Bitcoin Forum
Show Posts
321  Bitcoin / Armory / Re: encrypted paper wallets? on: December 03, 2013, 03:02:07 PM
There is a "SecurePrint" option, which allows you to memorize another string on the screen, which would not be printed and must be input or the recovery could not be done.
322  Bitcoin / Development & Technical Discussion / Re: why did bitcoin choose secp256k1 over secp256r1? on: December 03, 2013, 02:52:30 PM
It was recognised in a presentation by djb and Tanja Lange in May:

   http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

Search the slides for the name Jerry Solinas. Also see the slide containing the phrase "But what if the NSA knows a weakness". And as you note, the Brainpool RFC says explicitly that the NIST curves don't provide any justification for their seed values.

I would guess that there were probably only 10-15 people in the world who knew about this issue before the Snowden blowup though.

I saw this presentation, but I haven't seen a careful examination of the constants other than what gmaxwell did. Also, the slide mentions Apple's usage of Curve25519 rather than a NIST curve; I wonder if they are also aware of their problems.
323  Bitcoin / Development & Technical Discussion / Re: why did bitcoin choose secp256k1 over secp256r1? on: December 03, 2013, 02:44:43 PM
Why have I found nobody, before gmaxwell, trying to verify if the secp256r1 constants make sense? Why?
The spec described it as random, and if you looked at it and didn't think too hard, the claim of random sounded pretty good... "They used a cryptographic hash to set the values, not really any algebraic structure going to be found there!".

Like a lot of things, it seems completely obvious in hindsight, but personally I only thought to reconsider it while I was in the middle of blabbering off to someone "there is no real reason to be concerned, they set them randomly using ... wait a minute!", ... and even then I'd been spending time dorking around with zero knowledge proofs based on the Fiat-Shamir heuristic, in which an attacker grinds at a hash hoping to get a lucky value that has him make successful validation probes.

I wasn't the first person to express some reservations about the methodology used for the NIST curves (e.g. the Brainpool curve RFC shows the NIST curves no love), though I'm not aware of anyone pointing out that someone could have tested seeds until they got a weaker (or stronger) one until I did, though I'm sure others _must_ have realized it. It's also more obvious in contrast to secp256k1 and ed25519 which have fewer (almost no) degrees of freedom.

The NSA had our psychology nailed, it knows well that we won't be bothered to run some tests over its constants, even if millions of us depend on ECC everyday.

Otoh, it's pretty fortunate to be trained and spanked in the Bitcoin world every day; the "nothing between you and your enemy but cryptography" design makes sure no one should cease being paranoid (or at least vigilant) without getting punished.
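The check the two posts above are about, as an added example that is not code from the thread or from anyone quoted in it: the ANSI X9.62 A.3.3.1 procedure that expands a SEED with SHA-1 into the integer r the curve coefficients must satisfy, run against secp256r1's published parameters, next to the same quantity for secp256k1, which was never seeded. The constants are the SEC 2 values; the bit-clearing step on W0 is the X9.62 wording of the procedure.

```python
import hashlib

# NIST P-256 / secp256r1 parameters and its published SEED (SEC 2, section 2.7.2).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("C49D360886E704936A6678E1139D26B7819F7E90")

# secp256k1 (Bitcoin): a Koblitz curve with a = 0, b = 7 and no seed at all.
K1_P = 2**256 - 2**32 - 977
K1_A, K1_B = 0, 7


def seed_to_r(seed: bytes, p: int) -> int:
    """ANSI X9.62 A.3.3.1: stretch SEED with SHA-1 into a bit_length(p)-bit
    integer r; a 'verifiably random' curve must satisfy r * b^2 == a^3 mod p."""
    t = p.bit_length()
    s = (t - 1) // 160            # number of extra SHA-1 outputs needed
    v = t - 160 * s               # bits taken from the first hash
    g = 8 * len(seed)             # SEED bit length (160 for the NIST curves)
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w0 = h & ((1 << v) - 1)       # rightmost v bits of SHA-1(SEED)
    w0 &= ~(1 << (v - 1))         # leftmost bit of W0 set to 0 (X9.62 step 3)
    z = int.from_bytes(seed, "big")
    r = w0
    for i in range(1, s + 1):     # W1..Ws = SHA-1((z + i) mod 2^g)
        zi = ((z + i) % (1 << g)).to_bytes(len(seed), "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    return r


def curve_r(p: int, a: int, b: int) -> int:
    """a^3 / b^2 mod p: the only thing about (a, b) the seed actually pins down."""
    return a**3 * pow(b * b, -1, p) % p


def verify_seed(p: int, a: int, b: int, seed: bytes) -> bool:
    """True iff (a, b) are consistent with SEED under the X9.62 procedure,
    including its rejection of r == 0 and 4r + 27 == 0 mod p."""
    r = seed_to_r(seed, p)
    return r != 0 and (4 * r + 27) % p != 0 and curve_r(p, a, b) == r
```

Passing this check shows only that the published curve is consistent with the published seed; it says nothing about how many seeds were tried before that one, which is the point gmaxwell makes. For secp256k1 the quantity is 0, which the procedure rejects outright, so the Koblitz curve could not have come out of it.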
324  Bitcoin / Development & Technical Discussion / Re: why did bitcoin choose secp256k1 over secp256r1? on: December 03, 2013, 01:17:05 PM
Why have I found nobody, before gmaxwell, trying to verify if the secp256r1 constants make sense? Why?
325  Economy / Speculation / Re: Gold collapsing. Bitcoin UP. on: December 03, 2013, 05:54:16 AM
...
when I asked about the 100 kg bar for BTC, that was not exactly a joke. Like I said, I bet gold and silver will outlast BTC and LTC as money. It's just smart to take some profits.
What's this heresy? You trying to drive the rate down?

gold has been around for 4000 years, I bet it will be around 4000 more

that being said I'm 95% of wealth in crypto

Until the day when we can create matter out of vacuum from the waste energy generated by miners.
326  Economy / Speculation / Re: Gold collapsing. Bitcoin UP. on: December 03, 2013, 04:36:00 AM
I will admit I'm a risk taker and I have made some good calls.

People thought it was crazy when I left school the first time. But it was great, made some money and then later went back. And while I was at school did the gold and oil thing. Then I suspected gold and silver were going to correct and as luck would have it, crypto was right here.

I still think we might lose 35% more in gold and silver but I don't care, holding some silver and land is just smart. I'm now thinking about generations after me more than myself. Crazy thing to do at 30 and yeah it's been an odd life.

I've had so much good luck (golden cock thing) that I just sort of expect the worst. Hitting heads so many times in a row will make a guy start to wonder about things. lol

About that gold thing, everyone thought I was nuts but I knew I was right. I even called the housing collapse, got my parents to sell just in time and got them into gold...

Honestly I for a while thought I might have been insane as the gold thing just looked so clear as day to me that I could not understand why others did not see the same thing, even after I showed them my logic. Took me a few years of wondering if I was insane or not but now I think I'm pretty sane but still. I can't be the only one lol

Is that right?

I don't recall even seeing you in this thread until the last year or so. And you certainly were nowhere to be seen in the latter half of 2011 when I was engaging in hand-to-hand combat with the gold bugs after my first gold thread started in 8/2011.

All I see is someone continually buying silver dips only to be handed a bloody knife.

He was around, just not so much into the speculation board I guess.

He was infamously a GLBSE passthrough, who along with his customers lost something like 10,000 BTC to pirateat40, so I would not be too surprised if he has still kept quite a few to himself.

Also this is the BTC speculation board; his LTC investment otoh could be considered wildly successful, and pretty much everyone knows he got involved with ASICMINER from very early on.
327  Economy / Speculation / Re: Gold collapsing. Bitcoin UP. on: December 03, 2013, 02:39:09 AM
hey Chaang,

you're gonna be rich!

Fixed that for you. I have more wealth than I could spend in 500 years. And because of that I'm going to spend at least 1% on silver and gold.

I bet you won't like this but I bet someone is still using silver and gold as money after BTC dies (even if it takes 1000 years).

How did you acquire all that wealth? (Besides crypto)

I went all in gold and silver on leverage around 300 and 7. Also made a bit with oil going to the moon. To get my start money I sold a tech company to Amazon in early 2002.

I did sell almost all of my gold and silver to get into crypto and I'm just now replacing some of it with a few percent of my crypto. I do not feel bad at all for doing this.

Wow, you did it with style too (although one can hardly recommend using leverage).

You sir deserve to be fucking rich

It wasn't just his knack to make good calls, you also have to have a particular kind of personality: the risk-seeking one. You could have seen the cryptocoin thing coming, but are you going to cash out all your PM investments, which were going so well, to go all in on it, even if the chance of cryptos going to 0 is only 20%? For me the answer was definitely a "No", and I doubt many would have said the same. People like me would only invest what they could afford to lose without kicking themselves, so we should be reasonable about our investment expectations (though more than 10000% return in fiat terms is not reasonable anywhere outside the crypto circle).

Also, I think what's equally important, perhaps more important, is the experience, that we were here, at the start, together pushing this crypto thing into what it is today, and what it will be tomorrow. Such an experience is priceless, along with many tales that will be told to our children and grandchildren.

328  Bitcoin / Armory / Re: Write-only encrypted filesystem for transaction transportation on: December 02, 2013, 09:46:48 AM
Wait, what's a "write only" fs? Never heard of that. Probably something like encrypting something with the public key of someone else, where even the sender can't decrypt/read the message afterwards?

Of what use is that here? The infected online computer has to have write access, and the secure to-be-infected offline computer needs read access (for the first part of the signing). With that, the malware will be able to reach the offline computer no matter what. The question is how to prevent it from executing on the offline machine. After that, with both machines infected, all is lost anyway.

I may be missing something here?

Ente

You can create a big partition, filled with lots and lots of files, unknown to any program on the online computer, so the malware on the online computer, without knowledge of the underlying structure of the FS, should have a very slim chance of putting itself somewhere auto-executable (on the contrary, it may even make the filesystem unmountable by overwriting some essential metadata) after the decryption, as the space allocation is not contiguous and linear. Armory, otoh, could be instructed to write transaction data to some designated places, to be recovered later.

329  Bitcoin / Armory / https://bitcoinarmory.com/ seems to be blocked in mainland China on: December 02, 2013, 09:16:46 AM
No "connection reset", just the page taking forever to load, with GAE or VPN on the page loads instantly. Can any other Chinese user confirm? I have asked several people to run the test and they return the same results.
330  Bitcoin / Armory / Re: Armory - Discussion Thread on: December 01, 2013, 09:42:55 AM

Sorry, I was talking about the scenario where malware takes over the online computer and tries to sneak itself onto a USB disk to steal the private keys on the offline computer.

Anyway, what would be the obstacles to creating entire transactions offline? Along with a write-switch protected USB drive it would be possible to make sure the offline computer is never infected, as the online Armory would only validate and broadcast the transactions supplied to it.

When creating a transaction you need to know which unspent outputs to use, so knowledge of the blockchain is necessary.

Well, if you are extremely paranoid, you can avoid using USB sticks: simply print the unsigned-tx file and manually type it into the offline PC. Do the same with the signed-tx file to transfer it to the online PC for broadcasting.

When I move my transaction back to the online machine, Armory can check if all the outputs are unspent, if I did something wrong then we are back to square one.

Also I don't think UTXOs alone are really much information; they should fit well into a sheet of paper using the same format of codes used for paper wallet backup, but etotheipi mentioned somewhere that a transaction could be as large as 1 MB and beyond the limit of even a static QR code, so I am also curious what could make it so big, lots of dust outputs?
331  Bitcoin / Press / Re: 2013-11-28 Financial Times E-gold founder backs new Bitcoin rival on: December 01, 2013, 07:16:24 AM
Wait for the government to come in and kick their ass.
332  Bitcoin / Armory / Re: Armory - Discussion Thread on: December 01, 2013, 04:08:48 AM
What's the difference between creating entire transactions offline and online? The chain code could be input manually into the offline computer, along with a number determining the indexes of the deterministic addresses to be created; the online Armory will simply check if the transaction is valid and no private key will ever get onto the online computer.

I'm not sure I understand your question.  The online computer already never touches the private key data.  It is created on the offline computer and stays on the offline computer.  Only the root public key is transferred to the online computer.  Even all the data moving back and forth between the two systems is totally security-insensitive -- no private key data ever touches the USB key, only signed transactions that will end up in the blockchain anyway.  

When people talk about "paper wallets", I believe they're talking about something similar to what you are describing:  the private keys are not held on the offline computer, but instead re-typed every time the offline computer is booted.

Also, when Armory upgrades to BIP 32, it will be possible to compute private key X directly.  But the current deterministic algorithm in Armory uses a real chain:  i.e. private key X depends on private key X-1.  Therefore, if you need address 132, you have to compute the first 131.  Instead, I don't even pass indices between the systems.  Armory just precomputes the first 100-1000 addresses and identifies what it is capable of signing in the supplied transaction.  

Sorry, I was talking about the scenario where malware takes over the online computer and tries to sneak itself onto a USB disk to steal the private keys on the offline computer.

Anyway, what would be the obstacles to creating entire transactions offline? Along with a write-switch protected USB drive it would be possible to make sure the offline computer is never infected, as the online Armory would only validate and broadcast the transactions supplied to it.
333  Bitcoin / Bitcoin Discussion / Re: Gonzalo Lira "Strolling along the shores of the mainstream" Falls in, can't swim on: December 01, 2013, 03:45:47 AM
Epic fail by a top blogosphere economics writer.

"Bitcoins don’t serve any useful purpose."

http://gonzalolira.blogspot.com/2013/11/bitcoins-get-out-while-gettings-good.html

Gonzalo Lira has long been happy to point out in detail the disastrous meltdown that is fiat money, central banks, the bankster complex. Yet the most powerful solution to this mess passes straight over his head. He can't see that an incorruptible store of value has any purpose, that sending money point-to-point anywhere in the world has any purpose, that all the advanced escrow/multisig features which could revolutionize commerce have any purpose. He can't see that transferring $147 million in the blink of an eye without intermediaries or counterparty risk, with negligible fees, has any purpose!

He has been predicting hyperinflation of the US dollar year after year, and yet he can't see that money pouring into Bitcoin is the market predicting the ultimate hyperinflation of many currencies.

He needs to totally rethink cryptocurrency, or drown in ignominy.


Made me rethink: do some of the harshest critics of the current financial system really want it to go away? Without the robbers, what are cops for? If the fundamental transformation takes place and the rules of the financial world become entirely different and the hubbub of the old time matters no more, are they going to be happy? Some of them may not, as their expertise becomes useless.
334  Bitcoin / Press / Re: [2013-12-01] Audio - Peter Schiff & E. Voorhees on Ed & Ethan on: December 01, 2013, 03:37:05 AM
listening now, but it seems like Peter Schiff doesn't know enough about Bitcoin to beat anyone at a debate. I'm guessing he's saying something that an old thinker would.

That's why he's a fool. When you don't know something, then don't comment. However, he opens his mouth and argues like he KNOWS it's a Ponzi scheme. He even makes a YouTube video "What is Bitcoin?"

Here is what a smart OLD thinker does

Warren Buffett: I don't know.... either Gates or Munger is right.

Yeah Buffett is a lot older than Schiff. But you can see why one is a billionaire and one is not.

Well, being the captain of the gold-bug ship, he is expected to know everything; he can't make himself look like a fool, poor Peter...
335  Bitcoin / Meetups / Re: Ashamed to be a bitcoiner – Bitcoin Expo London on: December 01, 2013, 03:25:30 AM
OP reminds me of this poem I read somewhere, must have been a long time ago....

"Give me your tired, your poor,
Your huddled masses yearning to breathe free,
The wretched refuse of your teeming shore.
Send these, the homeless, tempest-tost to me,
I lift my lamp beside the golden door!"
336  Bitcoin / Armory / Re: Armory - Discussion Thread on: December 01, 2013, 03:12:51 AM
What's the difference between creating entire transactions offline and online? The chain code could be input manually into the offline computer, along with a number determining the indexes of the deterministic addresses to be created; the online Armory will simply check if the transaction is valid and no private key will ever get onto the online computer.
337  Economy / Speculation / Re: Rally from $500 happened on very low volume, crash looming? on: November 30, 2013, 03:19:11 PM
People who have been into BTC for a while are converting more of their fiat into BTC.

At any rate, if the price goes up quickly, it makes sellers hesitant to sell, buyers even more anxious to buy, the price goes up even more quickly, and when it has gone parabolic (defined by roughly a 50-100% increase in 72 hours), it will crash. There is no going around this.

That pretty much is the only thing missing in your crash picture: a rapidly ascending price. We are now stalling and fluctuating.
338  Bitcoin / Development & Technical Discussion / Re: Improving Offline Wallets (i.e. cold-storage) on: November 30, 2013, 03:16:21 PM
I don't know if this has been proposed already, but would it be possible and/or improve the security to transfer the unsigned transaction to the offline PC on a write-locked medium (like a USB drive with a write-lock switch, or a CD) and then use QR codes to transfer back only the signatures? This way the only possibility for the private keys to get out of the offline PC would be the QR codes. This should be detectable pretty early, because the QR code would be bigger than normal. For most transactions 1-3 QR codes should be enough (and if iQR codes become available, a single code should be sufficient for the majority of cases).

On the usability side this could be implemented by having a smartphone app, which reads the QR code and connects via UPnP (or similar) to a daemon running in the Armory client on the online PC. The online PC then matches the signature to the unsigned transactions. No webcams (besides the one in the smartphone) are needed this way. Even single-machine setups using a live CD for the offline part could use this, as the smartphone could act as intermediate storage for the signature until the single machine has rebooted into online mode.
The smartphone can also act as an additional security layer if it does some simple plausibility checks on the data received through the QR code. So even if the malware on the online PC makes it to the offline PC and tricks Armory into putting the private keys into the QR code, the smartphone would notice and prevent the data from going back to the infected online PC. So for this scenario to be fruitful for the attacker, he needs to also compromise the user's smartphone in addition to the online PC and the offline PC.

But if the malware manages to control both Armory instances on the offline and the online computers, then they can make you supply the online instance with a signature over a transaction created in secret to the attacker's address, while showing you the normal one on the screen......

That's a valid point I didn't think of; thanks for mentioning it!
But the smartphone intermediate step should help. As long as the smartphone is not infected it could still verify the signature against the original transaction. Let's assume the malware on the online PC managed to get a malicious transaction onto the pendrive and the user did sign it on the offline PC, because Armory was tricked into showing him the original transaction. Now the signature of the malicious transaction will be transferred to the smartphone. The smartphone acquires the original transaction from the online PC and checks the signature against the transaction. Now, because the online PC sent the original transaction, but the offline PC sent the signature for the malicious transaction, the verification will fail. On the other hand, if the online PC sends the malicious transaction, a careful user would notice the change on the smartphone.

I think the important part is indeed the intermediate check on the smartphone. The QR code for returning the signature alone won't defend against malicious transactions (as you pointed out).
However, since the smartphone is still connected via wifi it probably can be compromised rather easily, too. Nevertheless it increases the complexity for the attacker, while the complexity for the user doesn't increase that much.

My gut feeling is that your proposal is a big step in the right direction, which has the potential to achieve ideal security, so we should not only be satisfied with "increases the complexity for the attacker".
339  Bitcoin / Development & Technical Discussion / Re: Improving Offline Wallets (i.e. cold-storage) on: November 30, 2013, 01:24:30 PM
I don't know if this has been proposed already, but would it be possible and/or improve the security to transfer the unsigned transaction to the offline PC on a write-locked medium (like a USB drive with a write-lock switch, or a CD) and then use QR codes to transfer back only the signatures? This way the only possibility for the private keys to get out of the offline PC would be the QR codes. This should be detectable pretty early, because the QR code would be bigger than normal. For most transactions 1-3 QR codes should be enough (and if iQR codes become available, a single code should be sufficient for the majority of cases).

On the usability side this could be implemented by having a smartphone app, which reads the QR code and connects via UPnP (or similar) to a daemon running in the Armory client on the online PC. The online PC then matches the signature to the unsigned transactions. No webcams (besides the one in the smartphone) are needed this way. Even single-machine setups using a live CD for the offline part could use this, as the smartphone could act as intermediate storage for the signature until the single machine has rebooted into online mode.
The smartphone can also act as an additional security layer if it does some simple plausibility checks on the data received through the QR code. So even if the malware on the online PC makes it to the offline PC and tricks Armory into putting the private keys into the QR code, the smartphone would notice and prevent the data from going back to the infected online PC. So for this scenario to be fruitful for the attacker, he needs to also compromise the user's smartphone in addition to the online PC and the offline PC.

But if the malware manages to control both Armory instances on the offline and the online computers, then they can make you supply the online instance with a signature over a transaction created in secret to the attacker's address, while showing you the normal one on the screen......
340  Bitcoin / Armory / Re: Write-only encrypted filesystem for transaction transportation on: November 30, 2013, 12:48:37 PM
Nobody interested in discussion?

Actually, I am.
I've seen your post a few days ago, but I wanted to give myself some time to think about it. My conclusion so far is that it will not stop uber-malware, which infects the pendrive's firmware. But as I still don't know if I should take this kind of danger for real or not, we should leave it aside for now. So, the write-only fs could prevent malware on the filesystem level, if the malware is not specifically targeted at the write-only fs. However, if there is a known vulnerability in the write-only fs, it doesn't matter that the malware can't be read back on the online PC. The online PC can still write to the write-only fs. And as soon as the malware is decrypted on the offline machine, it can be executed. The point I'm still unsure about is whether the write-only fs has to read and decrypt parts where malware could hide in order to decrypt the transaction.

Yes, you have a good point. Do you know how an on-the-fly disk encryption program (http://en.wikipedia.org/wiki/On-the-fly_encryption) manages to retrieve and decrypt files on demand, as everything including the metadata is supposed to be encrypted in the first place? Is the metadata for all the files stored in the same place and loaded in its entirety each time, or is the metadata for each file accessed separately?

BTW, your project is super interesting!