Bitcoin Forum

Economy => Trading Discussion => Topic started by: rjk on May 10, 2012, 11:04:32 PM


Title: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 10, 2012, 11:04:32 PM
So these days, it seems that bitcoin private keys are being stolen all the time. I'd like to know the best way for a victim to prove that they owned the keys FIRST, potentially enabling them to recover funds.
As we know, anyone with the private key can sign a message from it. I would like to know whether my idea would work - basically it is as follows:

Before you are hacked, and when you have reasonably good proof that your keys are secure and un-hacked, perform the following steps:
  • This assumes that you have an existing -otc signing key, or that you can create one and keep it completely separate from your bitcoin keys, and protected with a strong password.
  • Take the key fingerprint from the RSA signing key, and create a message that contains that fingerprint, as well as a statement that you control it, plus any other identifying information that you wish to include.
  • Sign that message with your RSA key.
  • Sign the previously signed message with the bitcoin key.
  • MOST IMPORTANT STEP: Sign the final message with a signature from a known timestamp server, such as Verisign. This is the part that I am not sure about - can you timestamp arbitrary data in the same manner that you can timestamp an executable?
Once you have done this, you can prove that you owned a compromised key prior to it being compromised, and you can sign messages to that effect with your RSA key. Obviously, if both are stolen, you are SOL.

Would this work? Does anyone have any reason why it might not work, or perhaps a better way to do it?

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 12:48:32 AM
The above post was made with a lot of haste, due time constraints. However, I had a little time to think about it, and have refined the procedure a little bit below, to hopefully be a bit more clear:

Key #1 is a standard message signing key, and it could be any valid format such as RSA, PGP, GPG, etc.
Key #2 is the private key to the bitcoin address that you wish to prove that you own.

  • Create a message that contains the fingerprint of Key #1, the bitcoin address, the current date and time, and optionally any other info that you want to include such as your -otc nick, you bitcointalk.org nick, your name, etc.
  • Sign the message with the bitcoin private key (Key #2).
  • Sign the previous signature with Key #1
  • Timestamp the whole works with a signature and a time from a trusted timestamp server such as Verisign et al.
  • Publish the blob of data on a website somewhere.

The timestamping part of the process is explained somewhat generally here: http://en.wikipedia.org/wiki/Trusted_timestamping
My understanding is that the data is hashed with a one way hash (perhaps SHA256?) and then the hash is signed by the trusted time stamping authority.

I will attempt to demonstrate using my signature donation address, my -otc GPG key, and a public timestamp server. I fear that the process may fall apart at the timestamp step, but hopefully we can figure this out for ease of use in the future.

My donation address is: 1NgLdhjHfLbcVawMk4DNEv8yf9ZzzNJV6U
My -otc data is here: http://bitcoin-otc.com/viewgpg.php?nick=rjk and the fingerprint is 585C086DAD92DCA4080BD9740B9FF092ACB50C08

My message is as follows:
Code:
I (rjk) control this bitcoin address: 1NgLdhjHfLbcVawMk4DNEv8yf9ZzzNJV6U My key fingerprint is: 585C086DAD92DCA4080BD9740B9FF092ACB50C08 This message was created 5/10/2012 8:40PM Eastern time
When I sign that message with the key for 1NgLdhjHfLbcVawMk4DNEv8yf9ZzzNJV6U, I get the following:
Code:
G9fe7xx/dCESzyxkpISxCzNXCXYRA7u1ALR8aG8LC4eRGXhApqA9/Q4OSzJiKgf0Pgi5ifnwkHcVSJH93/tadsI=
I then sign the signature with my -otc ID:
Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

G9fe7xx/dCESzyxkpISxCzNXCXYRA7u1ALR8aG8LC4eRGXhApqA9/Q4OSzJiKgf0Pgi5ifnwkHcVSJH93/tadsI=
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPrF8WAAoJEAuf8JKstQwIt4oIAIBTOMSf8Dfa0PcXTlzuhniZ
VdcecUUILR28Ikvq5xux2TrW6dm9hpnkwUcluPeq6pCo9bMlYF+jgN1iTnYUFdN0
wMlB9PSPs5GSN4WDyu5sKdLaN5hVZTXb4IabGJNvDyqkIMco02VgLZR5+AoX6BJj
wh4qk26Ckv/bLjPxRWW57rdUUOw83I/YTTFuPwMQbp8AsJADpRhQJhuNo5aE6SGW
R5c6TiTg9n4Mva02a4YZjzZ+dNuX21mH6hMDroI4pk8gQJz9gWLotGCO0JF59Y7e
uSnWRzT0YJ84cP8uc46LrUWHvgK4kM9jbFlSr8WhPpp/WsH7eGn8sbbH5fH6eFE=
=pKQ2
-----END PGP SIGNATURE-----
Now I need to hash the above blob and sign it with a trusted timestamp server. There is a web service at http://timemarker.org/en/GetStamp.aspx but it doesn't seem to load reliably. There may be better services, or it might be possible to do it a different way. I was able to get it to work though, and the result is:
Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Timestamp-version:  1.0
Description:        timestamp
Signed-by:          http://timeMarker.org/
Timestamp:          Fri, 11 May 2012 00:45:03 GMT
Number:             13080
Ref-Hash-SHA512:    546100a6ee3597206d5997322978960e6abf5afdb66823198bdea632b4d7877d9d9a42ec352eed8a37ab1710730e21cfedafc616eca7a700e1989ffa1e051328
Ref-Hash-RIPEMD160: 83d20c3a748cd05a6bc55daad2c720d6b4b3cb1f
Hash-SHA512:        7d2a8a4319c01bfef0e404948ab0fe9fa28cf012e1e7a9a45c5da53bed1a0a363e6aadb7aab20f6e8dab96d9b9885a1222ccb6dc4f2289dea60d44ed5113b1c0
Hash-RIPEMD160:     868e087ef8f9024209e73e0fee52d2971513c657
-----BEGIN PGP SIGNATURE-----

