|
TERA (OP)
|
 |
May 12, 2014, 05:37:16 AM |
|
Sorry about the grammar in the title - it was due to space constraints.
Lately I have been creating secure cold storage cold storage wallets using offline key generation and either paper or brain to store the key. It is kind of a scary process because deep down I think there's a chance I might generate an invalid key or mess up somehow and then later I won't be able to retrieve the bitcoins I send to the address. So I go through the tedious process of testing the new address by going through all of the secure/offline methods to send a small amount of coins to and from the address, and verify that it works, before I start sending tons of coins there. Well, as this process is tedious and seems to add an unnecessary layer of risk, I was wondering if it is even necessary.
Is it at all possible to create an invalid private key? Of all 256-bit hex numbers, is each and every one a valid key? Also, is it possible for the algorithm that converts the private key into the public key to mess up somehow? If I wrote down any random 256 bit number, and use (offline) brainwallet to derive the public key, is that sufficient enough and can I start sending my coins to it right away without having to 'test' it first?
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Once a transaction has 6 confirmations, it is extremely unlikely that an attacker without at least 50% of the network's computation power would be able to reverse it.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
phillipsjk
Legendary
 Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
May 12, 2014, 05:42:04 AM |
|
"testing" an off-line wallet is like testing a match to see if it works or not.
Yes, the are 256bit numbers that are not valid keys (somebody can chime in with the exact range). As a user you don't really have to worry because the software handles it for you.
The method suggested by armory is to try the process a few times with a test wallet, then make a new wallet once you are comfortable with the process.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160 |
|
|
|
cp1
|
|
May 12, 2014, 05:59:48 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
|
|
|
|
|
TERA (OP)
|
|
May 12, 2014, 06:28:57 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). |
|
|
|
|
spring.yu
Member
Offline
Activity: 115
Merit: 10
Cryptocurrencies is future
|
|
May 12, 2014, 06:52:09 AM |
|
The method suggested by armory is to try the process a few times with a test wallet, then make a new wallet once you are comfortable with the process.
|
|
|
|
|
openyourmind
Member
Offline
Activity: 83
Merit: 10
|
|
May 12, 2014, 07:26:28 AM |
|
of course it's neccessary. testing an off-line wallet shows does it work or not.
|
|
|
|
|
|
fryarminer
|
|
May 12, 2014, 09:48:27 AM |
|
I've made several cold storage keys (Well not nearly as many as Casascius!) and several of the ones I have made were duds. The way I test them (there's probably a better way) is to send a few microbitcoins to them and then look up the address on the blockchain. If you find the address on the blockchain it's usually good. If it doesn't show up then it's not.
|
|
|
|
|
CoolStoryBro
Member
Offline
Activity: 89
Merit: 10
|
|
May 12, 2014, 10:21:19 AM |
|
and creating the key in a much more complicated way than their SHA256(passphrase).
can you eleborate? |
|
|
|
|
|
TERA (OP)
|
|
May 12, 2014, 10:22:11 AM |
|
and creating the key in a much more complicated way than their SHA256(passphrase).
can you eleborate? passing through multiple hashes and using salts for example my key could be sha256('phrase1'+sha256('phrase2'+sha256('phrase3'))) or something more creative than that where portions of the hashes are removed. I've made several cold storage keys (Well not nearly as many as Casascius!) and several of the ones I have made were duds. The way I test them (there's probably a better way) is to send a few microbitcoins to them and then look up the address on the blockchain. If you find the address on the blockchain it's usually good. If it doesn't show up then it's not.
