millsdmb
August 12, 2013, 03:36:28 AM
What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt??? I assume they have the same vulnerability. Any plans to update those?
no BTC no care. don't they call Feather Coin "Fork that Coin"??
tgeller
Newbie
August 12, 2013, 03:53:59 AM
@millsdmb, that's not helpful. Your opinion about Litecoin is less important than helping prevent theft, and I hope others in this forum will have useful information for the community at large.
giszmo
Legendary
WalletScrutiny.com
August 12, 2013, 05:04:44 AM
> @millsdmb, that's not helpful. Your opinion about Litecoin is less important than helping prevent theft, and I hope others in this forum will have useful information for the community at large.

Not all consider all alt coins part of the community, and while I consider most alt coins blatant scams and therefore would not bother helping them not lose their premined coins or whatever, I wouldn't consider the bitcoin community at large responsible for those rare alt coins that are not scams.
WalletScrutiny.com | Is your wallet secure? (Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
BitPirate
Full Member
RMBTB.com: The secure BTC:CNY exchange. 0% fee!
August 12, 2013, 05:12:29 AM Last edit: August 12, 2013, 07:52:59 AM by BitPirate
How are the patches working around the problem?
Are they using a different source of entropy, or are they checking that the two R-values don't collide?
In my mind, best practice would be to do both.
I see a lot of cases in code where people need multiple random and unique values, (e.g. UUIDs)... where the only two requirements are that they are indeterminate and unique... but because the domain of random outcomes is so huge they rely on the vanishingly small probability of collision, and don't bother to check uniqueness.
But as we have found, that "vanishingly small probability" isn't so small if the PRNG is broken. A simple collision check isn't a waste of CPU cycles -- it guards against this kind of system problem.
As such, can all Bitcoin clients, Android or otherwise, be updated to check that the two R-values are unique?
On a different note, I don't see much discussion about the broken Android PRNG, does anyone have a link to the bug reports? This must have some pretty far-reaching consequences outside Bitcoinland too...?
westkybitcoins
Legendary
Firstbits: Compromised. Thanks, Android!
August 12, 2013, 05:28:23 AM
> I randomly received .15 btc yesterday to one of my android generated addresses. Why would I randomly get free money? This never happened to me before, is this related to the flaw?

Potentially different (worrisome) issue. https://bitcointalk.org/index.php?topic=269231.0

There is the chance that spending that "free money" could result in the private key of that address being exposed.
Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
In the future, books that summarize the history of money will have a line that says, "and then came bitcoin." It is the economic singularity. And we are living in it now. - Ryan Dickherber
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
emibe
Newbie
August 12, 2013, 05:39:48 AM
Thanks for the update.
molecular
Donator
Legendary
August 12, 2013, 06:24:01 AM
> But that has nothing to do with deterministic wallets. Non deterministic wallets do not require address re-use. The reason that clients reuse addresses is because random key wallets are unsuitable for general use. Requiring users to update their backups after every n transactions results in permanently lost funds. The solution is to implement BIP32.

Correct me if I'm wrong... type 2 deterministic wallets pose a danger in themselves: if one key gets compromised, all of them are. It's possible a user exported a single key from his electrum wallet and used it in mycelium (for example). It could get compromised by the bad RNG in android and compromise all keys of the wallet. I'm all for using deterministic wallets and use them myself. I just don't ever export private keys from them.
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
molecular
Donator
Legendary
August 12, 2013, 06:34:17 AM
> I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didn't complain at the time

> Nothing can generate a random number. Us included. Only pseudo-random.

> So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of them decays before the other, what do you think accounts for that?

God ;-). He makes decisions based on discussion with the other gods. It's not random, but based on divine rationality. Just believe me, I talk to the spaghetti monster every day and it never utters random nonsense.

side-note: Oh hey cool. Here's another reason to found the "church of random".
justusranvier
Legendary
August 12, 2013, 06:38:46 AM
> It's possible a user exported a single key from his electrum wallet and used it in mycelium (for example). It could get compromised by the bad RNG in android and compromise all keys of the wallet.

Does Electrum have "watching only" copies of deterministic wallets like Armory does? The attacker would need access to that in order to compromise the entire wallet instead of just the single private key that was exported and then used on a vulnerable client.

> I just don't ever export private keys from them.

Private keys are called "private" for a reason, the belief of some people that it's a good idea to share them notwithstanding...
Snail2
Legendary
August 12, 2013, 07:44:18 AM
Thanks for the update.
phatsphere
August 12, 2013, 08:02:28 AM
This thread should be closed, and only updated with news regarding the actual problem. We don't need yet another fee discussion.
Also, one should answer the question of whether imported vanity addresses are a problem. I would say no, only the possible other addresses where some change might have gone.
molecular
Donator
Legendary
August 12, 2013, 08:10:57 AM
you can look at some signatures and check the random numbers. If they're equal, RNG is flawed. If not there is a chance it's not flawed. One could also look at the implementation. Not sure which random generator electrum uses. It's written in python, chances are it falls back to OS-specific native implementation. I'm pretty sure the mobile version doesn't use the android java implementation.
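BitPirate's proposed collision check (refuse to emit a signature whose R value has been used before) and molecular's test (look at published signatures and see whether the random numbers repeat) worked through as an added example. This is not code from the thread, from bitcoinj or from any wallet discussed here. It implements textbook secp256k1 ECDSA inline so that genuine r values come out, a signer wrapper that remembers every r it has emitted and refuses a repeat, and an offline scan that flags any public key with two different messages signed under one r. STUCK_K, the demo private key and the messages are constructed stand-ins for the broken Android PRNG and a victim wallet.

```python
import hashlib

# secp256k1 domain parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed stand-in for a broken PRNG: every call hands back the same k.
STUCK_K = 12345678901234567890

def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def msg_hash(msg):
    """SHA-256 digest reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(priv, z, nonce_source):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 * (z + r*priv) mod n."""
    k = nonce_source()
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def verify(pub, z, sig):
    """Standard ECDSA verification, included to show the arithmetic is sound."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class GuardedSigner:
    """Signer that remembers every r it has emitted for its key and refuses to
    reuse one: a retry may rescue an occasionally-stuck RNG, a fully stuck one
    gets no signature at all. A real wallet must persist seen_r across runs."""

    def __init__(self, priv, nonce_source, max_tries=3):
        self.priv, self.nonce_source, self.max_tries = priv, nonce_source, max_tries
        self.pub = ec_mul(priv, G)
        self.seen_r = set()

    def sign(self, z):
        for _ in range(self.max_tries):
            r, s = sign(self.priv, z, self.nonce_source)
            if r not in self.seen_r:
                self.seen_r.add(r)
                return r, s
        raise RuntimeError("nonce collision: refusing to sign, check the RNG")

def find_nonce_reuse(signatures):
    """Offline scan over (pub, r, s, z) tuples: return {pub: [r, ...]} for
    every key that signed two different messages under the same r."""
    by_key = {}
    for pub, r, _s, z in signatures:
        by_key.setdefault(pub, {}).setdefault(r, set()).add(z)
    return {pub: [r for r, zs in rs.items() if len(zs) > 1]
            for pub, rs in by_key.items() if any(len(zs) > 1 for zs in rs.values())}

def demo():
    """Stuck RNG: the unguarded signer repeats r and the scan flags the key;
    the guarded signer fed the same RNG refuses the second signature."""
    priv = msg_hash(b"constructed demo private key")
    pub = ec_mul(priv, G)
    zs = [msg_hash(m) for m in (b"tx one", b"tx two")]
    sigs = [(pub,) + sign(priv, z, lambda: STUCK_K) + (z,) for z in zs]
    guarded = GuardedSigner(priv, lambda: STUCK_K)
    guarded.sign(zs[0])
    try:
        guarded.sign(zs[1])
        refused = False
    except RuntimeError:
        refused = True
    return find_nonce_reuse(sigs), refused
```

The guard only catches a collision against this signer's own history, so it is a backstop rather than a cure: it cannot tell that the "fresh" k it accepted is predictable, which is why BitPirate's point that both a sound entropy source and the uniqueness check are needed stands. The scan is the defender's view of the same property and only needs public data, so it can be run over a wallet's own transaction history to find keys that must be retired.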
grau
August 12, 2013, 08:24:17 AM
The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.
The BOP android wallet to be released in conjunction with our payment solution uses BIP32. The mobile uses the next even index of BIP32 as change and odd as next receiver addresses. The server implements a single pass scan using a BIP32 public key, that generates an increasing look ahead window from last seen address on the block chain. I was asked in a PM if that increases the load on the server with every new transaction. Yes it does, but we have a strategy to reset the effort. Knowing current master key birth time point limits scan as we only have to scan blocks thereafter. Now, the BOP wallet does not directly use the root BIP32 master, but a current master child of that and rolls to a new master child at user's request thereby resetting birth and scan effort. I consider making these rolls mandatory after a threshold use.
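The "key window" grau describes, where coins sent to an index beyond the look-ahead window do not show up, and the growing single-pass scan from the last seen address, as an added example. This is not BOP, bitcoinj or any other project's code. derive_address is an HMAC stand-in for BIP32 public child derivation (it only mimics the property that a server holding public data can derive every address), and ACCOUNT_PUB and the chain contents are constructed.

```python
import hashlib
import hmac

ACCOUNT_PUB = b"constructed account public key"   # stand-in for a BIP32 public master


def derive_address(account_pub, index):
    """Stand-in for BIP32 public child derivation: HMAC-SHA256 keyed on the
    account public key, so addresses are derivable from public data alone."""
    tag = hmac.new(account_pub, index.to_bytes(4, "big"), hashlib.sha256).digest()
    return "addr_" + tag[:8].hex()


def scan_chain(account_pub, chain_outputs, lookahead):
    """Single-pass scan with a growing window.

    The window always reaches `lookahead` indices past the highest index seen
    with funds on the chain and the scan stops when that many consecutive keys
    are unused. Returns (balance_found, highest_used_index, keys_checked).
    """
    balance, last_used, index = 0, -1, 0
    while index <= last_used + lookahead:
        amount = chain_outputs.get(derive_address(account_pub, index), 0)
        if amount:
            balance += amount
            last_used = index          # funds here: extend the window
        index += 1
    return balance, last_used, index


def demo(lookahead):
    """Constructed chain state: payments (in satoshi) to indices 2, 4 and 20.
    Returns (found, highest_used, keys_checked, missed)."""
    chain_outputs = {
        derive_address(ACCOUNT_PUB, 2): 100_000,
        derive_address(ACCOUNT_PUB, 4): 250_000,
        derive_address(ACCOUNT_PUB, 20): 1_000_000,
    }
    found, last_used, checked = scan_chain(ACCOUNT_PUB, chain_outputs, lookahead)
    return found, last_used, checked, sum(chain_outputs.values()) - found


if __name__ == "__main__":
    print("lookahead 5:", demo(5))     # the payment at index 20 lies past the window
    print("lookahead 20:", demo(20))   # the window reaches index 24 after index 4
```

With a window of 5 the scan stops after index 9, so the payment at index 20 is real money the wallet never displays; with a window of 20 the window already covers index 20 and the payment pulls the window out to 40. The window size is exactly the memory/coverage trade-off grau mentions, and since his even/odd layout keeps change and receive keys on one index sequence, one such scan covers both.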
xenog
Jr. Member
August 12, 2013, 10:04:56 AM
I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.
solex
Legendary
100 satoshis -> ISO code
August 12, 2013, 10:06:25 AM
> I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done! The Daily Telegraph is claiming it was known about since January. Is this media disinformation? The source: http://nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
piotr_n
Legendary
aka tonikt
August 12, 2013, 10:08:33 AM
> > I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.
>
> Well done! The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

Depends how you define "it". http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go. PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
willphase
August 12, 2013, 10:37:33 AM
It's always been known that ECDSA with same random number allows private key discovery. It's been known since earlier this year that some hardware wallets were not using decent random numbers, but as far as I know it's only very recently that it was found that Android PRNG also suffered from this issue. Will
piotr_n
Legendary
aka tonikt
August 12, 2013, 10:39:41 AM
jubalix
Legendary
August 12, 2013, 10:40:58 AM
Got error 157 'Unknown error code' from NDBCLUSTER
when trying to check sigs on blockchain.info.....
is this deliberate!!!!
while this is sorted out