Bitcoin Forum
Topic: [ANNOUNCE] Android key rotation (Read 66322 times), page 7 of 13

piotr_n (Legendary, aka tonikt), August 12, 2013, 10:41:59 AM, #121

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out
blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.


xenog (Jr. Member), August 12, 2013, 10:48:25 AM, #122

I emailed to a journalist from The Register how I discovered that the Android PRNG affected BitcoinJ applications in Android. Here's a copy of the email I sent to the journalist:

Quote
I discovered the flaw thanks to a small stash of stolen bitcoins.

It all started with a missed call from a friend at 00:30 on August 5, and a subsequent SMS telling me that he got 0.91 bitcoins stolen from his Android wallet. "Somebody hacked my Android phone" he would repeat. I did not believe this to be likely. He is the most security conscious person I know. Besides, he is a computer scientist and knows the Bitcoin protocol in and out. Android phones are known to be vulnerable, but it's very unlikely that a phone that only ran reputable apps from Google Play got hacked. I thought about Spock, who quoted Arthur Conan Doyle: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth". The impossible was that his phone got hacked. The truth then should be that somebody found his private key through cryptanalysis on the Bitcoin blockchain (the public ledger where all transactions are kept).

A lookup on the address that the funds were sent to revealed a forum post https://bitcointalk.org/index.php?topic=251743, so I put on my detective hat and read the post. I also published a message to it stating what had happened to my friend. The common factor seemed to be Android, and I immediately thought about the possibility of a flaw in its pseudo-random number generator (PRNG).

I investigated online and found this paper http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations#page=9, which I sent to Mike Hearn pointing him to page 9 in which the flaw in Apache Harmony's PRNG (the one used by Android) was described. I also pointed out to him that his BitcoinJ code was using that PRNG in the regular non-seeded way, which triggered the flaw.

I originally suggested that private key collisions may have been found and exploited. Later on the weekend a reply to the Bitcoin forum post by johoe clarified that the issue with the PRNG was leading to collisions in the random number parameter k that the elliptic curve signature algorithm needs in order to be secure, making it trivial to extract the private key from two transactions that used the same k.

gmaxwell (Staff, Legendary), August 12, 2013, 10:57:33 AM, #123

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?
I'm not sure that's entirely inaccurate; go look at the bitcoin-dev logs from January. IIRC, there was reason to suspect that some of the duplicate nonce signatures were coming from BitcoinJ and there was some speculation about broken java RNGs that went nowhere.

narayan (Member), August 12, 2013, 11:00:31 AM, #124

What do I do?? I have 20 BTC in Blockchain.info and now it doesn't even load

Did someone steal my coins??

Got error 157 'Unknown error code' from NDBCLUSTER


jubalix (Legendary), August 12, 2013, 11:02:04 AM, #125

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out
blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.

hmm deliberate


but surely bitcoind can do this as well. a program that compares sigs must be able to run through and auto check


TradeFortress (Bitcoin Veteran, VIP, Legendary), August 12, 2013, 11:04:01 AM, #126

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out
blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.

hmm deliberate


but surely bitcoind can do this as well. a program that compares sigs must be able to run through and auto check

You should have been emailed a copy of your wallet every time you made changes to it. Import it to Multibit with your passphrase.

theDF (Newbie), August 12, 2013, 11:17:21 AM, #127

What do I do?? I have 20 BTC in Blockchain.info and now it doesn't even load

Did someone steal my coins??

Got error 157 'Unknown error code' from NDBCLUSTER

Calm down, and check your wallet right now, because blockchain.info is already back to normal (so far).

Mike Hearn (OP, Legendary), August 12, 2013, 12:27:01 PM, #128

It's got nothing to do with bitcoinj. The issue is with SecureRandom itself. As far as I know all Bitcoin signing implementations on Android use this API.

becoin (Legendary), August 12, 2013, 12:33:22 PM, #129

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? :)

This post is over one month old, while this one over half a year...
Watchfulness my ass :)
As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java based app for Android is not truly open sourced! Period. Paragraph.

