Author Topic: Does this still count?  (Read 605 times)
satscraper
September 22, 2023, 07:54:11 AM
 #41

Depends on your setup. If you're using an air-gapped device that makes no use of random number generation, then the attacker can't take advantage of it to sign with insecure k-values (as an example). Transactions are signed using the RFC 6979 which doesn't generate random k-values. You would also need to use dice or coin to generate the entropy of your wallet. In that case, and by assuming the OS does not hide any backdoors for the specific type of wallet software you will use, then it's safe to assume you'll be fine.
I have always wondered what can affect the RNG and generating keys with enough entropy? For instance, do we know which hardware and software are always good sources of entropy and which aren't? Is there a list of models and versions that are specially good or bad? Also, can a good source of entropy suddenly go "bad" and generate insufficient entropy due to hardware defects or software misconfiguration?

I never gave it much thought.

These are very intriguing questions which appeal to the imagination of many learners in the field. NIST has developed the software set that "provides a standardized means of estimating the quality of a source of entropy" and almost each year organizes numerous workshops on this matter where you can find some answers. I would focus on the Random Bit Generation Workshop series and the Entropy Source Validation Workshop. Just go to the NIST site and search.


BlackHatCoiner
September 22, 2023, 08:43:24 AM
Merited by Pmalek (2), ABCbits (1)
 #42

I have always wondered what can affect the RNG and generating keys with enough entropy? For instance, do we know which hardware and software are always good sources of entropy and which aren't?
If only it was that simple. If you make a quick search, you will notice that even from experts in the field, there's a moment of doubt when it comes to verifying that the RNG is true. Intel and AMD chips come with an RNG that is impossible to verify completely as far as I'm concerned. You cannot distinguish a pseudo-RNG from a true RNG, because you cannot detect if there is a function that deems deterministic the number generation.

When it comes to software, /dev/urandom and /dev/random are good sources, as for hardware there has been development, but if you merely want to run a Bitcoin wallet in an air-gapped device, then you don't need hardware for that purpose. Just roll a dice or flip a coin. It is trivial and completely verifiable.

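Added example, not part of the thread: one way to turn the coin flips or dice rolls suggested above into a private-key candidate that can be re-checked by hand. The function names are hypothetical, the result is a raw secp256k1 key rather than a wallet seed phrase, and the die or coin is assumed to be fair.

```python
# Added illustration: convert fair coin flips or dice rolls into a secp256k1
# private-key candidate using integer arithmetic only (no RNG, no hashing).
import math

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def max_rolls(sides: int, limit: int = SECP256K1_N) -> int:
    """Largest r with sides**r <= limit, so every r-roll outcome is below N
    and no modular reduction (which would bias the result) is needed."""
    if sides < 2:
        raise ValueError("need at least two outcomes per roll")
    rolls, span = 0, 1
    while span * sides <= limit:
        span *= sides
        rolls += 1
    return rolls


def entropy_bits(sides: int) -> float:
    """Entropy collected from max_rolls(sides) fair rolls."""
    return max_rolls(sides) * math.log2(sides)


def key_from_rolls(rolls: str, alphabet: str = "123456") -> int:
    """Read the rolls as one base-len(alphabet) number.

    alphabet lists the faces in digit order: "123456" for a die, "TH" for a
    coin (T = 0, H = 1). Whitespace in the input is ignored.
    """
    sides = len(alphabet)
    if len(set(alphabet)) != sides:
        raise ValueError("alphabet symbols must be unique")
    symbols = "".join(rolls.split())
    needed = max_rolls(sides)
    if len(symbols) != needed:
        raise ValueError(f"expected exactly {needed} rolls, got {len(symbols)}")
    value = 0
    for ch in symbols:
        digit = alphabet.find(ch)
        if digit < 0:
            raise ValueError(f"symbol {ch!r} is not a face of this die/coin")
        value = value * sides + digit
    if value == 0:
        # Every roll showed the lowest face: 0 is not a valid private key.
        raise ValueError("input maps to 0, which is not a valid key")
    return value


def to_hex(key: int) -> str:
    """32-byte big-endian hex form of the key."""
    return format(key, "064x")


if __name__ == "__main__":
    print("d6 rolls needed:", max_rolls(6), "bits:", round(entropy_bits(6), 2))
    print("coin flips needed:", max_rolls(2))
    # Constructed sample input, not real key material.
    print(to_hex(key_from_rolls("1" * 98 + "2")))
```

With a six-sided die this takes 99 rolls (about 255.9 bits); with a coin it takes 255 flips.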
ABCbits
September 22, 2023, 09:09:44 AM
Merited by o_e_l_e_o (4)
 #43

I get your point, but
1. AFAIK any OS disables Bluetooth by default.
That's true, most operating systems disable Bluetooth by default, but sometimes the users enable it and don't really care much about it because of the short range it has. Some people enable it to connect Bluetooth speakers and headphones and don't really care much about security when it comes to Bluetooth connections, and that can make things easier for hackers.

2. Bluetooth if OP already uninstall all network driver.
The same answer here as well like most people don't really care much about Bluetooth when it comes to security and they may not disable it only to connect some Bluetooth enabled devices.

That doesn't apply to OP though, since he has some security awareness and plans to use his PC only to manage his Bitcoin. As for people who don't care about security/Bluetooth, they are likely to be connected to the internet all the time anyway.

For instance, do we know which hardware and software are always good sources of entropy and which aren't?

It's easy to know a bad entropy source, such as current time. But even a source of entropy which is usually deemed good/secure can't always be good/reliable. For example, /dev/urandom output used to be predictable for about a minute on embedded devices[1].

[1] https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf

Fivestar4everMVP
September 22, 2023, 09:31:51 AM
 #44

Well, I have never done or tried such on a PC though, but I've done something similar on a mobile phone. Like, I bought a small Android device for this purpose alone, I turned it on, installed a SIM and connected to the internet, downloaded mycelium bitcoin wallet, moved most of my bitcoin in there, and after the transaction was confirmed and I was sure of it, I went into my settings, located the network setting and deleted the internet configuration, and immediately, I was disconnected from the internet even with the SIM card installed and data connection turned on. I then turned the phone off, removed the battery as well as the SIM card, and kept the phone somewhere safe.

I assumed it to be a hardware wallet or a cold bitcoin storage. I left it like that for over eight (8) months before I decided to turn the phone back on, installed the SIM and requested a new internet configuration from my service provider, which was sent immediately. I installed it and was able to connect to the internet again, opened mycelium wallet, and my bitcoins were sitting right there waiting for me.


Pmalek
September 22, 2023, 03:30:37 PM
 #45

If only it was that simple. If you make a quick search, you will notice that even from experts in the field, there's a moment of doubt when it comes to verifying that the RNG is true. Intel and AMD chips come with an RNG that is impossible to verify completely as far as I'm concerned. You cannot distinguish a pseudo-RNG from a true RNG, because you cannot detect if there is a function that deems deterministic the number generation.
Regarding Intel and AMD chips, their RNGs aren't being used to generate the entropy, right? I mean, if I am creating a seed for a software wallet on my computer, I will be using the entropy of my OS, regardless if on Linux or Windows. And if I am working with a hardware wallet, they have their own RNGs inside the device.

When you say that Intel and AMD's RNGs can't be verified, I doubt it's weak and affects seed generation. Otherwise, almost all wallets generated on such chips wouldn't be secure, and we would have many complaints and reports of mysteriously lost coins.

BlackHatCoiner
September 22, 2023, 03:48:25 PM
Merited by o_e_l_e_o (4), Pmalek (2), stompix (1)
 #46

[...]
You shouldn't be using a mobile phone as your main Bitcoin wallet. Here's why: https://bitcointalk.org/index.php?topic=5463259.msg62732682#msg62732682

Regarding Intel and AMD chips, their RNGs aren't being used to generate the entropy, right?
They are. When you request from your computer to generate a random number, it utilizes RDRAND, which varies slightly as instruction from Intel to AMD. It's basically the same functionality. From the link, you can read the "Reception" part to confirm that engineers can insert backdoors there.

When you say that Intel and AMD's RNGs can't be verified, I doubt it's weak and affects seed generation. Otherwise, almost all wallets generated on such chips wouldn't be secure, and we would have many complaints and reports of mysteriously lost coins.
I have never heard of a case where someone lost bitcoin because of backdoored RNG, but just as we can't verify it's generating true randomness, we can't complain they're stealing bitcoin either. I mean, think about it. You wake up the next morning, and your wallet is emptied. What do you do? You tell a journalist that AMD and Intel insert backdoors? With what evidence?

I neither believe they're doing it, as it isn't worth the risk, but why worry about being one in the million customers who bought the backdoored hardware? Just flip a coin and sleep easy.

Pmalek
September 22, 2023, 06:04:54 PM
 #47

I have never heard of a case where someone lost bitcoin because of backdoored RNG, but just as we can't verify it's generating true randomness, we can't complain they're stealing bitcoin either. I mean, think about it. You wake up the next morning, and your wallet is emptied. What do you do? You tell a journalist that AMD and Intel insert backdoors? With what evidence?
I understand what you are saying. But considering how big of a market share AMD and Intel chips have, and if it was a widespread backdooring problem, I think we would have too many complaints not to understand that something is seriously wrong. Especially if governments have a way to meddle and apply blows to Bitcoin that they hate. It would be a great way for them to attack Bitcoin and then spread FUD how unsafe and a big scam it is. They wouldn't be able to restrain themselves.

Kakmakr
September 22, 2023, 06:11:07 PM
 #48

I do not think you have to go that far to protect your tokens, because most people store their coins in hardware wallets and they are OK. I have some coins in hardware wallets and the long-term coins are stored on Paper Wallets.. that I created with an air-gapped computer.

If you are very paranoid, you can buy a cheap second hand computer and you can create those paper wallets with the computer not connected to the Internet and then you can destroy it. (So if some malware were storing information and waiting for it to connect, before it sends the information.. then you can prevent that)

Silberman
September 22, 2023, 08:47:25 PM
 #49

I do not think you have to go that far to protect your tokens, because most people store their coins in hardware wallets and they are OK. I have some coins in hardware wallets and the long-term coins are stored on Paper Wallets.. that I created with an air-gapped computer.

If you are very paranoid, you can buy a cheap second hand computer and you can create those paper wallets with the computer not connected to the Internet and then you can destroy it. (So if some malware were storing information and waiting for it to connect, before it sends the information.. then you can prevent that)
While it is true that it may not be necessary to go that far to secure our coins, this is also a way to have peace of mind and tranquility, after all we hear stories every day of people losing their coins to hackers and scammers, so if this helps the OP to be more at ease knowing their coins are as secure as they could be then this is something they must do, otherwise they will always be worried about the possibility of losing their coins and that is not really a healthy way of living.
suzanne5223
September 22, 2023, 11:38:33 PM
 #50

I do not think you have to go that far to protect your tokens, because most people store their coins in hardware wallets and they are OK. I have some coins in hardware wallets and the long-term coins are stored on Paper Wallets.. that I created with an air-gapped computer.

If you are very paranoid, you can buy a cheap second hand computer and you can create those paper wallets with the computer not connected to the Internet and then you can destroy it. (So if some malware were storing information and waiting for it to connect, before it sends the information.. then you can prevent that)
While it is true that it may not be necessary to go that far to secure our coins, this is also a way to have peace of mind and tranquility, after all we hear stories every day of people losing their coins to hackers and scammers, so if this helps the OP to be more at ease knowing their coins are as secure as they could be then this is something they must do, otherwise they will always be worried about the possibility of losing their coins and that is not really a healthy way of living.
I think there's nothing bad in going extra for the sake of securing our cryptocurrency holding but in the case of the OP, I believe he needs to format the old computer since it's a computer that was once connected to the internet long ago cause when we talk about airgap we're talking about wallet that's not connected to the internet.
@Kakmakr I hope you set up transaction notifications for the paper wallet cause we have a situation where some people think they created their paper wallet on Airgap computer but it's the other way around.

Pmalek
September 23, 2023, 06:24:41 AM
Merited by o_e_l_e_o (4)
 #51

I do not think you have to go that far to protect your tokens, because most people store their coins in hardware wallets and they are OK. I have some coins in hardware wallets and the long-term coins are stored on Paper Wallets.. that I created with an air-gapped computer.
Don't you think it's a bit weird that you are suggesting it isn't necessary to go the extra mile in protecting your keys when you admitted that you used a similar airgapped system when you generated your paper wallets? I hope you did it properly, and that you used a completely airgapped system and not something that is semi-airgapped or a computer with its LAN cable disconnected during seed generation. You wouldn't want the keys for your long-term holding to be less secure than those created by the hardware wallet you are using.

BlackHatCoiner
September 23, 2023, 07:47:48 AM
 #52

I understand what you are saying. But considering how big of a market share AMD and Intel chips have, and if it was a widespread backdooring problem, I think we would have too many complaints not to understand that something is seriously wrong.
There have been bug reports regarding RDRAND, which were noticed in some minority of processors.

- https://www.techpowerup.com/255294/some-amd-processors-have-a-hardware-rng-bug-losing-randomness-after-suspend-resume
- https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
- http://web.archive.org/web/20221117235141/https://linuxreviews.org/RDRAND_stops_returning_random_values_on_older_AMD_CPUs_after_suspend

As you can see, there have been instances of faulty behavior, and I'm sure you can find more if you dig up the space. I think it's possible for some hardware to be backdoored. (but not all)

Pmalek
September 23, 2023, 08:38:29 AM
 #53

<Snip>
The first link you shared says that Linux doesn't rely on RDRAND by default when it generates entropy. I guess it's harder to know its full impact on the closed-source Windows. So, the biggest danger would be waking the computer up from sleep mode/hibernate and then attempting to generate a secure-enough seed. Affected CPUs wouldn't generate enough randomness.

BlackHatCoiner
September 23, 2023, 09:41:35 AM
 #54

The first link you shared, says that Linux doesn't rely on RDRAND by default when it generates entropy.
According to Linus Torvalds, it doesn't rely entirely on RdRand. But /dev/random does make use of it.
Linus Torvalds dismissed concerns about the use of RDRAND in the Linux kernel and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RDRAND with other sources of randomness.

You can also read this response by Linus, in which he pretty much sums up his concerns regarding RdRand: https://www.theregister.com/2013/09/10/torvalds_on_rrrand_nsa_gchq/. He's also clarifying that RdRand is one of the many inputs used:
Quote
However, as Torvalds pointed out in response to the petition RdRand is one of many inputs used by the Linux kernel’s pool to generate random characters.

The kernel chieftain wrote: “We use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you're ignorant.”

So, probably Linux is safe to an extent.

I guess it's harder to know its full impact on the closed-source Windows.
We don't know with certainty: https://security.stackexchange.com/questions/195515/is-rdrand-used-in-a-safe-way-by-windows-10

Pmalek
September 23, 2023, 12:57:24 PM
 #55

OK, so RDRAND definitely has a hand in the game. It's used to some extent, but because there are many other sources of entropy, even if it has insufficiently secure RNGs, it wouldn't be able to weaken the overall entropy to an alarming level. That's what I get from all this. It might be troublesome on its own, but when combined with better sources of entropy, it evens out. Maybe it's better to say it doesn't get noticed.   

I don't agree with Torvalds' estimate in the last quote you posted. A weaker entropy source can't strengthen the overall security of a system despite being pooled together with better sources.

o_e_l_e_o
September 25, 2023, 02:40:45 PM
 #56

I assumed it to be a hardware wallet or a cold bitcoin storage
What you have described is neither a hardware wallet nor cold storage. It is a hot wallet which you turned off for a few months, and is only marginally more secure than a hot wallet which is always on.



In terms of the discussion about RDRAND and entropy sources, this is relevant:

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp

And of course, if you really don't trust any of this and still think your entropy might be compromised, then as BHC says, just flip a coin.
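
Added example, not part of the thread and not Bitcoin Core's own code: a minimal model of the pooling described above, where several sources are hashed into one seed and each source is health-checked with the repetition count test from NIST SP 800-90B. The stuck hardware source is a constructed stand-in for an RNG that has stopped producing fresh values, and all function names are hypothetical.

```python
# Added illustration: hash-based mixing of entropy sources plus a
# repetition-count health check for a source that has stopped varying.
import hashlib
import math
import os
import struct


def mix_sources(*samples: bytes) -> bytes:
    """Derive a 32-byte seed from all samples. Each sample is length-prefixed
    so that (b"ab", b"c") and (b"a", b"bc") hash differently."""
    h = hashlib.sha512()
    for sample in samples:
        h.update(struct.pack(">I", len(sample)))
        h.update(sample)
    return h.digest()[:32]


def repetition_cutoff(min_entropy_bits: float, alpha_exp: int = 20) -> int:
    """SP 800-90B repetition count cutoff C = 1 + ceil(-log2(alpha) / H),
    with false-positive rate alpha = 2**-alpha_exp and H the min-entropy
    claimed per sample."""
    if min_entropy_bits <= 0:
        raise ValueError("claimed min-entropy must be positive")
    return 1 + math.ceil(alpha_exp / min_entropy_bits)


def source_is_healthy(samples, cutoff: int) -> bool:
    """False as soon as the same sample repeats `cutoff` times in a row."""
    run, last = 0, None
    for sample in samples:
        run = run + 1 if sample == last else 1
        last = sample
        if run >= cutoff:
            return False
    return True


def stuck_hw_rng(n: int = 8) -> bytes:
    """Constructed model of a failed hardware RNG: always the same bytes."""
    return b"\xff" * n


def make_seed(hw_read=stuck_hw_rng, os_read=os.urandom) -> bytes:
    """Seed built from one hardware sample and one OS sample."""
    return mix_sources(hw_read(8), os_read(32))


def demo() -> dict:
    # Conservative claim of 8 bits of min-entropy per 8-byte sample.
    cutoff = repetition_cutoff(8.0)
    return {
        "hw_healthy": source_is_healthy(
            [stuck_hw_rng() for _ in range(16)], cutoff),
        "os_healthy": source_is_healthy(
            [os.urandom(8) for _ in range(1000)], cutoff),
        # One good source is enough: seeds still differ between calls.
        "seed_varies_with_stuck_hw": make_seed() != make_seed(),
        # Mixing creates no entropy: if every source is stuck, so is the seed.
        "seed_fixed_when_all_stuck":
            make_seed(os_read=stuck_hw_rng) == make_seed(os_read=stuck_hw_rng),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A stuck source adds nothing to the hashed pool and takes nothing away from it; the seed is only predictable when every input is.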