Bitcoin Forum
Author Topic: [ANNOUNCE] Android key rotation  (Read 66319 times)
Mike Hearn (OP)
Legendary
August 11, 2013, 05:41:04 PM  #21

Quote:
Could you please clarify:

1. Is this the same, or a different, issue from the one being discussed in the "Bad signatures" thread?

2. Is it absolutely and completely true that this is an Android issue, ie. hosted Blockchain.info wallets and other wallet software written in Java is not affected?

3. I generated my wallet keys off-device. Am I still vulnerable?

4. I generated my wallet keys on-device but have only received funds and not sent any, so no transactions were actually generated by the Android application. Am I still vulnerable?

5. If it turns out from any of the above two reasons that I am not vulnerable, will the update to Android Wallet specifically still rotate my wallet? There are probably a lot of wallets out there who would be greatly hurt by unnecessary transaction fees.

1. It's the same issue.

2. It's an Android issue, not a Java issue.

3. The key would not have an issue in this case. However, if you spent money from it then there's a small chance the key may have been exposed. Someone has been monitoring the network for this and claims it only happens a few times a month worldwide; what's more, someone appears to be stealing the money when it does happen. So if you haven't already suffered a theft, you probably haven't been exposed in this way, and simply upgrading and rotating the wallet is sufficient.

4. Your key may be vulnerable.

5. All wallets will be rotated automatically. The Bitcoin Wallet app doesn't really support importing arbitrary private keys. You can do it by re-using the backup mechanism, but key imports/exports in general have all kinds of problems and if you do it, you are "on your own". It's not an official feature of the app.
Andreas Schildbach
Hero Member
August 11, 2013, 05:42:11 PM  #22

I see a lot of questions here about which keys are affected and which not.

As far as Bitcoin Wallet goes, it will rotate your keys no matter how you created them or whether you used them for signing. This is because there is no supported way of importing keys from sources other than itself (backup), so all keys must have been created using the flaky random number generator.

I can't tell about the other apps, but I hope they will rotate all keys as well.
AliceWonder
Full Member
August 11, 2013, 05:51:22 PM  #23

Could this be what was behind all those random 1 mBTC payments that were going around?

As they are spent, if the wallet was Android they are now multiple spends from the same address, possibly allowing an attacker to figure out the private key.

QuarkCoin - what I believe bitcoin was intended to be. On reddit: http://www.reddit.com/r/QuarkCoin/
n4ru
Sr. Member
August 11, 2013, 05:52:29 PM  #24

Quote from: AliceWonder
Could this be what was behind all those random 1 mBTC payments that were going around?

As they are spent, if the wallet was Android they are now multiple spends from the same address, possibly allowing an attacker to figure out the private key.
Interesting thought... it would make a bit of sense.
millsdmb
Sr. Member
August 11, 2013, 05:55:37 PM  #25

pink is a really crappy color, fwiw.

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $10 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
piotr_n
Legendary
August 11, 2013, 05:58:14 PM  #26

Quote from: millsdmb
pink is a really crappy color, fwiw.
indeed - it's barely visible.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
DiamondCardz
Legendary
August 11, 2013, 05:58:53 PM  #27

I noticed it instantly, actually.

BA Computer Science, University of Oxford
Dissertation was about threat modelling on distributed ledgers.
al.matic
Newbie
August 11, 2013, 06:00:31 PM  #28

So basically, Google pulled a Sony...

https://i.imgur.com/e9jUO.png


So, this is the same type of attack as the Sony PlayStation network hack (ECDSA random numbers not being random), so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...
n4ru
Sr. Member
August 11, 2013, 06:09:58 PM  #29

Quote from: al.matic
So basically, Google pulled a Sony...

So, this is the same type of attack as the Sony PlayStation network hack (ECDSA random numbers not being random), so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...
The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).
No_2
Hero Member
August 11, 2013, 06:24:47 PM  #30

Interesting bug. Thanks for the info.
millsdmb
Sr. Member
August 11, 2013, 06:28:14 PM  #31

Quote from: DiamondCardz
I noticed it instantly, actually.
I did too, just couldn't read it. Thought it was a new ad at first =P

theymos
Administrator, Legendary
August 11, 2013, 06:33:02 PM  #32

It's hard to get a good color due to the gradient.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
justusranvier
Legendary
August 11, 2013, 06:37:29 PM  #33

This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
Anon136
Legendary
August 11, 2013, 06:39:19 PM  #34

in case anyone is confused about the color coding.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
BurtW
Legendary
August 11, 2013, 06:42:16 PM  #35

Quote from: justusranvier
This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
Not really. This is a problem with a specific implementation of a specific secure random number generator (Android).

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
millsdmb
Sr. Member
August 11, 2013, 06:43:03 PM  #36

Quote from: Anon136
in case anyone is confused about the color coding.

I withdrew all my BTC from vulnerable addresses.

This image reminds me how my crazy (in hindsight) mother did the same with her cash from the bank on Sept 11.
piotr_n
Legendary
August 11, 2013, 06:45:00 PM  #37
Last edit: August 11, 2013, 07:04:40 PM by piotr_n

Quote from: justusranvier
This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
You must be joking.
If you cannot use the same private key again, to sign different stuff, then it is not even a digital signature application - you may as well start using random numbers and their hashes, or something..

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented.
And nobody says that using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature.

AliceWonder
Full Member
August 11, 2013, 06:47:14 PM  #38

Quote from: justusranvier
This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.

Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).

Now anything which encourages address reuse should be considered negligent.
Quote from: BurtW
Not really. This is a problem with a specific implementation of a specific secure random number generator (Android).

Yes really. Payment addresses should not be re-used after money is spent. If you do not re-use the address then you cannot fall victim to this if your random generator is not as random as it should be.

But that has nothing to do with deterministic wallets. Non-deterministic wallets do not require address re-use.

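The posts above describe three observable situations: the Sony pattern n4ru describes in #29 (the same nonce every time), the Android pattern (a nonce that repeats only once in a while), and AliceWonder's point in #38 that a key which signed exactly once cannot be hit by this bug at all. Mike Hearn's #21 also mentions someone monitoring the network for the problem. The following is an added example of that kind of check, written for this page; it is not code from the thread, from Bitcoin Wallet or from bitcoinj. It relies on one fact about ECDSA: r is the x-coordinate of k*G, so two signatures from the same key with equal r used the same nonce k. All transaction ids, key labels and signature values are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Signature(NamedTuple):
    txid: str    # constructed label of the spending transaction
    pubkey: str  # constructed label of the signing key (one key per address)
    r: int       # ECDSA r: x-coordinate of k*G, so equal r means equal nonce k
    s: int       # ECDSA s: not needed by these checks, kept for realism


def reused_keys(sigs: List[Signature]) -> Dict[str, int]:
    """Keys that signed more than once ("multiple spends from the same address").
    Not a compromise by itself, but exactly the exposure a faulty nonce RNG needs."""
    counts: Dict[str, int] = defaultdict(int)
    for sig in sigs:
        counts[sig.pubkey] += 1
    return {k: n for k, n in counts.items() if n > 1}


def repeated_nonces(sigs: List[Signature]) -> Dict[str, List[List[str]]]:
    """Keys with two or more signatures sharing an r value: the nonce was reused,
    so the private key must be treated as compromised and rotated at once."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for sig in sigs:
        groups[(sig.pubkey, sig.r)].append(sig.txid)
    found: Dict[str, List[List[str]]] = defaultdict(list)
    for (pubkey, _r), txids in groups.items():
        if len(txids) > 1:
            found[pubkey].append(sorted(txids))
    return dict(found)


def cross_key_nonces(sigs: List[Signature]) -> Dict[int, List[str]]:
    """The same r under different keys: the RNG handed the same k to different
    wallets. Two such signatures alone do not give away either key, but the RNG
    is demonstrably faulty, so every key involved should be rotated."""
    keys_by_r: Dict[int, Set[str]] = defaultdict(set)
    for sig in sigs:
        keys_by_r[sig.r].add(sig.pubkey)
    return {r: sorted(ks) for r, ks in keys_by_r.items() if len(ks) > 1}


def classify(sigs: List[Signature]) -> Dict[str, str]:
    """One verdict per key, most severe first: compromised > suspect > exposed > clean."""
    compromised = repeated_nonces(sigs)
    suspect = {k for ks in cross_key_nonces(sigs).values() for k in ks}
    exposed = reused_keys(sigs)
    verdict: Dict[str, str] = {}
    for key in {sig.pubkey for sig in sigs}:
        if key in compromised:
            verdict[key] = "compromised"
        elif key in suspect:
            verdict[key] = "suspect"
        elif key in exposed:
            verdict[key] = "exposed"
        else:
            verdict[key] = "clean"
    return verdict


# Constructed sample signatures covering each situation discussed in the thread.
SAMPLE: List[Signature] = [
    # Sony-style: the same k every time, so every r is the same.
    Signature("tx01", "key_A", r=0x1111, s=0x0A01),
    Signature("tx02", "key_A", r=0x1111, s=0x0A02),
    Signature("tx03", "key_A", r=0x1111, s=0x0A03),
    # Android-style: the nonce is usually fresh but repeats once in a while.
    Signature("tx04", "key_B", r=0x2001, s=0x0B01),
    Signature("tx05", "key_B", r=0x2002, s=0x0B02),
    Signature("tx06", "key_B", r=0x2001, s=0x0B03),
    Signature("tx07", "key_B", r=0x2003, s=0x0B04),
    # Reused address with a healthy RNG: a distinct r for every signature.
    Signature("tx08", "key_C", r=0x3001, s=0x0C01),
    Signature("tx09", "key_C", r=0x3002, s=0x0C02),
    # Fresh address, spent exactly once: nothing for this bug to work with.
    Signature("tx10", "key_D", r=0x4001, s=0x0D01),
    # Two different wallets handed the same k by a faulty RNG.
    Signature("tx11", "key_E", r=0x5001, s=0x0E01),
    Signature("tx12", "key_F", r=0x5001, s=0x0F01),
]


if __name__ == "__main__":
    for key, verdict in sorted(classify(SAMPLE).items()):
        print(f"{key}: {verdict}")
    print("repeated nonces:", repeated_nonces(SAMPLE))
```

The "exposed" verdict is the one the address-reuse argument in this thread is about: such a key is safe only as long as its RNG never repeats, which is what the Android bug broke. A wallet that hands out a fresh address per payment never produces more than one signature per key, so the scan has nothing to find for it even if the RNG is bad.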
justusranvier
Legendary
August 11, 2013, 06:48:25 PM  #39

Quote from: BurtW
Not really. This is a problem with a specific implementation of a specific secure random number generator (Android).
If addresses are never reused, it doesn't matter if individual private keys are compromised after the fact.
justusranvier
Legendary
August 11, 2013, 06:51:30 PM  #40

Quote from: AliceWonder
But that has nothing to do with deterministic wallets. Non-deterministic wallets do not require address re-use.
The reason that clients reuse addresses is because random key wallets are unsuitable for general use.

Requiring users to update their backups after every n transactions results in permanently lost funds.

The solution is to implement BIP32.
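justusranvier's point in #40 is that a random-key wallet loses funds whenever keys are created after the last backup, while a seed-based (BIP32-style) wallet regenerates every key from one backed-up seed. The simulation below is an added example written for this page, not code from the thread or from any wallet project. Its `derive_key` is a deliberately simplified HMAC-based stand-in for BIP32 (real BIP32 derives on the secp256k1 curve with chain codes, hardened paths and a gap limit on restore); the backup property it demonstrates is the same. Key counts and the backup timeline are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def random_key_wallet(n: int) -> List[bytes]:
    """Non-deterministic ("random key") wallet: each key is fresh entropy, so a
    backup can only ever contain the keys that existed when it was taken."""
    return [os.urandom(32) for _ in range(n)]


def derive_key(seed: bytes, index: int) -> bytes:
    """Simplified deterministic derivation: HMAC-SHA512(seed, index) truncated to a
    32-byte private key. Illustrative stand-in for BIP32 (assumption of this example,
    not the real BIP32 algorithm); one seed regenerates every key in either case."""
    return hmac.new(seed, index.to_bytes(4, "big"), hashlib.sha512).digest()[:32]


def deterministic_wallet(seed: bytes, n: int) -> List[bytes]:
    """All keys the wallet will ever hand out are a pure function of the seed."""
    return [derive_key(seed, i) for i in range(n)]


def keys_lost(in_use: List[bytes], restored: List[bytes]) -> int:
    """Keys the wallet actually used that a restore from backup cannot reproduce."""
    have = set(restored)
    return sum(1 for k in in_use if k not in have)


def random_wallet_scenario(backup_after: int, keys_used: int) -> int:
    """User backs up the wallet file after `backup_after` keys, then keeps
    transacting until `keys_used` keys exist, then has to restore. Returns how
    many of the keys (and the funds on them) the backup does not contain."""
    wallet = random_key_wallet(keys_used)
    backup = list(wallet[:backup_after])  # snapshot of the wallet file at backup time
    return keys_lost(wallet, backup)


def deterministic_scenario(backup_after: int, keys_used: int,
                           seed: Optional[bytes] = None) -> int:
    """Same timeline for a seed-based wallet. The backup is the seed alone, taken at
    the same point (`backup_after` is irrelevant: the seed never changes), and a
    restore re-derives as many keys as were used (a real client scans ahead with
    a gap limit instead of knowing the count)."""
    seed = seed if seed is not None else os.urandom(32)
    wallet = deterministic_wallet(seed, keys_used)
    restored = deterministic_wallet(seed, keys_used)  # from the backed-up seed only
    return keys_lost(wallet, restored)


if __name__ == "__main__":
    print("random-key wallet, backup after 5 keys, 12 used:",
          random_wallet_scenario(5, 12), "keys unrecoverable")
    print("seed-based wallet, same timeline:",
          deterministic_scenario(5, 12), "keys unrecoverable")
```

The random-key case is why clients of the time fell back on address reuse: every fresh key widened the window between backups in which funds could be lost for good. With derivation from a seed, handing out a new address per payment costs nothing in backup terms, which removes the incentive to reuse keys that this thread's bug turned into a liability.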