Bitcoin Off-The-Grid (BOTG): secure savings script v0.1.1

[bitlotto]

Special thanks to 'grondilu' and 'unk' ! I pretty much merged their commands/scripts together to create this one! Donate to them if you want to show thanks!

This script is intended to be added to any live CD so that all a user has to do is type:

./botg.sh

A tiny little script that uses openssl to create a private key along with a matching Bitcoin address. When run off of a Live CD environment, a very safe location for storing BTC can be created. Running on a Live CD with no Internet ensures no virus or malware can get the private key. The script will create a private key and present it in two formats: Hex and Base58. Either format can be used to access the matching Bitcoin address and helps provide redundancy in case one is copied down wrong. After copying down the keys and the matching Bitcoin address the user is advised to reboot the computer. Keeping the key "off-the-grid" or off any computer means no viruses or computer security lapses will jeopardize your BTC. No backups or encryption is needed. Any money you send to the matching Bitcoin address will be safe. The only way to steal the BTC would be to steal the key directly off of where it is written down. Therefore, it's best to keep the paper somewhere safe where it can't get destroyed or stolen.

Other uses could be:
-pre-loaded cards/tickets that are redeemable
-sending BTC when you are not sure who is going to receive it such as geo cache locations
-scratch cards or draws that are done at parties where everyone gets tickets with unknown amounts
-give BTC to someone and you don't know their Bitcoin address

Script has been tested a lot. Personally I have created over 500 keys and then imported them into Bitcoin to see if they were valid. All worked perfectly!

I'll update this post as the script develops and suggestions/improvements are made.

BOTG v.0.1.1

Create file botg.sh and make executable.

Code:

#!/bin/bash 

base58=({1..9} {A..H} {J..N} {P..Z} {a..k} {m..z})
bitcoinregex="^[$(printf "%s" "${base58[@]}")]{34}$"

decodeBase58() {
    local s=$1
    for i in {0..57}
    do s="${s//${base58[i]}/ $i}"
    done
    dc <<< "16o0d${s// /+58*}+f" 
}

encodeBase58() {
    # 58 = 0x3A
    bc <<<"ibase=16; n=${1^^}; while(n>0) { n%3A ; n/=3A }" |
    tac |
    while read n
    do echo -n ${base58[n]}
    done
}

checksum() {
    xxd -p -r <<<"$1" |
    openssl dgst -sha256 -binary |
    openssl dgst -sha256 -binary |
    xxd -p -c 80 |
    head -c 8
}

checkBitcoinAddress() {
    if [[ "$1" =~ $bitcoinregex ]]
    then
        h=$(decodeBase58 "$1")
        checksum "00${h::${#h}-8}" |
        grep -qi "^${h: -8}$"
    else return 2
    fi
}

hash160() {
    openssl dgst -sha256 -binary |
    openssl dgst -rmd160 -binary |
    xxd -p -c 80
}

hash160ToAddress() {
    printf "%34s\n" "$(encodeBase58 "00$1$(checksum "00$1")")" |
    sed "y/ /1/"
}

publicKeyToAddress() {
    hash160ToAddress $(
    openssl ec -pubin -pubout -outform DER |
    tail -c 65 |
    hash160
    )
}

hash256ToAddress() {	
	#printf "80$1$(checksum "80$1")"
    printf "%34s\n" "$(encodeBase58 "80$1$(checksum "80$1")")" |
    sed "y/ /1/"
}


privateKeyToWIF() {
    hash256ToAddress $(openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g')
}

echo " "
echo "BITCOINS OFF-THE-GRID (BOTG) v0.1.1: One of the most secure savings you'll ever get!"
echo " "
echo "For BEST results:"
echo " "
echo "-run './botg' from a Live Linux CD"
echo "-run this script with the Internet turned off"
echo "-reboot computer when done"
echo "-never record the secret key on a computer"
echo "-safely hide the key on a peice of paper where it won't get stolen"
echo "eg. hiding the paper in your car or inside your TV means you'll "
echo "never be able to get your money if that thing is stolen."
echo "-if you are not hiding the key, lock it up in a safe or safety deposit box"
echo " "
echo "***BOTG's strength is that since the secret key is never stored on your computer"
echo "there is nothing for a virus, malware, or spyware to steal!***"
echo " "
echo "Type and/or move the mouse for about 5 minutes. This will help improve the"
echo "randomness of your key....."
echo "Pressing ENTER will continue the script!"

