com/watch?v=Oytmq7KVDPE |
