Title: Check if your BTC-key is vulnerable Post by: ca333 on March 05, 2015, 01:45:59 PM Hi,
thought maybe someone can use the script below. I just wrote it to check couple of my public keys for reused R-signing values which allow generating of the private key of affected PKs. The script is very lightweight and uses urllib2 for loading the data from blockchain.info. So no local btc-node is needed. The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). Also the script contains a lot of debug-output which you can just comment or remove. This is OpenSource and BETA software - USE AT OWN RISK - released under GNU Public License. Code: #!/usr/bin/python if you have question ask me. thank you. Title: Re: Check if your BTC-key is vulnerable Post by: coinableS on March 05, 2015, 02:03:20 PM Hmm very interesting thanks for sharing. Can you explain further how a private key get's leaked through a tx hash? i remember people talking about this was a counter-party bug and other online wallets, but I never actually understood how someone can get the PK from a tx hash.
Title: Re: Check if your BTC-key is vulnerable Post by: newIndia on March 05, 2015, 02:06:31 PM Great work. Can u please provide a step by step method to run this ?
Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 05, 2015, 03:47:52 PM THIS IS ONLY FOR EDUCATIONAL PURPOSE. PLEASE DO NOT HARM OTHER!
Hmm very interesting thanks for sharing. Can you explain further how a private key get's leaked through a tx hash? i remember people talking about this was a counter-party bug and other online wallets, but I never actually understood how someone can get the PK from a tx hash. We don't get private key from the hash. we get it from the scripts. When a btc-tx is generated it must be signed. but many developers from btc-services code their own "wallet-system" so they make it all from their software and when their signing procedure resuses signing values, then it s easy to generate the private key from that. the input scripts of transaction contains two signature values. i call s and r. so when we have 2 inputs or more in a transaction or different inputs from different transaction (of same publickey) and reused r values it s a huge problem for security. ECDSA then allows you recalculate with curve. formula: Code: privatekey = (sop1*s2 - sop2*s1)/(r*(s1-s2)) now only sop1 and sop2 is missing! These are hashes of the outputs to be signed. Also this is calculated by OP_CHECKSIG. so we have all data for calculating private-key. so i make example now: Public key: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm (i take this example because this vulnerability is public already) my script tell me we have duplicates in transaction: 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1 input script 1: 30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69 c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff input script 2: 30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69 c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff first i must explain you inputs script format header descr: 0x30 = header byte 0x44 = length descriptor (68 bytes) 0x02 = header byte 0x20 = r value length descriptor (32 bytes) d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1 the r coordinate as a big endian integer 0x02 = header byte 0x20 = s value length descriptor (32 bytes) 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e the s1 coordinate and 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab the s2 coordinate as a big endian integer 0x01 = hashtype byte and 04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c2 1e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff is the pubkeyhash ok so now we know how inputs script is formated. now we calculated missing sop1 and sop2 by OP_CHECKSIG(): sop1: c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e sop2: 17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc so we now have a ll data for calculation: Code: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 now we can calculate with below formulas: mathcad or sagemath and we get privkey. plese note p is the order for the field. p = parameter for secp256k1 curve order which bitcoin use. now we create finite field for calculation: Code: K = GF(p) and calculate decimal private key inside this field with: Code: K((z1*s2 - z2*s1)/(r*(s1-s2))) ouput: 88865298299719117682218467295833367085649033095698151055007620974294165995414 so when we encode we get priv-key hex-coded: c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96 and when converted to WIF format: 5KJp7KEffR7HHFWSFYjiCUAntRSTY69LAQEX1AUzaSBHHFdKEpQ i hope this help you understand. also: here is implementation for calculating by software: https://gist.github.com/nlitsme/dda36eeef541de37d996 hope it's clear and helped. thank you Title: Re: Check if your BTC-key is vulnerable Post by: coinableS on March 05, 2015, 04:17:46 PM Thanks for that explanation and breaking it down so it's easy to understand.
