During my unrelated efforts to port the blockstack wallet recovery source code to Python 3 (which uses what feels like a dozen abandoned dependencies), I found inside the Wallet class of bitmerchant, a PyPI package (github repo), the following method:
```python
def crack_private_key(self, child_private_key):
    """Crack the parent private key given a child private key.

    BIP32 has a vulnerability/feature that allows you to recover the
    master private key if you're given a master public key and any of its
    publicly-derived child private keys. This is a pretty serious security
    vulnerability that looks as innocuous as this:

    >>> w = Wallet.new_random_wallet()
    >>> child = w.get_child(0, is_prime=False)
    >>> w_pub = w.public_copy()
    >>> assert w_pub.private_key is None
    >>> master_public_key = w_pub.serialize_b58(private=False)
    >>> # Now you put master_public_key on your website
    >>> # and give somebody a private key
    >>> public_master = Wallet.deserialize(master_public_key)
    >>> cracked_private_master = public_master.crack_private_key(child)
    >>> assert w == cracked_private_master  # :(

    Implementation details from http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/ # nopep8
    """
```
If I go to the Bitcoin Magazine link, it states how, if you know a child private key and the master public key, you can derive its master private key. To me this sounds like a very serious bug that's apparently unfixable. Given how old it is (the fact that it's from 2013 is damning) and the severity of this, have there been any efforts to deprecate BIP32 and introduce another key derivation BIP that doesn't have this flaw?
Perhaps more importantly, given that BIP44 and friends use at least one hardened child key, are hardened keys resistant to this?