Bitcoin Forum
November 16, 2024, 05:04:04 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 [5] 6 7 8 9 10 11 12 13 »  All
  Print  
Author Topic: [ANNOUNCE] Android key rotation  (Read 66322 times)
n4ru
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250



View Profile
August 11, 2013, 09:09:07 PM
 #81

Just wondering, would this affect Electrum as well?

I m asking as it uses Google Scripting Layer & Python for Android

http://electrum.org/android.html
The issue appears to be in the java implementation of secureRandom that Google uses.
Mike Hearn (OP)
Legendary
*
Offline Offline

Activity: 1526
Merit: 1134


View Profile
August 11, 2013, 09:09:19 PM
 #82

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.
Andreas Schildbach
Hero Member
*****
Offline Offline

Activity: 483
Merit: 551


View Profile
August 11, 2013, 09:16:25 PM
 #83

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

At least its not running on Java, afaik. So it can't be affected by the same issues.
ReCat
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250



View Profile WWW
August 11, 2013, 09:32:09 PM
 #84

Thank god I have an iPhone Smiley
As far as apple is concerned. Bitcoin wallets don't exist for iOS. Tongue Security through obscurity is good, I think.

BTC: 1recatirpHBjR9sxgabB3RDtM6TgntYUW
Hold onto what you love with all your might, Because you can never know when - Oh. What you love is now gone.
btcsql
Sr. Member
****
Offline Offline

Activity: 292
Merit: 250


View Profile
August 11, 2013, 09:35:41 PM
 #85

Mike Hearn, you are the man now dog!
bitcool
Legendary
*
Offline Offline

Activity: 1441
Merit: 1000

Live and enjoy experiments


View Profile
August 11, 2013, 10:35:07 PM
 #86

How "critical" is it? Has there been any successful attack using this weakness?
niko
Hero Member
*****
Offline Offline

Activity: 756
Merit: 501


There is more to Bitcoin than bitcoins.


View Profile
August 11, 2013, 10:44:24 PM
 #87

How "critical" is it? Has there been any successful attack using this weakness?

Sounds extremely critical, see links below.


done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? Smiley

This post is over one month old, while this one over half a year...
Watchfulness my ass Smiley

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1918
Merit: 1570


Bitcoin: An Idea Worth Spending


View Profile WWW
August 11, 2013, 10:48:08 PM
 #88

So basically, Google pulled a Sony...




So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...
The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

As I get my head wrapped around this, what comes to mind is after reading the above is that if a random number is picked from a finite set of 10K elements, e.g., a duplicate is more apt to appear then choosing a random number from a finite set of 10100,000 elements. Does this make sense?
kano
Legendary
*
Offline Offline

Activity: 4620
Merit: 1851


Linux since 1997 RedHat 4


View Profile
August 11, 2013, 11:22:06 PM
 #89

Ive always thought computers could not generate random numbers.    I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didnt complain at the time
Nothing can generate a random number. Us included. Only pseudo-random.
So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of the decays before the other, what do you think accounts for that?
Ah, that's how Apple solved it?
Their phones have uranium in them Smiley

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
Xer0
Hero Member
*****
Offline Offline

Activity: 826
Merit: 1000


°^°


View Profile
August 11, 2013, 11:52:53 PM
 #90

explains the price...
ionstorm
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
August 12, 2013, 12:58:34 AM
 #91

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
Sukrim
Legendary
*
Offline Offline

Activity: 2618
Merit: 1007


View Profile
August 12, 2013, 01:05:01 AM
 #92

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
Most likely not, either someone wanted to give a present to you or something else happened. It is not very likely that you would get MORE funds through this issue! Wink

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
EagleTM
Newbie
*
Offline Offline

Activity: 46
Merit: 0


View Profile
August 12, 2013, 01:10:25 AM
 #93

Regarding Electrum:

We need to look into this further but as far as I'm aware Electrum relies on python's random implementation which is usually the operating system's PRNG. This would make running Electrum on Android vulnerable to the same vectors as described in this post for other wallets.

Even If you created the seed on another platfrom it may be possible to reveal the ECDSA private key of one of the addresses by spending (signing) multiple times from one address on Android. The seed itself should be safe.

The userbase of Electrum on Android (SL4A) is small because of the cumbersome setup. Still, if you are a user and want to be safe don't spend from Android until further news are available and secure funds from addresses which you have spent from in Android and still have funds on.
millsdmb
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


View Profile
August 12, 2013, 01:12:56 AM
 #94

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?
did you google the sending address?

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $10 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
EagleTM
Newbie
*
Offline Offline

Activity: 46
Merit: 0


View Profile
August 12, 2013, 01:15:21 AM
 #95

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?

Though unlikely I suppose if you (not so) "randomly" happened to create a collision on Android you may have gained .15 BTC of an other user and both of you could spend it. It may well be related but certainly a coincidence. Would be interesting if this is followed up...
justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1013



View Profile
August 12, 2013, 01:25:27 AM
 #96

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented.
And nobody says that you using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature Smiley
A better analogy would compare Bitcoin addresses to session keys.
ironfalcon
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
August 12, 2013, 01:55:03 AM
 #97

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

as a former Google employee I thank you for your vigilance!
millsdmb
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250


View Profile
August 12, 2013, 02:08:16 AM
 #98

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

as a former Google employee I thank you for your vigilance!
How many BTC you want for that crazy hat they give you?

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $10 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
grau
Hero Member
*****
Offline Offline

Activity: 836
Merit: 1030


bits of proof


View Profile WWW
August 12, 2013, 03:17:53 AM
 #99

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

The BOP android wallet to be released in conjunction with our payment solution uses BIP32.

The mobile uses the next even index of BIP32 as change and odd as next receiver addresses. The server implements a single pass scan using a BIP32 public key, that generates an increasing look ahead window from last seen address on the block chain.
tgeller
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile
August 12, 2013, 03:31:12 AM
 #100

What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt??? I assume they have the same vulnerability. Any plans to update those?
Pages: « 1 2 3 4 [5] 6 7 8 9 10 11 12 13 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!