Bitcoin Forum
June 17, 2019, 02:07:41 AM *
News: Latest Bitcoin Core release: 0.18.0 [Torrent] (New!)
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: More Signatures with Repeated Nonces.  (Read 7480 times)
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 09, 2016, 05:30:49 AM
Last edit: April 12, 2016, 01:54:13 AM by johoe
 #1

My script that I still occasionally run has detected repeated nonces (r-value) in signatures again.  Looks like a bad random number generator; the repetitions usually happen some days apart.  The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now.  Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again.  There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses.  I accidently counted five unrelated addresses.  Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
1560737261
Hero Member
*
Offline Offline

Posts: 1560737261

View Profile Personal Message (Offline)

Ignore
1560737261
Reply with quote  #2

1560737261
Report to moderator
Bitcoin Poker 3.0
The Largest Bitcoin Poker Site
Bad Beat Jackpot Available
No Limit Texas Hold'em Cash Games And Tournaments
PLAY NOW
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1560737261
Hero Member
*
Offline Offline

Posts: 1560737261

View Profile Personal Message (Offline)

Ignore
1560737261
Reply with quote  #2

1560737261
Report to moderator
1560737261
Hero Member
*
Offline Offline

Posts: 1560737261

View Profile Personal Message (Offline)

Ignore
1560737261
Reply with quote  #2

1560737261
Report to moderator
setupbounds
Hero Member
*****
Offline Offline

Activity: 910
Merit: 509



View Profile
April 09, 2016, 06:10:07 AM
 #2

The mentioned signature can be used in wallets typically hardware wallets Only?

Please also give us the link to generate new Signature with repeated nonces.
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 09, 2016, 11:23:36 AM
Last edit: April 09, 2016, 11:51:27 AM by johoe
 #3

The last time this happened was the Blockchain.info December 2014 incident.  You can read it up here

  https://bitcointalk.org/index.php?topic=581411.0

AFAIK all hardware wallets use deterministic signatures by now, so I don't think it is a hardware wallet.  The wallet is reusing random nonces to generate the signatures.  It could be a bad random number generator or someone cloned the random state (e.g. by cloning a virtual machine or forking processes) or maybe even another openssl problem.  I guess a cloned virtual machine is most likely from the pattern I observe.  It wouldn't have happened if they had used deterministic signatures.

https://blockchain.info/tx/fc9c8c56ce09b48f1e593a0df3f9a03f8dc33ba2027621e047fc5fc4f86f93f6
https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb

All three transactions use r = 538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951


Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
annette786
Full Member
***
Offline Offline

Activity: 160
Merit: 100



View Profile
April 09, 2016, 07:40:38 PM
 #4

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 09, 2016, 08:57:16 PM
 #5

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only, if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
calkob
Hero Member
*****
Offline Offline

Activity: 770
Merit: 501


View Profile
April 09, 2016, 09:07:38 PM
 #6

Great job johoe, i admire your honesty Sir.  What in your estimation is the source of this problem?
AgentofCoin
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
April 09, 2016, 09:14:56 PM
 #7

...
EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

After looking at some of the tx going into and out of one of the compromised addresses,
it seems to me (but of course in Bitcoin we can never really know), the address's connections
may have some associations with a few different darknet markets.

So, if the above is true, I assume we will never hear from the true owner of the compromised addresses
and learn what was the wallet used and the cause of this reuse issue.



I support a decentralized & unregulatable ledger first, with safe scaling over time.
Request a signed message if you are associating with anyone claiming to be me.
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 09, 2016, 09:38:37 PM
 #8

What in your estimation is the source of this problem?

My guess is a cloned virtual machine state. 

Observation: The reuse happened several days apart and then the nonces are repeated in roughly the same order.  This happened three times.  Then another completely different set of 10 nonces were repeated again after a few days. 

Possible Explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine image.  After a few days the machine was restored to an earlier snapshot and restarted.  Then again after a few days the machine was restored to this state. 

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
lucasjkr
Hero Member
*****
Offline Offline

Activity: 644
Merit: 500


View Profile
April 10, 2016, 12:48:17 AM
 #9

I would have thought that among all the other noise that an RNG should be using to seed itself, one of those inputs would be tied to the date and time? So that even if you had cloned a VM, and started it a few days late, it would have new seed data to generate randoms from than the original before it was cloned?
jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1010


View Profile
April 10, 2016, 05:18:05 AM
 #10

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only, if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.