At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. Title: Re: Check if your BTC-key is vulnerable Post by: RodeoX on March 05, 2015, 04:20:45 PM Hey cool gadget man! Thanks for making it open source. :-*
Title: Re: Check if your BTC-key is vulnerable Post by: zen2 on March 05, 2015, 04:23:24 PM WOW!! thanks very much for sharing and for this detailed explanation. very interesting! i also always keep my coin in coldstorage or my bitcoinode which connected via armory.
Title: Re: Check if your BTC-key is vulnerable Post by: najzenmajsen on March 05, 2015, 04:25:33 PM Thanks for that explanation and breaking it down so it's easy to understand. This is a really good tip , would reccomend it to anyone. Reading this post actually got me a lil bit scared , prolly gonna make some paper wallets brbAt least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 05, 2015, 04:47:09 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Title: Re: Check if your BTC-key is vulnerable Post by: MakingMoneyHoney on March 05, 2015, 05:17:59 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Title: Re: Check if your BTC-key is vulnerable Post by: cr1776 on March 05, 2015, 05:23:56 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Perhaps referring to the bad rng on android from about 18 months ago: https://bitcoin.org/en/alert/2013-08-11-android Title: Re: Check if your BTC-key is vulnerable Post by: MakingMoneyHoney on March 05, 2015, 05:39:29 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Perhaps referring to the bad rng on android from about 18 months ago: https://bitcoin.org/en/alert/2013-08-11-android But that page says it was fixed with the "current" updates as of 2013. And the OP is talking currently of 2015. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 05, 2015, 05:59:00 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Perhaps referring to the bad rng on android from about 18 months ago: https://bitcoin.org/en/alert/2013-08-11-android exactly. bad signing values issue like explained in the first post. Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Perhaps referring to the bad rng on android from about 18 months ago: https://bitcoin.org/en/alert/2013-08-11-android But that page says it was fixed with the "current" updates as of 2013. And the OP is talking currently of 2015. not all forker adapted updates to their fork-branches and clones. the BTC wallet for android is fixed and "secure" regarding rng issue. Title: Re: Check if your BTC-key is vulnerable Post by: cr1776 on March 05, 2015, 06:02:45 PM Thanks for that explanation and breaking it down so it's easy to understand. At least only addresses with spent outputs through a web wallet are possibly at risk, so that's good for me as I keep very small amounts in those. Keep your cold storage cold and only keep a small amount in your hot/spending wallets. yes mostly online wallets/service. but sadly not only online wallets. i saw many droid technologies with same issues. and most problematic is the clones of cryptocoins which use this old android wallet clones. i already warned developers but many don't understand whats not good. i recommend sandbox system for handling BTC and/or cold-storage (paper & CLEAN usb flash). example I have computer with my bitcoins and only can connect with self writed IR-module for datatranser of signed transactions. so only can go out via IR to my internet-connected computer. and this have script which accept IR data and make rest. all started with little adruino experiment i made with friend :) people often don't understand that enviroment must be secure. encryption and passwords is useless when enviroment is not secure. example you have super secured computer with sandbox (VM) and bitcoins safed here. but hacker goes in your computer with worm/expl/trojan and then waits for you type in password or keys and then all is stolen.. so most important thing is secure computer good or make it offline(no network communication i.e. rj45, wifi) when it s for bitcoin. Can you say which droid wallets use it? Thanks for posting this. Most of my bitcoins are already on paper wallets from a clean Ubunutu system (not connected to internet, old printer not connected to internet, etc). But I still have to use a hot wallet sometimes to pay people. Perhaps referring to the bad rng on android from about 18 months ago: https://bitcoin.org/en/alert/2013-08-11-android But that page says it was fixed with the "current" updates as of 2013. And the OP is talking currently of 2015. This is true, but as below it was a reference to past issues. Title: Re: Check if your BTC-key is vulnerable Post by: viboracecata on March 06, 2015, 04:02:23 AM Very nice tool, thanks
Title: This message was too old and has been purged Post by: Evil-Knievel on March 06, 2015, 08:31:38 AM This message was too old and has been purged