read random

openssl  ecparam -genkey -name secp256k1 | tee data.pem &>/dev/null

echo " "
echo " "
echo "The following is the secret key in hex format. Record it carefully."
echo "Record the whole line after a 'read EC key'"
echo " "

hexsize=$(openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g' ) 

while [ ${#hexsize} -ne 64 ]
do
openssl  ecparam -genkey -name secp256k1 | tee data.pem &>/dev/null && hexsize=$(openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g' ) 
done

openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g' 

echo "Hit ENTER to continue"
read random

echo " "
echo "The following is the secret key in base58. This is the most"
echo "common format to import your key. Make sure to copy it down"
echo "carefully. Either this or the hex code could be used but it's"
echo "best to record both for redundancy. These two codes are to "
echo "be kept secret on a peice of paper or written down"
echo "somewhere safe. Putting them on a computer will lesson"
echo "the security of these keys."
echo "The address should begin with '5'."
echo " "

privateKeyToWIF

echo "Hit ENTER to continue"
read random

echo " "
echo "The following is the Bitcoin address you can send your savings to."
echo "Record the address carefully. It is not critical you keep this address"
echo "secret. Only the two other codes must remain secret!"
echo "The line that begins with the number 1 is your Bitcoin address you send"
echo "the funds to."
echo " "

openssl ec -pubout < data.pem | publicKeyToAddress

openssl  ecparam -genkey -name secp256k1 | tee data.pem &>/dev/null && rm data.pem

echo " "
echo "Hit ENTER to exit"
read random
exit 0

This creates a file data.pem in RAM. DO NOT save anything onto disk. Reboot the computer. Do not use with a Live CD set up to automatically save stuff on the hard drive.

Changelog:
0.0.2 -add part to ensure that entropy is good enough on live cd, encode hex to base58 as well, add note about having key that begins with 00, remove all caps!
0.0.3 -remake key if it's not exactly 64
0.1.0 -improve operation, and make it pretty.
0.1.1 -add pause at end in case it's run in a gui so it doesn't close

[mpfrank]

Neato.  I like it.  Post your address and I'm sure someone will give you a small donation to test it.

[bitlotto]

Neato.  I like it.  Post your address and I'm sure someone will give you a small donation to test it.

I'd rather if someone wants to donate to the cause. Just run the script. Send some BTC to the address (tiny amount - it's not tested after all). Then post the bitcoin address and the hex and see how long till someone takes it.

[Rogue Star]

if you ever need to test something, you should try learning about/using bitcoin in testnet mode. the testnet faucet is quite generous if you don't want to mine for them. transactions can take a long time to validate however.

[bitlotto]

if you ever need to test something, you should try learning about/using bitcoin in testnet mode. the testnet faucet is quite generous if you don't want to mine for them. transactions can take a long time to validate however.

I know  It's just that I'm about to go to bed and thought people may want to take a look. I'll have to experiment with testnet. Hopefully some who already know how to use testnet are trying it out right now? Anyways, I figured I get it out sooner rather than later so some people can see it and look it over....

[Rogue Star]

heh, i'm in the same boat. too late for me to review/test it out, might be helpful advice for people that don't want to use "real" BTC when they test it out.

[casascius]

I made one test with this, and I was able to confirm that on my one test, the Bitcoin address given was a match for the private key given.  In other words, I imported the private key, and Bitcoin independently gave the same Bitcoin address that matched the one given by the script.

In order to import the private key, I had to modify the script to also give the private key in Wallet Import Format.  Here is my modified script.

NO WARRANTY WHATSOEVER, USE AT OWN RISK

EDIT: A known problem with my modification, is it doesn't deal with the leading 00 byte tacked on the front of the private key if the first byte >= 0x80.  (this extra 00 ostensibly is to ensure the number isn't interpreted as a negative number).  If that's there, the script generates a wallet import key code that doesn't start with a '5', and this is wrong.  I don't do bash scripting much, someone who knows more will need to fix it.  hash256toaddress needs to take only the last 64 characters of the input string.

Code:

#!/bin/bash 

base58=({1..9} {A..H} {J..N} {P..Z} {a..k} {m..z})
bitcoinregex="^[$(printf "%s" "${base58}")]{34}$"

decodeBase58() {
    local s=$1
    for i in {0..57}
    do s="${s//${base58}/ $i}"
    done
    dc <<< "16o0d${s// /+58*}+f" 
}

encodeBase58() {
    # 58 = 0x3A
    bc <<<"ibase=16; n=${1^^}; while(n>0) { n%3A ; n/=3A }" |
    tac |
    while read n
    do echo -n ${base58[n]}
    done
}

checksum() {
    xxd -p -r <<<"$1" |
    openssl dgst -sha256 -binary |
    openssl dgst -sha256 -binary |
    xxd -p -c 80 |
    head -c 8
}