Is there a chance that this could work but then when you go to send, sending would not work? |
|
|
|
|
franky1
Legendary
Offline
Activity: 4214
Merit: 4479
|
|
May 12, 2014, 10:33:54 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). using a brain wallet involves turning natural words into a code. before then encrypting it using standard bitcoin encryption protocols. this brain wallet convertion method may change, or you may mis-spell the words (EG Some instead of some). the best solution is to put a verified/clean bitcoin software onto a memory stick. then install onto a clean computer without the internet. and generate private keys from this. DO NOT rely on brain wallets or wallets that your a keyphrase/seed to generate private keys. as i said before the conversion from phrases into a private key may change in the future. ONLY store actual proper bitcoin private keys. |
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
|
TERA (OP)
|
|
May 12, 2014, 10:40:02 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). using a brain wallet involves turning natural words into a code. before then encrypting it using standard bitcoin encryption protocols. this brain wallet convertion method may change, or you may mis-spell the words (EG Some instead of some). the best solution is to put a verified/clean bitcoin software onto a memory stick. then install onto a clean computer without the internet. and generate private keys from this. DO NOT rely on brain wallets or wallets that your a keyphrase/seed to generate private keys. as i said before the conversion from phrases into a private key may change in the future. ONLY store actual proper bitcoin private keys. The idea here is that I do NOT want to maintain any hardware or anything physical to hold my bitcoins. I want to know that if there is a nuclear explosion or everything of mine is stolen/hacked/deleted/seized/etc, hardware is lost/stolen/fried, or i go into a coma for the next 5 years, I will still have my bitcoins. I want to have no worries at all. That is why I am going for a brain-wallet-type solution. What is wrong with using sha256? If the hashing algorithm on brainwallet.org changes to something else, I can still use a sha256 script from somewhere else. It is a fairly common hashing algorithm and I dont have to rely on the tool on brainwallet.org. |
|
|
|
|
|
Light
|
|
May 12, 2014, 11:09:32 AM |
|
The idea here is that I do NOT want to maintain any hardware or anything physical to hold my bitcoins. I want to know that if there is a nuclear explosion or everything of mine is stolen/hacked/deleted/seized/etc, hardware is lost/stolen/fried, or i go into a coma for the next 5 years, I will still have my bitcoins. I want to have no worries at all. That is why I am going for a brain-wallet-type solution.
What is wrong with using sha256? If the hashing algorithm on brainwallet.org changes to something else, I can still use a sha256 script from somewhere else. It is a fairly common hashing algorithm and I dont have to rely on the tool on brainwallet.org.
I'm hoping that you're meaning to somehow memorise the private key right? If you're planning on using random words jumbled together to form the basis of it then I would highly recommend reconsidering. Unless you're willing to take the risk that your coins get stolen because you didn't have enough entropy or you used a line from a movie/poem/song then I would stay clear of a brain wallet. Having a soft copy in the cloud (encrypted of course) and a hard copy in meatspace (preferably with BIP38) should more than suffice - your pretty much screwed if you get nuked or get knocked into a coma. There are bigger things to worry about in those scenarios than money (you'll either be dead or won't be able to use those coins till you wake up and still remember everything). |
|
|
|
|
cr1776
Legendary
Offline
Activity: 4032
Merit: 1301
|
|
May 12, 2014, 11:12:29 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). using a brain wallet involves turning natural words into a code. before then encrypting it using standard bitcoin encryption protocols. this brain wallet convertion method may change, or you may mis-spell the words (EG Some instead of some). the best solution is to put a verified/clean bitcoin software onto a memory stick. then install onto a clean computer without the internet. and generate private keys from this. DO NOT rely on brain wallets or wallets that your a keyphrase/seed to generate private keys. as i said before the conversion from phrases into a private key may change in the future. ONLY store actual proper bitcoin private keys. The idea here is that I do NOT want to maintain any hardware or anything physical to hold my bitcoins. I want to know that if there is a nuclear explosion or everything of mine is stolen/hacked/deleted/seized/etc, hardware is lost/stolen/fried, or i go into a coma for the next 5 years, I will still have my bitcoins. I want to have no worries at all. That is why I am going for a brain-wallet-type solution. What is wrong with using sha256? If the hashing algorithm on brainwallet.org changes to something else, I can still use a sha256 script from somewhere else. It is a fairly common hashing algorithm and I dont have to rely on the tool on brainwallet.org. Some don't like brain wallets for several reasons: 1. People are generally bad at picking a sufficiently random group of characters (words or whatever). 2. People forget the characters. 3. People forget the salt. 4. Sometimes the code changes or there are bugs (Safari 6.05, had a Javascript BIP38 bug). (Save the current version somewhere as a backup, note the version so you can get it from github as a 2nd backup). The animus toward brain wallets occurs because they are usually poor, see this for some discussion: https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309http://cryptocoinblog.com/brainwallets-and-why-you-shouldnt/ |
|
|
|
|
franky1
Legendary
Offline
Activity: 4214
Merit: 4479
|
|
May 12, 2014, 11:47:42 AM |
|
What is wrong with using sha256? If the hashing algorithm on brainwallet.org changes to something else, I can still use a sha256 script from somewhere else. It is a fairly common hashing algorithm and I dont have to rely on the tool on brainwallet.org.
