Bitcoin Forum
Author Topic: [ANNOUNCE] Android key rotation  (Read 32567 times)
Mike Hearn
August 11, 2013, 04:19:13 PM  #1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommended you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.

Updates for other wallet apps should be released shortly.

Some technical details of what exactly has gone wrong inside Android will be released once the upgrade process is reasonably complete. I will keep track of the upgrade status of each wallet app I know about in the post below.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
Mike Hearn
August 11, 2013, 04:19:21 PM  #2

Here are the rollout statuses of each wallet I'm aware of:

Bitcoin Wallet by Andreas Schildbach

An update has been prepared and is now rolling out on the play store. When you are notified, let the app update and the rest will happen automatically. Learn more.

BitcoinSpinner / Mycelium Wallet

An update has been prepared for Mycelium Wallet and is being pushed out via the Play Store. If you use BitcoinSpinner you are encouraged to upgrade to Mycelium Wallet, which is maintained by the same people.

blockchain.info wallet

An update is on the Play Store that will walk you through the key rotation process when you open it. Upgrade immediately and follow the on screen instructions.



Please note that apps where you don't control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated or controlled by you at all.

Basic rule of thumb - if you'd lose the money if the phone/tablet were destroyed (assuming no backups), and that device is an Android device, then you need to upgrade ASAP.

For blockchain.info wallets, even if the keys were generated on a desktop/laptop computer or iPhone, if any payments were made from an Android device, you are also affected. Likewise, if you have imported private keys from elsewhere into an Android wallet and made payments with it, you may also be affected.



I'd like to publicly thank Jean-Pierre Rupp (Xeno-Genesis on this forum) for bringing one of the vulnerabilities to our attention last week. His notification to us about the RSA paper started the effort needed to re-key people's wallets. I'd also like to thank johoe and BurtW for their investigations into how people's wallets were being compromised.

beerbeerbeer
August 11, 2013, 04:45:00 PM  #3

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

Dougie
August 11, 2013, 04:50:16 PM  #4

This is very useful information. Thanks for the announcement.

DiamondCardz
August 11, 2013, 04:50:36 PM  #5

Oh dear. Thanks for the update.

Blindfolded
August 11, 2013, 04:51:37 PM  #6

Thanks for the heads up.

Boelens
August 11, 2013, 04:52:23 PM  #7

Oh wow, I'm glad all the warnings are spreading so quickly, everyone has to be informed ASAP.

piotr_n
August 11, 2013, 04:56:12 PM  #8

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

You're joking, aren't you? Smiley

This post is over one month old, while this one over half a year...
Watchfulness my ass Smiley

colinistheman
August 11, 2013, 04:56:51 PM  #9

Thank god I have an iPhone Smiley

Boelens
August 11, 2013, 04:57:06 PM  #10

Thank god I have an iPhone Smiley

I don't even have a smartphone ;P

E.Sam
August 11, 2013, 04:58:59 PM  #11

Just wondering, would this affect Electrum as well?

http://electrum.org/android.html

apetersson
August 11, 2013, 05:07:56 PM  #12

If you are using Mycelium Wallet, a fix has been published to the play store (still pending review) and to mycelium.com

If you download it from mycelium.com, you can check the sha1sum:

Code:
dba000cad4cbf94a7b4c621f57482322c0a96678  mbw-v0.6.5.apk

There will be a wizard guiding you through the process in an upcoming version, but for now, you can simply download version 0.6.5 (or greater) and move the keys to newly generated addresses.

  • generate a new key
  • backup this key (to sdcard or similar)
  • manually send funds to the new secure address.
  • move your empty old key to the Archive category

Please take care. The most likely chance of lost bitcoins is the loss of private keys. Don't use our wallet without a backup of the keys.

TippingPoint
August 11, 2013, 05:12:49 PM  #13

a component of Android responsible for generating secure random numbers contains critical weaknesses

Thank you.

n4ru
August 11, 2013, 05:15:01 PM  #14

If an address is generated by a computer or other source, and then imported into a blockchain wallet, is it still vulnerable?

I ask because of change addresses.

Boelens
August 11, 2013, 05:16:20 PM  #15

If an address is generated by a computer or other source, and then imported into a blockchain wallet, is it still vulnerable?

I think only if it's generated by Android.

HeroC
August 11, 2013, 05:21:39 PM  #16

Woah, I have 2 addresses with only 0.002 in them that I generated a year ago. Are they safe? What should I do?

I also imported a vanity address to blockchain.info. Is that safe? I only made one transaction out of it. I generated many other addresses through blockchain.info but never sent anything from them. Are they safe?

Mike Hearn
August 11, 2013, 05:21:51 PM  #17

Because Bitcoin transactions require random numbers to create, if you generated spends with an imported key from Android then the key itself may be compromised, but this isn't a given, see here:

http://www.reddit.com/r/Bitcoin/comments/1k51dh/bad_signatures_leading_to_558_btc_theft_so_far/cblgtut


Xer0
August 11, 2013, 05:21:59 PM  #18

For blockchain.info wallets, even if the keys were generated on a desktop/laptop computer or iPhone, if any payments were made from an Android device, you are also affected. Likewise, if you have imported private keys from elsewhere into an Android wallet and made payments with it, you may also be affected.

Don't get this...
Wallet created with Bitcoin-QT; imported to Blockchain, but created new Address in Browser - still vulnerable?

BurtW
August 11, 2013, 05:29:34 PM  #19

For blockchain.info wallets, even if the keys were generated on a desktop/laptop computer or iPhone, if any payments were made from an Android device, you are also affected. Likewise, if you have imported private keys from elsewhere into an Android wallet and made payments with it, you may also be affected.

Don't get this...
Wallet created with Bitcoin-QT; imported to Blockchain, but created new Address in Browser - still vulnerable?

No matter when or where created if you SPENT BTC from an address using a wallet on an android device then the private key may be known.

Try this:

Basically every bitcoin transaction is signed in order to prove you have the private key and can transfer the funds.  There is a bug in the secure random number generator on the android phones that causes it to sometimes use the same random number to sign a transaction.  If you sign two different transactions with the same private key and the same random number then it is very easy to just calculate the private key from the two signatures.

Bitcoin must have unqualified fungibility to survive as a form of money.  We must support all efforts that protect and improve the fungible nature of Bitcoin and stand firmly against anyone or anything which threatens this essential property.
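
BurtW's post above explains the failure: two signatures made with the same private key and the same random number k expose that key. As an added example (not code from this thread or from any of the wallets discussed), the following Python audits a wallet's own DER-encoded signatures for a repeated r value, which is what a repeated k looks like on the blockchain, since r is the x-coordinate of k*G. The public keys and signature values are constructed placeholders, not real transactions.

```python
"""Audit a wallet's own ECDSA signatures for a repeated nonce.

The r value of an ECDSA signature is the x-coordinate of k*G, so two
signatures under the same public key that share r were made with the
same k.  That is exactly the condition under which the private key can
be computed from the two signatures, so a repeated r per key is the
thing a wallet owner (or a network monitor) should look for.

Added example; the sample signatures below are constructed, not taken
from real transactions.
"""
from collections import defaultdict

# SIGHASH_ALL/NONE/SINGLE, with and without ANYONECANPAY
SIGHASH_BYTES = {0x01, 0x02, 0x03, 0x81, 0x82, 0x83}


def parse_der_signature(sig: bytes) -> tuple:
    """Parse DER SEQUENCE { INTEGER r, INTEGER s } into (r, s).

    Bitcoin scriptSigs carry this encoding followed by one SIGHASH
    byte; strip that byte with strip_sighash() first.  Raises
    ValueError for anything that is not a well-formed two-integer
    sequence (short-form lengths only, which covers all valid sigs).
    """
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len + 2 != len(sig):
        raise ValueError("SEQUENCE length does not match input length")
    body, pos, ints = sig[2:], 0, []
    for _ in range(2):
        if pos + 2 > len(body) or body[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if length == 0 or len(value) != length:
            raise ValueError("truncated INTEGER")
        ints.append(int.from_bytes(value, "big"))
        pos += 2 + length
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    return ints[0], ints[1]


def strip_sighash(sig: bytes) -> bytes:
    """Remove the trailing SIGHASH byte if the DER length says one is there."""
    if len(sig) >= 2 and len(sig) == sig[1] + 3 and sig[-1] in SIGHASH_BYTES:
        return sig[:-1]
    return sig


def der_encode_signature(r: int, s: int) -> bytes:
    """Encode (r, s) as DER; used here only to build the constructed sample."""
    def encode_int(n: int) -> bytes:
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        if raw[0] & 0x80:          # keep the INTEGER positive
            raw = b"\x00" + raw
        return b"\x02" + bytes([len(raw)]) + raw
    body = encode_int(r) + encode_int(s)
    return b"\x30" + bytes([len(body)]) + body


def find_nonce_reuse(spends):
    """spends: iterable of (pubkey_hex, scriptsig_signature_bytes).

    Returns {(pubkey_hex, r): [indices...]} for every (key, r) pair that
    occurs more than once.  Each entry is a pair of signatures from
    which the key is recoverable, so the wallet should be treated as
    compromised and its funds moved to a freshly generated key.
    """
    seen = defaultdict(list)
    for idx, (pubkey, sig) in enumerate(spends):
        r, _s = parse_der_signature(strip_sighash(sig))
        seen[(pubkey, r)].append(idx)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


# Constructed sample: spends 0 and 2 come from the same key with the
# same r (a repeated k); spend 3 shares the r but is a different key.
KEY_A = "02" + "ab" * 32            # placeholder compressed pubkey
KEY_B = "03" + "cd" * 32            # placeholder compressed pubkey
R_REPEATED = 0xC0FFEE1234
SAMPLE_SPENDS = [
    (KEY_A, der_encode_signature(R_REPEATED, 0x1111) + b"\x01"),
    (KEY_A, der_encode_signature(0xDEADBEEF, 0x2222) + b"\x01"),
    (KEY_A, der_encode_signature(R_REPEATED, 0x3333) + b"\x01"),
    (KEY_B, der_encode_signature(R_REPEATED, 0x4444) + b"\x01"),
]

if __name__ == "__main__":
    for (pubkey, r), idxs in find_nonce_reuse(SAMPLE_SPENDS).items():
        print(f"key {pubkey[:10]}... reused r={r:#x} in spends {idxs}")
```

A repeated r across two different keys (spend 3 above) is not by itself enough to recover either key, but it is still a sign that the signing device's random number generator is failing.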

elebit
August 11, 2013, 05:32:09 PM  #20

Could you please clarify:

1. Is this the same, or a different, issue from the one being discussed in the "Bad signatures" thread?

2. Is it absolutely and completely true that this is an Android issue, ie. hosted Blockchain.info wallets and other wallet software written in Java is not affected?

3. I generated my wallet keys off-device. Am I still vulnerable?

4. I generated my wallet keys on-device but have only received funds and not sent any, so no transactions were actually generated by the Android application. Am I still vulnerable?

5. If it turns out from any of the above two reasons that I am not vulnerable, will the update to Android Wallet specifically still rotate my wallet? There are probably a lot of wallets out there who would be greatly hurt by unnecessary transaction fees.

n4ru
August 11, 2013, 05:33:40 PM  #21

So basically, Google pulled a Sony...

Mike Hearn
August 11, 2013, 05:41:04 PM  #22

Could you please clarify:

1. Is this the same, or a different, issue from the one being discussed in the "Bad signatures" thread?

2. Is it absolutely and completely true that this is an Android issue, ie. hosted Blockchain.info wallets and other wallet software written in Java is not affected?

3. I generated my wallet keys off-device. Am I still vulnerable?

4. I generated my wallet keys on-device but have only received funds and not sent any, so no transactions were actually generated by the Android application. Am I still vulnerable?

5. If it turns out from any of the above two reasons that I am not vulnerable, will the update to Android Wallet specifically still rotate my wallet? There are probably a lot of wallets out there who would be greatly hurt by unnecessary transaction fees.

1. It's the same issue

2. It's an Android issue, not a Java issue.

3. The key would not have an issue in this case. However if you spent money from it then there's a small chance the key may have been exposed. However someone has been monitoring the network for this and claims it only happens a few times a month worldwide, what's more, someone appears to be stealing the money when it does happen. So if you haven't already suffered a theft, you probably haven't been exposed in this way, and simply upgrading and rotating the wallet is sufficient.

4. Your key may be vulnerable.

5. All wallets will be rotated automatically. The Bitcoin Wallet app doesn't really support importing arbitrary private keys. You can do it by re-using the backup mechanism, but key imports/exports in general have all kinds of problems and if you do it, you are "on your own". It's not an official feature of the app.

Andreas Schildbach
August 11, 2013, 05:42:11 PM  #23

I see a lot of questions here about which keys are affected and which not.

As far as Bitcoin Wallet goes, it will rotate your keys no matter how you created them and if you used them for signing. This is because there is no supported way of importing keys from other sources than itself (backup), so all keys must have been created using the flaky random number generator.

I can't tell about the other apps, but I hope they will rotate all keys as well.

Bitcoin Wallet for Android: Your own Bitcoins, in your own pocket!
https://play.google.com/store/apps/details?id=de.schildbach.wallet

AliceWonder
August 11, 2013, 05:51:22 PM  #24

Could this be what was behind all those random 1 mBTC payments that were going around?

As they are spent, if the wallet was Android they are now multiple spends from same address possibly allowing attacker to figure out private key.

n4ru
August 11, 2013, 05:52:29 PM  #25

Could this be what was behind all those random 1 mBTC payments that were going around?

As they are spent, if the wallet was Android they are now multiple spends from same address possibly allowing attacker to figure out private key.

Interesting thought... it would make a bit of sense.

millsdmb
August 11, 2013, 05:55:37 PM  #26

pink is a really crappy color, fwiw.

piotr_n
August 11, 2013, 05:58:14 PM  #27

pink is a really crappy color, fwiw.

indeed - it's barely visible.

DiamondCardz
August 11, 2013, 05:58:53 PM  #28

I noticed it instantly, actually.  Lips sealed

al.matic
August 11, 2013, 06:00:31 PM  #29

So basically, Google pulled a Sony...

So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...

n4ru
August 11, 2013, 06:09:58 PM  #30

So basically, Google pulled a Sony...

So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...

The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

No_2
August 11, 2013, 06:24:47 PM  #31

Interesting bug. Thanks for the info.

millsdmb
August 11, 2013, 06:28:14 PM  #32

I noticed it instantly, actually.  Lips sealed

I did too, just couldn't read it. Thought it was a new ad at first =P

theymos
August 11, 2013, 06:33:02 PM  #33

It's hard to get a good color due to the gradient.

justusranvier
August 11, 2013, 06:37:29 PM  #34

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.

Anon136
August 11, 2013, 06:39:19 PM  #35



in case anyone is confused about the color coding.

BurtW
August 11, 2013, 06:42:16 PM  #36

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.

Not really.  This is a problem with a specific implementation of a specific secure random number generator (android).

millsdmb
August 11, 2013, 06:43:03 PM  #37


in case anyone is confused about the color coding.

I withdrew all my BTC from vulnerable addresses.

This image reminds me how my crazy (in hindsight) mother did the same with her cash from the bank on Sept 11.
 

piotr_n
August 11, 2013, 06:45:00 PM  #38

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.

You must be joking.
If you cannot use the same private key again, to sign different stuff, then it is not even a digital signature application - you can as well start using random and their hashes, or something..

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented.
And nobody says that you using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature Smiley

AliceWonder
August 11, 2013, 06:47:14 PM  #39

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
Not really.  This is a problem with a specific implementation of a specific secure random number generator (android).

Yes really. Payment addresses should not be re-used after money is spent. If you do not re-use the address then you can not fall victim to this if your random generator is not as random as it should be.

But that has nothing to do with deterministic wallets. Non deterministic wallets do not require address re-use.

justusranvier
August 11, 2013, 06:48:25 PM  #40

Not really.  This is a problem with a specific implementation of a specific secure random number generator (android).

If addresses are never reused, it doesn't matter if individual private keys are compromised after the fact.

justusranvier
August 11, 2013, 06:51:30 PM  #41

But that has nothing to do with deterministic wallets. Non deterministic wallets do not require address re-use.

The reason that clients reuse addresses is because random key wallets are unsuitable for general use.

Requiring users to update their backups after every n transactions results in permanently lost funds.

The solution is to implement BIP32.

kangasbros
August 11, 2013, 06:53:47 PM  #42

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
Not really.  This is a problem with a specific implementation of a specific secure random number generator (android).

Single-address-per-transaction policy is better for privacy, and also protects from a class of security issues AFAIK. IMHO it is kind of supporting that BitcoinJ dev team hasn't been very keen on implementing proper multi-address support. But then again, it is open source, if you don't like it develop a batch... Myself I don't use BitcoinJ but other solutions.

Yash
August 11, 2013, 06:55:48 PM  #43

This is very risky... I was thinking about installing a wallet on my phone but it's too early to do that now.

Mike Hearn
August 11, 2013, 06:58:19 PM  #44

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

BurtW
August 11, 2013, 06:59:42 PM  #45

Not really.  This is a problem with a specific implementation of a specific secure random number generator (android).
If addresses are never reused, it doesn't matter if individual private keys are compromised after the fact.

The point is that with a proper RNG reuse is safe.

With a bad RNG no address is safe because it leads to bad signatures AND bad private keys.

elebit
August 11, 2013, 07:06:43 PM  #46

Mike Hearn, Goonie, thanks for answering my questions.

So if I understand this correctly, if you generated your key on Android, OR if you generated a transaction on Android, one should consider that key insecure. Correct?

Will the wallet rotation on the Android Bitcoin Wallet incur a transaction fee?

Mike Hearn
August 11, 2013, 07:08:13 PM  #47

Transactions that re-use K values seem to result in a theft a few hours later. So, if your money hasn't been stolen and the key was not weakly generated, it's probably OK.

Yes it will incur the usual min tx fee.

Moogle
August 11, 2013, 07:09:40 PM  #48

Pretty annoying for those people who imported vanity addresses into their android devices

sinner
August 11, 2013, 07:12:42 PM  #49

I'm confused--are all blockchain.info wallets vulnerable? (even if you don't have an Android phone)

Boelens
August 11, 2013, 07:13:28 PM  #50

I'm confused--are all blockchain.info wallets vulnerable? (even if you don't have an Android phone)

No, just those generated by an Android phone.

millsdmb
August 11, 2013, 07:13:52 PM  #51

I'm confused--are all blockchain.info wallets vulnerable? (even if you don't have an Android phone)

Here are the rollout statuses of each wallet I'm aware of:

blockchain.info wallet: An update was released today that adds a new key using a fixed RNG, so you can manually rotate now. Another update will follow in the coming days that will automatically re-send all coins controlled by the previous keys to the new one.

Please note that apps where you don't control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated or controlled by you at all.

Basic rule of thumb - if you'd lose the money if the phone/tablet were destroyed (assuming no backups), and that device is an Android device, then you need to upgrade ASAP.

For blockchain.info wallets, even if the keys were generated on a desktop/laptop computer or iPhone, if any payments were made from an Android device, you are also affected. Likewise, if you have imported private keys from elsewhere into an Android wallet and made payments with it, you may also be affected.



STT
August 11, 2013, 07:15:13 PM  #52

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didn't complain at the time

jbis1
Jr. Member
*
Offline Offline

Activity: 38



August 11, 2013, 07:17:16 PM
 #53

Reading through the entire thread, I am still not clear on this. If I logged into and made transactions using the blockchain.info website through my Android device's web browser, does this affect me? I have never used the blockchain.info app.
apetersson
Hero Member
*****
Offline Offline

Activity: 632


mycelium.com


August 11, 2013, 07:17:34 PM
 #54

If you are using Mycelium Wallet, a fix has been published to the Play Store (still pending review) and to mycelium.com.

If you download it from mycelium.com, you can check the sha1sum:

Code:
dba000cad4cbf94a7b4c621f57482322c0a96678  mbw-v0.6.5.apk

There will be a wizard guiding you through the process in an upcoming version, but for now, you can simply download version 0.6.5 (or greater) and move the keys to newly generated addresses.

  • generate a new key
  • backup this key (to sdcard or similar)
  • manually send funds to the new secure address.
  • move your empty old key to the Archive category

Please take care. The most likely chance of lost bitcoins is the loss of private keys. Don't use our wallet without a backup of the keys.
P_Shep
Hero Member
*****
Offline Offline

Activity: 826


August 11, 2013, 07:18:35 PM
 #55

Oopsie!
I've extracted all mah money... Waiting for update.

Anubis cgminer web frontend: https://bitcointalk.org/index.php?topic=57342.0
Files and instructions for CGminer on DD-WRT: https://bitcointalk.org/index.php?topic=76685.0
Pan handling: 1Fxpijq1NN52LzSzD2WtGbT3ZTWq366ejj
Sukrim
Hero Member
*****
Offline Offline

Activity: 994


August 11, 2013, 07:19:53 PM
 #56

Annoyingly the Schildbach wallet seems to now enforce(!) a 0.0001 BTC default fee! Angry

Well, these issues aside - thanks for informing us.

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf | https://just-dice.com/ <-- Bitcoin gambling done right!
Remember remember the 5th of November
Hero Member
*****
Offline Offline

Activity: 896

Remember me


August 11, 2013, 07:21:29 PM
 #57

Annoyingly the Schildbach wallet seems to now enforce(!) a 0.0001 BTC default fee! Angry

Well, these issues aside - thanks for informing us.
Well, what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually mean hours to days waiting for confirmations.

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
millsdmb
Full Member
***
Offline Offline

Activity: 182


August 11, 2013, 07:21:37 PM
 #58

Annoyingly the Schildbach wallet seems to now enforce(!) a 0.0001 BTC default fee! Angry

Well, these issues aside - thanks for informing us.
I can't find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. It's a penny. Go sell something on PayPal and tell me about fees.

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $5 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
JoelKatz
Hero Member
*****
Offline Offline

Activity: 1036


Democracy is vulnerable to a 51% attack.


August 11, 2013, 07:21:39 PM
 #59

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
This is a common misconception. Real-world computers actually have access to any number of sources of real randomness. For example, the offset between the crystal oscillator that drives the CPU and the crystal oscillator that drives the network card is determined by microscopic zone temperature variations that are believed to be truly random. The latency of a hard disk drive is dependent on turbulent airflow drag on the spindle which is also believed to be truly random. Some CPUs and chipsets have true random number generators on them, usually obtained from shot noise which is also believed to be truly random. (And even if they're not truly random, they are entirely unpredictable.)

I am an employee of Ripple Labs, the company behind the Ripple payment network.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ
piotr_n
Hero Member
*****
Offline Offline

Activity: 938



August 11, 2013, 07:23:19 PM
 #60

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
This is a common misconception. Real-world computers actually have access to any number of sources of real randomness. For example, the offset between the crystal oscillator that drives the CPU and the crystal oscillator that drives the network card is determined by microscopic zone temperature variations that are believed to be truly random. The latency of a hard disk drive is dependent on turbulent airflow drag on the spindle which is also believed to be truly random. Some CPUs and chipsets have true random number generators on them, usually obtained from shot noise which is also believed to be truly random. (And even if they're not truly random, they are entirely unpredictable.)
Which does not change the fact that there are corporations out there selling certified random number generators, for thousands of dollars per piece.
Try to explain to a bank that a PC can generate random data equally well... Smiley

Check out gocoin - my original project of a bitcoin client written in Go, with some unique features.
millsdmb
Full Member
***
Offline Offline

Activity: 182


August 11, 2013, 07:24:06 PM
 #61

Annoyingly the Schildbach wallet seems to now enforce(!) a 0.0001 BTC default fee! Angry

Well, these issues aside - thanks for informing us.
Well, what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually mean hours to days waiting for confirmations.

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $5 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
n4ru
Sr. Member
****
Offline Offline

Activity: 266



August 11, 2013, 07:24:37 PM
 #62

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
Nothing can generate a random number. Us included. Only pseudo-random.
Mike Hearn
Hero Member
*****
Offline Offline

Activity: 1232


August 11, 2013, 07:24:51 PM
 #63

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
JoelKatz
Hero Member
*****
Offline Offline

Activity: 1036


Democracy is vulnerable to a 51% attack.


August 11, 2013, 07:30:06 PM
 #64

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
Nothing can generate a random number. Us included. Only pseudo-random.
So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of them decays before the other; what do you think accounts for that?

I am an employee of Ripple Labs, the company behind the Ripple payment network.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ
elebit
Full Member
***
Offline Offline

Activity: 228


August 11, 2013, 07:30:45 PM
 #65

I can't find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. It's a penny. Go sell something on PayPal and tell me about fees.

Here are some reasons why:

You might have only a couple of pennies in your wallet (for novelty purposes).

Those who have moved beyond fiat pricing might like the idea of keeping their 1.0 bitcoins instead of having 0.99999 bitcoins.

Old money which is not broken into many thin slices doesn't need to pay fees; it doesn't need to wait more than a few hours anyway.
JoelKatz
Hero Member
*****
Offline Offline

Activity: 1036


Democracy is vulnerable to a 51% attack.


August 11, 2013, 07:31:44 PM
 #66

If an address is generated by a computer or other source, and then imported into a blockchain wallet, is it still vulnerable?

I think only if it's generated by Android.
Unfortunately, it is still vulnerable. The signature algorithm uses the random number generator as well and if a signature is generated improperly, it can compromise the private key. This was, in fact, the way the vulnerability was exploited.

"... some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen." -- Mike Hearn

I am an employee of Ripple Labs, the company behind the Ripple payment network.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ
candtalan
Jr. Member
*
Offline Offline

Activity: 53


August 11, 2013, 07:46:27 PM
 #67

Quote
..... Payment addresses should not be re-used after money is spent. If you do not re-use the address then you cannot fall victim to this if your random generator is not as random as it should be.
Novice here.
I guess, or understand, that 'receive' addresses can be safely used more than once? Presumably the receive process is much more passive than a payment process? Is my understanding ok here please?
NeedChangeNow
Jr. Member
*
Offline Offline

Activity: 30


August 11, 2013, 07:49:16 PM
 #68

Is this flaw related to why "Error Response Invalid signature" keeps happening to certain users attempting to send funds from the Blockchain.info Android app? (thread here: https://bitcointalk.org/index.php?topic=240548.0). I'd love to be able to get my btc out of this wallet but it seems less likely by the day.
justusranvier
Hero Member
*****
Offline Offline

Activity: 868



August 11, 2013, 07:51:46 PM
 #69

I guess, or understand, that 'receive' addresses can be safely used more than once?
Receive addresses should be used exactly one time, then never again.

If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.

elor70
Member
**
Offline Offline

Activity: 84


August 11, 2013, 07:53:11 PM
 #70

Thanks for the warning

LaudaM
Sr. Member
****
Offline Offline

Activity: 378



August 11, 2013, 08:00:32 PM
 #71

Oh boy, we didn't need this.
Thanks for the heads up.

BTC: 19zYTT7QoCqURn5oZw8VMMSo4tbpERUB4i
candtalan
Jr. Member
*
Offline Offline

Activity: 53


August 11, 2013, 08:04:44 PM
 #72

I guess, or understand, that 'receive' addresses can be safely used more than once?
Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.
Oh bother. Thanks. In my case I have never used an Android device for any Bitcoin stuff, so I trust I am safe from the current non-random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? Or is it just doing rather bad things?
n4ru
Sr. Member
****
Offline Offline

Activity: 266



August 11, 2013, 08:12:17 PM
 #73

I guess, or understand, that 'receive' addresses can be safely used more than once?
Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.
Oh bother. Thanks. In my case I have never used an Android device for any Bitcoin stuff, so I trust I am safe from the current non-random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? Or is it just doing rather bad things?

Oh boy... justusranvier is totally confusing the newbies.
rumak
Member
**
Offline Offline

Activity: 61


August 11, 2013, 08:13:13 PM
 #74

Thanks for the quick news and update.
Sukrim
Hero Member
*****
Offline Offline

Activity: 994


August 11, 2013, 08:13:39 PM
 #75

Well, what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually mean hours to days waiting for confirmations.
I wouldn't mind actually waiting some time if that meant my transaction was free. I didn't want or plan to transfer these funds in the first place and I don't mind them being stuck for some time in limbo. Once the TX is out there, it would be hard to double spend it anyways.

I can't find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. It's a penny. Go sell something on PayPal and tell me about fees.
Schildbach allowed this (0 fees) too some time ago so I consider it a regression. If I use PayPal, I pay for a service that goes beyond simple money transfer (I get fraud protection etc.).

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.
This is just stupidity on deepbit's end - they could always include their payouts for free in their own blocks, and I suggested something like that (pools accepting each other's payouts for free) a long time ago. Back then it was anyways easy to get anything transacted for free, so they never went forward with it. I don't want to pay a whole penny for a few bytes of storage that will be pruned away sooner or later anyways.

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.
The wallet used to have a setting that let me set fees to 0 on my own risk. This setting seems to be gone...
Anyways, fee handling and transaction prioritization is still a big mess in Bitcoin in my opinion, especially in the reference client that everyone seems to use unreflectingly, without even thinking about the settings.


About receiving coins at the same address:
In the end it means that you potentially lose privacy (e.g. the free bitcoins site could link your IP to your address, then you sell a mobile phone on the web and let them pay to the same address - now the free bitcoin site can see that you received some more coins + the buyer of the phone sees that you probably used this site). Security-wise it means that once you send something from your address, you expose the public key belonging to that address. In this case, the signature generated with it is weakening security - there is also the possibility of a breach of ECDSA keys in general. As long as nothing has been transferred off an address, it is as safe as possible from a current security standpoint.

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf | https://just-dice.com/ <-- Bitcoin gambling done right!
ashish12
Member
**
Offline Offline

Activity: 116


August 11, 2013, 08:21:17 PM
 #76

totally agree  Smiley

Well, what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually mean hours to days waiting for confirmations.
I wouldn't mind actually waiting some time if that meant my transaction was free. I didn't want or plan to transfer these funds in the first place and I don't mind them being stuck for some time in limbo. Once the TX is out there, it would be hard to double spend it anyways.

I can't find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. It's a penny. Go sell something on PayPal and tell me about fees.
Schildbach allowed this (0 fees) too some time ago so I consider it a regression. If I use PayPal, I pay for a service that goes beyond simple money transfer (I get fraud protection etc.).

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.
This is just stupidity on deepbit's end - they could always include their payouts for free in their own blocks, and I suggested something like that (pools accepting each other's payouts for free) a long time ago. Back then it was anyways easy to get anything transacted for free, so they never went forward with it. I don't want to pay a whole penny for a few bytes of storage that will be pruned away sooner or later anyways.

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.
The wallet used to have a setting that let me set fees to 0 on my own risk. This setting seems to be gone...
Anyways, fee handling and transaction prioritization is still a big mess in Bitcoin in my opinion, especially in the reference client that everyone seems to use unreflectingly, without even thinking about the settings.


About receiving coins at the same address:
In the end it means that you potentially lose privacy (e.g. the free bitcoins site could link your IP to your address, then you sell a mobile phone on the web and let them pay to the same address - now the free bitcoin site can see that you received some more coins + the buyer of the phone sees that you probably used this site). Security-wise it means that once you send something from your address, you expose the public key belonging to that address. In this case, the signature generated with it is weakening security - there is also the possibility of a breach of ECDSA keys in general. As long as nothing has been transferred off an address, it is as safe as possible from a current security standpoint.
kangasbros
Hero Member
*****
Offline Offline

Activity: 808


August 11, 2013, 08:21:53 PM
 #77

I guess, or understand, that 'receive' addresses can be safely used more than once?
Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.
Oh bother. Thanks. In my case I have never used an Android device for any Bitcoin stuff, so I trust I am safe from the current non-random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? Or is it just doing rather bad things?


If you are receiving minuscule amounts, then it doesn't matter. You can use common sense. The site isn't a scam.

candtalan
Jr. Member
*
Offline Offline

Activity: 53


August 11, 2013, 08:25:36 PM
 #78

Quote
If you are receiving minuscule amounts, then it doesn't matter. You can use common sense. The site isn't a scam.
Ah thanks, I was hoping that, it also helps to confirm my limited understanding of this stuff.
ISAWHIM
Sr. Member
****
Offline Offline

Activity: 350



August 11, 2013, 08:29:48 PM
 #79

Nothing can generate a random number. Us included. Only pseudo-random.

That is an opinion...

Fact is... any number which is not sequential and read from a list, is random. Might not be "as random as you would like", but it is still random. Even pseudo-random selection is non-sequential and not read from a list. (Unless you start at the beginning, start at the same seed/list or the seed is the same seed/list as another seed. Which is the repeat of a list.)

But I digress...

The problem is that these devices and programs, made by programmers with little knowledge, failed to understand the devices they were working with. That is what happens when you just copy-n-paste code and don't actually KNOW what it is doing.

One year... This has been known about android since the first program "solitaire" which used random numbers to shuffle, released before the phone was even physically made, in the emulator.

Oh, and the comment about "Glad I have an i-phone"... LOL... Might want to look at all the exploits your phone has, before you open your mouth. You are worse-off than the android phone, because you are naive and oblivious to the reality of the flaws of the device in your hands. Yay, you don't have THIS FLAW... You have your own, and no-one is fixing shit for you, unless you pay them for the app to secure the flaws.
elebit
Full Member
***
Offline Offline

Activity: 228


August 11, 2013, 08:43:36 PM
 #80

2. It's an Android issue, not a Java issue.

Also, could we please get a link to the relevant Android bug tracker item?

It's a bit frustrating to piece together rumors in order to know what actually happened here.
E.Sam
Sr. Member
****
Offline Offline

Activity: 336



August 11, 2013, 09:02:35 PM
 #81

Just wondering, would this affect Electrum as well?

I'm asking as it uses Google Scripting Layer & Python for Android.

http://electrum.org/android.html

n4ru
Sr. Member
****
Offline Offline

Activity: 266



August 11, 2013, 09:09:07 PM
 #82

Just wondering, would this affect Electrum as well?

I'm asking as it uses Google Scripting Layer & Python for Android.

http://electrum.org/android.html
The issue appears to be in the Java implementation of SecureRandom that Google uses.
Mike Hearn
Hero Member
*****
Offline Offline

Activity: 1232


August 11, 2013, 09:09:19 PM
 #83

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
Andreas Schildbach
Sr. Member
****
Offline Offline

Activity: 424



August 11, 2013, 09:16:25 PM
 #84

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

At least it's not running on Java, AFAIK. So it can't be affected by the same issues.

Bitcoin Wallet for Android: Your own Bitcoins, in your own pocket!
https://play.google.com/store/apps/details?id=de.schildbach.wallet
ReCat
Sr. Member
****
Offline Offline

Activity: 378



August 11, 2013, 09:32:09 PM
 #85

Thank god I have an iPhone Smiley
As far as apple is concerned. Bitcoin wallets don't exist for iOS. Tongue Security through obscurity is good, I think.

BTC: 1recatirpHBjR9sxgabB3RDtM6TgntYUW
Hold onto what you love with all your might, Because you can never know when - Oh. What you love is now gone.
btcsql
Full Member
***
Offline Offline

Activity: 179


August 11, 2013, 09:35:41 PM
 #86

Mike Hearn, you are the man now dog!
bitcool
Hero Member
*****
Offline Offline

Activity: 1106

Live and enjoy experiments


August 11, 2013, 10:35:07 PM
 #87

How "critical" is it? Has there been any successful attack using this weakness?
niko
Hero Member
*****
Offline Offline

Activity: 742


There is more to Bitcoin than bitcoins.


August 11, 2013, 10:44:24 PM
 #88

How "critical" is it? Has there been any successful attack using this weakness?

Sounds extremely critical, see links below.


done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? Smiley

This post is over one month old, while this one is over half a year old...
Watchfulness my ass Smiley

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Phinnaeus Gage
Hero Member
*****
Offline Offline

Activity: 1050


Bitcoin: An Idea Worth Spending


August 11, 2013, 10:48:08 PM
 #89

So basically, Google pulled a Sony...




So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...
The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

As I get my head wrapped around this, what comes to mind after reading the above is that if a random number is picked from a finite set of 10K elements, e.g., a duplicate is more apt to appear than if choosing a random number from a finite set of 10^100,000 elements. Does this make sense?

kano
Hero Member
*****
Online Online

Activity: 1008


Linux since 1997 RedHat 4


August 11, 2013, 11:22:06 PM
 #90

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
Nothing can generate a random number. Us included. Only pseudo-random.
So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of them decays before the other; what do you think accounts for that?
Ah, that's how Apple solved it?
Their phones have uranium in them Smiley

BTC: 1KanoiBupPiZfkwqB7rfLXAzPnoTshAVmb
CGMiner developer,  IRC FreeNode #cgminer kanoi
Help keep Bitcoin secure by mining on pools with Stratum, the best protocol to mine Bitcoins with ASIC hardware
Xer0
Sr. Member
****
Offline Offline

Activity: 448


°^°


August 11, 2013, 11:52:53 PM
 #91

explains the price...
ionstorm
Sr. Member
****
Offline Offline

Activity: 266


August 12, 2013, 12:58:34 AM
 #92

I randomly received 0.15 BTC yesterday to one of my Android-generated addresses. Why would I randomly get free money? This never happened to me before; is this related to the flaw?
Sukrim
Hero Member
*****
Offline Offline

Activity: 994


August 12, 2013, 01:05:01 AM
 #93

I randomly received 0.15 BTC yesterday to one of my Android-generated addresses. Why would I randomly get free money? This never happened to me before; is this related to the flaw?
Most likely not, either someone wanted to give a present to you or something else happened. It is not very likely that you would get MORE funds through this issue! Wink

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf | https://just-dice.com/ <-- Bitcoin gambling done right!
EagleTM
Jr. Member
*
Offline Offline

Activity: 45


August 12, 2013, 01:10:25 AM
 #94

Regarding Electrum:

We need to look into this further, but as far as I'm aware Electrum relies on Python's random implementation, which is usually the operating system's PRNG. This would make running Electrum on Android vulnerable to the same vectors as described in this post for other wallets.

Even if you created the seed on another platform, it may be possible to reveal the ECDSA private key of one of the addresses by spending (signing) multiple times from one address on Android. The seed itself should be safe.

The user base of Electrum on Android (SL4A) is small because of the cumbersome setup. Still, if you are a user and want to be safe, don't spend from Android until further news is available, and secure funds from addresses which you have spent from in Android and still have funds on.
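The failure JoelKatz describes in #66 (signatures with colliding R values exposing the key) and EagleTM's warning in #94 (signing repeatedly from one address on Android), as an added example that is not code from the thread or from any wallet it mentions: textbook secp256k1 ECDSA in pure Python with a constructed "stuck" nonce source standing in for the broken Android RNG, a simplified RFC 6979-style deterministic nonce as the mitigation, and a defender-side check that scans a batch of signatures for repeated R values. The curve constants are secp256k1's; the key, messages and stuck nonce are constructed; the deterministic nonce is a single HMAC, not a compliant RFC 6979 implementation.

```python
"""Added example: why a repeated ECDSA nonce matters, how to detect it, how to avoid it.

Not code from the thread or from any wallet it mentions. Textbook secp256k1 ECDSA
in pure Python (slow, illustrative), with two nonce sources: a constructed 'stuck'
RNG standing in for the Android SecureRandom failure, and a simplified RFC 6979-style
deterministic nonce. A defender-side check scans signatures for colliding R values.
"""
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(a, b):
    """Affine point addition on secp256k1 (y^2 = x^3 + 7); None is infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def sign(priv, msg_hash, k):
    """Raw ECDSA with a caller-supplied nonce k; returns (r, s)."""
    r = _scalar_mult(k)[0] % N
    s = pow(k, -1, N) * (msg_hash + r * priv) % N
    assert r and s, "degenerate nonce, pick another"
    return (r, s)


def verify(pub, msg_hash, sig):
    """Standard ECDSA verification: recompute kG from (r, s) and compare x."""
    r, s = sig
    w = pow(s, -1, N)
    point = _point_add(_scalar_mult(msg_hash * w % N), _scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


def deterministic_nonce(priv, msg_hash):
    """Simplified RFC 6979 idea: k = HMAC(priv, hash). Same key+message -> same k,
    different messages -> different k, and no RNG involved. Not the RFC's full
    HMAC_DRBG loop, so illustrative only."""
    mac = hmac.new(priv.to_bytes(32, "big"), msg_hash.to_bytes(32, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1


def find_colliding_r(signatures):
    """Detection check over (pubkey, msg_hash, (r, s)) records: the same key
    producing the same r twice means the nonce was reused. Returns the
    (pubkey, r) pairs seen more than once."""
    counts = {}
    for pub, _h, (r, _s) in signatures:
        counts[(pub, r)] = counts.get((pub, r), 0) + 1
    return [key for key, n in counts.items() if n > 1]


def demo():
    """Constructed scenario: one key signs two different messages with each nonce source."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    pub = _scalar_mult(priv)
    h1 = int.from_bytes(hashlib.sha256(b"constructed tx 1").digest(), "big")
    h2 = int.from_bytes(hashlib.sha256(b"constructed tx 2").digest(), "big")

    stuck_k = 0x1234567890ABCDEF  # constructed: the 'random' nonce comes back twice
    broken = [(pub, h, sign(priv, h, stuck_k)) for h in (h1, h2)]
    good = [(pub, h, sign(priv, h, deterministic_nonce(priv, h))) for h in (h1, h2)]

    return {
        "all_valid": all(verify(p, h, s) for p, h, s in broken + good),
        "broken_collisions": find_colliding_r(broken),  # one colliding (pub, r)
        "good_collisions": find_colliding_r(good),      # none
    }


if __name__ == "__main__":
    print(demo())
```

All four signatures verify, which is the point: nonce reuse is invisible to the verifier and only shows up when signatures from the same key are compared with each other.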
millsdmb
Full Member
***
Offline Offline

Activity: 182


August 12, 2013, 01:12:56 AM
 #95

I randomly received 0.15 BTC yesterday to one of my Android-generated addresses. Why would I randomly get free money? This never happened to me before; is this related to the flaw?
did you google the sending address?

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $5 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
EagleTM
Jr. Member
*
Offline Offline

Activity: 45


August 12, 2013, 01:15:21 AM
 #96

I randomly received 0.15 BTC yesterday to one of my Android-generated addresses. Why would I randomly get free money? This never happened to me before; is this related to the flaw?

Though unlikely, I suppose if you (not so) "randomly" happened to create a collision on Android you may have gained 0.15 BTC of another user, and both of you could spend it. It may well be related but certainly a coincidence. Would be interesting if this is followed up...
justusranvier
Hero Member
*****
Offline Offline

Activity: 868



August 12, 2013, 01:25:27 AM
 #97

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented.
And nobody says that you using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature Smiley
A better analogy would compare Bitcoin addresses to session keys.

ironfalcon
Newbie
*
Offline Offline

Activity: 16


August 12, 2013, 01:55:03 AM
 #98

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

As a former Google employee, I thank you for your vigilance!
millsdmb
August 12, 2013, 02:08:16 AM
 #99

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

As a former Google employee, I thank you for your vigilance!
How many BTC do you want for that crazy hat they give you?

grau
August 12, 2013, 03:17:53 AM
 #100

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up, which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

The BOP Android wallet to be released in conjunction with our payment solution uses BIP32.

The mobile uses the next even BIP32 index as the change address and the next odd index as the next receiving address. The server implements a single-pass scan using a BIP32 public key that generates an increasing look-ahead window from the last address seen on the block chain.

BOP Bitcoin Server: a modern, modular implementation of Bitcoin. https://bitsofproof.com
tgeller
August 12, 2013, 03:31:12 AM
 #101

What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt? I assume they have the same vulnerability. Any plans to update those?
millsdmb
August 12, 2013, 03:36:28 AM
 #102

What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt? I assume they have the same vulnerability. Any plans to update those?
No BTC, no care.

Don't they call Feathercoin "Fork that Coin"?

tgeller
August 12, 2013, 03:53:59 AM
 #103

@millsdmb, that's not helpful. Your opinion about Litecoin is less important than helping prevent theft, and I hope others in this forum will have useful information for the community at large.
giszmo
August 12, 2013, 05:04:44 AM
 #104

@millsdmb, that's not helpful. Your opinion about Litecoin is less important than helping prevent theft, and I hope others in this forum will have useful information for the community at large.

Not all consider all altcoins part of the community, and while I consider most altcoins blatant scams and therefore would not bother helping them not lose their premined coins or whatever, I wouldn't consider the Bitcoin community at large responsible for those rare altcoins that are no scams.

BitPirate
August 12, 2013, 05:12:29 AM
 #105

How are the patches working around the problem?

Are they using a different source of entropy, or are they checking that the two R-values don't collide?

In my mind, best practice would be to do both.

I see a lot of cases in code where people need multiple random and unique values, (e.g. UUIDs)... where the only two requirements are that they are indeterminate and unique... but because the domain of random outcomes is so huge they rely on the vanishingly small probability of collision, and don't bother to check uniqueness.

But as we have found, that "vanishingly small probability" isn't so small if the PRNG is broken. A simple collision check isn't a waste of CPU cycles -- it guards against this kind of system problem.

As such, can all Bitcoin clients, Android or otherwise, be updated to check that the two R-values are unique?

On a different note, I don't see much discussion about the broken Android PRNG, does anyone have a link to the bug reports? This must have some pretty far-reaching consequences outside Bitcoinland too...?

westkybitcoins
August 12, 2013, 05:28:23 AM
 #106

I randomly received 0.15 BTC yesterday to one of my Android-generated addresses. Why would I randomly get free money? This never happened to me before; is this related to the flaw?

Potentially different (worrisome) issue.

https://bitcointalk.org/index.php?topic=269231.0

There is the chance that spending that "free money" could result in the private key of that address being exposed.

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
emibe
August 12, 2013, 05:39:48 AM
 #107

Thanks for the update.
molecular
August 12, 2013, 06:24:01 AM
 #108

But that has nothing to do with deterministic wallets. Non deterministic wallets do not require address re-use.
The reason that clients reuse addresses is because random key wallets are unsuitable for general use.

Requiring users to update their backups after every n transactions results in permanently lost funds.

The solution is to implement BIP32.

Correct me if I'm wrong... type 2 deterministic wallets pose a danger in themselves: if one key gets compromised, all of them are. It's possible a user exported a single key from his Electrum wallet and used it in Mycelium (for example). It could get compromised by the bad RNG in Android and compromise all keys of the wallet.

I'm all for using deterministic wallets and use them myself. I just don't ever export private keys from them.



molecular
August 12, 2013, 06:34:17 AM
 #109

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw; a computer random number generator was the source, though I didn't complain at the time.
Nothing can generate a random number. Us included. Only pseudo-random.
So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of them decays before the other; what do you think accounts for that?

God ;-). He makes decisions based on discussion with the other gods. It's not random, but based on divine rationality. Just believe me, I talk to the spaghetti monster every day and it never utters random nonsense.

side-note: Oh hey cool. Here's another reason to found the "church of random".

justusranvier
August 12, 2013, 06:38:46 AM
 #110

It's possible a user exported a single key from his Electrum wallet and used it in Mycelium (for example). It could get compromised by the bad RNG in Android and compromise all keys of the wallet.
Does Electrum have "watching only" copies of deterministic wallets like Armory does? The attacker would need access to that in order to compromise the entire wallet instead of just the single private key that was exported and then used on a vulnerable client.

I just don't ever export private keys from them.
Private keys are called "private" for a reason, the belief of some people that it's a good idea to share them notwithstanding...

Snail2
August 12, 2013, 07:44:18 AM
 #111

Thanks for the update.

BTC.sx - Leveraged Bitcoin Trading. Simply use Bitcoin to take advantage of a rising or falling Bitcoin price.

BTC:1BF4jonmLRCtfcA2mxFBZgyRpdHviCTK5M  LTC:LSWWrUZFsVQYfnJF8u2wsfSJzt6nGekspY
phatsphere
August 12, 2013, 08:02:28 AM
 #112

This thread should be closed, and only updated with news regarding the actual problem. We don't need yet another fee discussion.

Also, one should answer the question whether imported vanity addresses are a problem. I would say no; only the possible other addresses where some change might have gone.

in case you want to be friends with my wallet, you have to send to 1HB9mgo3cdqBoC3jPemDpD8TPHFxcuQ8AD - http://www.bitcoin-austria.at/
jubalix
August 12, 2013, 08:02:53 AM
 #113

How vulnerable is Electrum to the seed issue that Android has, particularly on the various OSes, e.g. OS X 10.8+, Win7/Win8, Ubuntu, etc.?

Does anyone even know?

How can we check that we are not doing this?

http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
molecular
August 12, 2013, 08:10:57 AM
 #114

How vulnerable is Electrum to the seed issue that Android has, particularly on the various OSes, e.g. OS X 10.8+, Win7/Win8, Ubuntu, etc.?

Does anyone even know?

How can we check that we are not doing this?

http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

You can look at some signatures and check the random numbers. If they're equal, the RNG is flawed. If not, there is a chance it's not flawed. One could also look at the implementation. Not sure which random generator Electrum uses. It's written in Python; chances are it falls back to an OS-specific native implementation. I'm pretty sure the mobile version doesn't use the Android Java implementation.

grau
August 12, 2013, 08:24:17 AM
 #115

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up, which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

The BOP Android wallet to be released in conjunction with our payment solution uses BIP32.

The mobile uses the next even BIP32 index as the change address and the next odd index as the next receiving address. The server implements a single-pass scan using a BIP32 public key that generates an increasing look-ahead window from the last address seen on the block chain.
I was asked in a PM if that increases the load on the server with every new transaction.

Yes it does, but we have a strategy to reset the effort. Knowing the current master key's birth time limits the scan, as we only have to scan blocks thereafter. Now, the BOP wallet does not directly use the root BIP32 master, but a current master child of it, and rolls to a new master child at the user's request, thereby resetting the birth time and the scan effort. I am considering making these rolls mandatory after a usage threshold.

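The look-ahead window scan grau describes, as an added example written for this thread (not BOP or bitcoinj code): a single pass over a deterministic key chain that extends the window from the last index seen on chain, with even indices treated as change keys and odd indices as receiving keys, and a demonstration of the failure mode from the quoted bitcoinj remark, where coins sent to an index beyond the window are simply not found. Child derivation here is a hash-based stand-in, not real BIP32 CKDpub, and the xpub and chain contents are constructed.

```python
import hashlib

# Constructed stand-in for an extended public key; real BIP32 xpubs are 78 bytes.
XPUB = b"constructed-xpub-for-example"


def derive_address(xpub: bytes, index: int) -> str:
    """Stand-in for BIP32 public child derivation: deterministic per (xpub, index),
    but NOT the real CKDpub algorithm. Returns a short address-like token."""
    return hashlib.sha256(xpub + index.to_bytes(4, "big")).hexdigest()[:16]


def scan_chain(xpub: bytes, on_chain: set, gap: int, start: int = 0):
    """Single-pass scan with an increasing look-ahead window.

    Walks indices upward from `start`. Every time a derived address is found on
    chain, the window is pushed out another `gap` indices beyond it. Scanning
    stops once `gap` consecutive unused indices follow the last used one.
    Returns (list of used indices, first index beyond the final window).
    """
    used, index, unused_run = [], start, 0
    while unused_run < gap:
        if derive_address(xpub, index) in on_chain:
            used.append(index)
            unused_run = 0          # activity seen: window extends again
        else:
            unused_run += 1
        index += 1
    return used, index              # index == last_used + gap + 1


def next_indices(used) -> tuple:
    """Even indices are change keys, odd indices are receiving keys (grau's scheme).
    Returns (next free change index, next free receive index)."""
    taken = set(used)

    def first_free(parity: int) -> int:
        i = parity
        while i in taken:
            i += 2
        return i

    return first_free(0), first_free(1)


def demo():
    # Constructed chain state: activity at indices 1, 3, 4 and a stray payment
    # to index 40, far beyond the window that a gap of 20 produces.
    chain = {derive_address(XPUB, i) for i in (1, 3, 4, 40)}
    used_small, edge_small = scan_chain(XPUB, chain, gap=20)   # misses index 40
    used_large, edge_large = scan_chain(XPUB, chain, gap=40)   # window reaches it
    return {
        "gap20": (used_small, edge_small, next_indices(used_small)),
        "gap40": (used_large, edge_large, next_indices(used_large)),
    }


if __name__ == "__main__":
    for name, (used, edge, nxt) in demo().items():
        print(f"{name}: used={used} window_edge={edge} next(change, receive)={nxt}")
```

With gap 20 the scan stops at index 25 and never derives index 40, so the 40-index payment is invisible to the wallet until the window is widened; the server-side reset grau mentions (scanning from a fresh master child's birth time) bounds the cost of widening.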
Xeno-Genesis
August 12, 2013, 10:04:56 AM
 #116

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.
solex
August 12, 2013, 10:06:25 AM
 #117

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?
The source: http://nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

Please help fund projects to advance Bitcoin:
CoinJoin privacy protection at 3M8XGFBKwkf7miBzpkU3x2DoWwAVrD1mhk P2Pool decentralized mining at 1KxvX5Hx8nh36ig2gT5bpeEcqLQcwJsZGB
blockchain ultra-pruning at 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
piotr_n
August 12, 2013, 10:08:33 AM
 #118

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

Depends how you define "it".
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

Check out gocoin - my original project of a bitcoin client written in Go, with some unique features.
willphase
August 12, 2013, 10:37:33 AM
 #119

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

Depends how you define "it".
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html


It's always been known that ECDSA with the same random number allows private key discovery. It's been known since earlier this year that some hardware wallets were not using decent random numbers, but as far as I know it's only very recently that it was found that the Android PRNG also suffered from this issue.

Will

piotr_n
August 12, 2013, 10:39:41 AM
 #120

As far as I know it's only very recently that it was found that the Android PRNG also suffered from this issue.

Then look at this document, published several months ago:
https://bitcointalk.org/index.php?topic=271486.msg2913741#msg2913741
http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations

jubalix
August 12, 2013, 10:40:58 AM
 #121

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info...

Is this deliberate?

While this is sorted out...
piotr_n
August 12, 2013, 10:41:59 AM
 #122

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info...

Is this deliberate?

While this is sorted out...
blockchain.info has been sort of offline for over 5 hrs already.

Moreover, blockexplorer.com has also been stopped, sometime yesterday.

Xeno-Genesis
August 12, 2013, 10:48:25 AM
 #123

I emailed to a journalist from The Register how I discovered that the Android PRNG affected BitcoinJ applications in Android. Here's a copy of the email I sent to the journalist:

Quote
I discovered the flaw thanks to a small stash of stolen bitcoins.

It all started with a missed call from a friend at 00:30 on August 5, and a subsequent SMS telling me that he had 0.91 bitcoins stolen from his Android wallet. "Somebody hacked my Android phone," he would repeat. I did not believe this to be likely. He is the most security-conscious person I know. Besides, he is a computer scientist and knows the Bitcoin protocol in and out. Android phones are known to be vulnerable, but it's very unlikely that a phone that only ran reputable apps from Google Play got hacked. I thought about Spock, who quoted Arthur Conan Doyle: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth". The impossible was that his phone got hacked. The truth then should be that somebody found his private key through cryptanalysis on the Bitcoin blockchain (the public ledger where all transactions are kept).

A lookup on the address that the funds were sent to revealed a forum post https://bitcointalk.org/index.php?topic=251743, so I put on my detective hat and read the post. I also published a message to it stating what had happened to my friend. The common factor seemed to be Android, and I immediately thought about the possibility of a flaw in its pseudo-random number generator (PRNG).

I investigated online and found this paper http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations#page=9, which I sent to Mike Hearn, pointing him to page 9, in which the flaw in Apache Harmony's PRNG (the one used by Android) was described. I also pointed out to him that his BitcoinJ code was using that PRNG in the regular non-seeded way, which triggered the flaw.

I originally suggested that private key collisions may have been found and exploited. Later on the weekend a reply to the Bitcoin forum post by johoe clarified that the issue with the PRNG was leading to collisions in the random number parameter k that the elliptic curve signature algorithm needs in order to be secure, making it trivial to extract the private key from two transactions that used the same k.
gmaxwell
August 12, 2013, 10:57:33 AM
 #124

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?
I'm not sure that that's entirely inaccurate; go look at the bitcoin-dev logs from January. IIRC, there was reason to suspect that some of the duplicate-nonce signatures were coming from BitcoinJ, and there was some speculation about broken Java RNGs that went nowhere.
narayan
August 12, 2013, 11:00:31 AM
 #125

What do I do? I have 20 BTC in Blockchain.info and now it doesn't even load.

Did someone steal my coins?

Got error 157 'Unknown error code' from NDBCLUSTER

BTC: 1PiPooLvcEoBLuXBHbwUnN5rShs2nas223
LTC: LRq7YPMDoERSZcte9ZPNHQkUbfiPsY55VM
jubalix
August 12, 2013, 11:02:04 AM
 #126

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info...

Is this deliberate?

While this is sorted out...
blockchain.info has been sort of offline for over 5 hrs already.

Moreover, blockexplorer.com has also been stopped, sometime yesterday.

Hmm, deliberate.


But surely bitcoind can do this as well. A program that compares sigs must be able to run through and auto-check.
TradeFortress
August 12, 2013, 11:04:01 AM
 #127

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info...

Is this deliberate?

While this is sorted out...
blockchain.info has been sort of offline for over 5 hrs already.

Moreover, blockexplorer.com has also been stopped, sometime yesterday.

Hmm, deliberate.


But surely bitcoind can do this as well. A program that compares sigs must be able to run through and auto-check.

You should have been emailed a copy of your wallet every time you made changes to it. Import it to Multibit with your passphrase.

Inputs.io - bitcoin wallet + offchain + security
CoinLenders - bitcoin bank script / functional demo
CoinChat - chat network integrated with Bitcoin

Contact me via email! admin@glados.cc | GPG KeyID 63DD3F13
http://1v.io/gladoscc | 1GLadosEkeAsLReqS3yQ51E1R3wVtbJCDF
theDF
August 12, 2013, 11:17:21 AM
 #128

What do I do? I have 20 BTC in Blockchain.info and now it doesn't even load.

Did someone steal my coins?

Got error 157 'Unknown error code' from NDBCLUSTER

Calm down, and check your wallet right now, because blockchain.info is already back to normal (so far).

Mike Hearn
August 12, 2013, 12:27:01 PM
 #129

It's got nothing to do with bitcoinj. The issue is with SecureRandom itself. As far as I know all Bitcoin signing implementations on Android use this API.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
becoin
August 12, 2013, 12:33:22 PM
 #130

Done and done; thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? :)

This post is over one month old, while this one is over half a year...
Watchfulness my ass :)
As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS, they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java-based app for Android is not truly open sourced! Period. Paragraph.

18sNtvUmtW6nrQXfYt1wvviGockSWxhPBX
Predictious
August 12, 2013, 01:16:02 PM
 #131

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.
Well done, guys! It would have been fair if Mike Hearn had given you credit.
molecular
August 12, 2013, 01:33:34 PM
 #132

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Thank you so much for your prudence!

westkybitcoins
August 12, 2013, 01:37:24 PM
 #133

Done and done; thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? :)

This post is over one month old, while this one is over half a year...
Watchfulness my ass :)
As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS, they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java-based app for Android is not truly open sourced! Period. Paragraph.


Hmph.

I think if this were common knowledge it might raise a few eyebrows. I was under the impression it was open-source through and through.

*re-investigates cyanogenmod*

molecular
August 12, 2013, 01:39:19 PM
 #134

I just remembered: there was a "workshop" at CCC at the end of last year that I attended. Transactions were shown in the blockchain with identical R in signatures. The source was supposedly traced to "bitcoincard" test transactions.

Now I'm not so sure it was the only source.

westkybitcoins
August 12, 2013, 01:49:31 PM
 #135

Also, one should answer the question whether imported vanity addresses are a problem. I would say no; only the possible other addresses where some change might have gone.

Yes, they are.

This particular problem isn't about the private keys themselves (although I wouldn't trust private keys generated with a broken pseudo-random number generator anyway). The problem is that securely signing a transaction requires using a unique random value each time. If you use the same private key in two different transactions/spends (and this includes vanity addresses), but the same random value is involved in the signing process both times, then your key is compromised.

It doesn't matter what the private key is. If you can't get decent random values to use for the signing, you're going to be exposed. It's a pretty disturbing oversight on the part of those who wrote the Android PRNG library.

phatsphere
August 12, 2013, 02:34:17 PM
 #136

It's a pretty disturbing oversight on the part of those who wrote the Android PRNG library.

Yes. That's what's baffling me, too. Especially given the fact that an Android device has many more sources of random information than a commodity PC. Just think about gyroscope, magnetism, acceleration, ...

theDF
August 12, 2013, 02:52:47 PM
 #137

Yes. That's what's baffling me, too. Especially given the fact that an Android device has many more sources of random information than a commodity PC. Just think about gyroscope, magnetism, acceleration, ...

Oh yeah, why do the developers never think about it... using sensors as a random generator, where it is almost impossible to generate the same pattern. Brilliant!

piotr_n
August 12, 2013, 02:54:43 PM
 #138

Oh yeah, why do the developers never think about it... using sensors as a random generator, where it is almost impossible to generate the same pattern. Brilliant!
Because this should be the duty of an OS: to take advantage of whatever entropy sources it has and provide the apps with an API for secure random numbers.
At least a modern OS; nobody expected it from MS-DOS back then :)

Mike Hearn
August 12, 2013, 03:32:41 PM
 #139

I already updated the second post after my announcement to give some credit to Jean-Pierre, though I guess most of the credit goes to the researchers who uncovered the vulnerabilities in the first place. But still, it was very useful for Jean-Pierre to inform us privately.

The Android JVM is open source. It's called Dalvik. I don't know where anyone would get the idea it's not open source from.


HBBZ
August 12, 2013, 03:54:31 PM
 #140

This is a sign of a healthy community. Bravo!

南無阿彌陀佛
phatsphere
August 12, 2013, 03:55:30 PM
 #141

Oh yeah, why do the developers never think about it...
Well, "Java" in general has the idea that you do not have to think about this. As a developer you assume that it works, which in reverse is a good way to shoot yourself in the foot. In that case, the implementation of Java is the problem. I don't know any details about Google's modifications to the underlying Linux itself, but my guess is that its random number source is also a good one. It's more or less just this broken link between the low level and the higher levels which causes this.
If the Android Linux OS developers are as smart as I think, they're already using all available input sensors as sources for randomness.

dserrano5
August 12, 2013, 04:11:32 PM
 #142

BitcoinSpinner / Mycelium Wallet

An update has been prepared for Mycelium Wallet and is being pushed out via the Play Store. If you use BitcoinSpinner you are encouraged to upgrade to Mycelium Wallet, which is maintained by the same people.

I just removed Spinner and installed Mycelium. It reports version 0.7.0 beta, is this one safe regarding this problem?

PGP :: OTC :: Localbitcoins :: bitcoind -addnode=bk5ejfe56xakvtkk.onion
I prefer to be sent PGP-encrypted PMs :: Prefiero recibir MPs cifrados con PGP.
Diapolo
August 12, 2013, 04:18:37 PM
 #143

It would be nice if other app stores would also get updates. F-Droid, for example, doesn't yet show an update for Bitcoin Wallet.

Dia

Like my work for Bitcoin-Qt?
1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x
bitcoin:1PwnvixzVAKnAqp8LCV8iuv7ohzX2pbn5x?label=Diapolo
niko
August 12, 2013, 04:28:56 PM
 #144

How are the patches working around the problem?

Are they using a different source of entropy, or are they checking that the two R-values don't collide?

In my mind, best practice would be to do both.

I see a lot of cases in code where people need multiple random and unique values, (e.g. UUIDs)... where the only two requirements are that they are indeterminate and unique... but because the domain of random outcomes is so huge they rely on the vanishingly small probability of collision, and don't bother to check uniqueness.

But as we have found, that "vanishingly small probability" isn't so small if the PRNG is broken. A simple collision check isn't a waste of CPU cycles -- it guards against this kind of system problem.

As such, can all Bitcoin clients, Android or otherwise, be updated to check that the two R-values are unique?

On a different note, I don't see much discussion about the broken Android PRNG, does anyone have a link to the bug reports? This must have some pretty far-reaching consequences outside Bitcoinland too...?

Any comments from the developers here? Checking the uniqueness would require storing past r values along with the private key. Any problematic consequences of this?

And yes, I am surprised that there is not much buzz about the broken android PRNG in general, unrelated to Bitcoin. Does all crypto on Android rely on this broken PRNG?  Who wrote this particular implementation, who let it slip by? What else has slipped by? 

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
apetersson
Hero Member
mycelium.com
August 12, 2013, 04:31:43 PM
 #145

Quote
BitcoinSpinner / Mycelium Wallet

An update has been prepared for Mycelium Wallet and is being pushed out via the Play Store. If you use BitcoinSpinner you are encouraged to upgrade to Mycelium Wallet, which is maintained by the same people.

I just removed Spinner and installed Mycelium. It reports version 0.7.0 beta, is this one safe regarding this problem?

yes it is. it also features a migration wizard if you generated a key inside Mycelium prior to 0.6.5.
piotr_n
Hero Member
August 12, 2013, 04:32:57 PM
 #146

Quote
How are the patches working around the problem?

Are they using a different source of entropy, or are they checking that the two R-values don't collide?

In my mind, best practice would be to do both.

I see a lot of cases in code where people need multiple random and unique values, (e.g. UUIDs)... where the only two requirements are that they are indeterminate and unique... but because the domain of random outcomes is so huge they rely on the vanishingly small probability of collision, and don't bother to check uniqueness.

But as we have found, that "vanishingly small probability" isn't so small if the PRNG is broken. A simple collision check isn't a waste of CPU cycles -- it guards against this kind of system problem.

As such, can all Bitcoin clients, Android or otherwise, be updated to check that the two R-values are unique?

On a different note, I don't see much discussion about the broken Android PRNG, does anyone have a link to the bug reports? This must have some pretty far-reaching consequences outside Bitcoinland too...?
Any comments from the developers here?  Checking the uniqueness would require storing past r values along with the private key. Any problematic consequences of this?

And yes, I am surprised that there is not much buzz about the broken android PRNG in general, unrelated to Bitcoin. Does all crypto on Android rely on this broken PRNG? Who wrote this particular implementation, who let it slip by? What else has slipped by?

AFAIK, the patches are using /dev/random as the source of random data. This one has not been screwed up by Google and it seems to be reliable.

No need to keep track of all previous R values, since the chance of picking the same 256 bit random number again is likely lower than the chance of the h/w failing in a way that it would broadcast such stored R values from your history buffer.

And yes - all the other Android apps that rely on the SecureRandom class are at risk.
I'm also surprised that Google does not give a shit, since it seems that they have known about this specific issue for months.
Maybe someone should sue them, to teach them a lesson. :)
I bet that there are plenty of (e.g. online banking) apps that are also affected.

Check out gocoin - my original project of a bitcoin client written in Go, with some unique features.
TippingPoint
Sr. Member
Live a Quiet Life & Work With Your Hands
August 12, 2013, 04:35:01 PM
 #147

Exhibit A

https://developer.android.com/reference/java/security/SecureRandom.html



The first rule of fight club is you do not talk about fight club.
Bitmessage BM-2cTpnX2iUZm4V2utSE82SG9RRQ5LQ6Huj3
blockgenesis
Sr. Member
August 12, 2013, 04:42:52 PM
 #148

Quote
I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Very much appreciated, thanks. And thanks to every developer who worked to push out updates and instructions in such a short time.

Donation: 18XXXQs1vAQGBAZbXKA322r9Zy1nZac2H4
grau
Hero Member
bits of proof
August 12, 2013, 04:50:43 PM
 #149

So Google discourages seeding SecureRandom .... Why ?
Maybe the default implementation is NSA approved.

BOP Bitcoin Server: a modern, modular implementation of Bitcoin. https://bitsofproof.com
gmaxwell
Staff
Hero Member
August 12, 2013, 04:52:43 PM
 #150

IIRC if you seed it before ever pulling a random number from it, it will only be seeded from your (quite likely weak) seed, and not the OS provided randomness. Seeding it should be unnecessary, and it makes it easy to screw yourself.
piotr_n
Hero Member
August 12, 2013, 04:52:52 PM
 #151

Quote
So Google discourages seeding SecureRandom .... Why ?
Maybe the default implementation is NSA approved.

Hehe - as a guy with a "tinfoil hat" label given already, I must say that it is not an entirely unreasonable theory :)

TippingPoint
Sr. Member
Live a Quiet Life & Work With Your Hands
August 12, 2013, 04:56:43 PM
 #152

Seed PRNG with accelerometer, gyroscope, compass, barometer, or GPS if available?
http://www.gsmarena.com/glossary.php3?term=sensors

piotr_n
Hero Member
August 12, 2013, 04:57:52 PM
 #153

Quote
Seed with accelerometer, gyroscope, compass, barometer, or GPS if available?

But that is exactly what the default OS implementation should be doing.
Instead it's seeding with a 31 bit value... :)

grau
Hero Member
bits of proof
August 12, 2013, 05:12:27 PM
 #154

Quote
IIRC if you seed it before ever pulling a random number from it, it will only be seeded from your (quite likely weak) seed, and not the OS provided randomness. Seeding it should be unnecessary, and it makes it easy to screw yourself.

Understood.

If however the "self seeding" of SecureRandom creates low entropy then it creates a master key to all cryptography used on the device including https://, SSL and not only Bitcoin.

The fact that the few Bitcoin transactions that Android Wallet users created were able to expose the weakness tells me that the flaw is serious to such an extent that I ask if it is intentional.

Edit: I mean a back door with "master key" above. Brute forcing all protocols does not require real force in absence of quality randomness.

TippingPoint
Sr. Member
Live a Quiet Life & Work With Your Hands
August 12, 2013, 05:15:38 PM
 #155

"law enforcement remains in unanimous agreement that the continued widespread availability and increasing use of strong, non-recoverable encryption products will soon nullify our effective use of court-authorized electronic surveillance."  - Louis Freeh, former Director of FBI

becoin
Hero Member
August 12, 2013, 06:05:56 PM
 #156

Quote
I already updated the second post after my announcement to give some credit to Jean-Pierre, though I guess most of the credit goes to the researchers who uncovered the vulnerabilities in the first place. But still, it was very useful for Jean-Pierre to inform us privately.

The Android JVM is open source. It's called Dalvik. I don't know where anyone would get the idea it's not open source from.


It's pseudo open source!

It is not strictly a JVM, as it is a register-based VM (as opposed to the stack-based standard JVM) that executes its own Dalvik byte code, not Java byte code. A tool called dx is used to transform Java classes into the special .dex file format. Some structures (magic numbers) of the .dex file format are not well documented. If you create your own VM and file system and tag it open source, you have to open source all the tools you use to compile for it, including the JIT compiler and interpreter.

A few links exposing recent security holes in Dalvik's proprietary .dex file format:
http://www.retrodev.com/android/dexformat.html

Anatomy of a security hole - Google's "Android Master Key" debacle explained
http://nakedsecurity.sophos.com/2013/07/10/anatomy-of-a-security-hole-googles-android-master-key-debacle-explained/

Anatomy of another Android hole
http://www.digitalnewsasia.com/node/2940


18sNtvUmtW6nrQXfYt1wvviGockSWxhPBX
SgtSpike
Hero Member
Firstbits: 18tkn
August 12, 2013, 06:21:19 PM
 #157

Could the OP be updated to include a list of apps that have been updated against this bug?  I don't want to read through the whole 8 pages to find out which apps have and have not been updated, and I'm sure it'd be helpful to other people as well.

DiamondCardz
Sr. Member
A caelo usque ad centrum.
August 12, 2013, 06:27:32 PM
 #158

Quote
Could the OP be updated to include a list of apps that have been updated against this bug? I don't want to read through the whole 8 pages to find out which apps have and have not been updated, and I'm sure it'd be helpful to other people as well.

These are the current statuses:



From http://bitcoin.org/en/alert/2013-08-11-android - they should be getting updated daily.

phatsphere
Hero Member
August 12, 2013, 06:30:45 PM
 #159

Quote
another question i have in mind is chrome, firefox, opera mobile or the native android web browser itself. suppose, i'm using one of those on my android phone or tablet, and i'm using a web-wallet like blockchain or a bitaddress generator. do these browsers also rely on this flaw in java or do they circumvent this via native C code?

i think it depends on the browser …

CurbsideProphet
Hero Member
August 12, 2013, 06:38:08 PM
 #160

Thanks for the heads up.  Guess I'll have to do another vanity addy, although I've never really used it other than for novelty.

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV
blockgenesis
Sr. Member
August 12, 2013, 06:57:15 PM
 #161

Quote
Could the OP be updated to include a list of apps that have been updated against this bug? I don't want to read through the whole 8 pages to find out which apps have and have not been updated, and I'm sure it'd be helpful to other people as well.

These are the current statuses:



From http://bitcoin.org/en/alert/2013-08-11-android - they should be getting updated daily.

Blockchain.info just released v3.54; I've updated the page, it should refresh in the next few minutes. After a while, perhaps a few more details will be added, but since all the listed wallets now have updates published, I guess that most of it is over. Now it's just a matter of waiting for these updates to deploy and staying around to see how it goes.

Hawkix
Hero Member
August 12, 2013, 07:01:09 PM
 #162

Shouldn't the key rotation be performed only on private keys known to be influenced (generation, transaction signatures) by this random generator flaw? I do not want to run Blockchain on my Android to realize that it will re-send and merge (automatically .. ugh) all my savings into another address!

Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
apetersson
Hero Member
mycelium.com
August 12, 2013, 07:11:32 PM
 #163

Quote
another question i have in mind is chrome, firefox, opera mobile or the native android web browser itself. suppose, i'm using one of those on my android phone or tablet, and i'm using a web-wallet like blockchain or a bitaddress generator. do these browsers also rely on this flaw in java or do they circumvent this via native C code?
i think it depends on the browser …

nobody knows. auditing this piece of code is very complex.

just think about why some TLAs were boasting about "phenomenal breakthroughs" in cryptanalysis.
http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

a few months ago most of this speculation was conspiracy theory. now some of this is conspiracy fact.
seeing this kind of code audit failure/randomness failure makes me go shopping for tinfoil hats.

on my back-of the-spreadsheet envelope calculation i have estimated the "real" keyspace of SecureRandom to be very, very low.
definitely not 2^256.
edit: i don't even dare to write the number down - if the calculation is right this is too scary.

https://docs.google.com/spreadsheet/ccc?key=0Av2s7TgXTjFTdDNNZUlrb1ZPUG9EYmZGV0drZ1dWVlE#gid=0
this calculation is based on the fact that we have seen at least 1 collision of random values on android phones.
last time i did statistics was 10 years ago, so please point out any errors.

it also points out a discrepancy. if the entropy were that low, we would see a massive amount of duplicate addresses, which are absent. i suspect the private key space is large enough - but the entropy provided at signing is too low.
ThomasV
Hero Member
August 12, 2013, 07:55:26 PM
 #164

Quote
Just wondering, would this affect Electrum as well?

http://electrum.org/android.html


From what we can gather, this issue seems to be a Java PRNG implementation issue.
Electrum should be safe from this, because it does not use Java; it uses /dev/urandom directly.
However, there might be other bugs in the Android platform, which is under overall scrutiny following this issue.

Electrum: the convenience of a web wallet, without the risks
LaudaM
Sr. Member
August 12, 2013, 07:56:37 PM
 #165

Fixed?

BTC: 19zYTT7QoCqURn5oZw8VMMSo4tbpERUB4i
CurbsideProphet
Hero Member
August 12, 2013, 08:13:36 PM
 #166

Quote
Shouldn't the key rotation be performed only on private keys known to be influenced (generation, transaction signatures) by this random generator flaw? I do not want to run Blockchain on my Android to realize that it will re-send and merge (automatically .. ugh) all my savings into another address!


This is why it's better to have your savings in an offline/paper wallet.  Use blockchain only for the Bitcoins you're going to be using for near-term transactions.

dwolfman
Full Member
August 12, 2013, 08:28:35 PM
 #167

Quote
Could the OP be updated to include a list of apps that have been updated against this bug? I don't want to read through the whole 8 pages to find out which apps have and have not been updated, and I'm sure it'd be helpful to other people as well.

These are the current statuses:



From http://bitcoin.org/en/alert/2013-08-11-android - they should be getting updated daily.

I'm wondering if this means they aren't updating Bitcoin Spinner?  Got my phone set up the way I want it, and this means switching yet another app out.  I don't have any bitcoins in it right now, and probably won't in the near future anyway.  Haven't sent anything from it in months, so I'm not in too big a hurry to update it.

Wanna send coins my way? 1BY2rZduB9j8Exa4158QXPFJoJ2NWU1NGf or just scan the QR code in my avatar.  :-)
Kiwi7
Jr. Member
Coding in Java in exchange for BTC.
August 12, 2013, 08:30:53 PM
 #168

Whoa whoa, I've just transferred all my BTC from an Android wallet to inputs.io.

apetersson
Hero Member
mycelium.com
August 12, 2013, 08:38:54 PM
 #169

Quote
I'm wondering if this means they aren't updating Bitcoin Spinner? Got my phone set up the way I want it, and this means switching yet another app out. I don't have any bitcoins in it right now, and probably won't in the near future anyway. Haven't sent anything from it in months, so I'm not in too big a hurry to update it.

According to Jan, an update to bitcoinspinner was pushed to google play, will appear soon.
Roy Badami
Sr. Member
August 12, 2013, 08:56:57 PM
 #170

This post http://seclists.org/oss-sec/2013/q3/358 mentions deterministic ECDSA signatures and references RFC 6979.

Is there any reason why Bitcoin clients shouldn't use this construction, other than perhaps the possible newness of this exact instantiation?

roy
Mike Hearn
Hero Member
August 12, 2013, 10:58:18 PM
 #171

That RFC was published only a few days ago. To call it "new" would be an understatement.

IMO it doesn't make much difference. We could implement it, but it would not have avoided the need to do a key rotation.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
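The two proposals in this exchange, niko's r-collision check (#144) and Roy's RFC 6979 question (#170), written out as an added example; this is not code from any wallet discussed in the thread. `rfc6979_nonce` follows RFC 6979 section 3.2 and the test checks it against the RFC's own P-256/SHA-256 "sample" vector; `Signer` derives k that way and additionally refuses to sign when the same r would appear under a different message, which is exactly the condition that leaks a key. The curve arithmetic is a plain textbook implementation (not constant-time), and the key and messages used in the test are constructed.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses); public constants
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (textbook, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def bits2int(b, qlen):
    """RFC 6979 bits2int: the leftmost qlen bits of b as an integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - qlen) if blen > qlen else v

def rfc6979_nonce(priv, h1, q, hashfunc=hashlib.sha256):
    """RFC 6979 3.2: derive k from the key and message hash; no RNG is consulted."""
    qlen, hlen = q.bit_length(), hashfunc().digest_size
    rolen = (qlen + 7) // 8
    bx = priv.to_bytes(rolen, "big") + (bits2int(h1, qlen) % q).to_bytes(rolen, "big")
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + bx, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    K = hmac.new(K, V + b"\x01" + bx, hashfunc).digest()
    V = hmac.new(K, V, hashfunc).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()   # candidate rejected: re-key
        V = hmac.new(K, V, hashfunc).digest()

class NonceReuseError(Exception):
    """The signer was about to emit the same r for a second, different message."""

class Signer:
    """ECDSA over secp256k1 with deterministic k plus the r-collision guard."""
    def __init__(self, priv):
        self.priv = priv
        self.seen = {}   # r -> message hash; a wallet would persist this beside the key

    def sign(self, msg_hash, k=None):
        # k comes from RFC 6979; passing k explicitly only models a broken RNG here
        if k is None:
            k = rfc6979_nonce(self.priv, msg_hash, N)
        r = ec_mul(k, G)[0] % N
        z = bits2int(msg_hash, N.bit_length())
        s = pow(k, -1, N) * (z + r * self.priv) % N
        if r == 0 or s == 0:
            raise ValueError("degenerate signature, retry with another k")
        # Same r under a different message means k was reused: two such signatures
        # on the block chain let anyone solve for the private key.
        if self.seen.get(r, z) != z:
            raise NonceReuseError("nonce reuse detected, refusing to sign")
        self.seen[r] = z
        return r, s

def verify(pub, msg_hash, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = bits2int(msg_hash, N.bit_length())
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def sha256(data):
    return hashlib.sha256(data).digest()
```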
millsdmb
Full Member
August 12, 2013, 11:35:42 PM
 #172

just got the new wallet app pushed out to my phone, so everyone should have it available by now if you include the links posted a few replies up.

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $5 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
frankenmint
Sr. Member
I sell and spread Bitcoin Adoptionware
August 13, 2013, 12:40:37 AM
 #173

what do i do if my wallet address is locked onto another site and I've updated my wallet already? will it go to the old address then be transferred internally into the new one?

blockgenesis
Sr. Member
August 13, 2013, 01:40:27 AM
 #174

Quote
I'm wondering if this means they aren't updating Bitcoin Spinner? Got my phone set up the way I want it, and this means switching yet another app out. I don't have any bitcoins in it right now, and probably won't in the near future anyway. Haven't sent anything from it in months, so I'm not in too big a hurry to update it.
According to Jan, an update to bitcoinspinner was pushed to google play, will appear soon.

It seems that the update for BitcoinSpinner is pushed to Google Play now according to the version history. I've emailed Jan to ask him to provide short instruction text to be published on bitcoin.org .

frankenmint
Sr. Member
I sell and spread Bitcoin Adoptionware
August 13, 2013, 03:08:50 AM
 #175

BTCy the way, my import/export keys menu options are greyed out.  What do I do?  How can I get my BTC?

rampantparanoia
Sr. Member
August 13, 2013, 03:17:50 AM
 #176

Quote
what do i do if my wallet address is locked onto another site and I've updated my wallet already? will it go to the old address then be transferred internally into the new one?

no, you need to change the address on the other site.
bitcoin protocol does not link addresses like this

thanks for the announcement & making the community aware. extra thanks to the person who found this flaw

Earn Devcoins by Writing - DVC: 1H9W9Ra92vpDq91Yh8vtuodkz9YxsMTYbk
Mike Hearn
Hero Member
August 13, 2013, 07:21:46 AM
 #177

actually he is right. Coins received to old insecure addresses will be automatically resent to the new address when it confirms.

Paladin69
Hero Member
August 13, 2013, 10:21:07 AM
 #178

The blockchain.info wallet doesn't work if you have a secondary password so long that it needs to be pasted in.  Holding your finger on it to paste flashes the field box away.
Hawkix
Hero Member
August 13, 2013, 10:33:20 AM
 #179

Anyone already tested the blockchain.info Android wallet with "automatic key rotation"? Is it possible for the user to skip that step?

Kiwi7
Jr. Member
Coding in Java in exchange for BTC.
August 13, 2013, 10:49:26 AM
 #180

Quote
BTCy the way, my import/export keys menu options are greyed out. What do I do? How can I get my BTC?

Transfer all your BTC to an online BTCitcoin wallet, like Inputs.io or BTClockchain.info.

casascius
Mike Caldwell
VIP
Hero Member
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 13, 2013, 12:25:54 PM
 #181

When I made my key generator for Casascius Coins, I started with the assumption that the secure random number generator could not fully be trusted.  I did it on Windows not Android so it's not at risk, but the paranoid idea I tried would have completely eliminated this problem had it been done in these wallets.

Instead of accepting the output of secure random as truly securely random, I just considered it a "good source of entropy" and XOR'd its output with another lukewarm but "extra" source of entropy: a hash of a string that gets the current time appended to it whenever the user does something (moves mouse, presses a button, etc).  Also included in the hash is a counter that increments each time entropy is read so it can never be the same twice.  (When the string grows too big, it is replaced by a hash of itself)

For my actual coin generation process, I ask the user (myself) for a third string of input: something that will also be included in the hash.  Each time, I mash the keyboard for a line or two of text e.g. weiajeflkjf;iefw;fiowjR[2348RU20389U0R9EWAEO;FIJSDF;KJVNXVDFJKG;lkdjfgosidfjaiwe --- and never record the string.

None of these methods would be "great" by themselves, but by XORing the output of all of them together, I feel well hedged against the possibility of crappy RNGs.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
phatsphere
Hero Member
August 13, 2013, 12:33:08 PM
 #182

@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

casascius
Mike Caldwell
VIP
Hero Member
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 13, 2013, 12:39:35 PM
 #183

Quote
@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

niko
Hero Member
There is more to Bitcoin than bitcoins.
August 13, 2013, 12:49:10 PM
 #184

What casascius described sounds good. XORing even with a constant will certainly not decrease entropy. Thus, his method can only make things better.

niko
Hero Member
There is more to Bitcoin than bitcoins.
August 13, 2013, 12:53:50 PM
 #185

How was SecureRandom seeding implemented in vulnerable wallets? Was it custom-seeded, or left as default?

EDIT - never mind. The problem was not with the implementation in wallet software, but was and still is with Android.
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf
Quote
When creating a self seeding SecureRandom instance (by calling the constructor without arguments and subsequent setSeed() call), the code fails to adjust the byte offset (a pointer into the state buffer) after inserting a start value. This causes a counter and the beginning of a padding (a 32 bit word) to overwrite parts of the seed instead of appending.

Huangww
Newbie
August 13, 2013, 03:10:14 PM
 #186

very quick.
qwk
Donator
Hero Member
Bitcoin Foundation Member
August 13, 2013, 05:13:29 PM
 #187

Quote
@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

Shouldn't it be possible to just use the hardware RNG from a Raspberry Pi to just create a bunch of addresses?
Could be less painful than hammering your keyboard repetitively ;-)

TippingPoint
Sr. Member
Live a Quiet Life & Work With Your Hands
August 13, 2013, 05:45:08 PM
 #188

I like the generate random seed method that KeePass (free and open source) uses.  Your choice of mouse movement and/or keyboard gibberish.



Quote
KeePass needs to generate several random bytes (for the IV, the master key salt, etc.). For this, several pseudo-random sources are used: current tick count, performance counter, system date/time, mouse cursor position, memory status (free virtual memory, etc.), active window, clipboard owner, various process and thread IDs, various window handles (active window, desktop, ...), window message stack, process heap status, process startup information and several system information structures. Additionally, KeePass uses random bytes provided by the system's default CSP RNG.

This pseudo-random data is collected in a random pool. To generate 16 random bytes, the pool is hashed (SHA-256) with a counter. The counter is increased after 16 generated bytes. This way, as many secure random bytes can be produced efficiently as needed.
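The hedge casascius describes in #181 and the KeePass pool quoted above, as an added example that is neither casascius's generator nor KeePass code: events are appended to a pool with a timestamp, the pool is hashed together with a read counter, and the digest is XORed with the OS CSPRNG output, so a failure of one source cannot cancel the other. The `sysrandom` and `ts` parameters are this example's own additions, there so a dead system RNG can be modelled in the test.

```python
import hashlib
import os
import time

class EntropyPool:
    """Hedge against a weak system RNG by XORing it with a hashed event pool.

    Constructed example of the scheme described in the thread: every event
    (mouse move, key press, sensor sample) is appended to a pool string with a
    timestamp; each read hashes the pool with a counter and XORs the digest
    with the OS CSPRNG. XOR with independent data never reduces entropy.
    """
    MAX_POOL = 4096   # once the string grows past this it is replaced by its own hash

    def __init__(self, sysrandom=os.urandom):
        self.pool = b""
        self.counter = 0
        self.sysrandom = sysrandom   # injectable so a broken system RNG can be modelled

    def add_event(self, label, data=b"", ts=None):
        """Record one event; ts defaults to the current time in nanoseconds."""
        ts = time.time_ns() if ts is None else ts
        self.pool += label.encode() + b"|" + str(ts).encode() + b"|" + data
        if len(self.pool) > self.MAX_POOL:
            self.pool = hashlib.sha256(self.pool).digest()

    def read(self, nbytes=32):
        """Return nbytes of output; the counter guarantees no two reads repeat."""
        out = b""
        while len(out) < nbytes:
            self.counter += 1
            digest = hashlib.sha256(self.pool + self.counter.to_bytes(8, "big")).digest()
            sys_bytes = self.sysrandom(len(digest))
            out += bytes(a ^ b for a, b in zip(digest, sys_bytes))
        return out[:nbytes]
```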

gbl08ma
Sr. Member
August 13, 2013, 07:07:02 PM
 #189

I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).

Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.

I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.

On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?

[To TF: signature ad cancelled due to the problems with inputs.io]
LaudaM
Sr. Member
August 13, 2013, 08:29:40 PM
 #190

Quote
very quick.

It would be a huge problem if it wasn't quick enough.

SgtSpike
Hero Member
Firstbits: 18tkn
August 13, 2013, 08:45:49 PM
 #191

Quote
I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).

Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.

I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.

On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?

My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain. If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.

apetersson
Hero Member
Activity: 632
mycelium.com
August 13, 2013, 09:37:08 PM
 #192

My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain.  If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.

If you did reveal your private key that way, your money should already be gone. If it is not gone, it's a pretty good indication that everything is fine. :)
Emm
Newbie
Activity: 28
We provide Bitcoins instantly in Australia
August 14, 2013, 03:42:27 AM
 #193

Did anyone get their mobile wallet BTC stolen?

The fastest and easiest way for Australians to buy Bitcoins.
Available 24/7. Pay via internet banking transfer.
BuyBitcoinAustralia.com.au (http://www.BuyBitcoinAustralia.com.au)  -  Instant bitcoins. Anytime.
b!z
Hero Member
Activity: 588
BitcoinReviewer.com
August 14, 2013, 05:20:57 AM
 #194

Did anyone get their mobile wallet BTC stolen?

Yes, https://gist.github.com/anonymous/6204930

Bitcoin Reviewer - Unbiased Bitcoin Gambling Site Reviews
MyExchange  - Start your own Bitcoin Exchange for 0.25 BTC!
niko
Hero Member
Activity: 742
There is more to Bitcoin than bitcoins.
August 14, 2013, 05:33:34 AM
 #195

Did anyone get their mobile wallet BTC stolen?
Yes. A total of 55 coins so far. https://bitcointalk.org/index.php?topic=271486.0

The relatively small amount is partly due to the quick response of the community, and partly due to the fact that the Android bug does not lead to every transaction being exploitable. Still, the bug has been public for many months now. Everyone, from obviously overpaid Google developers to obviously underpaid Bitcoin developers, should be even more careful moving forward from here. This flaw was not catastrophic, but the next one may be. Tread carefully.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
wopwop
Sr. Member
Activity: 252
August 14, 2013, 10:30:58 AM
 #196

Pseudo-random number generation used in security systems is nothing more than *security through obscurity*.
Tommy76
Member
Activity: 101
August 14, 2013, 11:38:33 AM
 #197

very quick.
It would be a huge problem if it wasn't quick enough.

So, I think it's a huge problem, check the date of this post:
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
Mike Hearn
Hero Member
Activity: 1232
August 14, 2013, 12:36:52 PM
 #198

That post is unrelated to issues on Android.

12LMm82ZgAzf7yNDpPydEYxEr4Ap7XtSSK
Jan
Hero Member
Activity: 942
August 14, 2013, 12:46:10 PM
 #199

very quick.
It would be a huge problem if it wasn't quick enough.

So, I think it's a huge problem, check the date of this post:
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

What this blog post doesn't tell you is that in this particular instance the repeated use of the same K value was on purpose.
When making unit tests it is often desirable to be able to create results that can be repeated. By reusing the same K value you get the same signature, which is valuable during development. I know the developer in this instance, and no, it is not me.

Mycelium Bitcoin Wallet, a swift & secure Bitcoin client for Android. Join the fun, we are hiring
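The nonce-reuse risk SgtSpike (#191) and Jan (#199) describe, as an added example that is not part of this thread or of any wallet's code: a minimal secp256k1 ECDSA signer plus a detector that flags a key which published the same r (hence the same k) under two different message hashes, while leaving Jan's unit-test case (same hash, same k, identical signature) unflagged. Keys, hashes and nonces are constructed test values, not blockchain data; it assumes Python 3.8+ for pow(x, -1, m).

```python
from collections import defaultdict

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def sign(d, z, k):
    """Textbook ECDSA: private key d, message hash z, nonce k -> (r, s)."""
    r = ec_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N)

def find_reused_nonces(sigs):
    """sigs: iterable of (key_id, r, s, z). Returns {key_id: [r, ...]} for each
    key that published one r under two different hashes. Re-signing the same
    hash with the same k gives an identical (r, s) and is not flagged."""
    seen = defaultdict(set)
    for key_id, r, _s, z in sigs:
        seen[(key_id, r)].add(z)
    hits = defaultdict(list)
    for (key_id, r), hashes in seen.items():
        if len(hashes) > 1:
            hits[key_id].append(r)
    return dict(hits)

# Constructed sample (hypothetical keys, hashes and nonces, not real blockchain
# data): key "A" signs through an RNG that hands out k=7 twice; "B" is healthy.
D_A, D_B = 0x1234, 0xABCD
SAMPLE = [
    ("A", *sign(D_A, 1001, 7), 1001),
    ("A", *sign(D_A, 1002, 7), 1002),   # same k, new message -> flagged
    ("A", *sign(D_A, 1003, 11), 1003),
    ("B", *sign(D_B, 1001, 5), 1001),
    ("B", *sign(D_B, 1001, 5), 1001),   # identical signature, not a leak
]
```

Running find_reused_nonces(SAMPLE) reports only key "A", with the single r produced by k=7.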
niko
Hero Member
Activity: 742
There is more to Bitcoin than bitcoins.
August 14, 2013, 03:33:25 PM
 #200

very quick.
It would be a huge problem if it wasn't quick enough.

So, I think it's a huge problem, check the date of this post:
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

That post is unrelated to issues on Android.

It definitely is related to the exploit. And this one is also related, and was presented to the public almost half a year ago. Granted, it appears that Android SecureRandom is broken beyond what is described in the RSA 2013 paper.



They're there, in their room.
Your mining rig is on fire, yet you're very calm.
ReCat
Sr. Member
Activity: 378
August 14, 2013, 03:43:07 PM
 #201

@casascius: do you know about this page: http://www.random.org/bytes/ ? That could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

BTC: 1recatirpHBjR9sxgabB3RDtM6TgntYUW
Hold onto what you love with all your might, Because you can never know when - Oh. What you love is now gone.
molecular
Donator
Hero Member
Activity: 1190
August 14, 2013, 04:36:42 PM
 #202

very quick.
It would be a huge problem if it wasn't quick enough.

So, I think it's a huge problem, check the date of this post:
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

This was known for even longer. The news was the discovery of a weakness in the Apache Harmony RNG used by Android.

niko
Hero Member
Activity: 742
There is more to Bitcoin than bitcoins.
August 14, 2013, 04:50:30 PM
 #203

@casascius: do you know about this page: http://www.random.org/bytes/ ? That could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )
You may be missing the point here. There is more than enough entropy available in a phone or a PC. The problem is with human errors when coding and otherwise implementing the RNG. In this case, lazy Google employees who copy-pasted broken Apache code without reviewing it, and didn't even bother fixing it or rewriting the documentation when some of the flaws were made public half a year ago.
Building your own hardware, by yourself, will likely lead to more errors.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
casascius
Mike Caldwell
VIP
Hero Member
Activity: 1204
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 14, 2013, 05:27:18 PM
 #204

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
phatsphere
Hero Member
Activity: 698
August 14, 2013, 05:54:57 PM
 #205

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.
Instead of *radio*active material, you can use *radio*waves. Just tune in to a lower kHz frequency where a lot of noise from the earth's atmosphere is audible. That's one of the sources providers like random.org use. I guess it's pretty easy to get this running and then pull the bytes from the A/D converter of your soundcard.

in case you want to be friends with my wallet, you have to send to 1HB9mgo3cdqBoC3jPemDpD8TPHFxcuQ8AD - http://www.bitcoin-austria.at/
justusranvier
Hero Member
Activity: 868
August 14, 2013, 06:21:46 PM
 #206

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.
Pick up some bananas from the grocery store next time.

P_Shep
Hero Member
Activity: 826
August 14, 2013, 07:02:52 PM
 #207

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

dismantle a smoke detector

Anubis cgminer web frontend: https://bitcointalk.org/index.php?topic=57342.0
Files and instructions for CGminer on DD-WRT: https://bitcointalk.org/index.php?topic=76685.0
Pan handling: 1Fxpijq1NN52LzSzD2WtGbT3ZTWq366ejj
stereotype
Sr. Member
Activity: 420
August 14, 2013, 09:05:21 PM
 #208

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

dismantle a smoke detector

Or a bowl of brazil nuts

I know nothing, i consider everything.
ralree
Hero Member
Activity: 518
Manateeeeeeees
August 15, 2013, 12:03:32 AM
 #209

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

Actually, you can just push a transistor into avalanche - it only takes a few discrete components:

http://holdenc.altervista.org/avalanche/

1MANaTeEZoH4YkgMYz61E5y4s9BYhAuUjG
TippingPoint
Sr. Member
Activity: 336
Live a Quiet Life & Work With Your Hands
August 15, 2013, 12:14:47 AM
 #210

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

dismantle a smoke detector

Or a bowl of brazil nuts

Formerly known as ...

The first rule of fight club is you do not talk about fight club.
Bitmessage BM-2cTpnX2iUZm4V2utSE82SG9RRQ5LQ6Huj3
LaudaM
Sr. Member
Activity: 378
August 15, 2013, 11:10:37 PM
 #211


dismantle a smoke detector

Or a bowl of brazil nuts

Formerly known as ...

the hero of?

BTC: 19zYTT7QoCqURn5oZw8VMMSo4tbpERUB4i
niko
Hero Member
Activity: 742
There is more to Bitcoin than bitcoins.
August 16, 2013, 04:14:18 AM
 #212

Quit generating randomness, and get back to the topic. I read in the news that Google has acknowledged the problem, and recommends developers use /dev/(u)random. Good luck patching Android with third parties between Google and your phone.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
justusranvier
Hero Member
Activity: 868
August 16, 2013, 04:15:30 AM
 #213

Good luck patching Android with third parties between Google and your phone.
I bet CyanogenMod users get access to the patches first.

allbiznessman
Member
Activity: 74
SudoSuRootDev... AKA... AllBiznessMan
August 19, 2013, 03:08:40 PM
 #214

So, does this only affect Android wallets (Private Keys) generated by the Android wallet apps, or would my BTC address which I already had and then added to the blockchain wallet app also be affected? I hope not, cause I like keeping the same address for Public use, and then moving the BTC into my private addresses, never revealing public keys or addresses.

Rannasha
Sr. Member
Activity: 364
August 19, 2013, 03:21:17 PM
 #215

So, does this only affect Android wallets (Private Keys) generated by the Android wallet apps, or would my BTC address which I already had and then added to the blockchain wallet app also be affected? I hope not, cause I like keeping the same address for Public use, and then moving the BTC into my private addresses, never revealing public keys or addresses.

It only affects addresses/keys that are generated on Android.

Carlton Banks
Hero Member
Activity: 602
August 19, 2013, 03:44:18 PM
 #216

You should make your own hardware for pulling random data for your coins. Something like a geiger counter near a radiation source. Now that would be truly the best source for truly random data.

(Unless you distrust the laws of physics :D )

I would have, but at the time, I was fresh out of radioactive material. Maybe next time.

Lol, how long before the FBI kicks your door in? Didn't everyone get the memo that making online jokes about possessing WMDs is indistinguishable from sincere admissions? :D
niko
Hero Member
Activity: 742
There is more to Bitcoin than bitcoins.
August 19, 2013, 04:23:58 PM
 #217

So, does this only affect Android wallets (Private Keys) generated by the Android wallet apps, or would my BTC address which I already had and then added to the blockchain wallet app also be affected? I hope not, cause I like keeping the same address for Public use, and then moving the BTC into my private addresses, never revealing public keys or addresses.

It only affects addresses/keys that are generated on Android.
This is incorrect. The problem also affects imported keys if they were ever used to send funds from an android client.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Gator-hex
Sr. Member
Activity: 350
August 19, 2013, 05:43:19 PM
 #218

Quote
a component of Android responsible for generating secure random numbers contains critical weaknesses

or did someone just forget to seed it properly?

"Everytime I give a seed and try to generate 100 numbers, they all are the same. Please help."
http://stackoverflow.com/questions/12458383/java-random-numbers-using-a-seed

 ;)

BurtW
Hero Member
Activity: 1050
I no longer support vanity addresses
August 19, 2013, 07:20:45 PM
 #219

Quote
a component of Android responsible for generating secure random numbers contains critical weaknesses

or did someone just forget to seed it properly?

"Everytime I give a seed and try to generate 100 numbers, they all are the same. Please help."
http://stackoverflow.com/questions/12458383/java-random-numbers-using-a-seed

 ;)
The referenced posting is unrelated.  It concerns a person not understanding the Random() function and the fact that every time you use the same seed for that function you get the same sequence.

They are using Random(); we are discussing SecureRandom(), two different functions.

However, as far as I can tell the problem with the SecureRandom() function did have to do with seeding, it is just not the same seeding issue discussed in the link.

Bitcoin must have unqualified fungibility to survive as a form of money.  We must support all efforts that protect and improve the fungible nature of Bitcoin and stand firmly against anyone or anything which threatens this essential property.
molecular
Donator
Hero Member
Activity: 1190
August 19, 2013, 07:34:18 PM
 #220

Let's talk bitcoin episode about the issue. http://www.youtube.com/watch?v=4zTocJflyS8

Contains an interesting interview with Andreas Pettersen ((co-)author of the Mycelium wallet).

Apparently under certain circumstances (some fallbacks) the entropy of the android RNG drops to just 9 bits.

Did anyone find more information about what exactly is going wrong?