checkBitcoinAddress() {
    if [[ "$1" =~ $bitcoinregex ]]
    then
        h=$(decodeBase58 "$1")
        checksum "00${h::${#h}-8}" |
        grep -qi "^${h: -8}$"
    else return 2
    fi
}

hash160() {
    openssl dgst -sha256 -binary |
    openssl dgst -rmd160 -binary |
    xxd -p -c 80
}

hash160ToAddress() {
    printf "%34s\n" "$(encodeBase58 "00$1$(checksum "00$1")")" |
    sed "y/ /1/"
}

hash256ToAddress() {	
	#printf "80$1$(checksum "80$1")"
    printf "%34s\n" "$(encodeBase58 "80$1$(checksum "80$1")")" |
    sed "y/ /1/"
}

publicKeyToAddress() {
    hash160ToAddress $(
    openssl ec -pubin -pubout -outform DER |
    tail -c 65 |
    hash160
    )
}

privateKeyToWIF() {
    hash256ToAddress $(openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g')
    
}

openssl  ecparam -genkey -name secp256k1 | tee data.pem &>/dev/null

sleep 3

echo " "
echo "BITCOINS OFF-THE-GRID (BOTG) : A VERY SECURE SAVINGS ACCOUNT!"
echo " "
echo "THE FOLLOWING WILL BE THE PRIVATE HEX KEY NEEDED TO ACCESS YOUR BITCOINS!"
echo "***RECORD THIS NUMBER CAREFULLY*** IT CONTAINS NUMBERS 0-9 AND LETTERS A-F."
echo "THIS WILL HELP SO YOU DON'T ACCIDENTALLY CONFUSE SIMILAR LOOKING DIGITS LATER ON!"
echo "KEEP THIS HEX KEY SAFE. HIDE IT AND/OR LOCK IT UP SOMEWHERE." 
echo "IT IS THE ONLY WAY TO ACCESS THE BTC IN THE FUTURE. WHOEVER HAS THAT HEX KEY"
echo "CAN SPEND YOUR MONEY. RECORD THE WHOLE LINE AFTER 'read EC key' "
echo " "
echo "ONLY USE THIS HEX KEY AND ADDRESS IF THIS SCRIPT WAS RUN OFF OF A LIVE CD WITH"
echo "NO INTERNET CONNECTION. REBOOT COMPUTER WHEN DONE TO CLEAR RAM."
echo "DO NOT COPY THIS HEX KEY ANYWHERE ONTO A COMPUTER."
echo " "



openssl ec -text -noout -in data.pem | head -5 | tail -3 | fmt -120 | sed 's/[: ]//g' 
privateKeyToWIF

sleep 2

echo " "
echo "THE FOLLOWING IS THE BITCOIN ADDRESS YOU CAN SEND YOUR SAVINGS TO."
echo "RECORD THE ADDRESS CAREFULLY. IT IS NOT CRITICAL YOU KEEP THIS ADDRESS"
echo "SECRET. THE HEX CODE AND THE WALLET-IMPORT-KEYCODE MUST REMAIN SECRET!"
echo "THE LINE THAT BEGINS WITH THE NUMBER 1 IS THE BITCOIN ADDRESS."
echo " "

openssl ec -pubout < data.pem | publicKeyToAddress


echo " "
echo "SPECIAL THANKS TO 'grondilu' AND 'unk' WHO MADE THIS SCRIPT POSSIBLE!!" 

[Hal]

How much entropy does a live cd have after booting?

[casascius]

How much entropy does a live cd have after booting?

I guess the question really boils down to where does OpenSSL get its random numbers from.

EDIT: the answer looks like /dev/urandom.  And apparently, you can increase entropy by sending random data to /dev/random.  Maybe the user can be asked to mash on their keyboard, and that be sent to /dev/random.  Just going by what I read on Wikipedia, no guarantee to accuracy.

[casascius]

One additional comment,

Having the person write down the private key in wallet import format provides a useful measure of protection against minor transcription errors. If user can't reimport their private key and the checksum fails, it is reasonably possible to make a utility brute force against simple transcription errors (wrong case, characters missing/transposed/etc.) until the checksum can be made to match.


 Better yet, maybe another script that allows user to type back in what they wrote down (with the original removed off screen so they MUST type from their copy) to make sure they wrote it right.

[bitlotto]

Better yet, maybe another script that allows user to type back in what they wrote down (with the original removed off screen so they MUST type from their copy) to make sure they wrote it right.

That's a pretty good idea. Blank the screen and have the user write out what they wrote down. That way they can be sure they wrote it down correctly.

[bitlotto]

How much entropy does a live cd have after booting?

Good point. I think I'll add something about typing stuff at random and/or moving the mouse around a bunch.