using sha is fine to convert your own sentance into your own bases for making a privkey. as long as you take these precautions 1. you dont forget your own process (sentance->sha->privkey EG if you need to chop off characters at the start, end to make your sha'd sentence into a key) 2. you dont rely on other peoples process as they may change (research how someone used bitaddress.org a couple years ago and now using a different browser or the version updated that his sentence no longer produces the same privkey) 3. try not to get amnesia during your holocaust/coma its simpler to find a landmark.. dig a hole. and put a heatproof box with a metal sheath that has a privkey engraved into it.. if a holocaust occured that had enough heat to melt the metal underground.. loss of bitcoins would be the last thing on your mind. brain wallets should be short term, (think amnesia, alzheimer's or simply forgetting due to not being in long term memory) |
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
medUSA
Legendary
Offline
Activity: 952
Merit: 1003
--Signature Designs-- http://bit.ly/1Pjbx77
|
|
May 12, 2014, 11:58:32 AM |
|
So I go through the tedious process of testing the new address by going through all of the secure/offline methods to send a small amount of coins to and from the address, and verify that it works, before I start sending tons of coins there.
I think testing cold wallet keys before you send savings there is being prudent. Some would argue that once you send a transaction, you disclose your public key and the security of that address drops, and it is not a "cold" storage anymore. |
|
|
|
|
|
TERA (OP)
|
|
May 12, 2014, 11:59:13 AM |
|
What is wrong with using sha256? If the hashing algorithm on brainwallet.org changes to something else, I can still use a sha256 script from somewhere else. It is a fairly common hashing algorithm and I dont have to rely on the tool on brainwallet.org.
using sha is fine to convert your own sentance into your own bases for making a privkey. as long as you take these precautions 1. you dont forget your own process (sentance->sha->privkey EG if you need to chop off characters at the start, end to make your sha'd sentence into a key) 2. you dont rely on other peoples process as they may change (research how someone used bitaddress.org a couple years ago and now using a different browser or the version updated that his sentence no longer produces the same privkey) 3. try not to get amnesia during your holocaust/coma its simpler to find a landmark.. dig a hole. and put a heatproof box with a metal sheath that has a privkey engraved into it.. if a holocaust occured that had enough heat to melt the metal underground.. loss of bitcoins would be the last thing on your mind. brain wallets should be short term, (think amnesia, alzheimer's or simply forgetting due to not being in long term memory) but if I got amnesia, wouldn't I forget the password to the encrypted hardware wallet or the location where I hid it anyway? |
|
|
|
|
|
blatchcorn
|
|
May 12, 2014, 12:12:12 PM |
|
I thought a bear like TERA would be selling, not holding  |
|
|
|
|
|
TERA (OP)
|
|
May 12, 2014, 12:25:49 PM |
|
I thought a bear like TERA would be selling, not holding If you only knew how much fiat I've already cashed out, you would understand. Anyway let's keep this in the Speculation forum. Something else that is off-topic here is the viability of brainwallets. I simply want to know if the process of creating a brainwallet requires that it be tested with transactions (separate question for both TO and FROM) |
|
|
|
|
cr1776
Legendary
Offline
Activity: 4032
Merit: 1301
|
|
May 12, 2014, 12:34:47 PM |
|
I thought a bear like TERA would be selling, not holding If you only knew how much fiat I've already cashed out, you would understand. Anyway let's keep this in speculation. Something else that is off-topic here is the viability of brainwallets. I simply want to know if the process of creating a brainwallet requires that it be tested with transactions (separate question for both TO and FROM) It doesn't hurt to test sending TO. Plus multiple checks to ensure that the phrase is correct. Sending FROM though somewhat negates the purpose of cold storage. Also once you spend an output that has been sent to the address the only protection is ECDSA, so other unspent outputs become more vulnerable since your public key is known (prior to sending only the RIPMD hash of the SHA256 hash is known, iirc). The amount of the increase in vulnerability is probably low, but it does reduce security. This is one reason why it is recommended to avoid reusing addresses. ;-) |
|
|
|
|
BillyBobJoe
Member
Offline
Activity: 119
Merit: 10
|
|
May 12, 2014, 03:06:51 PM |
|
OK, now I am confused, again.
Paper wallets. I was under the impression that when you spend from a paper wallet you should empty the it, sweep the entire amount out. This is because of "change" problems.
Now I see where some recommend spending a small amount as a test.