Title: Re: Check if your BTC-key is vulnerable Post by: Remember remember the 5th of November on March 06, 2015, 02:08:00 PM This software is great, but does not provide any value to the users. This was what I was going to say. Any re-used R-value will be detected and exploited within 20 seconds.I am pretty sure, that reused R values will be detected within milliseconds and the private keys emptied immediately. So if your funds are gone, you have reused a R value ;-) Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 06, 2015, 04:09:25 PM This software is great, but does not provide any value to the users. I am pretty sure, that reused R values will be detected within milliseconds and the private keys emptied immediately. So if your funds are gone, you have reused a R value ;-) not "any" because low balance keys are not interested for bad guys. i provided this for testing/educational purposes. if i find out it makes harm to users/btc-community i will delete all. also the services i finded out have rng vuln i directly imported balance and contacted developers. i think nobody with exsisting btc-service have rng issue anymore. also all pubkeys with more 50BTC or more balance are secured. and i extra only provided a lightweight script. so with this technology (json request http) no chance to scan fast. if ported into ansic and used on highend server with own blockchain i can scan/compare all chain inputs in no time. but i think this people who are able to do this, have a moral compass and do not do this... badguys most cases are not very inteligent. also if anybody interested in more things i start soon release my scriptbase and software on github. (ca333) it s all for btc-security and some cryptocurrencies security. thank you. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 07, 2015, 01:09:14 PM hi,
some asked me because of r-value is not display correct, but you have to watch on r value length descriptor in input script i descriped format of inputs in above posts. and then you only change: the char-array indexes for your correct length. for example this is for 64 chars = 32byte lenght of r-value. Code: if inputs[xi][10:74] == inputs[x+zi][10:74]: when need help ask me. thank you Title: Re: Check if your BTC-key is vulnerable Post by: FabioCarpi on March 08, 2015, 10:54:32 AM there how to run this script online?
Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 08, 2015, 02:01:01 PM there how to run this script online? how you mean run online? you can run script in your computer. only install dependcies: python5 and then run make script executable (chmod 755) and then must only: Code: ./script.py Code: python script.py Title: Re: Check if your BTC-key is vulnerable Post by: dsyahputera on March 08, 2015, 02:05:01 PM 50 transactions? Is that just the out transactions or whole transactions?
Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 08, 2015, 02:29:33 PM 50 transactions? Is that just the out transactions or whole transactions? this is global value ("whole tx"). so 50 tx for one pubkey. Title: Re: Check if your BTC-key is vulnerable Post by: FabioCarpi on March 08, 2015, 03:15:42 PM how you mean run online? i dont want to download the pythonTitle: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 08, 2015, 06:13:29 PM how you mean run online? i dont want to download the pythonhmm. you can also run it on vps server no problem. but most online-python parsers have urllib2/curl deactivated because security reasons. so it s difficult to have online-run. Title: Re: Check if your BTC-key is vulnerable Post by: FabioCarpi on March 08, 2015, 08:45:28 PM ok
i give up I downloaded the python and ran the script it shows the data about my transactions ... and show "compare" (ln 51) and stops ... Title: Re: Check if your BTC-key is vulnerable Post by: frankenmint on March 08, 2015, 09:32:27 PM ok i give up I downloaded the python and ran the script it shows the data about my transactions ... and show "compare" (ln 51) and stops ... Same, is the idea that its good to go and compare would ONLY show vulnerabilities (reused keys to sign messages) edit: okay yes, looking more closely at the code a 2nd time: Code: print "In Input NR: " + str(xi) + "[global increment] " + str(inputs[xi]) Should output like: In Input NR: 4 Reused R-Value: XXXXXXXXXXXXXXXX if you have a problem that is Title: Re: Check if your BTC-key is vulnerable Post by: FabioCarpi on March 08, 2015, 09:40:25 PM i got it
