Author Topic: Check out my awesome site for generating secure OfflineAddress.com  (Read 12124 times)
flatfly
January 05, 2014, 08:15:04 PM
 #21

FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).
barbierir
January 05, 2014, 08:25:03 PM
 #22

Thank you, it is a very useful tool. I also found the technical explanation very interesting.

Now I'm a little worried, I've put most of my little stash of bitcoins on some paperwallets generated offline with bitaddress (I downloaded it from github and used it offline on an Ubuntu live cd).
Is it advisable to retrieve these paperwallets, import the keys and make new ones with your method?

Also how does this random numbers thing apply to computer wallets? I mean Bitcoin-Qt, Multibit, Electrum, etc... I've never been asked to move my mouse in order to generate random seeds. Do they use a different method?

barbierir
January 05, 2014, 08:27:10 PM
 #23

FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).

ah good to know! I had just asked that question

mikewoods (OP)
January 05, 2014, 08:35:08 PM
 #24

FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).

That's a great thing, especially if they use smartphone sensors (unfortunately, on desktop clients there isn't much to collect besides mouse movements and keystrokes).

Regarding "industry-standard OpenSSL random number generator" - I'm a bit skeptical because it's known that some 'standards' have been forced by NSA and have a backdoor, for example:
https://en.wikipedia.org/wiki/Dual_EC_DRBG
http://www.researchgate.net/publication/250025759_Chapter_10_An_Elliptic_Curve_Asymmetric_Backdoor_in_OpenSSL_RSA_Key_Generation
, so it's hard to tell if there are more of those 'paid standards' that actually work against us.


Now I'm a little worried, I've put most of my little stash of bitcoins on some paperwallets generated offline with bitaddress (I downloaded it from github and used it offline on an Ubuntu live cd).
Is it advisable to retrieve these paperwallets, import the keys and make new ones with your method?

Also how does this random numbers thing apply to computer wallets? I mean Bitcoin-Qt, Multibit, Electrum, etc... I've never been asked to move my mouse in order to generate random seeds. Do they use a different method?

I personally don't use any wallets to generate my BTC addresses, I always generate secure addresses and import them.
However, if software you're using does use mouse movements, camera snapshots or other input sensors to provide randomness then you don't have to worry (if they have it, and it's well implemented, they'll probably brag about it).

minimalB
January 05, 2014, 10:09:37 PM
 #25

Very nice site!

It would be nice if we could also include keystrokes into randomness.

Is there an elegant way to print or export to PDF?
mikewoods (OP)
January 05, 2014, 11:44:48 PM
 #26

Very nice site!

It would be nice if we could also include keystrokes into randomness.

Is there an elegant way to print or export to PDF?


Thank you minimalB!

For now you could use the browser's printing mechanism to print or export to pdf, but I'm planning to improve the printing experience as soon as I get some time to do it (or if someone sends me a pull request on GitHub in the meantime  Grin).
Its About Sharing
January 06, 2014, 12:30:32 AM
 #27

Hey guys, with all due respect to Mike, he registered here yesterday.
His code needs to be thoroughly looked through by the community before you go using it.
Most of us are not coders and open source is nice, once you know it is safe.

And I just checked - Mike opened his GitHub account yesterday as well!
DO NOT USE this software until it is checked!!!

IAS

mikewoods (OP)
January 06, 2014, 12:54:26 AM
 #28

Hey guys, with all due respect to Mike, he registered here yesterday.
His code needs to be thoroughly looked through by the community before you go using it.
Most of us are not coders and open source is nice, once you know it is safe.

And I just checked - Mike opened his GitHub account yesterday as well!
DO NOT USE this software until it is checked!!!

IAS

Thank you Its_About_Sharing - your post is correct.

I did push the project to GitHub a few days ago (however it's 4 months old now), I didn't want to share any half-baked or untested product with others before I can call it version 1.0.
(If I were in other people's shoes I'd probably be skeptical at the beginning as well.)
You don't have to worry about math - it's working perfectly.
I didn't want to risk anyone's money with buggy software, so I finished it before sharing.

All the code is clean and as simple as possible (and not compressed for now, so that everyone can read it easily).
It's available here: https://github.com/mikewoods/OfflineAddress.com

I'm looking for all the help I can get to make this site even better.

Cheers!

empoweoqwj
January 06, 2014, 03:18:36 AM
 #29


wow - thanks for the generous explanation. I do the "mouse shaking" thing with my keyword manager, so I got that part of it. Just didn't realize how serious the issue could be.

So the wallet I use, electrum, is using a pseudo random number generator presumably to generate the keys. So the best way forward would be to use your tool to create new keys and import them into Electrum?