[bitlotto]

Updated to 0.0.2
Some testing being done : https://forum.bitcoin.org/index.php?topic=23521.0

Any useful tips or changes to the script are appreciated!! 

[bitlotto]

There's still a problem, in that any private key that legitimately starts with 0000 thru 007F will still get misprocessed, because it will be spit out as a 62-character string.

The criterion you need to look for is not whether the private key starts with 00, but rather, whether it is exactly 64 characters long.  This HAS to work 100% of the time; having it make people lose funds, even if rarely, is inviting disaster and liability.

Anyone now what a great fix would be? I'm off to work and won't have time to look at it for a while...

[bitlotto]

fixed script. Should always create 64 character long hexes. Will this always make right keys now?

[casascius]

fixed script. Should always create 64 character long hexes. Will this always make right keys now?

Fingers crossed, one would hope.

I did some playing with it - observed that it rerolls the dice a few times (when the length is not 64 I presume)... and I imported one Base58 key into a wallet with the import patch, and Bitcoin successfully derived the correct address for it.

The next suggestion I might offer would be to abbreviate the text, it seems overly verbose and a bit panicky, and also I'd remove the thanks to grondilu and unk (thanks guys...they've been thanked).  I would also be willing to bet that the Base58 key is what's most likely going to be imported by a user, rather than the hex key, and would update the text to reflect that (though I wouldn't remove the hex key altogether).  BitBills uses Base58, so does sipa's wallet import... and Base58 has a checksum and guards against typos, where hex does not.

[bitlotto]

fixed script. Should always create 64 character long hexes. Will this always make right keys now?

Fingers crossed, one would hope.

I did some playing with it - observed that it rerolls the dice a few times (when the length is not 64 I presume)... and I imported one Base58 key into a wallet with the import patch, and Bitcoin successfully derived the correct address for it.

The next suggestion I might offer would be to abbreviate the text, it seems overly verbose and a bit panicky, and also I'd remove the thanks to grondilu and unk (thanks guys...they've been thanked).  I would also be willing to bet that the Base58 key is what's most likely going to be imported by a user, rather than the hex key, and would update the text to reflect that (though I wouldn't remove the hex key altogether).  BitBills uses Base58, so does sipa's wallet import... and Base58 has a checksum and guards against typos, where hex does not.

Thanks. Yes, the wording does have to be cleaned up. I was focusing first on the algorithms. Thanks for checking and helping me with this. I think once it's tested some people may want to use it as it provides a pretty high security place to put your BTC. Are you able to get those other transactions I did or did I make a bad key with the older script....

[casascius]

Thanks. Yes, the wording does have to be cleaned up. I was focusing first on the algorithms. Thanks for checking and helping me with this. I think once it's tested some people may want to use it as it provides a pretty high security place to put your BTC. Are you able to get those other transactions I did or did I make a bad key with the older script....

I didn't try to get the other ones... but regardless, if you just import the base58 version of the keys with sipa's import, and see that the matching Bitcoin address showed up in the wallet (since it is computed from the private key), and this could be repeated reliably without exception, I would guess it is overwhelmingly likely that it was correct without the need to do a confirming transaction.

Also I did some experimenting with openssl.  Yes, openssl will occasionally generate a 31-byte private key.  (it's, of course, a 32-byte private key that happens to start with 00, and the leading zero truncated).

It seems as though this behavior doesn't apply to the public key.  The public key as omitted by openssl seems to always start with 04, and no extra "sign" 00 appears if the key material starts with 0x80-0xFF, and nothing is omitted as "leading zeroes", even if the first byte of key material is 00 and the second is 00-7F.  I was able to generate a public key starting with "04 00 6b" (where 04 is the standard prefix).  So my guess is the public key is safe from weird exceptions.

[bitlotto]

It looks like it's creating pretty good keys! I've personally created over 100 keys and they were all valid and correct when imported into Bitcoin!

[casascius]

5HtNFUCKiNGPiECEoFGoDDaMNCoCKSuCKiNGSHiT3Viwnu6QQby
1Kv4AcDNkRjhAYvPo3w8RnDw8Jb6Pgq579
0.05 BTC

5JokeHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHADmwBca
1HvUDLU1iTfoTCp7KQw6V3Rm9KtZ56NwPS
0.05 BTC

I made an app in Visual Studio that freely converts BTCAddress <--> Pubhash <-- PubKeyHex <-- PrivKeyHex <--> PrivKeyBase58... mainly to increase my understanding of how the algorithms work.

It can generate new addresses at random, and as you can guess, I added a silly feature that allows substitution of characters, where the app would automatically recompute the checksum so that it would be a valid key.

I may publish the source...it happens to be a handy tool.