Crypto currencies are a game-changer. But, as currently implemented, they are designed to fail. The proposals here won’t change the outcome.
Simply put: there is no spend password on the private key!
To illustrate: my PGP/GPG private keys are only created and used offline; printed and stored in an offsite safe. But, they are vulnerable to replication. Somebody sitting at a keyboard and hammering out a random string that just may be identical to my original PGP/GPG private key.
So, when somebody finally replicates my PGP/GPG private key they must still crack my random password to impersonate me. That, is to transact with my key.
The Android Bitcoin flaw proved that the Bitcoin 51 character private key is much easier to replicate. It starts with the digit 5 and the rest of the key are randomised characters from the Base58 symbol chart on the Base58Check encoding page.
It doesn’t matter if you follow best-practice privacy measures, such as cold storage, paper-wallets, encrypted USB drives, etc. No passphrase, no security.
It won’t be long before some script-kiddy writes an algorithm to replicate all possible Bitcoin private keys. Run them through the JavaScripts available online that calculate the individual public keys. Query sites such as Bitcoin Block Explorer for addresses with transaction histories. Download the JavaScript to create secure offline Bitcoin transactions. Then, broadcast the transactions.
All without touching a single encrypted wallet.dat.
––––
REFERENCES
····
The Android Bitcoin vulnerability explained
http://blogs.avg.com/mobile/android-bitcoin-vulnerability-explained/····
Base58Check encoding
https://en.bitcoin.it/wiki/Base58Check_encoding····
Query private wallet keys at
https://www.bitaddress.org····
Watch wallets online at
https://blockchain.info/address/····
Retrieve transaction history at
http://blockexplorer.com/q/mytransactions/····
Create offline send with
http://www.howtovanish.com/images/offline-transactions.zip····
Broadcast spend at
http://blockchain.info/pushtx
Show Posts