If the software doesn't use mouse movements at all to generate randomness then you are much safer by opening OfflineAddress.com, disconnecting, generating addresses and then importing them in whatever wallet program you prefer (or leave them unimported and keep as cold storage - so that private key never touches internet).

Also, there is another problem with programs that use mouse movements but do it incorrectly.
The usage of mouse movements is an art of its own and it's hard to implement it correctly:
 - It's easy to pick up the mouse position every x milliseconds, but if the user isn't moving his mouse in the meantime no useful random numbers can be extracted (mouse coordinates will just repeat).
 - The second problem is that some computers extract the mouse position faster than others, so some changes in mouse positions must be ignored so that the program doesn't pick up coordinates that are generated too fast and are probably closer to each other (less random).

That's why most programs don't actually show the coordinates they extracted.

And that's why OfflineAddress.com shows those dots flying over the screen - they are not there just for fun, they are real mouse position coordinates extracted to be used for generating truly random addresses.


Yeah I noticed the dots flying over the screen. Nice touch. Thanks for all the advice. Looks like I need to use your service Smiley
BTCLuke
January 06, 2014, 12:00:14 PM
 #30

It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?


Luke Parker
Bank Abolitionist
Its About Sharing
January 06, 2014, 12:42:23 PM
 #31

It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?



I was looking out for the community when I said what I said and I think Mike knows that.
Of course someone could write something in the Java to do what they want. A program does what you tell it. It doesn't have to send things back, it could create Private Keys that it is told to.

I'm not accusing him though (I'm saying to be careful and have someone look at the code), perhaps he is bringing up a VERY important issue regarding those initial seeds not having the required entropy for truly random private keys and that is worrisome.
That needs to be looked at.

But, so does the code here.

canton
January 06, 2014, 02:38:13 PM
 #32

cool new open-source site for generating safe and truly random offline Bitcoin addresses.

Hi mikewoods,

I quite like the visual display for your entropy gathering. From a psychological perspective, I think it makes it more likely that a user will do the work it takes to make good mouse movements.

I notice you're not taking advantage of window.crypto.getRandomValues(). Do you believe your random number generator is more secure? If so I'd like an explanation. It seems to me that mouse movement and such should either be a fallback or an enhancement to using window.crypto.getRandomValues. Not leveraging getRandomValues at all seems an oversight to me since it's supported by almost every browser now. (IE9 being the notable exception.)

Canton
bitpop
January 06, 2014, 04:55:31 PM
 #33

Yes, watch out for html5 offline storage too. I would use it on an unnetworked vm that is then destroyed.

It's just cold keys are perfect, you can steal them later and they have large amounts. Be careful people. This looks legit. I didn't see any http requests after load. But someone can clone this site, etc.

Even then, initial ecdsa can be compromised. Like the android hack.

I also don't believe bitaddress takes only one reading

devthedev
January 06, 2014, 06:16:17 PM
 #34

Wow, very nice site!

Great job.

mikewoods (OP)
January 06, 2014, 07:26:43 PM
Last edit: January 06, 2014, 07:49:27 PM by mikewoods
 #35

It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?

If Chrome makes problems, try Firefox, it should be doable. But anyways, I'll try to implement HTML5 offline version as soon as possible - which should solve this.

cool new open-source site for generating safe and truly random offline Bitcoin addresses.

Hi mikewoods,

I quite like the visual display for your entropy gathering. From a psychological perspective, I think it makes it more likely that a user will do the work it takes to make good mouse movements.

I notice you're not taking advantage of window.crypto.getRandomValues(). Do you believe your random number generator is more secure? If so I'd like an explanation. It seems to me that mouse movement and such should either be a fallback or an enhancement to using window.crypto.getRandomValues. Not leveraging getRandomValues at all seems an oversight to me since it's supported by almost every browser now. (IE9 being the notable exception.)

Canton

Thanks Canton, it was very fun to work on those dots  Grin
As far as window.crypto.getRandomValues() goes - there are a few problems:
1) not all browsers support it correctly (and I'm trying to support slightly older browsers (not really old ones) as well; for example, I've implemented address computation using both html5 workers, as well as doing it using the UI thread with delayed recursives).
2) It's still pseudorandom which makes it conceptually unacceptable because it has limited entropy.
3) (less important than 1) and 2) ) Browser could be compromised (and it's a very obvious thing to attack).

Mouse movements are used as the primary source of randomness and they have a lot higher entropy than any pseudorandom source. Still, to protect the user a bit more it's xor-ed over a pseudorandom sequence.

Anyways, I'd be happier if these kinds of very technical questions were discussed on GitHub, because they can be useful for people that decide to join later.

Yes, watch out for html5 offline storage too. I would use it on an unnetworked vm that is then destroyed.