Predictious (Sr. Member), August 12, 2013, 01:16:02 PM, #130

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.
Well done guys! It would have been fair that Mike Hearn gave you credits.

molecular (Donator, Legendary), August 12, 2013, 01:33:34 PM, #131

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Thank you so much for your prudence!


westkybitcoins (Legendary), August 12, 2013, 01:37:24 PM, #132

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.
You're joking, aren't you? :)

This post is over one month old, while this one over half a year...
Watchfulness my ass :)
As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java based app for Android is not truly open sourced! Period. Paragraph.


Hmph.

I think if this were common knowledge it might raise a few eyebrows. I was under the impression it was open-source through and through.

*re-investigates cyanogenmod*


molecular (Donator, Legendary), August 12, 2013, 01:39:19 PM, #133

I just remembered: There was a "workshop" at CCC end of last year I attended. Transactions were shown in the blockchain with identical R in signatures. The source was supposedly traced to "bitcoincard" test transactions.

Now I'm not so sure it was the only source.


westkybitcoins (Legendary), August 12, 2013, 01:49:31 PM, #134

also, one should answer the question, if imported vanity addresses are a problem. i would say no, only the possible other addresses where some change might have gone.

Yes, they are.

This particular problem isn't about the private keys themselves (although I wouldn't trust private keys generated with a broken pseudo-random number generator anyway.) The problem is that securely signing a transaction requires using a unique random value each time. If you use the same private key in two different transactions/spends, and this includes vanity addresses, but the same random value is involved in the signing process both times, then your key is compromised.

It doesn't matter what the private key is. If you can't get decent random values to use for the signing, you're going to be exposed. It's a pretty disturbing oversight on the part of those who wrote the Android PRNG library.


phatsphere (Hero Member), August 12, 2013, 02:34:17 PM, #135

It's a pretty disturbing oversight on the part of those who wrote the Android PRNG library.

yes. that's what's baffling me, too. especially given the fact that an android device has many more sources of random information than a commodity pc. just think about gyroscope, magnetism, acceleration, ...

theDF (Newbie), August 12, 2013, 02:52:47 PM, #136

yes. that's what's baffling me, too. especially given the fact that an android device has many more sources of random information than a commodity pc. just think about gyroscope, magnetism, acceleration, ...

Oh yeah, why did the developers never think about it.. using sensors as a random generator, where it's almost impossible to generate the same pattern, brilliant!

piotr_n (Legendary, aka tonikt), August 12, 2013, 02:54:43 PM, #137

Oh yeah, why did the developers never think about it.. using sensors as a random generator, where it's almost impossible to generate the same pattern, brilliant!
Because this should be the duty of an OS: to take advantage of whatever entropy sources it has and provide the apps with an API for secure random numbers.
At least a modern OS - nobody expected it from MS-DOS back then :)


Mike Hearn (OP, Legendary), August 12, 2013, 03:32:41 PM, #138

I already updated the second post after my announcement to give some credit to Jean-Pierre, though I guess most of the credit goes to the researchers who uncovered the vulnerabilities in the first place. But still, it was very useful for Jean-Pierre to inform us privately.

The Android JVM is open source. It's called Dalvik. I don't know where anyone would get the idea it's not open source from.


HBBZ (Sr. Member), August 12, 2013, 03:54:31 PM, #139

This is a sign of a healthy community. Bravo!

phatsphere (Hero Member), August 12, 2013, 03:55:30 PM, #140

Oh yeah, why the developers never think about it..
well, "java" in general has the idea that you do not have to think about this. as a developer you assume that it works – which in reverse is a good way to shoot yourself in the foot. in that case, the implementation of java is the problem. i don't know any details about google's modifications to the underlying linux itself, but my guess is that its random number source is also a good one. it's more or less just this broken link between the low level and the higher levels which causes this.
if the android linux-os developers are as smart as i think, they're already using all available input sensors as sources for randomness.