Don't reuse paper wallets after emptying them, and don't reuse paper wallets before emptying them

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
eddie13
Hero Member
*****
Offline Offline

Activity: 1162
Merit: 926


BTC or BUST


View Profile
April 10, 2016, 05:31:01 AM
 #11


I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

So how much BTC have you so far "swept"?

This Space For Rent
throwaway084575
Newbie
*
Offline Offline

Activity: 12
Merit: 0


View Profile
April 10, 2016, 09:53:28 AM
 #12

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 10, 2016, 10:24:55 AM
 #13

So how much BTC have you so far "swept"?

I updated the first post, so far 7 BTC.

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?

It's better to empty the paper wallet at once into Mycelium and never use it again.  If that contains too much, create several paper wallets with smaller amounts.
Mycelium is not affected by this bug (I think they use deterministic signatures).

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
GermanGiant
Hero Member
*****
Offline Offline

Activity: 784
Merit: 500



View Profile
April 10, 2016, 11:40:56 AM
 #14

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?
Kprawn
Legendary
*
Offline Offline

Activity: 1750
Merit: 1058


View Profile
April 10, 2016, 12:06:53 PM
 #15

Hey, OP once again thank you for your honesty. I doubt if these funds will be claimed if they connected to the Darkweb. A typical reason to setup a virtual machine is to evade

tracking and eliminating footprints. {Starting from a clean image} If this is in any way linked to illegal activities, please report it to the authorities. We do not need any bad

publicity. Good work, I hope you will run your script more regularly to expose these compromised signatures.  Wink

freebitcoin.TO WIN A  LAMBORGHINI!..

.
                                ▄▄▄▄▄▄▄▄▄▄███████████▄▄▄▄▄
                    ▄▄▄▄▄██████████████████████████████████▄▄▄▄
                    ▀██████████████████████████████████████████████▄▄▄
                    ▄▄████▄█████▄████████████████████████████▄█████▄████▄▄
                    ▀████████▀▀▀████████████████████████████████▀▀▀██████████▄
                      ▀▀▀████▄▄▄███████████████████████████████▄▄▄██████████
                           ▀█████▀  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  ▀█████▀▀▀▀▀▀▀▀▀▀
                   ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
jl2012
Legendary
*
Offline Offline

Activity: 1792
Merit: 1010


View Profile
April 10, 2016, 01:10:39 PM
Last edit: April 10, 2016, 02:05:19 PM by jl2012
 #16

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

You won't be affected if you NEVER spend, of course

Quote

3. Are multisig addresses (starting with 3) unaffected by this ?

yes

EDIT: yes, they are affected

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
April 10, 2016, 01:41:24 PM
 #17

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?

1. If you empty the wallet with a single transaction there is only a very tiny chance that you are affected.  For this the client must be really buggy selecting the same nonce twice in this transaction, and someone (amaclin  Grin) needs to have his bot running that tries to immediately double spend your transaction after seeing it.  I have seen such a double-spend attempt once but it didn't succeed; although if it had succeeded, I wouldn't have seen it.

2. Probably no bitcoin client is completely safe.  With regards to this problem, they are safe since they use deterministic signatures (January 2015).

3. No.  My script also scans for multisig (at least I intended to do that).  But I haven't found a reused nonce in a multisig so far.

4. They claim to use deterministic signatures.  If that is correct, they are safe.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
Answerme2
Member
**
Offline Offline

Activity: 108
Merit: 10


View Profile
April 10, 2016, 03:38:02 PM
 #18

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1484
Merit: 1314


No I dont escrow anymore.


View Profile WWW
April 10, 2016, 07:57:26 PM
 #19

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

If the wallet on the online machine is watch only, if you are not using a virtual machine and electrum the keys will not leak. There is always the risk that someone will break in and take the offline machine. A virus will most likely not reach the offline machine.
Answerme2
Member
**
Offline Offline

Activity: 108
Merit: 10


View Profile
April 10, 2016, 08:43:51 PM
 #20

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

If the wallet on the online machine is watch only, if you are not using a virtual machine and electrum the keys will not leak. There is always the risk that someone will break in and take the offline machine. A virus will most likely not reach the offline machine.
No as i said i am not using a virtual machine.
I am using a completely different PC that's running linux and my online watch online wallet is on different PC running windows so would i be at risk of this attack mentioned by the OP in this thread?  or any other attack?

Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!