Topic: Building the Most Basic Bitcoin Wallet Ever (in Facebook Messenger)
ftreml (OP)
February 22, 2017, 08:46:21 AM
 #1

Here is an article I wrote for the Chatbots Magazine:

https://chatbotsmagazine.com/building-the-most-basic-bitcoin-wallet-ever-in-facebook-messenger-a71014d46258
ArcCsch
February 23, 2017, 05:41:27 PM
 #2

Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).

First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone, a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?

If you don't have sole and complete control over the private keys, you don't have any bitcoin!  Signature campaigns are OK, zero tolerance for spam!
1JGYXhfhPrkiHcpYkiuCoKpdycPhGCuswa
bob123
February 24, 2017, 01:09:07 PM
 #3

Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).
First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone, a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?

If you affect the computing time with dummy operations you don't need a long passphrase..
Generally.. you could just use a 4 digit code.. and on 3 wrong entries.. the wallet blocks or deletes the priv keys..
With this option available.. you should make sure that the user of the wallet writes down a "passphrase" to recover the priv keys
(or writes down the priv keys themselves).

ArcCsch
February 27, 2017, 02:17:20 AM
 #4

Quote
If you affect the computing time with dummy operations you don't need a long passphrase..

It is relatively easy to set up a cluster thousands of times faster than a phone, this would crack the key about as fast as the phone can decrypt it.
I covered this in my previous post.

Quote
Generally.. you could just use a 4 digit code.. and on 3 wrong entries.. the wallet blocks or deletes the priv keys..
With this option available.. you should make sure that the user of the wallet writes down a "passphrase" to recover the priv keys
(or writes down the priv keys themselves).

Most smartphones do not have a secure cryptoprocessor on board, a hacker can take the phone apart, remove the memory storage, and extract the encrypted keys.
After this, the hacker would not have any trouble cracking your key-stretching scheme.
This may require some effort, but it is well worth the stash of bitcoin.

coinableS
February 27, 2017, 04:29:59 AM
 #5

Quote
To be on the safe side, my wallet grants 2 Satoshi per byte.

I hope this is a typo. 2 sats/byte is very low.
Other than that, very cool article and project!

bustedsynx
February 27, 2017, 04:31:36 AM
 #6

Do be careful: Even someone with experience can read the thousands of lines of code in
a coin's source and not spot a 'payload' or virus. Just because you compiled it yourself
does not mean you are safe from malware. Use virus scanners, websites like virustotal.com
and run unknown sources on separate machines or best in virtual machines for safety.


maxi_malism
March 09, 2017, 11:49:08 PM
 #7

Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).
First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone, a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?

You're right, but I think this type of wallet can still be usable to do casual transactions/tipping. The attacker still needs to have access to the phone, no? I mean, one could totally refute piggy banks as worthless because they're easily broken into. I for one liked this tutorial :)
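
The PIN-versus-passphrase argument in this thread comes down to offline-guessing arithmetic, worked through here as an added example that is not code from the article or from any poster. The one-minute unlock cost is the figure used in post #2; the 1000x cluster speedup (standing in for "thousands of times faster" in post #4), the Diceware passphrase model and all function names are assumptions made for illustration.

```python
# Added example: offline-guessing arithmetic for a PIN- or passphrase-encrypted key.
# Every figure is an assumption taken from the thread or chosen for illustration.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776  # size of the standard Diceware word list


def expected_crack_seconds(space, kdf_seconds, speedup=1.0):
    """Average offline search time: half the space is tried before a hit,
    and each guess costs one KDF run divided by the attacker's speedup."""
    return (space / 2) * kdf_seconds / speedup


def required_kdf_seconds(space, target_seconds, speedup=1.0):
    """KDF time per unlock on the user's device needed for the average
    search to last target_seconds against an attacker with this speedup."""
    return target_seconds * speedup / (space / 2)


def min_words_for(target_seconds, kdf_seconds, speedup=1.0, wordlist=DICEWARE_WORDS):
    """Smallest number of randomly chosen words that meets the target."""
    n = 1
    while expected_crack_seconds(wordlist ** n, kdf_seconds, speedup) < target_seconds:
        n += 1
    return n


def report(kdf_seconds=60.0, speedup=1000.0):
    """Rows of (secret, average seconds on an identical phone, on the cluster)."""
    secrets = [("4-digit PIN", 10 ** 4), ("6-digit PIN", 10 ** 6),
               ("3 Diceware words", DICEWARE_WORDS ** 3),
               ("6 Diceware words", DICEWARE_WORDS ** 6)]
    return [(name,
             expected_crack_seconds(space, kdf_seconds),
             expected_crack_seconds(space, kdf_seconds, speedup))
            for name, space in secrets]


if __name__ == "__main__":
    for name, same, cluster in report():
        print(f"{name:18s} same phone: {same / 3600:.3g} h   cluster: {cluster / 3600:.3g} h")
    days = required_kdf_seconds(10 ** 4, SECONDS_PER_YEAR, 1000.0) / 86400
    print(f"Unlock time a 4-digit PIN would need to last a year: {days:.0f} days")
    print("Words needed to last a year at 0.5 s per unlock:",
          min_words_for(SECONDS_PER_YEAR, 0.5, 1000.0))
```

The retry counter proposed in post #3 does not appear in these formulas because it only limits guesses made through the wallet itself, not guesses against an extracted copy of the encrypted key.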