Bitcoin Forum
Pages: « 1 [2] 3 »  All
Author Topic: decryption of wallet  (Read 733 times)
LoyceV
Legendary
Activity: 3304
Merit: 16616
October 02, 2022, 07:37:02 AM
Merited by o_e_l_e_o (4), ABCbits (1)
#21

Quote
why does it need to be different software than you used to create it?
I like being thorough :) What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
I've already seen many people who had a hard time recovering their old storage format. I even created [overview] Recover Bitcoin from any old storage format for it, but it's far from complete.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 02, 2022, 08:29:03 AM
Merited by ABCbits (1), n0nce (1)
#22

Quote from: LoyceV
What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
There is already precedent for this. Blockchain.com, for example, used to give out recovery phrases which were not BIP39 phrases, but rather simply to recover access to wallet files on their platform if users had forgotten their passwords. Now, many years later, although they claim to still support these phrases, many users find themselves unable to recover their wallets. Another example is Coinbase, which used to run multi-sig vaults, has discontinued its support of them, and users can no longer recover access to their funds despite possessing the necessary backups. Even something as simple as a wallet using a non-standard derivation path is enough to cause huge amounts of problems trying to recover your coins. And that's without even mentioning bugged, flawed, or malicious software, which might not derive the correct keys like you think it is doing.

It is always smart to test your backup or private keys with different software.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 03, 2022, 01:19:56 AM
Last edit: October 03, 2022, 03:13:01 AM by larry_vw_1955
#23

Quote from: LoyceV
What if the software I used uses a non-standard encryption and it turns out I can only decrypt it with that software? Then, 20 years later, I can't find it anymore.
Quote from: o_e_l_e_o
There is already precedent for this.
The examples you give below of Blockchain.com and Coinbase are poor examples since they are not software, rather they are services. To really make the point, we should be sticking to software that one runs on one's computer to generate bitcoin addresses, not services they log into and use. There is a distinction between the two things which should not be overlooked or glossed over.

Quote
Blockchain.com, for example, used to give out recovery phrases which were not BIP39 phrases, but rather simply to recover access to wallet files on their platform if users had forgotten their passwords. Now, many years later, although they claim to still support these phrases, many users find themselves unable to recover their wallets. Another example is Coinbase, which used to run multi-sig vaults, has discontinued its support of them, and users can no longer recover access to their funds despite possessing the necessary backups.
they were relying upon a black box. when the black box went out of service or had bugs or whatnot there was no way to fix it. different situation than software you were supposed to be able to run on your own independently of anyone.

Quote
Even something as simple as a wallet using a non-standard derivation path is enough to cause huge amounts of problems trying to recover your coins.
well, the link you provided has to do with the breadwallet to coinbase migration situation. if someone doesn't keep track of the derivation path their funds are on then that is a big mistake on their part. but it doesn't mean the software doesn't work.

Quote
And that's without even mentioning bugged, flawed, or malicious software, which might not derive the correct keys like you think it is doing.
well yeah that can happen, but with bitaddress? how about some links.

Quote
It is always smart to test your backup or private keys with different software.
but once you tested it once, you don't need to test it again right? as long as nothing changes, like upgrading the software.

Quote from: LoyceV
I've already seen many people who had a hard time recovering their old storage format. I even created [overview] Recover Bitcoin from any old storage format for it, but it's far from complete.
hopefully these days people are only using standard bitcoin formats, not proprietary. there's really no reason for using proprietary formats; otherwise they might end up being an avid reader of your thread there. :o
LoyceV
Legendary
Activity: 3304
Merit: 16616
October 03, 2022, 07:27:36 AM
#24

Quote from: o_e_l_e_o
It is always smart to test your backup or private keys with different software.
Quote from: larry_vw_1955
but once you tested it once, you don't need to test it again right?
Correct. One of the reasons for testing in the first place is peace of mind: I know I can decrypt it.

Quote
hopefully these days people are only using standard bitcoin formats
I'm not as optimistic as you are ;)

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 03, 2022, 07:39:21 AM
#25

Quote from: larry_vw_1955
The examples you give below of Blockchain.com and Coinbase are poor examples since they are not software, rather they are services.
The example I gave of Bread wallet is absolutely software which runs on your own device. Another example would maybe be Schildbach's bitcoin wallet, which does not use seed phrases but its own unique encrypted backups which can only be recovered using the same software.

Quote from: larry_vw_1955
well, the link you provided has to do with the breadwallet to coinbase migration situation. if someone doesn't keep track of the derivation path their funds are on then that is a big mistake on their part. but it doesn't mean the software doesn't work.
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.

Quote from: larry_vw_1955
hopefully these days people are only using standard bitcoin formats, not proprietary. there's really no reason for using proprietary formats; otherwise they might end up being an avid reader of your thread there. :o
Not only are plenty of people still using non-standard formats, but there are plenty more still in development, such as Block's new hardware device, which will not use seed phrases and will be completely dependent on Block for recovery.
LoyceV
Legendary
Activity: 3304
Merit: 16616
October 03, 2022, 07:51:16 AM
#26

Quote from: o_e_l_e_o
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.
I even tested recovering my hardware wallet before funding it: I used Ian Coleman's site (obviously on an air-gapped system, running live Linux from RAM) to see if I could reproduce the same addresses as my hardware wallet showed.
For what it's worth: so far, all my testing has always confirmed what I was hoping to see. But without testing, I wouldn't know that for sure.

larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 04, 2022, 02:07:07 AM
#27

Quote from: o_e_l_e_o
The example I gave of Bread wallet is absolutely software which runs on your own device. Another example would maybe be Schildbach's bitcoin wallet, which does not use seed phrases but its own unique encrypted backups which can only be recovered using the same software.
Surely there are android bitcoin wallets that adhere to standards like bip39 and are open source, but the best bet is don't use android wallets, period. you can't really trust them.

Quote
The point here is that Bread wallet didn't tell its users what derivation path was being used. Many wrongly assumed it was the standard BIP 44/49/84 paths, but because they never tested their recovery using independent software (as we are advocating here), they never found out they were wrong until they couldn't access their coins.
what kind of person puts their money into some wallet without knowing what derivation path is being used though?

Quote
Not only are plenty of people still using non-standard formats, but there are plenty more still in development, such as Block's new hardware device, which will not use seed phrases and will be completely dependent on Block for recovery.
you have to ask yourself why you would use something other than a trezor or nano though. as far as I have seen most of these new hardware wallets that come out are overpriced and not nearly as well tested as trezor or nano. how could they be? they are new! only way i would use one of these things is if they gave it to me for free, but no way am i buying one. 8)

Quote from: LoyceV
Correct. One of the reasons for testing in the first place is peace of mind: I know I can decrypt it.
So if you tested it with a particular address and it worked, then you can generate new addresses and not need to test those right? because you trust the software works since it worked with that one particular address that one time. just trying to clarify.

Quote
For what it's worth: so far, all my testing has always confirmed what I was hoping to see. But without testing, I wouldn't know that for sure.
So you test every single address, or just one address and if that one works, you consider it "good to go" for any further addresses without checking them?
LoyceV
Legendary
Activity: 3304
Merit: 16616
October 04, 2022, 07:54:29 AM
#28

Quote from: larry_vw_1955
what kind of person puts their money into some wallet without knowing what derivation path is being used though?
If I have to guess: 98% of all Bitcoin users who don't keep their coins on an exchange.

Quote
So if you tested it with a particular address and it worked, then you can generate new addresses and not need to test those right? because you trust the software works since it worked with that one particular address that one time. just trying to clarify.
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 04, 2022, 08:51:08 AM
#29

Quote from: larry_vw_1955
Surely there are android bitcoin wallets that adhere to standards like bip39 and are open source, but the best bet is don't use android wallets, period. you can't really trust them.
Of course, but the point we are making is that some people don't do that. And even if you do only use reputable, open source wallets, have you scanned every single line of code to make sure it is doing what you think it is doing? Doubtful. And even if you do, you cannot be 100% sure that you have not made a mistake when writing down your seed phrase or similar unless you test your backups. There is literally no reason to not test your backups before you fund the wallet.

Quote from: larry_vw_1955
what kind of person puts their money into some wallet without knowing what derivation path is being used though?
I would wager that the majority of people don't even know what a derivation path is.

Quote from: larry_vw_1955
you have to ask yourself why you would use something other than a trezor or nano though.
Again, I won't, but lots of people do.

Quote from: larry_vw_1955
So you test every single address, or just one address and if that one works, you consider it "good to go" for any further addresses without checking them?
Checking that the first address matches is sufficient. The chance of a different seed phrase or incorrect backup generating the same first address is essentially zero.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 05, 2022, 01:38:37 AM
#30

Quote from: o_e_l_e_o
I would wager that the majority of people don't even know what a derivation path is.
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds. Then they would realize that knowing their derivation path is just as important as knowing their seed phrase - well almost. Just like you need an ID to make a withdrawal at your bank, you need your derivation path...well you MIGHT need it sometime. If you ever go to the bank that is!

Quote from: LoyceV
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.

If you really feel you need to check the first 100 then I would humbly suggest you have a trust issue with whatever software you are using and probably should ask yourself why you distrust it so much. Software that works shouldn't need to be double-checked all the time. Unless you wrote it yourself, then you might want to run more extensive tests. But not every time you generate an address. There should be some level of trust in the functionality, such that you say "i know it worked because i did unit tests with 100 different addresses so I'll trust what it generates for me going forward". otherwise it's not software, it is just a crutch. using it as a crutch with something else. >:(
LoyceV
Legendary
Activity: 3304
Merit: 16616
October 05, 2022, 07:27:35 AM
Last edit: October 05, 2022, 07:38:44 AM by LoyceV
#31

Quote from: o_e_l_e_o
I would wager that the majority of people don't even know what a derivation path is.
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds. Then they would realize that knowing their derivation path is just as important
No. They would realize letting larry_vw_1955 touch their wallet was a big mistake :D
I've seen problems caused by weird derivation paths, but as long as it's created by known software, you can probably find the derivation path by searching the internet.
If you use Electrum, you can be pretty sure you can recover the funds from your seed words without understanding anything else.

Quote
Quote from: LoyceV
I checked only the first few addresses indeed. You now make me feel sloppy for not testing the first 100.
If you really feel you need to check the first 100 then I would humbly suggest you have a trust issue with whatever software you are using and probably should ask yourself why you distrust it so much.
Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 05, 2022, 07:54:20 AM
#32

Quote from: larry_vw_1955
I would love to put their funds on some derivation path 240 levels deep and see how they felt about it then. They would probably never find their funds.
Absolutely. Which goes back to the original point of testing your backup with different software. What if you accidentally, either through user error or bugged software, created a wallet using some crazy derivation path with 200+ levels, did not test your recovery, and then loaded it with funds? You now have a useless seed phrase backup securing coins in a derivation path you would never find again, all while being completely unaware of that fact.

Quote from: LoyceV
Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.
This is a slightly different issue. When I check my backups, I only ever check the first addresses. That is enough for me to be sure that I am using the right seed phrase at the right derivation path with the right script type to reproduce the wallet again in the future. When I check each new Electrum address on the screen of my hardware wallet, I am checking that my computer or my Electrum install has not been infected with malware or subjected to some other malicious attack which results in it displaying an incorrect address.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 06, 2022, 03:04:58 AM
#33

Quote from: LoyceV
No. They would realize letting larry_vw_1955 touch their wallet was a big mistake :D
letting anyone touch their wallet might be a big mistake ;D

Quote
Example: you use a hardware wallet, with Electrum. When you create a new deposit address, you should confirm the address on the hardware wallet. It's not about trusting Electrum, you're using a hardware wallet so that you don't have to. Whatever happens to your software, you want to know for sure your funds are going to your own address.
yeah that's a different usage scenario but consider this: i got a cheap hardware wallet a long time ago (or rather, a hardware wallet that was on sale for very cheap, how about that?) but never trusted it enough to actually want to use it. i'd rather use software or paper wallets than use something that I don't fully understand. i tried to understand it but it seemed very confusing and i wasn't sure what it relied on, like what company's servers to send and receive transactions and what software would need to be installed on my computer, etc. etc. not really worth the time and effort to try and figure it out.

Quote from: o_e_l_e_o
Absolutely. Which goes back to the original point of testing your backup with different software. What if you accidentally, either through user error or bugged software, created a wallet using some crazy derivation path with 200+ levels, did not test your recovery, and then loaded it with funds? You now have a useless seed phrase backup securing coins in a derivation path you would never find again, all while being completely unaware of that fact.
Well, maybe my initial question was misunderstood. What I'm talking about is someone that generates paper wallets using something like bitaddress. Do they need to check every single address, or just a few of them and then, as long as those check out, they can assume bitaddress works correctly so there is no further need to keep checking newly generated addresses? I would think "yes" with a few caveats, but in general "yes".
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 06, 2022, 09:16:26 AM
#34

Quote from: larry_vw_1955
What I'm talking about is someone that generates paper wallets using something like bitaddress. Do they need to check every single address, or just a few of them and then, as long as those check out, they can assume bitaddress works correctly so there is no further need to keep checking newly generated addresses? I would think "yes" with a few caveats, but in general "yes".
Up to the individual, probably. You need to differentiate between whether you are checking for accuracy or checking for maliciousness. If your copy of bitaddress generates one address accurately, then you can be pretty sure if it is non-malicious then it will generate all addresses accurately. However, a malicious piece of software may generate one or two addresses accurately and then start generating fake addresses.

However, given that any malicious software could generate addresses from predetermined seed phrases or private keys which are known to an attacker, then testing them in this manner does not protect against attack. That can only be done by reviewing the source code.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 08, 2022, 02:39:42 AM
#35

Quote from: o_e_l_e_o
Up to the individual, probably. You need to differentiate between whether you are checking for accuracy or checking for maliciousness. If your copy of bitaddress generates one address accurately, then you can be pretty sure if it is non-malicious then it will generate all addresses accurately. However, a malicious piece of software may generate one or two addresses accurately and then start generating fake addresses.
Yeah I think we were talking about the former situation, not the latter. Detecting maliciousness is a whole different thing that you can't do by just comparing outputs.

Quote
However, given that any malicious software could generate addresses from predetermined seed phrases or private keys which are known to an attacker, then testing them in this manner does not protect against attack. That can only be done by reviewing the source code.
or maybe there's a software that you could run on a piece of other software to detect if it was malicious or not. it seems plausible that this would be a reasonable thing to want to do. because, for reviewing by hand, not everyone has that type of expertise.
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 08, 2022, 08:51:43 AM
#36

Quote from: larry_vw_1955
or maybe there's a software that you could run on a piece of other software to detect if it was malicious or not.
There would be no way to write a piece of software which could detect every possible way a wallet could be malicious, and even if someone attempted such a piece of software, then an attacker could also download it and find a workaround.

If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 09, 2022, 01:21:07 AM
#37

Quote from: o_e_l_e_o
There would be no way to write a piece of software which could detect every possible way a wallet could be malicious,
what you do is make a list of all the possible ways. then you have to have subroutines that check each way. the program will run the software through each subroutine.

Quote
and even if someone attempted such a piece of software, then an attacker could also download it and find a workaround.
if someone did that and somehow found a loophole, then you patch it by adding their workaround as another item in your list. but at some point they would have to really be clever to find more workarounds. at some point there might not be any more.

Quote
If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
that's better than using the random number generator on your computer? :o

LoyceV
Legendary
Activity: 3304
Merit: 16616
October 09, 2022, 08:24:59 AM
Merited by o_e_l_e_o (4)
#38

Quote from: larry_vw_1955
if someone did that and somehow found a loophole, then you patch it by adding their workaround as another item in your list. but at some point they would have to really be clever to find more workarounds.
That sounds a lot like virus scanners, where companies make a living off selling updates for dozens of new viruses per day. It will never be secure.

Quote
If you are completely paranoid about how your seed phrase was generated and do not trust any piece of software, then the best option would be to do it manually, using 128 coin flips and an airgapped Linux machine to calculate the checksum.
that's better than using the random number generator on your computer? :o
Yes! It's very difficult to verify the randomness of your computer, but it's very easy to verify that a coin flip is random. It's not perfect, but it's not something anyone else can reproduce.

I've seen people lose their Bitcoins because a once trusted paper wallet website got sold and turned into a scam. Even offline, it creates compromised paper wallets because it doesn't create random private keys. That won't happen with coin flips. You should still make sure the software you use to create a private key out of it isn't compromised.
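Post #36 describes building a seed from 128 coin flips and computing the checksum on an air-gapped machine, and post #38 adds that the program doing that conversion still has to be trustworthy. The Python below is an added example, not code from any poster: it maps an H/T string to 128 entropy bits, appends the BIP39 checksum (the first ENT/32 bits of SHA-256 over the entropy), splits the result into 11-bit wordlist indices, and re-verifies the checksum of a phrase the way a recovery tool does. It assumes the caller looks the indices up in the BIP39 English wordlist (index 0 is "abandon", index 3 is "about"), which is not embedded; the all-tails flip string in the demo is constructed and is the published all-zero BIP39 test vector.

```python
"""BIP39 entropy and checksum arithmetic for a hand-rolled seed (added example)."""
import hashlib

WORD_BITS = 11
VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)  # 12, 15, 18, 21, 24 words
WORDLIST_SIZE = 2 ** WORD_BITS                   # 2048 words, indices 0..2047


def flips_to_entropy(flips: str) -> bytes:
    """Map coin flips written as H (=1) / T (=0) to entropy bytes.

    Spaces are ignored so flips can be written in groups of eight. The count
    must be a BIP39 entropy size; 128 flips gives a 12-word phrase.
    """
    flips = flips.replace(" ", "").upper()
    if len(flips) not in VALID_ENTROPY_BITS or set(flips) - {"H", "T"}:
        raise ValueError("flips must be H/T only and 128/160/192/224/256 long")
    bits = "".join("1" if f == "H" else "0" for f in flips)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def checksum_bits(entropy: bytes) -> str:
    """BIP39 checksum: the first ENT/32 bits of SHA256(entropy), as '0'/'1' text."""
    digest = hashlib.sha256(entropy).digest()
    digest_bits = "".join(format(b, "08b") for b in digest)
    return digest_bits[: len(entropy) * 8 // 32]


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Concatenate entropy and checksum, then cut into 11-bit wordlist indices."""
    bits = "".join(format(b, "08b") for b in entropy) + checksum_bits(entropy)
    assert len(bits) % WORD_BITS == 0, "ENT + ENT/32 is always a multiple of 11"
    return [int(bits[i : i + WORD_BITS], 2) for i in range(0, len(bits), WORD_BITS)]


def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum from a phrase's indices; False on any tampering.

    This is the check a recovery tool performs on a typed-in phrase. A single
    wrong word changes the entropy bits, so SHA256 almost always disagrees with
    the stored checksum (a 4-bit checksum lets about 1 in 16 errors through).
    """
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    ent_len = len(indices) * WORD_BITS * 32 // 33   # 132 bits -> 128 entropy bits
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    return bits[ent_len:] == checksum_bits(entropy)


if __name__ == "__main__":
    # Constructed demo input: 128 tails, i.e. the all-zero BIP39 test vector.
    # Expected indices: eleven times 0 ("abandon") and then 3 ("about").
    demo_flips = " ".join(["TTTTTTTT"] * 16)
    ent = flips_to_entropy(demo_flips)
    idx = entropy_to_indices(ent)
    print("entropy:", ent.hex())
    print("word indices:", idx)
    print("checksum ok:", indices_valid(idx))
    # Mis-transcribe the last word as its wordlist neighbour: checksum fails.
    print("one word wrong:", indices_valid(idx[:-1] + [idx[-1] + 1]))
```

Verifying a phrase this way only proves it was transcribed consistently; as post #38 says, it does nothing to establish that the flips themselves were honest or that the machine running the script is clean.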

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18510
October 09, 2022, 11:48:29 AM
#39

Quote from: larry_vw_1955
but at some point they would have to really be clever to find more workarounds. at some point there might not be any more.
If this were true, then malware would no longer exist because every possible workaround had been patched. There will always be a new workaround.

Quote from: larry_vw_1955
that's better than using the random number generator on your computer? :o
Depends on the random number generator on your computer. Is it better than some javascript RNG? Yes. Is it better than /dev/urandom? Probably not. However, it is also harder to do, easier to make a mistake with, and easier to do in an insecure manner, so I wouldn't generally recommend it to most people.
larry_vw_1955
Sr. Member
Activity: 1050
Merit: 358
October 10, 2022, 01:41:31 AM
Last edit: October 11, 2022, 01:01:14 AM by larry_vw_1955
#40

Quote from: LoyceV
That sounds a lot like virus scanners, where companies make a living off selling updates for dozens of new viruses per day. It will never be secure.
well viruses are different since computers have to connect to the internet and be forced to interact with all different types of software that a user might decide to install. you can't just lock them down too much or else the user wouldn't be able to do anything.

Quote from: LoyceV
I've seen people lose their Bitcoins because a once trusted paper wallet website got sold and turned into a scam. Even offline, it creates compromised paper wallets because it doesn't create random private keys.
so they took the website offline then once it became a scam right? they can't allow a provable scam to continue operating and stealing people's money.
imagine that website still existing on the internet and someone downloaded it before it became a scam and used it with no ill effects, but then they decided to "upgrade" by downloading the latest version and then got scammed. that would really throw them for a loop :o and it would be their fault though for not monitoring the situation.

Quote
If this were true, then malware would no longer exist because every possible workaround had been patched. There will always be a new workaround.
the validity checker could publish a list of methods that were allowed and then inside each method it would inspect to make sure that the only things that were happening were the standard bitcoin address generation process. anything that was there that did not belong would mean "invalid program". simple as that. a seed phrase inside the random number generator? invalid. some unknown decimal or hex number just being defined somewhere? invalid. an attempt to connect to the internet? invalid. anything unknown? need to write better code. invalid!

Quote
Depends on the random number generator on your computer. Is it better than some javascript RNG? Yes. Is it better than /dev/urandom? Probably not. However, it is also harder to do, easier to make a mistake with, and easier to do in an insecure manner, so I wouldn't generally recommend it to most people.
i would think rolling dice or flipping coins is better than any algorithm that produces pseudo random numbers. now if you're talking about true random like linux /dev/random maybe that's different. windows doesn't have that though.
