Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 06, 2013, 09:26:31 AM
> Could a Trojan on the phone not steal the private key and send it somewhere?
If you use two devices (online/offline) you are still subject to a trojan. However, the trojan can only hide in what is on the device. This is why you nuke it, install cyanogenmod, and install a single app.
Mycelium let's you hold your private keys private.
Rassah
Legendary
Offline
Activity: 1680
Merit: 1035
August 06, 2013, 02:55:12 PM
I've been waiting for this thing since the San Jose Bitcoin Conference, but didn't know it was under a new name. Jan demoed it to us while there, and I really really liked the features, so I'm glad I found it (Jan PM'ed me) and can finally use it. This thing is definitely Rassah-approved
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
August 11, 2013, 05:58:12 PM
I guess both spinner and mycelium are affected by this vulnerability in android random source? http://bitcoin.org/en/alert/2013-08-11-android
I hope I can expect an update also for the old bitcoinspinner (still haven't migrated to mycelium (still beta, right?))
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 06:13:44 PM
A security vulnerability has been discovered that affects key generation on all Android wallets: Blockchain.info, Android Bitcoin Wallet, BitcoinSpinner, and Mycelium Bitcoin Wallet. Please read this thread for details: https://bitcointalk.org/index.php?topic=271831.0
We are working hard to send out a new build which allows you to:
1. Generate new keys for vulnerable keys
2. Send all funds to the newly generated key
3. Archive the vulnerable key in such a way that you can still access it.
We have been working on this since Friday and will get a new version out as soon as possible while doing everything we can to ensure stability.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 06:20:39 PM
> I guess both spinner and mycelium are affected by this vulnerability in android random source? http://bitcoin.org/en/alert/2013-08-11-android
> I hope I can expect an update also for the old bitcoinspinner (still haven't migrated to mycelium (still beta, right?))
Since BitcoinSpinner cannot handle more than one key at a time, the upgrade path for BitcoinSpinner is either:
1. Send funds elsewhere
2. Uninstall
3. Install new BitcoinSpinner version (once it gets published)
or
1. Install Mycelium wallet
2. Send funds to it.
3. Uninstall BitcoinSpinner
Andreas and I were about to add the final touches to declare Mycelium as a 1.0 when this turned up last Friday. There are over 800 Mycelium wallet users, and it has been thoroughly battle tested over the summer. It is my impression that the Mycelium wallet is as safe to use as BitcoinSpinner, which also happens to be in beta.
Rassah
Legendary
Offline
Activity: 1680
Merit: 1035
August 11, 2013, 06:55:58 PM
I think Mycelium is already functional enough to avoid this issue: Go to https://www.bitaddress.org, generate a key, print a backup, scan it into mycelium, and stash the backup safe somewhere. Of course any fixes will also help a lot. Thanks guys!
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 07:10:32 PM
> I think Mycelium is already functional enough to avoid this issue: Go to https://www.bitaddress.org, generate a key, print a backup, scan it into mycelium, and stash the backup safe somewhere. Of course any fixes will also help a lot. Thanks guys!
Rassah is right. However, there will shortly be a new version out that generates safe keys. Stay tuned...
elebit
August 11, 2013, 07:22:46 PM
> I think Mycelium is already functional enough to avoid this issue: Go to https://www.bitaddress.org, generate a key, print a backup, scan it into mycelium, and stash the backup safe somewhere. Of course any fixes will also help a lot. Thanks guys!
I understand that the affected wallets generate transactions that might leak key information. So even if you generated your key in a secure way, as soon as you generated one transaction with one of the affected clients *bam!* anyone could steal all your funds. That would make your advice dangerous and misleading. The only way to be sure is to transfer all your funds to a fixed version (or to bitcoin-qt, or to a paper wallet...).
apetersson
August 11, 2013, 07:26:12 PM
If you are using Mycelium Wallet, a fix has been published to the play store (still pending review) and to mycelium.com. If you download it from mycelium.com, you can check the sha1sum:
dba000cad4cbf94a7b4c621f57482322c0a96678 mbw-v0.6.5.apk
There will be a wizard guiding you through the process in an upcoming version, but for now, you can simply download version 0.6.5 (or greater) and move the keys to newly generated addresses.
- generate a new key
- backup this key (to sdcard or similar)
- manually send funds to the new secure address.
- move your empty old key to the Archive category
Please take care. The most likely chance of lost bitcoins is the loss of private keys. Don't use our wallet without a backup of the keys.
Rassah
Legendary
Offline
Activity: 1680
Merit: 1035
August 11, 2013, 08:36:04 PM (Last edit: August 11, 2013, 08:47:48 PM by Rassah)
> I understand that the affected wallets generate transactions that might leak key information.
> So even if you generated your key in a secure way, as soon as you generated one transaction with one of the affected clients *bam!* anyone could steal all your funds.
That's a pretty serious issue, which I thought was only a concern with quantum computing. Or is this still the extension of the bad random generator issue, in which case using something like bitaddress.org solves it. Do you have any more info about that?
EDIT: Found it https://bitcointalk.org/index.php?topic=271486.0 Quite disturbing.
elebit
August 11, 2013, 08:49:20 PM
> That's a pretty serious issue, which I thought was only a concern with quantum computing. Or is this still the extension of the bad random generator issue, in which case using something like bitaddress.org solves it. Do you have any more info about that?
That's how the issue was described in the first place. ECDSA requires a (cryptographically secure) random number in order to create signatures. If you re-use these nonces one can trivially deduce the secret key. Apparently the blockchain contains a bunch of signatures which are broken in exactly this way and people started reporting lost funds. This bit about how keys generated on Android should be considered insecure was added to the final advisory. Presumably both problems stem from the same underlying randomness problem, but no one's telling exactly what's happened here. Over time it will be more clear exactly who are affected by this, but you might not want to wait for that.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 08:52:54 PM
> I understand that the affected wallets generate transactions that might leak key information.
> So even if you generated your key in a secure way, as soon as you generated one transaction with one of the affected clients *bam!* anyone could steal all your funds.
> That's a pretty serious issue, which I thought was only a concern with quantum computing. Or is this still the extension of the bad random generator issue, in which case using something like bitaddress.org solves it. Do you have any more info about that?
The thing is that whenever you make a signature, a random component is part of the signature calculation. If you generate two signatures with the same key and random component (the stuff you sign is obviously different), then you reveal enough information for an attacker to calculate the key. So, there is apparently a non-trivial probability that signatures generated by Android apps have used the same random component for the same key.
EDIT: elebit beat me to it ;-)
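The failure elebit and Jan describe in the two posts above (one key signing two different messages with the same nonce k, which shows up on chain as the same r value) is exactly what a defender scans signatures for. The following is an added example, not code from this thread or from Mycelium: a minimal parser for Bitcoin's DER-encoded ECDSA signatures plus a scan over constructed sample records that flags a key whose r repeats across distinct message hashes. The key labels, r/s values and hashes are placeholders, not real data.

```python
from collections import defaultdict

def parse_der_sig(der):
    # DER: 0x30 len { 0x02 len r, 0x02 len s }; Bitcoin appends a SIGHASH byte
    # after the SEQUENCE, so bytes past the declared length are ignored.
    if len(der) < 8 or der[0] != 0x30 or len(der) < 2 + der[1]:
        raise ValueError("not a well-formed DER SEQUENCE")
    body, pos, values = der[2:2 + der[1]], 0, []
    for _ in range(2):
        if pos + 2 > len(body) or body[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = body[pos + 1]
        values.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(body):
        raise ValueError("INTEGER lengths do not match SEQUENCE length")
    return values[0], values[1]

def der_encode_sig(r, s):
    # Inverse of parse_der_sig; used here only to build the sample inputs.
    def enc_int(x):
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:                   # leading zero keeps the INTEGER positive
            b = b"\x00" + b
        return b"\x02" + bytes([len(b)]) + b
    body = enc_int(r) + enc_int(s)
    return b"\x30" + bytes([len(body)]) + body

def find_nonce_reuse(records):
    # records: (pubkey_label, der_signature, msg_hash). A key that signed two
    # different hashes with the same r reused its nonce k and is flagged.
    seen = defaultdict(set)               # (pubkey, r) -> {msg_hash, ...}
    flagged = set()
    for pub, der, z in records:
        r = parse_der_sig(der)[0]
        hashes = seen[(pub, r)]
        if hashes and z not in hashes:    # same r, different message: leak
            flagged.add((pub, r))
        hashes.add(z)
    return sorted(flagged)

# Constructed sample: placeholder key labels and small values, not real data.
SAMPLE_RECORDS = [
    ("pubA", der_encode_sig(0xC0FFEE, 0x1234), 0x1111),
    ("pubA", der_encode_sig(0xC0FFEE, 0x1234), 0x1111),  # same tx relayed twice: harmless
    ("pubA", der_encode_sig(0xC0FFEE, 0x5678), 0x2222),  # same r, new message: flagged
    ("pubB", der_encode_sig(0xC0FFEE, 0x9999) + b"\x01", 0x3333),  # other key, SIGHASH_ALL byte
]

def scan_sample():
    return find_nonce_reuse(SAMPLE_RECORDS)   # -> [('pubA', 0xC0FFEE)]
```

The same r under two different keys is not flagged: that alone does not give enough equations to recover either key, and the scan is meant to mirror the per-key condition the thread describes.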
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
August 11, 2013, 08:53:44 PM
Thanks guys for acting fast and responsibly.
apetersson
August 11, 2013, 08:56:25 PM
> So even if you generated your key in a secure way, as soon as you generated one transaction with one of the affected clients *bam!* anyone could steal all your funds.
I don't think this was the case with old versions with weak SecureRandom, since Mycelium Wallet re-seeded the weak SecureRandom for each transaction. But hopefully we will never know. I suspect (don't know) that the issue of duplicate R values had not occurred with our software. Nevertheless the theoretical weakness of the private keys themselves warrants a key change. BTW, play store has updated the latest apk now. Feel free to update. To upgrade to more secure keys, move your old keys to archive, create a new one and move funds over.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 10:54:50 PM
The key migration wizard is now feature complete, and we are testing it vigorously.
First of all let me introduce a nice new feature, which the key migration wizard relies on: As of version 0.6.5 there is a new concept of a key archive. A key/address can either be Active or Archived. You can move a key back and forth between the Active and Archive set in "Keys & Addresses". It is somewhat similar to what you see in the Blockchain.info wallet for iPhone. When the wallet is in Aggregate mode (the default) the balance view displays the aggregate value of all your Active keys. Keys in the Archive set are not included. While this gives some nifty key control features for advanced users, it also allows us to make the Vulnerable Key Migration Wizard (tm) safer to use.
Here is how the migration wizard works in version 0.7.0:
When you open the wallet it will investigate whether the Active set contains any keys that were present from before 0.6.5. If there are any it will show you a dialog explaining that you have X potentially vulnerable keys. You can then choose to launch a (5 step) migration wizard, which:
1. creates a new key
2. swipes the funds to it
3. archives your vulnerable key
This way the vulnerable key is not deleted, but merely archived. This is nice as someone may still send funds to your old keys. If you select an archived key and go into the balance view you will monitor this single key, just as if you were in segregated mode.
We are still testing the migration wizard, stay tuned...
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 11, 2013, 11:27:10 PM
In the meantime, if you want to migrate your keys manually with version 0.6.5 here is how:
1. Go to settings and uncheck Aggregate View to get segregated view (you now manage one key at a time)
2. Go to Keys & Addresses
3. Click + and choose Random to create a new random (strong) key
4. Give the new key a name, e.g. "Migration 1" (long press it and click Set Label)
5. Select one of your old keys
6. Go to Balance view
7. Click Send and choose "Migration 1" from the address book as the receiver
8. Click MAX to send the full amount (swipe), Next, Send
9. Go to Keys & Addresses
10. Long press the old key that you just swiped and select Archive.
Repeat for each key
Finally go to settings and enable Aggregate View.
Note: If you have selected an archived key and go into the balance view you will only see the balance of that key.
Rassah
Legendary
Offline
Activity: 1680
Merit: 1035
August 12, 2013, 04:06:20 AM
After all this madness is done with, will you guys be able to add a deterministic key feature to allow for a new Bitcoin address for every change transaction?
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
August 12, 2013, 06:12:12 AM
Jan, you should change the thread title to "BitcoinSpinner / Mycelium".
It's confusing... I take it your last posts are about Mycelium?
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 12, 2013, 10:01:14 AM
> After all this madness is done with, will you guys be able to add a deterministic key feature to allow for a new Bitcoin address for every change transaction?
Using new deterministic addresses for every transaction is quite tricky with the model that we use. Instead of downloading the blockchain we query a server for the unspent outputs of the addresses we are interested in. If the number of addresses grows infinitely something is bound to break down. Andreas has some nifty ideas on how to mitigate that, so this is something we will investigate.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
August 12, 2013, 10:05:53 AM
> Jan, you should change the thread title to "BitcoinSpinner / Mycelium".
> It's confusing... I take it your last posts are about Mycelium?
Done. Mycelium should really have its own thread. I'll look into that once all this is sorted out. In other news: An update for BitcoinSpinner is in the works. Everything has been coded and tested. I am just waiting for the signer to verify and sign the APK. It will be published later today.