Bitcoin Forum
September 25, 2018, 06:15:01 PM *
Author Topic: Is it safe to encrypt your private keys with BIP38 and bitaddress.org?  (Read 1041 times)
lukaexpl
August 17, 2017, 08:08:39 AM
 #1

Let's say you use this page in an offline mode, print the encrypted keys, stamp it on metal, store it somewhere in a vault etc.
That should provide you reasonable security.

However, that site is the only one I could find doing the decryption of encrypted private keys.
The fear that I have is that if the site is gone would you be able to employ a sufficiently able programmer to create an encryption/decryption program with the information publicly available regarding this encryption protocol?

Thanks
dunand
August 17, 2017, 01:08:05 PM
 #2

You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.
lukaexpl
August 17, 2017, 01:32:24 PM
 #3

I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is a relatively simple task for the educated.
lukaexpl
August 18, 2017, 08:40:38 AM
 #4

> You know that you can save the bitaddress.org page on your computer right?
>
> No need to hope for the site to exist in the future.

When you run the process of private key creation using bitaddress.org, is it enough to be offline or should you be made to jump through hoops by burning a Linux installation, running it on a computer with the hard drive plugged out, no internet connection etc.?
dunand
August 18, 2017, 11:35:02 AM
 #5

> > You know that you can save the bitaddress.org page on your computer right?
> >
> > No need to hope for the site to exist in the future.
>
> When you run the process of private key creation using bitaddress.org, is it enough to be offline or should you be made to jump through hoops by burning a Linux installation, running it on a computer with the hard drive plugged out, no internet connection etc.?

If you are 100% sure your computer is safe from spyware...
lukaexpl
August 18, 2017, 11:38:04 AM
 #6

Thanks. So for ultimate safety you should take the hard route.

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
ranochigo
August 18, 2017, 11:53:17 AM
 #7

> Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?

That kind of malware is fairly common and almost any malware has these capabilities. Even a keylogger will work; they just need your encrypted key and the password and they can do whatever they want.

If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.

cr1776
August 18, 2017, 12:06:22 PM
 #8

> I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is a relatively simple task for the educated.

You can also fork it on github which gives you another online backup of it.
lukaexpl
August 18, 2017, 12:41:14 PM
 #9

> > Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
>
> That kind of malware is fairly common and almost any malware has these capabilities. Even a keylogger will work; they just need your encrypted key and the password and they can do whatever they want.

Thanks. So the keylogger gets my password but if I only write down an encrypted key and then shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.
cr1776
August 18, 2017, 02:39:10 PM
 #10

> > > Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
> >
> > That kind of malware is fairly common and almost any malware has these capabilities. Even a keylogger will work; they just need your encrypted key and the password and they can do whatever they want.
>
> Thanks. So the keylogger gets my password but if I only write down an encrypted key and then shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.

You also should clear the browser cache, quit the browser etc after doing it.
lukaexpl
August 19, 2017, 08:52:51 AM
 #11


> That kind of malware is fairly common and almost any malware has these capabilities. Even a keylogger will work; they just need your encrypted key and the password and they can do whatever they want.
>
> If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.

If the keyloggers are so prevalent and powerful, aren't we at risk of having masterseed or mnemonic stolen every time we TYPE it in any type of wallet that takes keyboard input?
Is there a way around it, like for example displaying a randomly ordered keyboard on screen within such software? Why is that not implemented or am I being naive without being aware of it?
ranochigo
August 19, 2017, 09:08:04 AM
 #12

> If the keyloggers are so prevalent and powerful, aren't we at risk of having masterseed or mnemonic stolen every time we TYPE it in any type of wallet that takes keyboard input?

Yes. That's why you have to be careful about what you download and click.

> Is there a way around it, like for example displaying a randomly ordered keyboard on screen within such software? Why is that not implemented or am I being naive without being aware of it?

Yes. It's called an on-screen keyboard. Most wallets don't implement it and I can see why. If there is a keylogger in your computer, there's an extremely high chance of your computer also having other malware (RAT) and that can do whatever they want with your wallet.

Kaller
August 19, 2017, 02:00:27 PM
 #13

Yes you can do this safely.
First, wipe your computer to make sure there are no viruses.
Turn off the internet when you get to Bitaddress.
You can still generate addresses with the internet off.
Finally, print the keys and voila, you have secure keys!
Unless you have a virus no one will know them.


mpufatzis
August 26, 2017, 10:27:28 AM
 #14

Use a Raspberry Pi.
Burn an SD Card with Linux, run the saved (in a memory stick) Bitaddress webpage using the RPi web browser and make as many keys as you wish.
Print the keys on a printer (you can connect it to RPi too, google for more information) or encrypt the list in the memory stick using PGP.
Format or destroy the SD Card and never use the memory stick in a computer.

jal007
August 28, 2017, 10:36:28 PM
 #15

Instead of using bitaddress I think you should try this: https://keybase.io/warp/. They use the scrypt algorithm and PBKDF2 with the ability to use a salt key.

They describe their algorithm like this:

s1 = scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=2^18, r=8, p=1, dkLen=32)
s2 = pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=2^16, dkLen=32, prf=HMAC_SHA256)
keypair = generate_bitcoin_keypair(s1 ⊕ s2)


achow101
August 28, 2017, 11:13:51 PM
 #16

> Instead of using bitaddress I think you should try this: https://keybase.io/warp/. They use the scrypt algorithm and PBKDF2 with the ability to use a salt key.
>
> They describe their algorithm like this:
>
> s1 = scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=2^18, r=8, p=1, dkLen=32)
> s2 = pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=2^16, dkLen=32, prf=HMAC_SHA256)
> keypair = generate_bitcoin_keypair(s1 ⊕ s2)

No, don't do that. That is making a brainwallet, which is not what OP is asking. It is not encrypting private keys or using BIP 38 or doing anything of the sort that OP is asking about. Please do not post if you don't know what you are talking about.

Kakmakr
August 29, 2017, 06:37:42 AM
 #17

You do not need the site to "decrypt" the private keys. This can be done with other sites and software, where you sweep the private key to use those bitcoins. You use that site to generate your paper wallets. < public & private key combination >

Just take note: Simply generating this offline is not a fail-safe method to protect the information that was generated. Some malware can still log information in "offline" mode and then make that available to its "master" when the computer is online again.

I prefer to use a cheap second-hand computer that will never be used online again, to generate my paper wallets. ^smile^

gentlemand
August 29, 2017, 10:27:37 AM
 #18

> If you are 100% sure your computer is safe from spyware...

It makes far more sense to do it with a machine that'll never see the internet again. You can get something that'll do the job for $20. If you ever do need to access the internet again with it just give it a comprehensive wipe.

It's far more reassuring doing all your crypto stuff on something you know can't possibly leak.