Version: BCPG v1.32

iQEcBAEBAgAGBQJPrGEPAAoJEPKfyyzv5FwHGTAIAJeBSIPa9SedxzsdhnnfHI8i
EDgZH/H6qt2JvmLxr9oPnGFc2jb6+45cTjS8c3LsbKMk8eFt0afF+S4D7POiXl9M
fs6sW8TzkAxbEf1qvIO4c0js4iohBY2UnfmfcPH018b3a/PYVYy06qcaMzJq3IP8
O09msBgT/LyXNw37fuf3eaXTbUVYJxcYvPYKydE8IZ4W1IHVH0coMWKcCg6AT6SY
mcxwxgichIi1HQr82bM1MpSsWKE3v+hao1dvRORTpbjM+FQR6tgQ8baYL2uAkHBK
6RGs/JDVmcqhtx5u67tDq4oHEpxoMOk2EGZ9puJMetdaI4Z2tNRK0oUedBSDvRM=
=ZkFP
-----END PGP SIGNATURE-----

So theoretically, that should be able to prove that I controlled 1NgLdhjHfLbcVawMk4DNEv8yf9ZzzNJV6U prior to 00:45:03 GMT 5/11/2012, as per the time stamping service.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: Maged on May 11, 2012, 05:02:12 PM
As a reminder, you don't have to use a "trusted" timestamp server. Instead, you could totally just use the single most powerful, decentralized, and provably unchangeable timestamp system on the planet. Given the name of this forum, I shouldn't have to tell you what that is...  :P

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 05:03:56 PM
Quote from: Maged on May 11, 2012, 05:02:12 PM
As a reminder, you don't have to use a "trusted" timestamp server. Instead, you could totally just use the single most powerful, decentralized, and provably unchangeable timestamp system on the planet. Given the name of this forum, I shouldn't have to tell you what that is...  :P
Heh, I should have thought of that. I guess the final bit of the puzzle is how to make it very easy.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: goblin on May 11, 2012, 05:12:18 PM
For timestamping, check out chronobit: https://github.com/goblin/chronobit

It's still quite immature and probably needs an update after the recent change to p2pool, but it shows the point and implements it.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: goblin on May 11, 2012, 05:13:04 PM
However, what makes you assume that if someone loses a private key from a wallet, they won't also lose the private key used for signing the private keys from a wallet?

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 05:14:18 PM
Quote from: goblin on May 11, 2012, 05:13:04 PM
However, what makes you assume that if someone loses a private key from a wallet, they won't also lose the private key used for signing the private keys from a wallet?
Those keys are the same thing. But what this does is make it so that you can prove that you had control of that key first, otherwise the hacker could claim that he did, and there would be no proof in either direction.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: nybble41 on May 11, 2012, 05:16:12 PM
How do you intend to prove that you didn't deliberately give someone the private key? Private keys have become a form of payment in their own right; for example, you can provide one to MtGox to fund your account. A key isn't necessarily "stolen" just because you had it first, and now someone else also has it.

So far as the bitcoin system is concerned, possession of the private key is ownership. The damage is in the unauthorized access to your computer, and for that you need to show that the key was copied without your consent.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 05:18:12 PM
Quote from: nybble41 on May 11, 2012, 05:16:12 PM
How do you intend to prove that you didn't deliberately give someone the private key? Private keys have become a form of payment in their own right; for example, you can provide one to MtGox to fund your account. A key isn't necessarily "stolen" just because you had it first, and now someone else also has it.

So far as the bitcoin system is concerned, possession of the private key is ownership. The damage is in the unauthorized access to your computer, and for that you need to show that the key was copied without your consent.
That is where the RSA/PGP/GPG/etc key comes in. If you for some reason wanted to give a private key to someone (why?) you could create a message with your signing key to say that it was authorized.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: etotheipi on May 11, 2012, 05:19:41 PM
Why do you need to use the non-Bitcoin key for anything?