Could somebody clear this up for me?
Regards,
BBJ
|
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
May 12, 2014, 03:18:24 PM |
|
I've made several cold storage keys (Well not nearly as many as Casascius!) and several of the ones I have made were duds. The way I test them (there's probably a better way) is to send a few microbitcoins to them and then look up the address on the blockchain. If you find the address on the blockchain it's usually good. If it doesn't show up then it's not.
This is nonsense. Please provide some examples of these bad keys. If you generated "invalid" keys then it is user error or a bug in your code. Either way the solution is improved code not random testing. To OP for ECDSA the private key is a random number less than n and greater than zero. For Secp256k1 n is FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 any non zero 256 bit value less than n is a valid key. https://en.bitcoin.it/wiki/Secp256k1 |
|
|
|
|
Peter R
Legendary
Offline
Activity: 1162
Merit: 1007
|
|
May 12, 2014, 03:58:31 PM |
|
I've made several cold storage keys (Well not nearly as many as Casascius!) and several of the ones I have made were duds. The way I test them (there's probably a better way) is to send a few microbitcoins to them and then look up the address on the blockchain. If you find the address on the blockchain it's usually good. If it doesn't show up then it's not.
This is nonsense. Please provide some examples of these bad keys. If you generated "invalid" keys then it is user error or a bug in your code. Either way the solution is improved code not random testing. To OP for ECDSA the private key is a random number less than n and greater than zero. For Secp256k1 n is FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141 any non zero 256 bit value less than n is a valid key.https://en.bitcoin.it/wiki/Secp256k1In other words, if you generate 256 random bits for example by flipping 256 coins, it will be a valid key 99.99999999999999999999999999999999999962655% of the time. Like DeathAndTaxes implied, the only way to generate an "invalid" key is by user error or a bug. An example of a bug would be if the software used a different key to find the associated bitcoin address. An example of user error would be generating a private key by rolling die, writing down the numbers on a piece of paper, and then transcribing those numbers incorrectly when generating the bitcoin address. When I generate cold storage addresses, I "test" all my keys using a second piece of software to the one that created them. I use this second piece of software to produce a bitcoin-signed message and then check that it verifies to the same bitcoin address that the first piece of software told me. I think this is a good sanity check if you want to test your keys without making your ECDSA public key known to the network. |
|
|
|
sickpig
Legendary
Offline
Activity: 1260
Merit: 1008
|
|
May 12, 2014, 05:04:29 PM |
|
Sorry about the grammar in the title - it was due to space constraints.
Lately I have been creating secure cold storage cold storage wallets using offline key generation and either paper or brain to store the key. It is kind of a scary process because deep down I think there's a chance I might generate an invalid key or mess up somehow and then later I won't be able to retrieve the bitcoins I send to the address. So I go through the tedious process of testing the new address by going through all of the secure/offline methods to send a small amount of coins to and from the address, and verify that it works, before I start sending tons of coins there. Well, as this process is tedious and seems to add an unnecessary layer of risk, I was wondering if it is even necessary.
Is it at all possible to create an invalid private key? Of all 256-bit hex numbers, is each and every one a valid key? Also, is it possible for the algorithm that converts the private key into the public key to mess up somehow? If I wrote down any random 256 bit number, and use (offline) brainwallet to derive the public key, is that sufficient enough and can I start sending my coins to it right away without having to 'test' it first?
not necessarily what you're looking for but you could find a lot of useful info here: http://falkvinge.net/2014/02/10/placing-your-crypto-wealth-in-cold-storage-installing-armory-on-ubuntu/and also the BIP on HD wallets could be a worth reading: https://en.bitcoin.it/wiki/BIP_0032 |
Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.
|
|
|
|
TERA (OP)
|
|
May 14, 2014, 12:48:22 AM |
|
So the consensus here is that I should test receiving coins but I don't have to test sending them?
|
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
|
|
May 14, 2014, 02:29:05 AM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). using a brain wallet involves turning natural words into a code. before then encrypting it using standard bitcoin encryption protocols. this brain wallet convertion method may change, or you may mis-spell the words (EG Some instead of some). the best solution is to put a verified/clean bitcoin software onto a memory stick. then install onto a clean computer without the internet. and generate private keys from this. DO NOT rely on brain wallets or wallets that your a keyphrase/seed to generate private keys. as i said before the conversion from phrases into a private key may change in the future. ONLY store actual proper bitcoin private keys. I put up a bounty to consolidate electrum seed recovery validation into a single python file. This will greatly mitigate the risks you're talking about. I'll make an announcement when its available. |
|
|
|
Boussac
Legendary
Offline
Activity: 1220
Merit: 1015
e-ducat.fr
|
|
May 14, 2014, 02:54:44 PM |
|
I've made several cold storage keys (Well not nearly as many as Casascius!) and several of the ones I have made were duds. The way I test them (there's probably a better way) is to send a few microbitcoins to them and then look up the address on the blockchain. If you find the address on the blockchain it's usually good. If it doesn't show up then it's not.
Actually, yes and no. You can find a valid bitcoin address in the blockchain for which there is no known private key. An example is 1BitcoinEaterAddressDontSendf59kuE. However, if you derived the bitcoin address from a private key, then you can spend the coins with the private key. |
|
|
|
|
cp1
|
|
May 14, 2014, 03:43:46 PM |
|
If you generate an invalid address then you're doing it wrong. There's no warning to test every bitcoin qt key that it generates for you. What's different about doing it offline? The only difference is that rolling your own cryptography is always a bad idea.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
May 14, 2014, 05:05:38 PM |
|
So the consensus here is that I should test receiving coins but I don't have to test sending them?
Well that is the problem with consensus. Is it a consensus of informed people? There is no reason to manually test cold storage addresses. Do you manually test all your bitcoin wallet addresses as well? The software should be tested with unit tests. The creation of Bitcoin keypairs and addresses is deterministic. The cold storage address generator could use the exact same unit tests that the bitcoin-core client does. Test the implementation to ensure it generates correct output instead of trying to test every usage. If whatever solution you are using doesn't have unit tests then run away quickly. |
|
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
|
|
May 14, 2014, 05:29:26 PM |
|
So the consensus here is that I should test receiving coins but I don't have to test sending them?
I just used the electrum cold storage solution. If you do it properly, you will be secure. And you can restore your wallet from cold storage using the seed. You can also test the process on a small amount of coins (in a different electrum wallet) as far as signing an offline transaction, so you are confident in the process. |
|
|
|
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
|
|
May 16, 2014, 10:24:06 PM |
|
Don't use a brainwallet. That's terrible. Use a real wallet, armory or electrum offline.
Can you tell me what is bad about a brainwallet or a paper wallet assuming I am using it offline on tails and creating the key in a much more complicated way than their SHA256(passphrase). using a brain wallet involves turning natural words into a code. before then encrypting it using standard bitcoin encryption protocols. this brain wallet convertion method may change, or you may mis-spell the words (EG Some instead of some). the best solution is to put a verified/clean bitcoin software onto a memory stick. then install onto a clean computer without the internet. and generate private keys from this. DO NOT rely on brain wallets or wallets that your a keyphrase/seed to generate private keys. as i said before the conversion from phrases into a private key may change in the future. ONLY store actual proper bitcoin private keys. I put up a bounty to consolidate electrum seed recovery validation into a single python file. This will greatly mitigate the risks you're talking about. I'll make an announcement when its available. Ended up coding this myself  Check it out: https://bitcointalk.org/index.php?topic=612143.0 |
|
|
|
ShakyhandsBTCer
Sr. Member
Offline
Activity: 448
Merit: 250
It's Money 2.0| It’s gold for nerds | It's Bitcoin
|
|
June 14, 2014, 07:03:36 PM |
|
So the consensus here is that I should test receiving coins but I don't have to test sending them?
You could test the private key by attempting to sign a message with the public address and then use a separate computer/client to validate the signature. This would be a completely off chain validation. |
|
|
|
|
|
Beliathon
|
|
June 14, 2014, 07:10:33 PM |
|
Don't use a brainwallet. That's terrible. It's only terrible if you're not smart enough to use it correctly. To be fair though, many people aren't. |
|
|
|
ShakyhandsBTCer
Sr. Member
Offline
Activity: 448
Merit: 250
It's Money 2.0| It’s gold for nerds | It's Bitcoin
|
|
June 15, 2014, 05:53:10 AM |
|
Don't use a brainwallet. That's terrible. It's only terrible if you're not smart enough to use it correctly. To be fair though, many people aren't. Even if used correctly a brain wallet can be less secure then other types of security for wallets. The only real time when a brain wallet should be used is when there is a good chance that others will have extended access to your possessions. |
|
|
|
|
|
