Hawkix
August 12, 2013, 07:01:09 PM

Shouldn't the key rotation be performed only on private keys known to be influenced (generation, transaction signatures) by this random generator flaw? I do not want to run Blockchain on my Android to realize that it will re-send and merge (automatically... ugh) all my savings into another address!

apetersson
August 12, 2013, 07:11:32 PM (last edit: August 12, 2013, 07:45:52 PM by apetersson)

Another question I have in mind is Chrome, Firefox, Opera Mobile or the native Android web browser itself. Suppose I'm using one of those on my Android phone or tablet, and I'm using a web wallet like Blockchain or a bitaddress generator. Do these browsers also rely on this flaw in Java, or do they circumvent this via native C code? I think it depends on the browser...

Nobody knows. Auditing this piece of code is very complex. Just think about why some TLAs were boasting about "phenomenal breakthroughs" in cryptanalysis: http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

A few months ago most of this speculation was conspiracy theory. Now some of this is conspiracy fact. Seeing this kind of code audit failure/randomness failure makes me go shopping for tinfoil hats. On my back-of-the-spreadsheet envelope calculation I have estimated the "real" keyspace of SecureRandom to be very, very low. Definitely not 2^256.

Edit: I don't even dare to write the number down - if the calculation is right this is too scary. https://docs.google.com/spreadsheet/ccc?key=0Av2s7TgXTjFTdDNNZUlrb1ZPUG9EYmZGV0drZ1dWVlE#gid=0

This calculation is based on the fact that we have seen at least 1 collision of random values on Android phones. The last time I did statistics was 10 years ago, so please point out any errors. It also points out a discrepancy: if the entropy were that low, we would see a massive amount of duplicate addresses, which are absent. I suspect the private key space is large enough - but the entropy provided at signing is too low.

ThomasV
Legendary
Offline
Activity: 1896
Merit: 1353
August 12, 2013, 07:55:26 PM

From what we can gather, this issue seems to be a Java PRNG implementation issue. Electrum should be safe from this, because it does not use Java; it uses /dev/urandom directly. However, there might be other bugs in the Android platform, which is under overall scrutiny following this issue.

Electrum: the convenience of a web wallet, without the risks

Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
August 12, 2013, 07:56:37 PM

Fixed?

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core (onion)

CurbsideProphet
August 12, 2013, 08:13:36 PM

Quote from: Hawkix
Shouldn't the key rotation be performed only on private keys known to be influenced (generation, transaction signatures) by this random generator flaw? I do not want to run Blockchain on my Android to realize that it will re-send and merge (automatically... ugh) all my savings into another address!

This is why it's better to have your savings in an offline/paper wallet. Use Blockchain only for the bitcoins you're going to be using for near-term transactions.

1ProphetnvP8ju2SxxRvVvyzCtTXDgLPJV

dwolfman
August 12, 2013, 08:28:35 PM

Quote:
Could the OP be updated to include a list of apps that have been updated against this bug? I don't want to read through the whole 8 pages to find out which apps have and have not been updated, and I'm sure it'd be helpful to other people as well.

These are the current statuses, from http://bitcoin.org/en/alert/2013-08-11-android - they should be getting updated daily.

I'm wondering if this means they aren't updating Bitcoin Spinner? Got my phone set up the way I want it, and this means switching yet another app out. I don't have any bitcoins in it right now, and probably won't in the near future anyway. Haven't sent anything from it in months, so I'm not in too big a hurry to update it.

Wanna send coins my way? 1BY2rZduB9j8Exa4158QXPFJoJ2NWU1NGf or just scan the QR code in my avatar. :-)

Kiwi7
Newbie
Offline
Activity: 50
Merit: 0
August 12, 2013, 08:30:53 PM

Whoa whoa, I've just transferred all my BTC from an Android wallet to inputs.io.

apetersson
August 12, 2013, 08:38:54 PM

Quote from: dwolfman
I'm wondering if this means they aren't updating Bitcoin Spinner? Got my phone set up the way I want it, and this means switching yet another app out. I don't have any bitcoins in it right now, and probably won't in the near future anyway. Haven't sent anything from it in months, so I'm not in too big a hurry to update it.

According to Jan, an update to BitcoinSpinner was pushed to Google Play; it will appear soon.

Roy Badami
August 12, 2013, 08:56:57 PM

This post http://seclists.org/oss-sec/2013/q3/358 mentions deterministic ECDSA signatures and references RFC 6979. Is there any reason why Bitcoin clients shouldn't use this construction, other than perhaps the possible newness of this exact instantiation?

Roy

Mike Hearn (OP)
Legendary
Offline
Activity: 1526
Merit: 1134
August 12, 2013, 10:58:18 PM

That RFC was published only a few days ago. To call it "new" would be an understatement.

IMO it doesn't make much difference. We could implement it, but it would not have avoided the need to do a key rotation.

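For readers who want to see what the RFC 6979 construction Roy asks about actually does, here is an added example (my own code, not from this thread, from any of the wallets discussed, or from the RFC's authors): the section 3.2 nonce derivation with HMAC-SHA256 over secp256k1, wired into a minimal textbook ECDSA sign/verify. The point relevant to this bug is visible in the code path: the only inputs to the nonce are the private key and the message hash, so no random number generator is consulted at signing time, the same key and message always give the same k (and the same signature), and different messages give different k. The curve constants are secp256k1's; the function names, the non-constant-time point arithmetic and the constructed key and messages in demo() are my own assumptions.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses); QLEN is the bit length of N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
QLEN = 256

def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: the leftmost QLEN bits of a bit string, as an integer."""
    v = int.from_bytes(b, "big")
    extra = len(b) * 8 - QLEN
    return v >> extra if extra > 0 else v

def int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding (32 bytes for secp256k1)."""
    return x.to_bytes(32, "big")

def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: reduce mod N (one subtraction suffices since 2^256 < 2N), then encode."""
    z1 = bits2int(b)
    return int2octets(z1 if z1 < N else z1 - N)

def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic k per RFC 6979 section 3.2 with HMAC-SHA256.
    Only the private key and the message hash go in; no RNG is involved."""
    mac = lambda key, data: hmac.new(key, data, hashlib.sha256).digest()
    seed = int2octets(priv) + bits2octets(msg_hash)
    V = b"\x01" * 32                      # step b
    K = b"\x00" * 32                      # step c
    K = mac(K, V + b"\x00" + seed)        # step d
    V = mac(K, V)                         # step e
    K = mac(K, V + b"\x01" + seed)        # step f
    V = mac(K, V)                         # step g
    while True:                           # step h: generate until k is in [1, N-1]
        T = b""
        while len(T) < 32:
            V = mac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            return k
        K = mac(K, V + b"\x00")           # candidate out of range: re-key and retry
        V = mac(K, V)

def _add(p1, q1):
    """Affine point addition on secp256k1 (a = 0); None is the point at infinity."""
    if p1 is None:
        return q1
    if q1 is None:
        return p1
    x1, y1 = p1
    x2, y2 = q1
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == q1:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k: int, point):
    """Double-and-add scalar multiplication (textbook, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def sign(priv: int, msg_hash: bytes):
    """ECDSA (r, s) using the RFC 6979 nonce in place of a random one."""
    z = bits2int(msg_hash)
    k = rfc6979_nonce(priv, msg_hash)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s

def verify(pub, msg_hash: bytes, sig) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(bits2int(msg_hash) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def demo():
    """Constructed inputs: a key derived from a fixed string and two message hashes."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    h1 = hashlib.sha256(b"constructed message one").digest()
    h2 = hashlib.sha256(b"constructed message two").digest()
    sig_a, sig_b = sign(priv, h1), sign(priv, h1)
    return (sig_a == sig_b,                                      # same key+message: identical signature
            verify(_mul(priv, G), h1, sig_a),                    # and it verifies
            rfc6979_nonce(priv, h1) != rfc6979_nonce(priv, h2))  # different message: different k
```

Running demo() returns (True, True, True). Note what this does and does not buy, which is Mike's point: deterministic k removes the dependency on the platform RNG at signing time, so a broken SecureRandom can no longer produce a repeated nonce across two signatures. It does nothing for private keys that were themselves generated from that RNG, which is why a key rotation was still required.
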
millsdmb
August 12, 2013, 11:35:42 PM

Just got the new wallet app pushed out to my phone, so everyone should have it available by now if you include the links posted a few replies up.

frankenmint
Legendary
Offline
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
August 13, 2013, 12:40:37 AM

What do I do if my wallet address is locked onto another site and I've updated my wallet already? Will it go to the old address then be transferred internally into the new one?

blockgenesis
Sr. Member
Offline
Activity: 285
Merit: 250
Bitcoin.org maintainer
August 13, 2013, 01:40:27 AM

Quote from: dwolfman
I'm wondering if this means they aren't updating Bitcoin Spinner? Got my phone set up the way I want it, and this means switching yet another app out. I don't have any bitcoins in it right now, and probably won't in the near future anyway. Haven't sent anything from it in months, so I'm not in too big a hurry to update it.

Quote from: apetersson
According to Jan, an update to BitcoinSpinner was pushed to Google Play; it will appear soon.

It seems that the update for BitcoinSpinner is pushed to Google Play now, according to the version history. I've emailed Jan to ask him to provide a short instruction text to be published on bitcoin.org.

Donation: 18XXXQs1vAQGBAZbXKA322r9Zy1nZac2H4

frankenmint
Legendary
Offline
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
August 13, 2013, 03:08:50 AM

By the way, my import/export keys menu options are greyed out. What do I do? How can I get my BTC?

rampantparanoia
August 13, 2013, 03:17:50 AM

Quote from: frankenmint
What do I do if my wallet address is locked onto another site and I've updated my wallet already? Will it go to the old address then be transferred internally into the new one?

No, you need to change the address on the other site. The Bitcoin protocol does not link addresses like this.

Thanks for the announcement & making the community aware. Extra thanks to the person who found this flaw.

Mike Hearn (OP)
Legendary
Offline
Activity: 1526
Merit: 1134
August 13, 2013, 07:21:46 AM

Actually, he is right. Coins received to old insecure addresses will be automatically resent to the new address when it confirms.

Paladin69
August 13, 2013, 10:21:07 AM

The blockchain.info wallet doesn't work if you have a secondary password so long that it needs to be pasted in. Holding your finger on it to paste flashes the field box away.

Hawkix
August 13, 2013, 10:33:20 AM

Has anyone already tested the blockchain.info Android wallet with "automatic key rotation"? Is it possible for the user to skip that step?

Kiwi7
Newbie
Offline
Activity: 50
Merit: 0
August 13, 2013, 10:49:26 AM

Quote from: frankenmint
By the way, my import/export keys menu options are greyed out. What do I do? How can I get my BTC?

Transfer all your BTC to an online Bitcoin wallet, like Inputs.io or Blockchain.info.

casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 13, 2013, 12:25:54 PM

When I made my key generator for Casascius Coins, I started with the assumption that the secure random number generator could not fully be trusted. I did it on Windows, not Android, so it's not at risk, but the paranoid idea I tried would have completely eliminated this problem had it been done in these wallets.

Instead of accepting the output of secure random as truly securely random, I just considered it a "good source of entropy" and XOR'd its output with another lukewarm but "extra" source of entropy: a hash of a string that gets the current time appended to it whenever the user does something (moves mouse, presses a button, etc.). Also included in the hash is a counter that increments each time entropy is read, so it can never be the same twice. (When the string grows too big, it is replaced by a hash of itself.)

For my actual coin generation process, I ask the user (myself) for a third string of input: something that will also be included in the hash. Each time, I mash the keyboard for a line or two of text, e.g. weiajeflkjf;iefw;fiowjR[2348RU20389U0R9EWAEO;FIJSDF;KJVNXVDFJKG;lkdjfgosidfjaiwe --- and never record the string.

None of these methods would be "great" by themselves, but by XORing the output of all of them together, I feel well hedged against the possibility of crappy RNGs.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

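The hedging scheme described in the post above, written out as an added example (my own code, not the Casascius generator's and not any wallet's): the primary CSPRNG output is XORed with SHA-256 over an event log of timestamped user actions, a per-read counter and an optional operator-typed string. The CSPRNG and clock are injectable so the failure this thread is about, a generator that hands back the same bytes twice, can be simulated with a constructed stuck generator. Class and function names, the log size limit and the fixed clock value are my own assumptions.

```python
import hashlib
import os
import time


class HedgedEntropy:
    """Combine a primary CSPRNG with a second, independent entropy source.

    read() returns  csprng(32) XOR SHA256(event_log || counter || extra),
    where the event log collects timestamped user actions and the counter
    grows on every read, so the secondary input is never the same twice."""

    MAX_LOG = 4096  # assumed limit; beyond it the log is replaced by its own hash

    def __init__(self, csprng=os.urandom, clock=time.time_ns):
        self._csprng = csprng   # injectable so a broken generator can be simulated
        self._clock = clock
        self._log = b""
        self._counter = 0

    def add_event(self, label: str) -> None:
        """Record a user action (mouse move, button press, ...) with the current time."""
        self._log += f"{label}:{self._clock()}|".encode()
        if len(self._log) > self.MAX_LOG:
            self._log = hashlib.sha256(self._log).digest()

    def read(self, extra: bytes = b"") -> bytes:
        """32 bytes of hedged randomness; 'extra' is the optional operator-typed string."""
        self._counter += 1
        primary = self._csprng(32)
        h = hashlib.sha256()
        h.update(self._log)
        h.update(self._counter.to_bytes(8, "big"))
        h.update(extra)
        secondary = h.digest()
        return bytes(a ^ b for a, b in zip(primary, secondary))


def stuck_generator(n: int) -> bytes:
    """Constructed stand-in for a broken CSPRNG that returns the same bytes on every call."""
    return b"\x42" * n


def demo_stuck_source():
    """Show the hedge keeps outputs distinct even when the primary source repeats itself."""
    raw_a, raw_b = stuck_generator(32), stuck_generator(32)
    # fixed clock value is constructed, so the event log is identical across runs
    pool = HedgedEntropy(csprng=stuck_generator, clock=lambda: 1376337609000000000)
    pool.add_event("button")
    hedged_a = pool.read(b"constructed keyboard mash")
    hedged_b = pool.read(b"constructed keyboard mash")
    return raw_a == raw_b, hedged_a != hedged_b, len(hedged_a)


def demo_live_source():
    """Same pool over the real os.urandom: two reads still differ."""
    pool = HedgedEntropy()
    pool.add_event("mouse")
    return pool.read() != pool.read()
```

demo_stuck_source() returns (True, True, 32): the stuck generator alone yields the same 32 bytes on both calls, while the hedged reads differ because the counter changes the secondary hash. The design caveat is the one the post itself makes: XOR of independent inputs is no weaker than the strongest of them, but the counter only guarantees that outputs never repeat, not that they are unpredictable. If the primary generator is predictable, the security of the result rests entirely on how much of the event timings and the typed string an attacker cannot know.
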