Why not just sign a message declaring your name, email, etc, using your Bitcoin private key, then hash160 that msg+signature, and send 0.0001 BTC to it using the blockchain as a timestamp server?  The inclusion into a block is all that is needed for timestamping, and it still can't be produced by anyone except for the owner of the Bitcoin address.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 05:22:05 PM
Quote from: etotheipi on May 11, 2012, 05:19:41 PM
Why do you need to use the non-Bitcoin key for anything?

Why not just sign a message declaring your name, email, etc, using your Bitcoin private key, then hash160 that msg+signature, and send 0.0001 BTC to it using the blockchain as a timestamp server?  The inclusion into a block is all that is needed for timestamping, and it still can't be produced by anyone except for the owner of the Bitcoin address.
It is a 2 part protection, because it allows you to be identified as the owner even after the key is compromised. Certainly, you can sign messages to that effect prior to a compromise, but after that no message can be trusted. That last part (running a hash160 on it and sending a satoshi to it) was the part that could replace the timestamp server given in the example.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: nybble41 on May 11, 2012, 05:39:52 PM
Quote from: rjk on May 11, 2012, 05:18:12 PM
Quote from: nybble41 on May 11, 2012, 05:16:12 PM
How do you intend to prove that you didn't deliberately give someone the private key? Private keys have become a form of payment in their own right; for example, you can provide one to MtGox to fund your account. A key isn't necessarily "stolen" just because you had it first, and now someone else also has it.

So far as the bitcoin system is concerned, possession of the private key is ownership. The damage is in the unauthorized access to your computer, and for that you need to show that the key was copied without your consent.
That is where the RSA/PGP/GPG/etc key comes in. If you for some reason wanted to give a private key to someone (why?) you could create a message with your signing key to say that it was authorized.
You could, but the absence of such a message does not mean the transfer was not authorized. Moreover, unless everyone timestamps their keys this way, anyone who does not have such a timestamp is left with the task of proving a negative--that they do not have a timestamp to sign over. Actually, that could be a problem even if you do sign over a timestamp, since nothing prevents you from having more than one, dated earlier than the one you signed over, which you've been keeping to yourself.

You could mitigate this by only considering timestamps which have already been made public, but it seems easier to me to simply secure your private keys.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: rjk on May 11, 2012, 05:45:07 PM
Quote from: nybble41 on May 11, 2012, 05:39:52 PM
Quote from: rjk on May 11, 2012, 05:18:12 PM
Quote from: nybble41 on May 11, 2012, 05:16:12 PM
How do you intend to prove that you didn't deliberately give someone the private key? Private keys have become a form of payment in their own right; for example, you can provide one to MtGox to fund your account. A key isn't necessarily "stolen" just because you had it first, and now someone else also has it.

So far as the bitcoin system is concerned, possession of the private key is ownership. The damage is in the unauthorized access to your computer, and for that you need to show that the key was copied without your consent.
That is where the RSA/PGP/GPG/etc key comes in. If you for some reason wanted to give a private key to someone (why?) you could create a message with your signing key to say that it was authorized.
You could, but the absence of such a message does not mean the transfer was not authorized. Moreover, unless everyone timestamps their keys this way, anyone who does not have such a timestamp is left with the task of proving a negative--that they do not have a timestamp to sign over. Actually, that could be a problem even if you do sign over a timestamp, since nothing prevents you from having more than one, dated earlier than the one you signed over, which you've been keeping to yourself.

You could mitigate this by only considering timestamps which have already been made public, but it seems easier to me to simply secure your private keys.
Quite so. I brought this up because the last time Bitcoinica was hacked, there were those that were saying that they should not be pursuing the recovery of their funds because it would not be possible to prove in court that they had ownership of the funds/keys first. This provides a way for a public entity to prove ownership based on a timestamp, and as we saw this morning, private keys can get stolen from large public entities too. I would love to see better security on everyone's private keys.

Title: Re: How to prove that you own/control a private key after it has been stolen
Post by: etotheipi on May 11, 2012, 06:15:53 PM
Fair enough.  I was focusing on the case that you need to prove to a court that you are the original owner.  It's just as easy to use one key as it is two keys for that initial blockchain injection which proves "Joe Schome <joe.shmoe@schmoeblog.com>" owned the key at least as early as <insert time here>.  Regardless of a second key...

The real issue is that most users don't actually do this, leaving open the possibility that someone steals your keys, and then does it themselves, claiming that you stole their keys and furnishing their "proof" to claim legal ownership.   It's difficult to distinguish that situation from the normal situation where this succeeds.  Therefore, I don't how this would be too useful right now, until it becomes so widely used that users are expected to use it.

Otherwise, I like the idea.  It could be done once per deterministic wallet, which could then be used to prove that you own every key in the wallet.  If blockchain bloat was a problem, there could be a free service that collects such signatures, jams them into a merkle tree, and posts the root into a single tx so that minimal coins and kB are wasted for the timestamping.  The service wouldn't even really have to be trusted, you just need to get the merkle tree and save it with your data and you can verify it yourself.  This would be preferable to doing it yourself, since you might have reasons to be doing high-frequency timestamping, which costs nothing computationally, but could add up in fees/burnt coins and blockchain bloat.



Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines