Author Topic: Security of signing a message?  (Read 322 times)
Speedoguy (OP)
March 17, 2024, 07:34:25 AM
Merited by Welsh (1)
 #1

Hello,

I'm being asked to show or prove my wallet for a business deal.  It's basically a show of good faith that I have funds available.  I generally think the person is legit and not a scam or anything but at the same time wanted to obviously protect my wallet.  

They're asking me to sign a message using the sign/verify function.  Is there any inherent danger to using this function with a trezor wallet?  

They're just asking me to send a message like "hi, 3/17/2024".  

I found a couple threads online about how people are being scammed by asking to sign messages although it seems like the details are a bit different.  

https://www.reddit.com/r/ethereum/comments/yohci6/signed_a_scam_message_and_eth_transfer_from_my/

https://medium.com/mycrypto/bad-actors-abusing-erc20-approval-to-steal-your-tokens-c0407b7f7c7c

I guess my question is I'm not sure exactly what signing a message is doing.  I always assumed it was just a way to broadcast a message to the network and it didn't actually allow for sending a transaction.  If you type the wrong thing or sign a message with a transaction hash does it have the power to compromise or send a transaction out of your wallet?
If they ask me to sign a message with a transaction hash is that inherently dangerous?  
Is signing a message with just today's date dangerous?

Is there a difference between signing a message with bitcoin and an ERC20 token (USDT)?
Upgrade00
March 17, 2024, 07:54:37 AM
 #2

They're asking me to sign a message using the sign/verify function.  Is there any inherent danger to using this function with a trezor wallet?  
No, there is no inherent danger in this that they can steal your coins. It's just a way of proving that you indeed have ownership of the Bitcoin wallet's private keys, and allows others to verify that information without giving them any more access.
There is even a thread on the forum for users to sign messages with addresses that have been posted by an account to prove they own the address and account - https://bitcointalk.org/index.php?topic=996318.0

You didn't give us more information, so we cannot know if the other party should be knowing exactly how much bitcoins you have and the reason for the need to sign a message.

I found a couple threads online about how people are being scammed by asking to sign messages although it seems like the details are a bit different.  
These were cases of users being sent a raw transaction which was created with the public key of the address and they verified it, effectively signing that transaction and sending the coins/tokens out of it.

If they ask me to sign a message with a transaction hash is that inherently dangerous?  
Is signing a message with just today's date dangerous?
If they send you a transaction hash, DO NOT SIGN IT.
You do not need anyone to send you anything when signing a message or a txid.

ranochigo
March 17, 2024, 08:08:29 AM
Merited by Welsh (5), pooya87 (4), vapourminer (1)
 #3

I guess my question is I'm not sure exactly what signing a message is doing.  I always assumed it was just a way to broadcast a message to the network and it didn't actually allow for sending a transaction.  If you type the wrong thing or sign a message with a transaction hash does it have the power to compromise or send a transaction out of your wallet?
Transactions have a signature that ensures that the inputs can be spent and is valid. You should not sign any transactions that you cannot trust; but the way that the signature is generated is quite different. Bitcoin signed message has a very specific syntax, so long as you are using the message signing function (not transaction signing) then it would be fine.

If they ask me to sign a message with a transaction hash is that inherently dangerous?  
Is signing a message with just today's date dangerous?
No and yes. Nothing would happen if you sign a transaction ID using the message signing tool**, though there is really no reason why you should be doing so. Using the signed message tool for Bitcoin Core would guarantee an invalid signature if used. The transaction data isn't just the transaction hash and since the message prepends "Bitcoin Signed Message:", it wouldn't be valid for a transaction signature regardless.

I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.

** I'm not familiar about the implementation of Ethereum's wallet but it is not an issue with Bitcoin wallets to my knowledge because the message signing is distinctively different from transaction signing.
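
The prefixing described in the post above, as an added example that is not part of the original thread: a Python sketch of the bytes a Bitcoin message-signing tool hashes, applied to a transaction ID pasted in as the message. The `raw_tx` bytes in the demo are a constructed stand-in, not a real transaction, and the function names are illustrative.

```python
import hashlib

# Prefix quoted in the post above. Wallets serialise it with a one-byte
# length in front (0x18 = 24), followed by the length-prefixed message text.
MAGIC = b"Bitcoin Signed Message:\n"


def compact_size(n: int) -> bytes:
    """Bitcoin's variable-length integer, used to prefix byte strings."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash used for both txids and signed messages."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def message_preimage(message: str) -> bytes:
    """Exact bytes that get hashed when a wallet signs a text message."""
    body = message.encode("utf-8")
    return compact_size(len(MAGIC)) + MAGIC + compact_size(len(body)) + body


def message_digest(message: str) -> bytes:
    """32-byte value the message signature is actually made over."""
    return sha256d(message_preimage(message))


def txid_pasted_as_message(raw_tx: bytes) -> dict:
    """Show what is signed when a transaction ID is typed in as the message."""
    txid_bytes = sha256d(raw_tx)[::-1]          # byte order shown by explorers
    txid_hex = txid_bytes.hex()
    preimage = message_preimage(txid_hex)       # prefix + 64 ASCII hex characters
    digest = message_digest(txid_hex)
    return {
        "txid": txid_hex,
        "preimage_len": len(preimage),
        "starts_with_magic": preimage[1:1 + len(MAGIC)] == MAGIC,
        "digest": digest.hex(),
        # The signed value is neither the txid nor its byte-reversed form.
        "digest_is_txid": digest in (txid_bytes, txid_bytes[::-1]),
    }


if __name__ == "__main__":
    # Constructed stand-in bytes; any byte string works for the comparison.
    demo = txid_pasted_as_message(b"constructed stand-in for a serialized transaction")
    for key, value in demo.items():
        print(f"{key}: {value}")
    print("digest for 'hi, 3/17/2024':", message_digest("hi, 3/17/2024").hex())
```
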

Speedoguy (OP)
March 17, 2024, 04:09:59 PM
 #4


[quote]
No and yes. Nothing would happen if you sign a transaction ID using the message signing tool**, though there is really no reason why you should be doing so. Using the signed message tool for Bitcoin Core would guarantee an invalid signature if used. The transaction data isn't just the transaction hash and since the message prepends "Bitcoin Signed Message:", it wouldn't be valid for a transaction signature regardless.

I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.

** I'm not familiar about the implementation of Ethereum's wallet but it is not an issue with Bitcoin wallets to my knowledge because the message signing is distinctively different from transaction signing.
[/quote]

Maybe this is a distinction I wasn't aware of.  I'd just be using the message signing tool from Trezor as seen here
https://blog.trezor.io/featurefriday-sign-verify-2c657af39b0c#:~:text=Click%20%E2%80%9CSign.%E2%80%9D,box%20on%20your%20computer%20screen.

and (hopefully) not using any kind of transaction signing.  Maybe in the case of these hacks people were signing transactions rather than messages?  I guess I was just trying to make sure I could type anything into the "message" section using the sign message feature shown above on Trezor and it would be safe.  At the very least though I can avoid typing any kind of transaction hashes or programming language as it shouldn't be necessary and would raise red flags if they asked something like that to be the message.   

BlackHatCoiner
March 17, 2024, 04:58:25 PM
 #5

I guess my question is I'm not sure exactly what signing a message is doing.
A signed message proves that you're the owner of a public key, because the only way to sign a message of a public key is to own its private key. This is how coin ownership is retained without disclosing the private key. You simply sign a message that says what you want to spend etc.

Signing a message shouldn't be a trouble, but after reading the reddit post, I wouldn't feel as comfortable as I do with Bitcoin signed messages. I have no idea how Ethereum works, but as it turns out from the first reply, signing transaction hash can grant ETH ownership. Signing a simple "hi, this is <date>" would never harm you in Bitcoin, but I wouldn't cross my fingers it will neither harm in crazy-Etherland.

Lucius
March 17, 2024, 05:18:58 PM
 #6

@Speedoguy, I would just add that perhaps you should take privacy into account when you sign a message as proof that you own a certain amount of BTC. What I want to say is that maybe it would be smart to send the amount you want to prove that you own to a new address in a new wallet - and it would be ideal to break the link between the main storage and the new wallet (using a mixer).

I don't know what it is specifically about in your case, but it is possible that there are scammers who are trying to find out how many coins you actually own in order to try to scam you in some way. Think about it, if someone has $1000 worth of BTC, they are not as valuable a target as someone who has $10 000 or maybe ten times as much.

DannyHamilton
March 17, 2024, 05:35:28 PM
Last edit: April 05, 2024, 11:14:10 PM by DannyHamilton
Merited by Welsh (6), ABCbits (4), NeuroticFish (3), DaveF (3), vapourminer (2), hosseinimr93 (2)
 #7

I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.

Please take note of what is said there.

Imagine this scenario:

I have no bitcoins at all. I pretend to be you.  I contact John Smith and tell them that I have some number of bitcoins that I want to send to them in exchange for something.  They ask me to send a signed message proving that I'm you.

Meanwhile, I've been talking to you about a "business deal" with you, and I get you to send me a signed message that just says "Hi, 2024-03-17".

I then take the exact signed message that you've provided to me, and send it on to John Smith.  John Smith is now convinced that I'm Speedoguy. I get John Smith to provide me whatever he's selling.  Next, I disappear.

John Smith now contacts YOU demanding the Bitcoins that he says YOU owe him. You claim that you never received anything from him. You claim you've never even talked to or heard of him.  He shows the message where he asked me (pretending to be Speedoguy) for a signed message, and then he shows YOUR signed message saying that it PROVES that YOU did talk to him and that you agreed to send him bitcoins.

What a mess.

All that could have been avoided if you were just a bit more careful about what you had signed.  Instead of just "Hi", make sure that the message is very clear about details such as who it's from, who it's to, why it's being sent, when it was requested, what it's intended to prove. That will make it much more difficult for the message to be reused.

If instead of "Hi, 2024-03-17" you had signed a message that said:

"This message was requested of Speedoguy by DannyHamilton in an email sent from notDannyHamiltonsEmail@gmail.com at 17:25 UTC on 2024-03-17 to notSpeedoGuysEmail@gmail.com. This message is intended to prove that address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh contains exactly 0.30834147 as of 17:42 UTC on 2024-03-17. This message was requested as part of a business deal where Speedoguy would put up 0.2 BTC as collateral for a loan of $5,000 from DannyHamilton, to be paid back by SpeedoGuy (with interest) in payments of $1,100 on the first day of five consecutive months beginning with the first payment due on 2024-05-01".

It's going to be a lot harder for me to forward that message on to John Smith and convince him that I'm Speedoguy and that I'm providing him 0.30834147 bitcoins to him in exchange for $20,000 of his Monero.
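
The relay scenario above from the receiving side, as an added example that is not part of the original post: a Python check a recipient such as John Smith could run on the text of a signed statement before relying on it. The field layout, the nonce values and the function names are assumptions made for this sketch; verifying the signature itself is left to the wallet's verify function.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical layout for a proof-of-funds statement: one "Key: value" per line.
REQUIRED = ("From", "To", "Address", "Purpose", "Requested-At", "Nonce")


def build_statement(sender, requester, address, purpose, requested_at, nonce):
    """Text the signer pastes into the wallet's message field."""
    values = (sender, requester, address, purpose, requested_at.isoformat(), nonce)
    return "\n".join(f"{key}: {value}" for key, value in zip(REQUIRED, values))


def parse_statement(text):
    """Collect the known fields; anything else in the text is ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key in REQUIRED:
            fields[key] = value.strip()
    return fields


def reasons_to_reject(text, *, me, my_nonce, now, max_age=timedelta(hours=24)):
    """Return a list of problems; an empty list means the text is bound to me."""
    fields = parse_statement(text)
    problems = [f"missing {key}" for key in REQUIRED if key not in fields]
    if problems:
        return problems
    if fields["To"] != me:
        problems.append(f"addressed to {fields['To']}, not {me}")
    if fields["Nonce"] != my_nonce:
        problems.append("nonce is not the one I issued")
    issued = datetime.fromisoformat(fields["Requested-At"])
    if not timedelta(0) <= now - issued <= max_age:
        problems.append("stale or future-dated")
    return problems


# Constructed sample values for the scenario in the post.
ADDRESS = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"   # address used in the post
DANNY_NONCE = "6f1c2a9e"    # constructed: value DannyHamilton asked to be included
JOHN_NONCE = "b07d44e1"     # constructed: value John Smith asked to be included
NOW = datetime(2024, 3, 17, 18, 0, tzinfo=timezone.utc)

TO_DANNY = build_statement(
    "Speedoguy", "DannyHamilton", ADDRESS,
    "collateral for a loan from DannyHamilton",
    datetime(2024, 3, 17, 17, 25, tzinfo=timezone.utc), DANNY_NONCE,
)

if __name__ == "__main__":
    print("checked by DannyHamilton:",
          reasons_to_reject(TO_DANNY, me="DannyHamilton", my_nonce=DANNY_NONCE, now=NOW))
    print("forwarded to John Smith:",
          reasons_to_reject(TO_DANNY, me="John Smith", my_nonce=JOHN_NONCE, now=NOW))
    print("bare greeting to John Smith:",
          reasons_to_reject("Hi, 2024-03-17", me="John Smith", my_nonce=JOHN_NONCE, now=NOW))
```
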
Speedoguy (OP)
March 17, 2024, 07:11:08 PM
 #8

I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.

Please take note of what is said there.

Imagine this scenario:

I have no bitcoins at all. I pretend to be you.  I contact John Smith and tell them that I have some number of bitcoins that I want to send to them in exchange for something.  They ask me to send a signed message proving that I'm you.

Meanwhile, I've been talking to you about a "business deal" with you, and I get you to send me a signed a message that just says "Hi, 2024-03-17".

I then take the exact signed message that you've provided to me, and send it on to John Smith.  John Smith is now convinced that I'm Speedoguy. I get John smith to provide me whatever he's selling.  Next, I disappear.

John Smith now contacts YOU demanding the Bitcoins that he says YOU owe him. You claim that you never received anything from him. You claim you've never even talked to or heard of him.  He shows the message where he asked me (pretending to be Speedoguy) for a signed message, and then he shows YOUR signed message saying that it PROVES that YOU did talk to him and that you agreed to send him bitcoins.

What a mess.

All that could have been avoided, if you were just a bit more careful about what you had signed.  Instead of just "Hi".  Make sure that The message is very clear about details such as who it's from, who it's to, why it's being sent, when it was requested, what it's intended to prove. That will make it much more difficult for the message to be reused.

If instead of "Hi, 2024-03-17" you had signed a message that said:

"This message was requested of Speedoguy by DannyHamilton in an email sent from notDannyHamiltonsEmail@gmail.com at 17:25 UTC on 2024-03-17 to notSpeedoGuysEmail@gmail.com. This message is intended to prove that address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh contains exactly 0.30834147 as of 17:42 UTC on 2024-03-17. This message was requested as part of a business deal where Speedoguy would put up 0.2 BTC as collateral for a loan of $5,000 from DannyHamilton, to be paid back by SpeedoGuy (with interest) in payments of $1,100 on the first day of five consecutive months beginning with the first payment due on 2024-05-01".

It's going to be a lot harder for me to forward that message on to John Smith and convince him that I'm Speedoguy and that I'm providing him 0.30834147 bitcoins to him in exchange for $20,000 of his Monero.

Ya good point about making the message specific.  I thought this sort of man in the middle thing was a very real possibility and the most likely scam angle, but I generally think the person is pretty legit, met them, they're using real name verifiable by social media etc and vouched for by others.  It's obviously not foolproof though and just trying to make sure the wallet is as secure as possible.  They've supposedly done similar deals in the past and acted like signing a message was very standard for showing ownership of funds on a blockchain (which I kind of assume is the main purpose behind the signing feature)  but just wanted to make sure there wasn't some possible attack vector 
seoincorporation
March 17, 2024, 11:02:41 PM
 #9

To sign the message you need the address's private key, and that is where the risk comes from. If you know how to do it and use your own wallet to sign a message, then it's fine. But if the guy asks you to use his software to sign the message then you are risking your coins because they could use malware where they get a copy of the Private key while you sign the message.

Personally, I have used online wallets to sign messages and never had a risk or a problem while doing that. For it I used blockchain.com; I had to import the PK, and after that signing a message was simple. But not many people would agree with this method; if you are looking for security, then use your own node.

hosseinimr93
March 17, 2024, 11:10:33 PM
Merited by vapourminer (1)
 #10

if you are looking for security, then use your own node.
Using your own node for signing a message?

Signing a message has nothing to do with nodes. Signing a message is a mathematical process in which you create a digital signature for a message. When you sign a message, you don't need any connection to nodes and you don't broadcast anything.

seoincorporation
March 17, 2024, 11:37:34 PM
 #11

if you are looking for security, then use your own node.
Using you own node for a signing a message?

Signing a message has nothing to do with nodes. Signing a message is mathematical process in which you create a digital signature for a message. When you sign a message, you don't need any connection to nodes and you don't broadcast anything.

By node I mean a Bitcoin Core wallet, but you are right that for this process we don't need a wallet; still, it is important to mention how most of the wallets let us sign a message.

With the Bitcoin Core Qt version, users can sign messages with the following steps:

→Go to the "File" menu, then select "Sign Message".
→In the dialog that appears, enter the Bitcoin address you want to sign the message with.
→Enter the message you want to sign in the "Message" field.
→Click on "Sign Message".

And if you want to do it from the command line, there is a command for this purpose.

Code:
bitcoin-cli signmessage "your_address" "your_message"

I will leave some sources:
https://en.bitcoin.it/wiki/Message_signing
https://medium.com/coinmonks/bitcoin-cryptography-signing-and-verifying-messages-with-node-js-645d05013f4f
https://coinguides.org/sign-verify-bitcoin-address/

ranochigo
March 18, 2024, 01:38:04 AM
 #12

Maybe this is a distinction I wasn't aware of.  I'd just be using the message signing tool from Trezor as seen here
https://blog.trezor.io/featurefriday-sign-verify-2c657af39b0c#:~:text=Click%20%E2%80%9CSign.%E2%80%9D,box%20on%20your%20computer%20screen.
Yeah, it's fine.
and (hopefully) not using any kind of transaction signing.  Maybe in the case of these hacks people were signing transactions rather than messages?  I guess I was just trying to make sure I could type anything into the "message" section using the sign message feature shown above on Trezor and it would be safe.  At the very least though I can avoid typing any kind of transaction hashes or programming language as it shouldn't be necessary and would raise red flags if they asked something like that to be the message.   
Ethereum works quite differently from Bitcoin. With Bitcoin, the message signing function is solely used for the message signing/verification purpose. It is very different from signing a transaction, you cannot just sign a transaction using the transaction ID. It's just common sense for people to not sign messages with content that they don't fully understand.


hosseinimr93
March 19, 2024, 03:02:24 PM
Merited by vapourminer (1)
 #13

With node i mean a Bitcoin core wallet, but you are right for this process we don't need a wallet, but is important to mention how most of the wallets let us sign a message.
But it's not that you would have more security, if you sign your message with bitcoin core.

If you want to sign a message and be sure that your private key is kept secure, you should sign your message on an air-gapped device. It doesn't matter whether you sign your message using bitcoin core or electrum.

mcdouglasx
March 19, 2024, 11:27:53 PM
Merited by Welsh (2), vapourminer (1)
 #14

The only way for your signature to be compromised is to sign 2 messages using the same nonce K, which must be random between 1 and N-1 (where N is the order of the curve), as long as you do the signing in a secure environment. There will be problems, if they ask you to sign using their website or software provided by them, run away, it's probably a signature scam.
If you make 2 signatures using the same nonce, they can derive your private key.
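
A defensive check for the nonce-reuse condition described above, as an added example that is not part of the original post: a Python audit of signatures produced by one key that flags any repeated `r` value, which is what a repeated nonce looks like from the outside. It assumes the 65-byte base64 compact format (header byte, 32-byte r, 32-byte s) that Bitcoin message-signing tools output; the sample signatures are constructed bytes, not valid signatures, and the function names are illustrative.

```python
import base64
from collections import defaultdict

# Order of the secp256k1 group (the "N" in the post above).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def parse_compact(sig_b64: str):
    """Split a base64 compact signature into (header, r, s)."""
    raw = base64.b64decode(sig_b64, validate=True)
    if len(raw) != 65:
        raise ValueError("compact signature must be 65 bytes")
    return raw[0], int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:], "big")


def find_reused_r(records):
    """records: iterable of (message, base64_signature) made by ONE key.

    Returns {r_hex: [messages]} for every r that appears with more than one
    distinct s. An identical signature seen twice (same message re-signed by a
    deterministic signer) and the s / N-s pair of one signature are not flagged.
    """
    by_r = defaultdict(dict)                  # r -> {normalised s: message}
    for message, sig in records:
        _, r, s = parse_compact(sig)
        by_r[r][min(s, N - s)] = message      # treat s and N-s as the same signature
    return {
        format(r, "064x"): sorted(seen.values())
        for r, seen in by_r.items()
        if len(seen) > 1
    }


def constructed_sig(header: int, r: int, s: int) -> str:
    """Build sample input for the audit; these are not valid signatures."""
    raw = bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")
    return base64.b64encode(raw).decode()


R_A = int("11" * 32, 16)
R_B = int("22" * 32, 16)
S_1, S_2, S_3 = int("0a" * 32, 16), int("0b" * 32, 16), int("0c" * 32, 16)

# Constructed sample log of (message, signature) pairs from one signing key.
SAMPLES = [
    ("invoice 1001", constructed_sig(31, R_A, S_1)),
    ("invoice 1002", constructed_sig(32, R_A, S_2)),      # same r, different s: flagged
    ("invoice 1003", constructed_sig(31, R_B, S_3)),
    ("invoice 1003", constructed_sig(31, R_B, S_3)),      # identical re-sign: ignored
    ("invoice 1003", constructed_sig(32, R_B, N - S_3)),  # s / N-s pair: ignored
]

if __name__ == "__main__":
    for r_hex, messages in find_reused_r(SAMPLES).items():
        print("r reused:", r_hex, "messages:", messages)
```
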

COBRAS
April 05, 2024, 03:08:15 AM
Last edit: April 08, 2024, 02:20:36 PM by mprep
 #15

Hello,

I'm being asked to show or prove my wallet for a business deal.  It's basically a show of good faith that I have funds available.  I generally think the person is legit and not a scam or anything but at the same time wanted to obviously protect my wallet. 

They're asking me to sign a message using the sign/verify function.  Is there any inherent danger to using this function with a trezor wallet? 

They're just asking me to send a message like "hi, 3/17/2024". 

I found a couple threads online about how people are being scammed by asking to sign messages although it seems like the details are a bit different. 

https://www.reddit.com/r/ethereum/comments/yohci6/signed_a_scam_message_and_eth_transfer_from_my/

https://medium.com/mycrypto/bad-actors-abusing-erc20-approval-to-steal-your-tokens-c0407b7f7c7c

I guess my question is I'm not sure exactly what signing a message is doing.  I always assumed it was just a way to broadcast a message to the network and it didn't actually allow for sending a transaction.  If you type the wrong thing or sign a message with a transaction hash does it have the power to compromise or send a transaction out of your wallet?
If they ask me to sign a message with a transaction hash is that inherently dangerous? 
Is signing a message with just today's date dangerous?

Is there a difference between signing a message with bitcoin and an ERC20 token (USDT)?


Definitely you can be scammed, but not with only one message, but any signed message can leak some part of the privkey:


"


What is special about the ECDH is that your peer's pubkey defines the curve being used, not your secret key!
So if an attacker provides a pubkey from a weaker curve, and you respond with the product of their weak pubkey * your secret, they can use brute-force to factor out and reveal your secret."

https://stacker.news/items/361797



I recommend including more details like the purpose and for whom, just to ensure that it can't be reused or otherwise misconstrued.

Please take note of what is said there.

Imagine this scenario:

I have no bitcoins at all. I pretend to be you.  I contact John Smith and tell them that I have some number of bitcoins that I want to send to them in exchange for something.  They ask me to send a signed message proving that I'm you.

Meanwhile, I've been talking to you about a "business deal" with you, and I get you to send me a signed a message that just says "Hi, 2024-03-17".

I then take the exact signed message that you've provided to me, and send it on to John Smith.  John Smith is now convinced that I'm Speedoguy. I get John smith to provide me whatever he's selling.  Next, I disappear.

John Smith now contacts YOU demanding the Bitcoins that he says YOU owe him. You claim that you never received anything from him. You claim you've never even talked to or heard of him.  He shows the message where he asked me (pretending to be Speedoguy) for a signed message, and then he shows YOUR signed message saying that it PROVES that YOU did talk to him and that you agreed to send him bitcoins.

What a mess.

All that could have been avoided, if you were just a bit more careful about what you had signed.  Instead of just "Hi".  Make sure that The message is very clear about details such as who it's from, who it's to, why it's being sent, when it was requested, what it's intended to prove. That will make it much more difficult for the message to be reused.

If instead of "Hi, 2024-03-17" you had signed a message that said:

"This message was requested of Speedoguy by DannyHamilton in an email sent from notDannyHamiltonsEmail@gmail.com at 17:25 UTC on 2024-03-17 to notSpeedoGuysEmail@gmail.com. This message is intended to prove that address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh contains exactly 0.30834147 as of 17:42 UTC on 2024-03-17. This message was requested as part of a business deal where Speedoguy would put up 0.2 BTC as collateral for a loan of $5,000 from DannyHamilton, to be paid back by SpeedoGuy (with interest) in payments of $1,100 on the first day of five consecutive months beginning with the first payment due on 2024-05-01".

It's going to be a lot harder for me to forward that message on to John Smith and convince him that I'm Speedoguy and that I'm providing him 0.30834147 bitcoins to him in exchange for $20,000 of his Monero.

The receiver of your message must send you a message first, and you see that his pubkey is not a pubkey for scam... Scam pubkeys can't send any messages

[moderator's note: consecutive posts merged]

DannyHamilton
April 05, 2024, 11:17:20 PM
Merited by vapourminer (1)
 #16

So if an attacker provides a pubkey from a weaker curve, and you respond with the product of their weak pubkey * your secret, they can use brute-force to factor out and reveal your secret."

That doesn't make any sense. Why would you respond with "the product of their weak pubkey * your secret" ??

When signing a message, you generate a hash of the message, then you generate a signature using your private key and the hash that you generated. The other person's public key isn't used at all.

You only use their public key to verify a signature that they send you.
COBRAS
April 06, 2024, 12:39:51 AM
 #17

So if an attacker provides a pubkey from a weaker curve, and you respond with the product of their weak pubkey * your secret, they can use brute-force to factor out and reveal your secret."

That doesn't make any sense. Why would you respond with "the product of their weak pubkey * your secret" ??

When signing a message, you generate a hash of the message, then you generate a signature using your private key and the hash that you generated. The other person's public key isn't used at all.

You only use their public key to verify a signature that they send you.

and then used pubkey of attacker ?

Cricktor
April 06, 2024, 12:35:08 PM
 #18

Definitely you can be scammed, but not with only one message, but any signed message can leak some part of the privkey:

"What is special about the ECDH is that your peer's pubkey defines the curve being used, not your secret key!
So if an attacker provides a pubkey from a weaker curve, and you respond with the product of their weak pubkey * your secret, they can use brute-force to factor out and reveal your secret."

https://stacker.news/items/361797

If your signing software is working properly (at minimum using a random non-predictable nonce) your message with signature doesn't leak anything about the used private key. You would need to be able to break ECDSA completely and apparently no-one is able to do this.

You should probably read and understand more of the context of a cited piece of text. I understood, I certainly could be wrong too, the pieces behind your cited source that it's about issues of naive implementations of secp256k1 curve being susceptible to twist attacks when the implementation naively accepts wrong pubkeys which are not on the curve (because they fail to detect this).

I can't quite believe that something like this could be foisted on mature implementations of secp256k1 curve like Bitcoin Core or Electrum use.


...

You only use their public key to verify a signature that they send you.

Read again and try to understand, also in context of usage with proper software. As far as I understand it, a Twist attack isn't possible with proper implementations.


and then used pubkey of attacker ?

A twisted pubkey of an attacker should and would be rejected, his signature should fail to be verified. By checking yourself, you don't reveal anything of your private key. Do you understand what DannyHamilton explained to you?