but would be nice a message saying "all good" ^^ Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 08, 2015, 11:22:23 PM ok i give up I downloaded the python and ran the script it shows the data about my transactions ... and show "compare" (ln 51) and stops ... Same, is the idea that its good to go and compare would ONLY show vulnerabilities (reused keys to sign messages) edit: okay yes, looking more closely at the code a 2nd time: Code: print "In Input NR: " + str(xi) + "[global increment] " + str(inputs[xi]) Should output like: In Input NR: 4 Reused R-Value: XXXXXXXXXXXXXXXX if you have a problem that is oh sorry. yes correct. it only make output when you have problem/vuln. i added other output so it say "Good pubkey. No problems" when no reused signing key detectet. (in IT when all good we don't hear/see, we know then.., only when problem it must make alert. ;-) ) Title: Re: Check if your BTC-key is vulnerable Post by: itod on March 09, 2015, 10:29:14 AM but i think this people who are able to do this, have a moral compass and do not do this... badguys most cases are not very inteligent.[/b] I wouldn't rely on this assumption, proof being that all vulnerable services have already being cleaned up. As someone said any reused value that now appears on the blockchain is cleaned almost instantly. Title: Re: Check if your BTC-key is vulnerable Post by: frankenmint on March 10, 2015, 04:51:38 PM interesting feedback from person on reddit when I shared this script (I wrote an article on my own site to archive this script and talk about it and share it with others who aren't on here) and it goes like:
Quote There's a problem with either the script or the blockchain.info api where the number of tx field doesn't match the actual number of tx sent. In other words, Code: assert( len(addrdata['txs']) < addrdata['n_tx'] ) Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 11, 2015, 12:02:39 AM interesting feedback from person on reddit when I shared this script (I wrote an article on my own site to archive this script and talk about it and share it with others who aren't on here) and it goes like: Quote There's a problem with either the script or the blockchain.info api where the number of tx field doesn't match the actual number of tx sent. In other words, Code: assert( len(addrdata['txs']) < addrdata['n_tx'] ) The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). yes but i writed this in the first post (see above comment), so its only for max 50 tx. when it s more you must adapt the script because it takes the information from blockchain.info and example its more 50 tx, but only loading 50 tx data from bc.info API, then it parses outside range of loaded data. this is the error. i hope you understand. when you need adaption of script write me. i am happy to help you anytime. thank you. Title: Re: Check if your BTC-key is vulnerable Post by: mistercoin on March 11, 2015, 03:03:31 PM Hey cool gadget man! Thanks for making it open source. :-* I second this. Very nice indeed. ;D Title: Re: Check if your BTC-key is vulnerable Post by: frankenmint on March 11, 2015, 04:13:23 PM interesting feedback from person on reddit when I shared this script (I wrote an article on my own site to archive this script and talk about it and share it with others who aren't on here) and it goes like: Quote There's a problem with either the script or the blockchain.info api where the number of tx field doesn't match the actual number of tx sent. In other words, Code: assert( len(addrdata['txs']) < addrdata['n_tx'] ) The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). yes but i writed this in the first post (see above comment), so its only for max 50 tx. when it s more you must adapt the script because it takes the information from blockchain.info and example its more 50 tx, but only loading 50 tx data from bc.info API, then it parses outside range of loaded data. this is the error. i hope you understand. when you need adaption of script write me. i am happy to help you anytime. thank you. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on March 15, 2015, 09:38:26 PM interesting feedback from person on reddit when I shared this script (I wrote an article on my own site to archive this script and talk about it and share it with others who aren't on here) and it goes like: Quote There's a problem with either the script or the blockchain.info api where the number of tx field doesn't match the actual number of tx sent. In other words, Code: assert( len(addrdata['txs']) < addrdata['n_tx'] ) The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). yes but i writed this in the first post (see above comment), so its only for max 50 tx. when it s more you must adapt the script because it takes the information from blockchain.info and example its more 50 tx, but only loading 50 tx data from bc.info API, then it parses outside range of loaded data. this is the error. i hope you understand. when you need adaption of script write me. i am happy to help you anytime. thank you. hello sory i don't see yours reply so waited so long. excuse me. ok i post pseudocode hope you can add it with python in fact only little work: full script i write in coming weeks. #EDIT: overload with RL-work. will sit on extension soon. Code: x=0 This is the example of above pseudocode with REAL values in it. so you see every loops job and what is happening here exact: Code: //now REAL example with value: so we think for a [b]tx with 138 TXs[/b] have a good sunday evening. thank you. ca333 Title: Re: Check if your BTC-key is vulnerable Post by: Snagglebone on March 19, 2015, 01:43:44 AM Thank you for providing this tool it is very useful.
