Gocoin - totally different bitcoin client with deterministic cold wallet

[piotr_n]

Hi, when I run

> ./wallet -l -v

and enter 1234 as the passphrase, I get the following addresses:

mtMzKRALsjU3QUW9f7mrNdFkKuR32rRVJk TypC 1
ms8dDiiQh92J13Sb5FGxTcLbxfeyKTXAkT TypC 2
mjUi7buZNg93whuD1qeohVm7TKeBgs1G8E TypC 3
mhYcRqxfUJkEMCNQXPZueCJpnWxuGg3m7k TypC 4
mgrkKPPFUppG9WNySxiYtPA77yPVQk4x9j TypC 5
muTGvkfyRDQ1n5otCqukPK5RX1Spnyf5qG TypC 6
n3AgSXhgVt4BuunbzLhjc2bKbdxHmUkGET TypC 7
mzvpZH8jhgYs5JGHSF7HZBnvYudP8xQwWa TypC 8
mofUnUzEJDFNHfhbY51sqRqzKARWbwuEhr TypC 9
moJ4HS4NYtDRd9KqeG282qferp4kXHbbDH TypC 10
mkTDZxJTM6oR88zTtV1gWE6qNnEQvxT5wD TypC 11
mzKNtwNaeScnY71zFqghA69iTTgZX5gh6b TypC 12
mw1JJpDtTLRdkC7akZoYt15wsSifGP89vf TypC 13
moUuYTsFA69LAuwyVSNKJiHrTkGp5XPmPm TypC 14
mpA8fNq4Qt6gd3sPNvoFne85wz7KHHsUb7 TypC 15
mxF4F2V1ySQMrR1tdsA4u5fQdmDdaVgiW5 TypC 16
mgstWQteoRTQnkAMXU2viRmHu1AYXHbBx8 TypC 17
mzkhGFopVmfeLAw84YcVx3uZgfbo3XYmGR TypC 18
mjivnvukgajoHCmJ55dXh1QyN84WhVEVD1 TypC 19
muGkLzrQ4CrBo91ecMdkcjbET4LmB6aYPw TypC 20
mnjxHuncYvNNzr71T1gTKqUE17jHMjUHqz TypC 21
n48TXP4PiRy9wDcZJFKFNNYnPgkss2WAb1 TypC 22
mjX8qm14PQntBqwa2AazzA58hqccpzmHit TypC 23
mgJJQ5QPWYqB1p1KauNtEZUawqBL7JURU5 TypC 24
n26Ncr3fKHNTsANMi1cdDfB4uNyxvXKs7A TypC 25

These are not valid bitcoin addresses. What am I doing wrong?

you probably have wallet.cfg and it is configured to use testnet
just set it to false or remove wallet.cfg - the default is non-testnet for all I know.


EDIT:
oh sorry - my bad.
it was the wallet.cfg that I committed  to github that has "testnet=true"
I have just fixed it.

Thanks for reporting!

[1715599670]

1715599670

[Tovadnok]

Just a suggestion:

When creating transactions on the online machine, it would be great if it was possible to obtain the hash that needs to be signed directly instead of the transaction zip file. Then, a human can type it in on the offline machine, and then type the signature value back on the online computer.

This removes the need to plug usb drives into the offline device.

[piotr_n]

That's a great idea, @Tovadnok - thanks!

I will look into it, as soon as I'm back from holiday.

[piotr_n]

Just a suggestion:

When creating transactions on the online machine, it would be great if it was possible to obtain the hash that needs to be signed directly instead of the transaction zip file. Then, a human can type it in on the offline machine, and then type the signature value back on the online computer.

This removes the need to plug usb drives into the offline device.

After all, giving it more thought, it seems kind of tricky and I am not sure anymore about an actual usefulness of such a feature.

First of all the Gocoin's security assumes that the online machine is not secured.
This implies that the hash that needs to be signed, since created on the online machine, may be a subject to an attack, giving you a value that describes a different transaction.
That is bad, because having just the hash you cannot verify the content of the transaction at the offline machine, before signing it.

Second thing is that you would need to sign as many hashes, as there are inputs in the transaction. And moreover for each of the hashes you would need to manually specify the actual signing address that shall be used.

And then at the end, having the signature already (and the public key), you need to assemble this data back into a signed transaction, before broadcasting...

That is really a lot of hassle - just typing in the digits seems like a huge waste of time.
So I really don't see anyone using such a complex and unsecured system.
You really want to verify the actual content of the transaction that you are about to sigh at the offline machine, because this is a crucial part of the wallet's security.

