Mike Hearn (OP)
August 11, 2013, 05:41:04 PM
> Could you please clarify:
> 1. Is this the same, or a different, issue from the one being discussed in the "Bad signatures" thread?
> 2. Is it absolutely and completely true that this is an Android issue, i.e. hosted Blockchain.info wallets and other wallet software written in Java is not affected?
> 3. I generated my wallet keys off-device. Am I still vulnerable?
> 4. I generated my wallet keys on-device but have only received funds and not sent any, so no transactions were actually generated by the Android application. Am I still vulnerable?
> 5. If it turns out from any of the above two reasons that I am not vulnerable, will the update to Android Wallet specifically still rotate my wallet? There are probably a lot of wallets out there who would be greatly hurt by unnecessary transaction fees.

1. It's the same issue.
2. It's an Android issue, not a Java issue.
3. The key would not have an issue in this case. However, if you spent money from it then there's a small chance the key may have been exposed. However, someone has been monitoring the network for this and claims it only happens a few times a month worldwide; what's more, someone appears to be stealing the money when it does happen. So if you haven't already suffered a theft, you probably haven't been exposed in this way, and simply upgrading and rotating the wallet is sufficient.
4. Your key may be vulnerable.
5. All wallets will be rotated automatically. The Bitcoin Wallet app doesn't really support importing arbitrary private keys. You can do it by re-using the backup mechanism, but key imports/exports in general have all kinds of problems and if you do it, you are "on your own". It's not an official feature of the app.
Andreas Schildbach
August 11, 2013, 05:42:11 PM
I see a lot of questions here about which keys are affected and which not.
As far as Bitcoin Wallet goes, it will rotate your keys no matter how you created them or whether you used them for signing. This is because there is no supported way of importing keys from other sources than itself (backup), so all keys must have been created using the flaky random number generator.
I can't tell about the other apps, but I hope they will rotate all keys as well.
AliceWonder
August 11, 2013, 05:51:22 PM
Could this be what was behind all those random 1 mBTC payments that were going around?
As they are spent, if the wallet was Android, they are now multiple spends from the same address, possibly allowing an attacker to figure out the private key.
n4ru
August 11, 2013, 05:52:29 PM
> Could this be what was behind all those random 1 mBTC payments that were going around?
> As they are spent, if the wallet was Android they are now multiple spends from same address possibly allowing attacker to figure out private key.

Interesting thought... it would make a bit of sense.
millsdmb
August 11, 2013, 05:55:37 PM
pink is a really crappy color, fwiw.
piotr_n
August 11, 2013, 05:58:14 PM
> pink is a really crappy color, fwiw.

indeed - it's barely visible.
DiamondCardz
August 11, 2013, 05:58:53 PM
I noticed it instantly, actually.
al.matic
August 11, 2013, 06:00:31 PM
So, this is the same type of attack as the Sony PlayStation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right? AFAIK it is a relatively new algorithm chosen because of the short signatures it produces, so it might even get broken (even with working random number generators). Something should be done about that...
n4ru
August 11, 2013, 06:09:58 PM
So basically, Google pulled a Sony...

> So, this is the same type of attack as the Sony PlayStation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right? AFAIK it is a relatively new algorithm chosen because of the short signatures it produces, so it might even get broken (even with working random number generators). Something should be done about that...

The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack. With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner. With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).
No_2
August 11, 2013, 06:24:47 PM
Interesting bug. Thanks for the info.
millsdmb
August 11, 2013, 06:28:14 PM
> I noticed it instantly, actually.

I did too, just couldn't read it. Thought it was a new ad at first =P
theymos
August 11, 2013, 06:33:02 PM
It's hard to get a good color due to the gradient.
justusranvier
August 11, 2013, 06:37:29 PM
This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.
Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).
Now anything which encourages address reuse should be considered negligent.
Anon136
August 11, 2013, 06:39:19 PM
in case anyone is confused about the color coding.
BurtW
August 11, 2013, 06:42:16 PM
> This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.
> Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).
> Now anything which encourages address reuse should be considered negligent.

Not really. This is a problem with a specific implementation of a specific secure random number generator (Android).
millsdmb
August 11, 2013, 06:43:03 PM
> in case anyone is confused about the color coding.

I withdrew all my BTC from vulnerable addresses. This image reminds me how my crazy (in hindsight) mother did the same with her cash from the bank on Sept 11.
piotr_n
August 11, 2013, 06:45:00 PM (last edit: August 11, 2013, 07:04:40 PM by piotr_n)
> This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.
> Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).
> Now anything which encourages address reuse should be considered negligent.

You must be joking. If you cannot use the same private key again, to sign different stuff, then it is not even a digital signature application - you can as well start using random and their hashes, or something.. Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented. And nobody says that using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature.
AliceWonder
August 11, 2013, 06:47:14 PM
> This vulnerability is yet another reason address reuse in Bitcoin clients must be eliminated.
> Prior to this, using non-deterministic wallets was either a privacy disaster (single key model) or else a usability nightmare (random key model).
> Now anything which encourages address reuse should be considered negligent.
> Not really. This is a problem with a specific implementation of a specific secure random number generator (android).

Yes really. Payment addresses should not be re-used after money is spent. If you do not re-use the address then you cannot fall victim to this if your random generator is not as random as it should be. But that has nothing to do with deterministic wallets. Non-deterministic wallets do not require address re-use.
justusranvier
August 11, 2013, 06:48:25 PM
> Not really. This is a problem with a specific implementation of a specific secure random number generator (android).

If addresses are never reused, it doesn't matter if individual private keys are compromised after the fact.
justusranvier
August 11, 2013, 06:51:30 PM
> But that has nothing to do with deterministic wallets. Non deterministic wallets do not require address re-use.

The reason that clients reuse addresses is because random key wallets are unsuitable for general use. Requiring users to update their backups after every n transactions results in permanently lost funds. The solution is to implement BIP32.