Title: Re: Check if your BTC-key is vulnerable Post by: Jude Austin on April 03, 2015, 11:37:12 PM Does anyone have a version that can handle more than 50 transactions?
I am working on it now lol Title: Re: Check if your BTC-key is vulnerable Post by: e1ghtSpace on April 09, 2015, 11:11:00 AM Wow, I didn't think it would be possible to calculate the private key just from a reused value. So when transactions are normally cast, is the r value recalculated?
Title: Re: Check if your BTC-key is vulnerable Post by: Coef on April 09, 2015, 12:08:19 PM Wow, I didn't think it would be possible to calculate the private key just from a reused value. So when transactions are normally cast, is the r value recalculated? Yes. CMIIW I believe the latest wallets (eg. core 0.10) are all using deterministic signatures to make sure the R values are unique for each transaction. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on April 09, 2015, 01:33:16 PM Wow, I didn't think it would be possible to calculate the private key just from a reused value. So when transactions are normally cast, is the r value recalculated? Yes. CMIIW I believe the latest wallets (eg. core 0.10) are all using deterministic signatures to make sure the R values are unique for each transaction. yes it s possible when you use redundant signature values. but its new libsecp256k1 library from sipa (Pieter Wuille) use deterministic generation of k value. so its sure signing value is unique. this is updated 13 day ago: https://github.com/bitcoin/bitcoin/commit/223d8630b0bf1809d29660004255237ad9d15f86 you can read the details for the BIP 0032 here with full explanation: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki also must mention Gregory Maxwell gave advice for BIP extension: http://www.archivum.info/mailcatch/2013-08/00364/(Bitcoin-development)-BIP-32.5.html Title: Re: Check if your BTC-key is vulnerable Post by: sss555 on April 22, 2015, 05:55:50 AM p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
r = 0xd47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1 s1 = 0x44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e s2 = 0x9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab sop1 = 0xc0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e sop2 = 0x17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc how to get ( sop1 & sop2 ) these two value, any formula or any script available........... Title: Re: Check if your BTC-key is vulnerable Post by: amaclin on April 22, 2015, 08:06:19 AM how to get ( sop1 & sop2 ) these two value, any formula or any script available........... Not too easy. You should have good lib for bitcoin transactions to create "a template" and take a sha256d () of it. Here is a piece of my code. But it will be useless for you. Just a pseudo-code Code: const MyKey32 Transaction::getRawHash ( const int n, const QByteArray& scr ) const Title: Re: Check if your BTC-key is vulnerable Post by: sss555 on April 23, 2015, 02:07:46 AM how to get ( sop1 & sop2 ) these two value, any formula or any script available........... Not too easy. You should have good lib for bitcoin transactions to create "a template" and take a sha256d () of it. Here is a piece of my code. But it will be useless for you. Just a pseudo-code Code: const MyKey32 Transaction::getRawHash ( const int n, const QByteArray& scr ) const Thank you http://bitcoin.stackexchange.com/questions/25387/how-to-get-the-z-value-aka-hash-of-the-outputs-to-be-signed http://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx here i get explanation, i almost understand but not clear, i need step by step explanation please... Title: Re: Check if your BTC-key is vulnerable Post by: itod on April 23, 2015, 06:44:30 AM how to get ( sop1 & sop2 ) these two value, any formula or any script available........... Not too easy. You should have good lib for bitcoin transactions to create "a template" and take a sha256d () of it. Here is a piece of my code. But it will be useless for you. Just a pseudo-code Code: const MyKey32 Transaction::getRawHash ( const int n, const QByteArray& scr ) const Thank you http://bitcoin.stackexchange.com/questions/25387/how-to-get-the-z-value-aka-hash-of-the-outputs-to-be-signed http://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx here i get explanation, i almost understand but not clear, i need step by step explanation please... After this things will be clearer: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ (https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/) Title: Re: Check if your BTC-key is vulnerable Post by: sss555 on June 02, 2015, 11:24:53 AM http://bitcoin.stackexchange.com/questions/37740/same-identical-r-value-of-all-transaction-not-provide-corresponding-privatekey
