wanted: concise tutorial for casascius 2factor goldbars.

[2weiX]

So I don't get it.
Before I trust my BTCs to that thing, I need to exactly know how it works.
I don't know why I'm stupid with this thing, usually I am quite quick to catch on.

I will offer one Bitcoin for a tutorial.

Step by step, with pictures.
If you're familiar with ELI5, you know what I want.

If this thing is concise, well-written and understandeable, I might host it (or maybe even get Mike to do it).

Hack away!

[MPOE-PR]

Nice work there subSTR.

[🏰 TradeFortress 🏰]

1. Download BTCAddress software located at https://casascius.com/btcaddress.zip and run it.

2. Select "Intermediate Generator" from menu "Tools".

https://i.imgur.com/Lgik2.png

3. Type desired password in the upper field and press button "Encode passphrase".

https://i.imgur.com/PlkAA.png

4. After few seconds, intermediate password code will appear in the lower field.

https://i.imgur.com/IPmCD.png

5. Copy provided intermediate password code and paste it in the field "Notes" located at the bottom of https://www.casascius.com page.

https://i.imgur.com/nNhrX.png

6. Fill the rest of the form and press button "Get Address". You will be provided with conformation code, that you can - and should - use to
check that the Bitcoin address you'll be funding is one that is actually restricted by your password and that you have the correct password.
To check both cases, run BTCAddress software and select "Conformation Code Validator" from menu "Tools".

https://i.imgur.com/5XXt6.png

7. Type password you used in step 3. in the upper field, paste conformation code in the lower field and then press button "Confirm".

https://i.imgur.com/XqYkD.png

8. If both password and conformation code are correct, you will be provided with Bitcoin address that will be funded with bitcoins. At that point,
you should go to blockchain.info or similar site and check if Bitcoin address is in use already!

~~~~~

9. To redeem bitcoins, run BTCAddress software and select "Address Utility" from menu "Tools".

https://i.imgur.com/zeAcU.png

10. Type embedded private key located on Casascius product and password you used in step 3. in appropriate fields and then press double-down
arrows button.

https://i.imgur.com/qqyOi.png

11. The decrypted hex private key will appear in the field "Private Key (Hex)". You must import it into wallet you want to be funded with bitcoins.

~~~~~

Note:

Don't do it unless someone confirms procedure is complete and actualy works. I never ordered anything from Casascius, nor I redeemed any of
his products, nor BTCAddress software actualy works for me in step 10. - it crashes badly!

You should put this on the bitcoin wiki!

[2weiX]

thanks,
I will try this out tomorrow night.

[casascius]

Sorry, I'd have helped with this sooner, I've been in Las Vegas this week for CES and have spent way less time answering e-mails recently.

More recent builds of my software have a "decrypt" screen.  https://casascius.com/btcaddress-alpha.zip may have it.  This is more intuitive than using the Address Utility.

I have a working intermediate code generator for the iPhone, still have some polishing to do before it's App Store ready.  Need to make sure it properly shuts down threads if you move away from the app while it's busy so it doesn't crash etc.  This app uses your e-mail to send them to someone for bill printing, helping keep the process sterile as well as convenient for newbies.  I loaded it on a few people's iPhones and iPads manually at the BitPay booth while I was at CES.

[2weiX]

tried it, works.

waiting for casascius to answer the last two question.s

also: please pm me your adress for the bounty.

[casascius]

Sorry, I'd have helped with this sooner

Backoff, cas, that 1 BTC is mine, all miiiiine!  

Anyway, what exactly happens in step 8.? Is address and just address provided? What if it is in use already? Buyer must cancel order
or all he must do is come up with another password, e.g. back to step 3.? In very unlikely case of password matching address that is
already loaded with bitcoins, would you cancel order or what?

The address is the address you'll get when the correct private key is decrypted.  By running a code through the confirmation process, you receive assurance that you were told to fund an address that depended on knowing your passphrase, rather than one that came from a potential attacker's wallet.

An encrypted private key contains two things: 8 bytes of salt, and a 32-byte "factor".  (This is the second factor in the two-factor scheme.  The first factor comes from the passphrase)

A confirmation code is similar: it contains 8 bytes of salt, but it doesn't contain the second factor: instead it contains the product of the second factor times G (a constant).  This multiplication cannot be reversed - the key that makes elliptic curve cryptography work - but since Bitcoin addresses are also based on the factor times G, it remains possible to compute the address if you know the first factor.  (that's why the passphrase is needed)

Because the confirmation code allows independent confirmation that an address is based on your own factor*G for which they don't know the original factor (you gave factor*G to them via the intermediate code), you can safely assume they don't know the private key for the two-factor address since they can't possibly have the factor based on your passphrase.

Finally, with regard to password matching:  Even if two people unknowingly use the same password, they will never have an address collision.  This would be equally as unlikely as hitting "generate" in a bitcoin client and getting somebody else's address.

[2weiX]

Furthermore:

It's  possible for you to generate multiple adresses and "2nd factors" based on the same passphrase?

[casascius]

Furthermore:

It's  possible for you to generate multiple adresses and "2nd factors" based on the same passphrase?

Yes absolutely.  Intermediate codes have 128 bits of salt. And the second factor is totally random.

One can even generate multiple key pairs from the same first factor, although at the risk that someone with the intermediate code, an encrypted key, and corresponding plaintext private key could probably decrypt other keys made from the same intermediate. Rare risk, but easily solvable by either using a unique intermediate code, or by not decrypting any of your keys for someone who has the intermediate code. Newer code I am working on embeds a batch and sequence number in the salt so there is a mechanism for someone to ensure salt isn't reused.

[2weiX]

just another question:

how can I, only from the confirmation code and the password, verify that i will be able to import the privkey without opening the 2factor bar?

:noob:

[casascius]

just another question:

how can I, only from the confirmation code and the password, verify that i will be able to import the privkey without opening the 2factor bar?

:noob:

Whenever I do a 2-factor bar, I send you a sheet with 8 sets of privkey+address+confirmationcode, all produced from your passphrase.  I only need one, so one of the private keys is clearly punched out, and the other seven remain for testing.  The punched out circles are the actual copy placed inside your bar.  You essentially have to trust that the part that is missing from the sheet is actually what's inside your bar.  I typically make some markings on the sheet before punching it out to help with that, some of those markings will be visible through the hologram's window.  Beyond that, you can test any of the other 7 private keys to make sure they can be imported with your passphrase, and trust that if whatever of the first seven you test will work, so will the eighth.