Title: Vanitygen & GPG for secure private keys ** 2+ factor auth ** (software provided)
Post by: CIYAM on October 13, 2012, 02:17:06 AM

There have been numerous threads discussing how to generate offline wallets, and typically the problem ends up being that if your keys are a) generated from a password or b) stored in clear text on a disk, then they are subject to attack by keyloggers or malware.
I am wondering if using GPG would provide a simple solution by having the output of vanitygen encrypted to a GPG public key (the private key not being known to the "offline" system). With this approach, even if the "offline" system was stolen, no generated private keys could be taken (apart from the GPG key, which is actually of no consequence). I will probably put together a small script/program to accomplish this, but I guess if the GPG functionality could be built in to vanitygen itself this would be even more secure (i.e. so the private key is never output as clear text). (see source in posts below)

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: Buffer Overflow on October 13, 2012, 02:28:08 AM

I thought there was a command line option to encrypt output from vanitygen already. I might be wrong though and thinking of some other program.
Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: CIYAM on October 13, 2012, 02:51:02 AM

> I thought there was a command line option to encrypt output from vanitygen already. I might be wrong though and thinking of some other program.

Really - using GPG (and only the private key to be encrypted)? (certainly not the version that I am running, but it is probably a bit old)

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: CIYAM on October 13, 2012, 04:07:32 AM

Anyway, for anyone that is interested I've whipped up a little utility and a couple of scripts to accomplish this (for Windows).
Assuming you have GPG installed (with your public key in its keyring), create a dummy key-pair (I've used sample@domain.com here) and give it the password "password".

The first part is a simple tool (probably could just be a shell script in Linux) which firstly sends a hard-coded password to cout (the security of the GPG "from" should be irrelevant as it is being used as a "send only" address), followed by the private key line it finds from cin (it is expecting its cin to be coming from "vanitygen"). The "address" line is output to a fixed filename ("x" in this source).

Code: [x.cpp]

The second part is a batch file you call in order to create a new bitcoin address (change Ian to your own GPG name):

Code: @echo off

The final part is the "findrep.vbs" tool (wouldn't be needed if using Linux):

Code: Const ForReading = 1

So now to generate a new bitcoin address you just type "genaddr" at the command prompt. As well as displaying the address and the GPG encrypted private key, it saves the output to a file whose name is the address (which can be safely backed up anywhere). The following is a sample of the output:

Code: Address: 16vKwvg61UycrbhygXokVNQE3CxMSx22r7

When you decide to "redeem" the address simply use "gpg --decode" with the file to get the private key:

Code: gpg: encrypted with 2048-bit RSA key, ID D25430ED, created 2012-03-25

Title: Re: [Idea] Vanitygen with GPG to create private keys safely (with source code)
Post by: guruvan on October 13, 2012, 09:49:32 AM

Awesome. Been wanting this exact tool for some time.
Any chance of porting it to linux?

Title: Re: [Idea] Vanitygen with GPG to create private keys safely (with source code)
Post by: CIYAM on October 13, 2012, 10:12:36 AM

> Awesome. Been wanting this exact tool for some time. Any chance of porting it to linux?

Hmm... I guess if a small bounty were to be offered (is 1 btc too much to ask?) then I could become motivated enough to put together a bash script. ;)

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: Buffer Overflow on October 13, 2012, 10:15:31 AM

> I thought there was a command line option to encrypt output from vanitygen already. I might be wrong though and thinking of some other program.

Sorry, must have been thinking of some other program.

Title: Re: [Idea] Vanitygen with GPG to create private keys safely ** 2 factor update **
Post by: CIYAM on October 14, 2012, 04:54:29 AM

I just realised that with only a little minor tweaking this approach can be turned into a "roll your own" 2 factor authentication system. The idea is to encrypt the bitcoin private key to one GPG public key and then pipe this into another GPG encryption to a second GPG public key. So if you generate the GPG private keys on separate hardware, then both computers would need to be compromised in order for your bitcoin private key to be obtained.
Obviously this could be extended to 3 factors or more (depending upon level of paranoia, available hardware and degree of laziness).

Updated C++ program (takes an optional argument "2" to indicate it is being used as the second pipe):

Code: [x.cpp]

Updated batch file to GPG encrypt the private key twice (thus requiring both GPG keys in order to decrypt the bitcoin private key) - change Ian_1 and Ian_2 to your own two different public GPG key names:

Code: [genaddr.bat]

Title: Re: [Idea] Vanitygen with GPG to create private keys safely ** 2 factor update **
Post by: CIYAM on October 14, 2012, 06:51:04 AM

Well, I decided to whip up a bash script anyway, as I think I will be using this with a Linux OS down the track.
(note that as the x.cpp program actually creates the file 'x', I renamed x.cpp to w.cpp for Linux and compiled it using 'g++ -o w w.cpp')

Code: [genaddr]

Enjoy!

Title: Re: [Idea] Vanitygen with GPG to create private keys safely (with source code)
Post by: salfter on October 16, 2012, 03:57:24 PM

> Awesome. Been wanting this exact tool for some time. Any chance of porting it to linux?

Not much to it as a shell script... knocked this together in Cygwin, but it'd work the same under Linux, Mac OS X, or whatever. Output is in the same format as produced here (https://bitcointalk.org/index.php?topic=118182.msg1268868#msg1268868), but there's nothing to compile:

Code: #!/bin/bash

The address and encrypted private key are written to a file; leave out ">$addr.asc" on the last line if you'd rather have it go to stdout. Substitute appropriate values as follows:

<dest-id>: address or PGP key ID for whom the private key should be encrypted
<src-sign-id>: address or PGP key ID for whom the private key should be signed
<passphrase>: passphrase for <src-sign-id>

Title: Re: [Idea] Vanitygen with GPG to create private keys safely (with source code)
Post by: salfter on October 16, 2012, 06:05:17 PM

Code: #!/bin/bash

...and to generate QR codes, add these to the preceding script:

Code: qrcode -o $addr.png -l M $addr

qrcode is provided by libqrencode (https://github.com/fukuchi/libqrencode); a Win32 port (http://code.google.com/p/qrencode-win32) is available. Note that the private key QR code is also encrypted.

Title: Re: Vanitygen & GPG for secure private keys ** 2+ factor auth ** (software provided)
Post by: CIYAM on October 17, 2012, 02:25:33 AM

Thanks for the neat bash script (I figured the program I whipped up shouldn't be needed for Linux, but having worked for so many years under a standard Windows environment I have become accustomed to writing small programs to do such things).
I assume to do the 2-factor implementation you would assign a variable to the output of the first gpg call and then feed the password plus this into the second call?

Title: Re: Vanitygen & GPG for secure private keys ** 2+ factor auth ** (software provided)
Post by: salfter on October 17, 2012, 06:32:10 PM

> Thanks for the neat bash script (I figured the program I whipped up shouldn't be needed for Linux, but having worked for so many years under a standard Windows environment I have become accustomed to writing small programs to do such things). I assume to do the 2-factor implementation you would assign a variable to the output of the first gpg call and then feed the password plus this into the second call?

The original version of the script makes only one call to GPG. It's fed two lines: the passphrase of the signing key and the Bitcoin private key. The output from GPG is appended to the address and written to disk. In the version that generates QR codes, the second call gets the passphrase and a generated PNG with the QR code of the private key. This way, the private key (whether as text or a QR code) never goes to disk in unencrypted form. A QR code is also generated for the address; this is written to disk unencrypted.

Title: Re: Vanitygen & GPG for secure private keys ** 2+ factor auth ** (software provided)
Post by: CIYAM on October 18, 2012, 03:09:53 AM

I really like the QR code idea a lot - am not sure if most GPG public keys are small enough to fit into a QR code, but if so then I think that the combination of vanitygen and GPG could provide an extremely secure (and indeed "air gapped") method to generate wallet addresses.
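The following bash script is an added example and is not code from this thread, from CIYAM's utility or from salfter's script. It combines the two designs discussed above: as in salfter's version, the clear-text private key goes only through a pipe into GPG and never to a file, and as in CIYAM's "2 factor" post, the ciphertext from the first GPG encryption is piped into a second encryption to a different public key, so decryption needs both GPG private keys. It assumes vanitygen prints "Address: <addr>" and "Privkey: <key>" lines, and the standard gpg flags --batch --armor --encrypt --recipient; the function names and the ENCRYPT override variable (which lets the pipeline be exercised with a stand-in filter when no keyring is available) are names chosen for this example. Signing with a sender key, which salfter's script does, is left out here.

```bash
#!/bin/bash
# Added example (not from the thread). Split vanitygen's output so that only the
# address is written to disk, and send the private key through two nested GPG
# encryptions before appending it to the address file.
# Assumptions: vanitygen prints "Address: ..." and "Privkey: ..." lines; the gpg
# flags below exist in gpg 2.x; all function names and ENCRYPT are hypothetical
# names chosen for this example.

# gpg_encrypt_to RECIPIENT: ASCII-armoured public-key encryption of stdin.
gpg_encrypt_to() {
    gpg --batch --armor --encrypt --recipient "$1"
}

# two_factor_encrypt KEY1 KEY2: encrypt stdin to KEY1, then encrypt that
# ciphertext to KEY2. Recovering the bitcoin key needs both GPG private keys,
# so compromising the machine that holds only one of them yields nothing.
# ENCRYPT may name a different filter (used for offline testing); it defaults
# to gpg_encrypt_to.
two_factor_encrypt() {
    "${ENCRYPT:-gpg_encrypt_to}" "$1" | "${ENCRYPT:-gpg_encrypt_to}" "$2"
}

# genaddr_2fa OUTDIR KEY1 KEY2: read vanitygen output on stdin, write
# "Address: ..." followed by the doubly encrypted key to OUTDIR/<address>.txt,
# and print the address. The clear-text key exists only in this shell's memory
# and in the pipe into the first gpg; no file ever holds it unencrypted.
genaddr_2fa() {
    local dir="$1" k1="$2" k2="$3" addr="" priv="" line out
    while IFS= read -r line; do
        case "$line" in
            "Address: "*) addr="${line#Address: }" ;;
            "Privkey: "*) priv="${line#Privkey: }" ;;
        esac
    done
    if [ -z "$addr" ] || [ -z "$priv" ]; then
        echo "genaddr_2fa: no Address/Privkey pair found on stdin" >&2
        return 1
    fi
    out="$dir/$addr.txt"
    printf 'Address: %s\n' "$addr" > "$out"
    printf '%s\n' "$priv" | two_factor_encrypt "$k1" "$k2" >> "$out" || return 1
    priv=""   # drop the clear-text key from the shell variable once encrypted
    printf '%s\n' "$addr"
}

# Real usage (needs vanitygen and both public keys in the local keyring):
#   vanitygen 1 | genaddr_2fa ./keys first-key@example.com second-key@example.com
```

To redeem, the file is decrypted twice, once with each private key, on the respective machines. K1773R's fifo suggestion later in the thread fits the same structure: pointing vanitygen's output at a `mkfifo` pipe that genaddr_2fa reads from changes nothing about where the clear-text key can end up.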
Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: K1773R on October 18, 2012, 06:25:25 AM

> Anyway, for anyone that is interested I've whipped up a little utility and a couple of scripts to accomplish this (for Windows).
>
> Assuming you have GPG installed (with your public key in its keyring), create a dummy key-pair (I've used sample@domain.com here) and give it the password "password".
>
> The first part is a simple tool (probably could just be a shell script in Linux) which firstly sends a hard-coded password to cout (the security of the GPG "from" should be irrelevant as it is being used as a "send only" address), followed by the private key line it finds from cin (it is expecting its cin to be coming from "vanitygen"). The "address" line is output to a fixed filename ("x" in this source).
>
> Code: [x.cpp]
>
> The second part is a batch file you call in order to create a new bitcoin address (change Ian to your own GPG name):
>
> Code: @echo off
>
> The final part is the "findrep.vbs" tool (wouldn't be needed if using Linux):
>
> Code: Const ForReading = 1
>
> So now to generate a new bitcoin address you just type "genaddr" at the command prompt. As well as displaying the address and the GPG encrypted private key, it saves the output to a file whose name is the address (which can be safely backed up anywhere). The following is a sample of the output:
>
> Code: Address: 16vKwvg61UycrbhygXokVNQE3CxMSx22r7
>
> When you decide to "redeem" the address simply use "gpg --decode" with the file to get the private key:
>
> Code: gpg: encrypted with 2048-bit RSA key, ID D25430ED, created 2012-03-25

Why not make a fifo (mkfifo) and then point vanitygen to that file? cat the fifo per pipe into gpg and there you go, basic Linux stuff :P

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: CIYAM on October 18, 2012, 06:32:02 AM

> Anyway, for anyone that is interested I've whipped up a little utility and a couple of scripts to accomplish this (for Windows).
> Why not make a fifo (mkfifo) and then point vanitygen to that file? cat the fifo per pipe into gpg and there you go, basic Linux stuff :P

Perhaps you missed that. :)

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: K1773R on October 18, 2012, 07:08:21 AM

> Anyway, for anyone that is interested I've whipped up a little utility and a couple of scripts to accomplish this (for Windows).
> Why not make a fifo (mkfifo) and then point vanitygen to that file? cat the fifo per pipe into gpg and there you go, basic Linux stuff :P
> Perhaps you missed that. :)

Although note I don't think it's rock solid ;)

Title: Re: [Idea] Vanitygen with GPG to create private keys safely
Post by: CIYAM on October 18, 2012, 07:35:04 AM

> Although note I don't think it's rock solid ;)

I think it can be made rock solid, but only if the computer you run it on is never again connected to the internet (or any network or other computer, just in case it was in any way compromised). Another poster mentioned creating QR codes, which would make it convenient to transfer the encrypted private keys with an "air gap" (so there is no need to even use a USB to transfer the encrypted private keys for backup purposes).

Title: Re: Vanitygen & GPG for secure private keys ** 2+ factor auth ** (software provided)
Post by: K1773R on October 18, 2012, 08:12:18 AM

The latter would be a better solution; there are too many viruses/trojans/similar that are spreading over USB and even infect offline PCs, afterwards transferring data from the offline PC to an online PC and to a CC of a botnet/similar. Most people believe an offline PC is secure, but it isn't.
The idea with the QR code would be more secure, but not 100%; it would be 100% if the QR software on the smartphone is rock solid too (no possible exploits), and other devices if they get integrated.

greetings