It's just cold keys are perfect, you can steal them later and they have large amounts. Be careful people. This looks legit. I didn't see any http requests after load. But someone can clone this site, etc.

Even then, initial ecdsa can be compromised. Like the android hack.

I also don't believe bitaddress takes only one reading

Those are valid considerations for possible attacks - that's why my site doesn't store (and won't) a single cookie, doesn't include outside .js (no ads, and no analytics software), and that's also the reason why I'll have to support the site using only the donations.

Luckily the ecdsa cannot be compromised because the randomness source is from a human (bad randomness is what enabled the exploit on android).

Bitpop, I'd be very thankful if you open a discussion about possible attacks on GitHub, this information is very valuable.

Wow, very nice site!

Great job.

Thanks devthedev!

Patel
January 07, 2014, 02:59:19 AM
 #36

Has anyone audited this code yet?

Idk whether to trust it or not.
pointbiz
January 07, 2014, 04:12:58 AM
 #37

BitAddress uses only initial mouse position - which gives you about 20 bits that have fine entropy (and that mouse position is picked even if you don't move your mouse at all [not the case on my site]).

The issue of entropy for a pseudorandom number generator is serious and important. It's true that bitaddress will generate an address for you if you do not move the mouse at all. That feature was requested by users of my site and in hindsight text input from the keyboard should replace mouse movements on devices without a mouse. I am discussing the issue here with other coders, I welcome any comments:
https://github.com/pointbiz/bitaddress.org/issues/35

You can visualize the seed pool of bitaddress.org by using the following query string at the end of the url:
https://www.bitaddress.org/bitaddress.org-v2.7.2-SHA1-364542f1ccc5777c79aebb1692a6265cf3e42e7e.html?showseedpool=true

If you move the mouse then bitaddress takes more than 1 mouse position, here is where it's determined how many mouse movements it will look for:
https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html#L6638-L6669
https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html#L5952

I would like to add that in all versions of bitaddress.org the time as well as mouse movements have been used to gather entropy.

Versions >= 2.7 have extra entropy from browser fingerprinting added to the seed pool. Additionally window.crypto.getRandomValues is used to initialize the seed. window.crypto.getRandomValues is also used to XOR the results of the ArcFour PRNG.

With the newest version of bitaddress.org the lowest entropy without mouse movements should be about 64 bits (assuming your browser does not support window.crypto.getRandomValues). If you add mouse movements to that you should be ok depending on your adversary.

Other problems with BitAddress.org are:
- You are online while generating addresses - so you can't generate "offline" addresses, and also brings up the question if your browser or operating system is infected...

I don't follow your logic here ?!? How does your software allow someone to generate offline addresses but bitaddress does not ?
I've specifically packaged my software as an all-in-one HTML document that is hashed then signed by my PGP key. The hash is available on bitaddress.org and bitcointalk.org. The HTML can be downloaded from either bitaddress.org or github.com and verified that you received the document that I authored.

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
empoweoqwj
January 07, 2014, 05:25:22 AM
 #38

Has anyone audited this code yet?

Idk whether to trust it or not.

Who's going to pay for that? I think the responses Mike has given us are not those of a scammer, completely the opposite in fact ....

If you want to audit, please go ahead, I'm sure Mike would be delighted Smiley
mikewoods (OP)
January 07, 2014, 07:00:30 AM
 #39


...

Other problems with BitAddress.org are:
- You are online while generating addresses - so you can't generate "offline" addresses, and also brings up the question if your browser or operating system is infected...

I don't follow your logic here ?!? How does your software allow someone to generate offline addresses but bitaddress does not ?
I've specifically packaged my software as an all-in-one HTML document that is hashed then signed by my PGP key. The hash is available on bitaddress.org and bitcointalk.org. The HTML can be downloaded from either bitaddress.org or github.com and verified that you received the document that I authored.

Hi 1ninja, I'm very glad you commented on this thread.
Let me first say that my site owes a lot to your marvelous work! Thank you a lot, having your site to look at helped me with my work!

As for the text I've quoted:
My software is notifying user if he's online, so that he can get offline and generate addresses. Your site can be used offline as well, the only difference is that I'm warning people about that.
Also, I must say I'm a bit envious of that all-in-one packaging you've done by embedding all your media into the site. I'll try to do the same thing once code base growth slows down.

We both have a lot to learn from each other, and I'll be happy to listen to any advice you have.

If we ever meet, beers are on me.  Grin Cheers!
bitpop
January 07, 2014, 02:32:53 PM
 #40

Let's just be glad this isn't a straight up scam (or not yet)

Unlike this site a newbie is using http://flexcoin.com/