Same identical R value of all transaction not provide corresponding privatekey https://blockchain.info/tx/9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1 transaction you get R = d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1 S1 = 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e S2 = 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab Z1 = c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e Z2 = 17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc z = 7a1a7e52797fc8caaa435d2a4dace39158504bf204fbe19f14dbb427faee50ae private key = c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96 but the other transaction not providing corresponding private key with same identical R value = d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1 https://blockchain.info/tx/47106ff70bf779efc32230f5ca956d0fc563f35a3c4395d1977fc38995327fe1 https://blockchain.info/tx/00b4dea9266283d93f35240f34b871b55e59c3d4a7705aa08d5745af398d9046 https://blockchain.info/tx/d6f071e082ebb8c7c7721a9019d7478489e3fd423cae6acabdbd2ffd28f5c300 https://blockchain.info/tx/83415dded4757181c6e1c55104e2742a6f8cff05a9a46fbf029ae47b0054d511 https://blockchain.info/tx/2bd15366f5bcc2046c480db4d6ad82450893f2a3370935ddee753325f1a7c6cc https://blockchain.info/tx/e96feca9744b95533a5a3f657c346d7772a5004a76f4bc8de810b7ad015f6440 https://blockchain.info/tx/5a994f485039ebd83a0ed22cae943f0c792d85d218884f4cd80bd7cccdd75aae Title: Re: Check if your BTC-key is vulnerable Post by: mistercoin on June 03, 2015, 11:16:12 AM This software is great, but does not provide any value to the users. I am pretty sure, that reused R values will be detected within milliseconds and the private keys emptied immediately. So if your funds are gone, you have reused a R value ;-) not "any" because low balance keys are not interested for bad guys. i provided this for testing/educational purposes. if i find out it makes harm to users/btc-community i will delete all. also the services i finded out have rng vuln i directly imported balance and contacted developers. i think nobody with exsisting btc-service have rng issue anymore. also all pubkeys with more 50BTC or more balance are secured. and i extra only provided a lightweight script. so with this technology (json request http) no chance to scan fast. if ported into ansic and used on highend server with own blockchain i can scan/compare all chain inputs in no time. but i think this people who are able to do this, have a moral compass and do not do this... badguys most cases are not very inteligent. also if anybody interested in more things i start soon release my scriptbase and software on github. (ca333) it s all for btc-security and some cryptocurrencies security. thank you. Hats off to you for not being like most others. Many others with your skillset would use their talent for malicious intentions, it takes a real human to use their talents for honesty. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on June 04, 2015, 09:07:44 AM This software is great, but does not provide any value to the users. I am pretty sure, that reused R values will be detected within milliseconds and the private keys emptied immediately. So if your funds are gone, you have reused a R value ;-) not "any" because low balance keys are not interested for bad guys. i provided this for testing/educational purposes. if i find out it makes harm to users/btc-community i will delete all. also the services i finded out have rng vuln i directly imported balance and contacted developers. i think nobody with exsisting btc-service have rng issue anymore. also all pubkeys with more 50BTC or more balance are secured. and i extra only provided a lightweight script. so with this technology (json request http) no chance to scan fast. if ported into ansic and used on highend server with own blockchain i can scan/compare all chain inputs in no time. but i think this people who are able to do this, have a moral compass and do not do this... badguys most cases are not very inteligent. also if anybody interested in more things i start soon release my scriptbase and software on github. (ca333) it s all for btc-security and some cryptocurrencies security. thank you. Hats off to you for not being like most others. Many others with your skillset would use their talent for malicious intentions, it takes a real human to use their talents for honesty. thank you for positive feedback. i think we, as human, and as technical skilled community, must try to make it better place, RL and virtual world. and only when "you behave like you want also other to behave" (= form of categorical imperative from Immanuel Kant) the society and community we living in, will move into good ("moral and ethical correct") direction... for my opinion we must fight bad malicious things and not make more harm for others.. karma is existent. thank you ca333 Title: Re: Check if your BTC-key is vulnerable Post by: virtualx on June 04, 2015, 09:15:07 AM Interesting script, going to have a closer look at this later. You probably want to do this line of code in two steps:
Code: addrdata = json.load(urllib2.urlopen(urladdr)) An improvement would be an auto checker, that simply extracts the bitcoin addresses from the wallet files at runtime and uses them as input. Title: Re: Check if your BTC-key is vulnerable Post by: salek11 on June 08, 2015, 11:02:56 AM thanks very much for sharing....