[sqabeloth]

Awesome client! You did great job! Thanks a lot for making this really cool bitcoin client 

[Tovadnok]

@piotr_n you're right about the fact that the has could be modified. That's a very good point.
However, I still think that transferring transactions via a USB drive is very risky.

If bitcoin is valuable, stuxnet-like malware may emerge that travels to the offline machine through a thumbdrive, and then travels back on the same thumbdrive, this time carrying your private keys with it. Once the USB drive is re-inserted into the online machine, the private keys are sent out to a malicious server.

I do think that your software is pretty much the only one out there that one person can read the entire code base and convince themselves that it does what it claims to do. This is a nice side effect of Go.

I guess the real problem to solve here is how to make the transactions themselves transferable to the offline machine without risking compromise of the offline machine.

[piotr_n]

@piotr_n you're right about the fact that the has could be modified. That's a very good point.
However, I still think that transferring transactions via a USB drive is very risky.

If bitcoin is valuable, stuxnet-like malware may emerge that travels to the offline machine through a thumbdrive, and then travels back on the same thumbdrive, this time carrying your private keys with it. Once the USB drive is re-inserted into the online machine, the private keys are sent out to a malicious server.

I do think that your software is pretty much the only one out there that one person can read the entire code base and convince themselves that it does what it claims to do. This is a nice side effect of Go.

I guess the real problem to solve here is how to make the transactions themselves transferable to the offline machine without risking compromise of the offline machine.

If you are worried of stuxnet-like malware, just copy your file several times on the way - using different devices, with completely different software.

These days there are plenty of embedded devices (cameras, GPS systems, media players, etc) that can copy data to/from USB disks or memory cards.
No way anyone would be able to create stuxnet-like malware that can infect each possible system.

Basically you can think of many kinds of countermeasures to protect this channel - copying the data at least once on its way is just the first one that comes to my mind.

It is a good idea to not have any GUI at the wallet machine, because AFAIK the stuxnet was infecting windows using an exploit in parsing shortcut/icon files, or something like that...
In other words: make sure to use a system which does not read any data from USB, except the one that you explicitly ordered it to read. Then an infection is pretty unlikely.
And also don't use root/admin account at the wallet machine - this makes infection even less likely.
You can even use an entirely read-only file system there, e.g. by booting it from a CD or a write protected USB medium.

Another trick could be to use a very small medium. For instance if you had a disk/diskette with only 16KB capacity, that should be enough for most transactions, but it's extremely unlikely that any malware (capable of stealing keys from your offline wallet) would fit into it.

[Tovadnok]

Hi Piotrnar,

I'm not sure that copying several times, using non-root users, etc, will solve the problem. The concern is that someone will develop a new malware targeted specifically at your software. It can then exploit whatever vulnerabilities are currently available and will not necessarily use the same techniques as stuxnet.

Your idea for using a really small storage device makes a lot of sense. That's essentially what happens if a human types the data in -- you're using a very low bandwidth channel.

[piotr_n]

I totally don't understand how anyone could develop a malware that would be able to copy itself unnoticed through a several different systems.
The only way stuxnet could spread in the first place was through a 0-day exploit, for which only Windows was vulnerable.

But well, you wanted a functionality to sign a hash - here it comes, though as I had said it isn't quite secured and there is plenty of hassle with it.
Anyway, it is already committed into github - comes with version 0.9.2.

Here is how to use it:

1.
Having the payment.zip created at the online machine, extract it (on whichever machine you want) and being in the payment folder execute:

Code:

wallet -raw tx2sign.txt -hashes

This will print a hash that needs to be signed and the address that it shall be signed with - one pair for each of the transaction's inputs.

2. Now, on the offline wallet machine, execute such a command for each of the pairs:

Code:

wallet -sign <addrN> -hash <hashN>

Each of this commands will give you a hex dump of the public key and the canonical signature.

3. Now move the key+sig pairs to a PC where you have the unsigned transaction (tx2sign.txt) and use the tool called txaddsig, for each of the tx inputs executing:

Code:

txaddsig tx2sign.txt 0 <signature0> <pubkey0>
txaddsig <txfromprvstep>.txt 1 <signature1> <pubkey1>
...
txaddsig <txfromprvstep>.txt N <signatureN> <pubkeyN>

The file created after the last step shall contain a fully signed transaction. Before loading it to the node, for broadcasting, you can decode it's content with:

Code:

wallet -d <txfromlaststep>.txt

[Tovadnok]

Thanks, Piotr_n.

I agree that the fact that hash can be substituted by an attacker on the online machine is still a problem. I'll try to think of a way around this issue.
Overall, I think your client probably has the most secure design out there.

[piotr_n]

You're welcome.

Coming back to a malware that would eventually be able to attack the offline wallet.
The only path I see, except exploiting the OS, is some kind of stack-overflow exploit that would be smuggled to the wallet PC, inside one of the balance description files, or the raw transaction file.
If I had screwed up something (which isn't unlikely), the wallet app may crash while parsing a corrupt file, especially if it was corrupt by design...

Though I am not aware of an existence of any possible stack-overflow exploits for software written in Go.
AFAIK, Go's framework is more like Java, having a quite restricting memory manager and thus making a possibility of stack-overflow exploits very unlikely.

But nothing is impossible and I have seen many things in my life, so thanks for your valuable feedback @Tovadnok - it's been taken with a seriousness it deserves.

[piotr_n]

A update on 0.9.3 that is going to be released soon (the previous one was about 0.9.0)

As usually a more detailed list of changes is in the changelog.txt

I believe the most important feature that the new version brings is support for multisig addresses.

I already updated the user manual with the info on how to use the new feature: http://www.assets-otc.com/gocoin/manual/multisig

Please remember that the multisig code is pretty fresh and something may not work quite well yet. So make sure to try it with testnet first and please report any issues.

[piotr_n]

Sorry.
If your gocoin node had a breakdown today, it was because of some unique multisig txs that appeared in the chain last night.
I have just fixed it - pull the recent changes from github and it should go on with the remaining blocks now.

[bitcool]

Thank you for providing btc community with a great alternative.

Since both are written in GO, if you don't mind, any information comparing GoCoin with Conformal will be very helpful.

it was claimed that there was well over one man-year worth of work spent in Conformal, guess GoCoin is on the same level?

[piotr_n]

Haven't really looked at the other project.

From the description I read that it's basically bitcioind rewritten into Go - so that's at least the first difference, because Gocoin's architecture is quite different from bitcoind, especially at the "blockchain parser/db <=== online node ===> wallet" interface.

Yes, it's been a year since I started it, so you may say that it was one man-year work, though I wasn't working on any schedule, rather for fun, education and a personal necessity.
But that (according to some research I've learned) is supposedly much more efficient way of development than working for money and I think I can agree with it, comparing to how quickly I remember delivering stuff last time anyone was paying me, not to mention how much more stressful it had been  

So a may-year is a relative term and moreover, apparently the less you pay for it, the more you can get

[piotr_n]

Can you imagine that some asshole removed my entire article from the wiki, just to put an ad of his corporation in its place?
https://en.bitcoin.it/w/index.php?title=Gocoin&action=historysubmit&diff=43684&oldid=41856

We empower merchants... - WTF? What kind of article is this?
Vandalism and spam - that's all I know they empower for sure.

Anyway, I'm not going to argue with idiots, so I just recovered the content from the history and put it at a different name.
https://en.bitcoin.it/wiki/Gocoin_bitcoin_software

EDIT (2014-Apr-12):
I did not ask for it, but apparently people read my posts and someone decided that I should get the original location back:
https://bitcointalk.org/index.php?topic=560755.0
Anyway, thanks, whoever you were

[Elerntta]

Is it really so good? What's the main advantage that made you to begin to use it?

[piotr_n]

I think the most important thing for me, is an easy to use cold storage wallet - deterministic, based on a seed password.
It does not require me to do any backups, not even to store the actual password anywhere, except in my own brain.

Of course, for convenience and additional security (to access the cold wallet less often), I also use a wallet containing some small amounts on the online machine - obviously with a different seed password, but also not requiring any backups.

The client node can switch between my different wallets, in a fraction of a second. So I can easily choose any of them, use the web GUI to make an unsigned transaction - and then just execute the wallet app (on any PC I want; hot or cold) to sign it, simply by typing in the seed password which I keep stored only in my head.
Let's face it: it's the best security there is and none of the existing commercial hardware wallets comes even close to it.

And the recent versions also support a relatively easy to use multisig signing - which makes the security aspects even more crazy.
Personally I have not used it yet, didn't find a need for it, but I did test it, FWIW, so it should work.

[Tovadnok]

It's a great piece of software. I'm using it for my own bitcoin wallet.

[Heater]

This is great - well done!