very interesting.. Title: Re: Check if your BTC-key is vulnerable Post by: sss555 on June 12, 2015, 10:50:43 AM Hi, thought maybe someone can use the script below. I just wrote it to check couple of my public keys for reused R-signing values which allow generating of the private key of affected PKs. The script is very lightweight and uses urllib2 for loading the data from blockchain.info. So no local btc-node is needed. The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). Also the script contains a lot of debug-output which you can just comment or remove. This is OpenSource and BETA software - USE AT OWN RISK - released under GNU Public License. Code: #!/usr/bin/python if you have question ask me. thank you. The script working good but some problem more then a 50 transaction it not process address: 1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK output Resued R-Value: 262e481b6d8905b5adba67aff05eb8261501b0a9434c0b7f043d00cf8d23c91b ---------------------------------------------------------------------------------------------------------------------- if address: 1QCRoj5dPAsADvzd2o7NBy6kywBEkfC1Xh output compare: Good pubKey. No problems. ------------------------------------------------------------------------------------------------------------------------ if address: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm output TX nr :51 Traceback (most recent call last): File "C:\master\identical-r-check.py", line 61, in <module> print "hash: " + str(addrdata['txs'][y]['hash']) IndexError: list index out of range ------------------------------------------------------------------------------------------------------------------------ 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm -> this address reused r value but the script give error how to solve , if any solved script available Title: Re: Check if your BTC-key is vulnerable Post by: eyeknock on June 12, 2015, 11:21:25 AM omg, this is really interesting and i didnt saw it before, ty so much for share it man!!
i will try it as soon as i come to my house. Title: Re: Check if your BTC-key is vulnerable Post by: virtualx on June 12, 2015, 11:22:21 AM Hi, thought maybe someone can use the script below. I just wrote it to check couple of my public keys for reused R-signing values which allow generating of the private key of affected PKs. The script is very lightweight and uses urllib2 for loading the data from blockchain.info. So no local btc-node is needed. The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). Also the script contains a lot of debug-output which you can just comment or remove. This is OpenSource and BETA software - USE AT OWN RISK - released under GNU Public License. Code: #!/usr/bin/python if you have question ask me. thank you. The script working good but some problem more then a 50 transaction it not process address: 1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK output Resued R-Value: 262e481b6d8905b5adba67aff05eb8261501b0a9434c0b7f043d00cf8d23c91b ---------------------------------------------------------------------------------------------------------------------- if address: 1QCRoj5dPAsADvzd2o7NBy6kywBEkfC1Xh output compare: Good pubKey. No problems. ------------------------------------------------------------------------------------------------------------------------ if address: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm output TX nr :51 Traceback (most recent call last): File "C:\master\identical-r-check.py", line 61, in <module> print "hash: " + str(addrdata['txs'][y]['hash']) IndexError: list index out of range ------------------------------------------------------------------------------------------------------------------------ 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm -> this address reused r value but the script give error how to solve , if any solved script available It looks like addrdata isn't large enough, simply a buffer overflow. Does print "number of txs: " + str(addrdata['n_tx']) output a value larger than 50? I suggest printing y, addrdata['n_tx'] and the other values. It's a multidimensional array and one of them is out of range, meaning the array is not large enough to store values there. Title: Re: Check if your BTC-key is vulnerable Post by: ca333 on June 21, 2015, 08:10:22 AM [...] The script working good but some problem more then a 50 transaction it not process address: 1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK output Resued R-Value: 262e481b6d8905b5adba67aff05eb8261501b0a9434c0b7f043d00cf8d23c91b ---------------------------------------------------------------------------------------------------------------------- if address: 1QCRoj5dPAsADvzd2o7NBy6kywBEkfC1Xh output compare: Good pubKey. No problems. ------------------------------------------------------------------------------------------------------------------------ if address: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm output TX nr :51 Traceback (most recent call last): File "C:\master\identical-r-check.py", line 61, in <module> print "hash: " + str(addrdata['txs'][y]['hash']) IndexError: list index out of range ------------------------------------------------------------------------------------------------------------------------ 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm -> this address reused r value but the script give error how to solve , if any solved script available you must use offset to load ALL data. I posted on previous page: interesting feedback from person on reddit when I shared this script (I wrote an article on my own site to archive this script and talk about it and share it with others who aren't on here) and it goes like: Quote There's a problem with either the script or the blockchain.info api where the number of tx field doesn't match the actual number of tx sent. In other words, Code: assert( len(addrdata['txs']) < addrdata['n_tx'] ) The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). yes but i writed this in the first post (see above comment), so its only for max 50 tx. when it s more you must adapt the script because it takes the information from blockchain.info and example its more 50 tx, but only loading 50 tx data from bc.info API, then it parses outside range of loaded data. this is the error. i hope you understand. when you need adaption of script write me. i am happy to help you anytime. thank you. hello sory i don't see yours reply so waited so long. excuse me. ok i post pseudocode hope you can add it with python in fact only little work: full script i write in coming weeks. #EDIT: overload with RL-work. will sit on extension soon. Code: x=0 This is the example of above pseudocode with REAL values in it. so you see every loops job and what is happening here exact: Code: //now REAL example with value: so we think for a [b]tx with 138 TXs[/b] have a good sunday evening. thank you. ca333 I write again: THIS SCRIPT ONLY WORK FOR MAX 50tx. If you want more, you must use algorithm from above i published in previous page. Please read all posting in this thread. then its all clear. thank you, ca333 It looks like addrdata isn't large enough, simply a buffer overflow. Does print "number of txs: " + str(addrdata['n_tx']) output a value larger than 50? I suggest printing y, addrdata['n_tx'] and the other values. It's a multidimensional array and one of them is out of range, meaning the array is not large enough to store values there. yes because data is NOT LOADED from blockchain. so script parses out of range ==> "overflow" (from array) Title: Re: Check if your BTC-key is vulnerable Post by: XMRChina on June 25, 2015, 03:37:22 AM Hi, thought maybe someone can use the script below. I just wrote it to check couple of my public keys for reused R-signing values which allow generating of the private key of affected PKs. The script is very lightweight and uses urllib2 for loading the data from blockchain.info. So no local btc-node is needed. The script only works for keys with up to 50 tx. If your key got more than 50 tx you have to add some lines (add loop and use optional API-parameters limit and offset to parse through all transactions [50+]). Also the script contains a lot of debug-output which you can just comment or remove. This is OpenSource and BETA software - USE AT OWN RISK - released under GNU Public License. Code: #!/usr/bin/python if you have question ask me. thank you. Thank you for making this! Educating people by sharing this sort of thing will help make people more careful in the future. Hopefully people will stop making the same mistakes Title: Re: Check if your BTC-key is vulnerable Post by: HeadsOrTails on June 29, 2015, 02:50:37 AM I've fixed the code to loop through the offset (https://gist.github.com/a8fecbfc619e2c72893d) (ie get >50 Txs), but the code isn't flagging 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm as a bad key when it's the address IDd as being a bad address. (http://"http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html")
any idea why? Code: Code:
|