Bitcoin Forum
November 11, 2024, 04:53:02 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: possible security issue due to stupid users?  (Read 3181 times)
Costia (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 25, 2012, 03:55:10 AM
 #1

It looks to me from reading about ECDSA that the private key can be anything - a random number
Currently a lot of users are afraid to lose access to their wallets - so they make backups etc..
I am concerned that some users will find out the private key can be anything they want and will generate\use easy to remember keys like DEADBEEF (address:1KNrMaMfiqKzRC5fzi1gqTeDC96PAqJPZy)
Whenever I need to change the password for my bank account - there is a minimal complexity required - it won't let me use a simple password.
Can something like this be implemented for the bitcoin client? some kind of a complexity check of the private key?
rejecting the key will cause a lot of trouble, but for example the client can create a new address and transfer all the funds there if a simple private key is detected, or at least warn the user that the key is bad.
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
January 25, 2012, 04:53:11 AM
Merited by xandry (2)
 #2

The stock client doesn't accept human input for private keys, it generates them at random.  To get a custom key in, you need to manipulate the wallet database.  If you are clever enough to do that, you are clever enough to accept your own losses.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Costia (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 25, 2012, 04:55:12 AM
 #3

Fair enough
I thought there was an import private key feature in the workings, which will allow that.
Maged
Legendary
*
Offline Offline

Activity: 1204
Merit: 1015


View Profile
January 25, 2012, 05:35:58 AM
Merited by xandry (2)
 #4

Fair enough
I thought there was an import private key feature in the workings, which will allow that.
Even that doesn't use a raw hex format. You'd first need to use a tool to covert the hex into Sipa Wallet Import Format, and if you know how to do that, you clearly know how to run a wallet tool that will let you bypass any stupidity checks.

Also, I'd love to know your algorithm for detecting stupid inputs. Even then, all you do is create a better idiot that will defeat your idiot checks.

payb.tc
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1000



View Profile
January 25, 2012, 05:38:36 AM
 #5

Fair enough
I thought there was an import private key feature in the workings, which will allow that.
Even that doesn't use a raw hex format.

whaaaaaaaaa? disappointed.

*goes back to qt tutorials*
kjj
Legendary
*
Offline Offline

Activity: 1302
Merit: 1026



View Profile
January 25, 2012, 05:41:51 AM
 #6

Also, I'd be surprised if there aren't already a half dozen people running scripts to find and sweep transactions signed by weak keys.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Costia (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 25, 2012, 05:44:33 AM
 #7

Quote
Also, I'd love to know your algorithm for detecting stupid inputs. Even then, all you do is create a better idiot that will defeat your idiot checks.
I want it to be regular idiot proof, not malicious\suicidal idiot proof
meaning that your answer for not letting input hex private keys is good enough for me
Maged
Legendary
*
Offline Offline

Activity: 1204
Merit: 1015


View Profile
January 25, 2012, 06:10:18 AM
 #8

Quote
Also, I'd love to know your algorithm for detecting stupid inputs. Even then, all you do is create a better idiot that will defeat your idiot checks.
I want it to be regular idiot proof, not malicious\suicidal idiot proof
meaning that your answer for not letting input hex private keys is good enough for me
Although... It looks like Armory allows the import of hex keys, so there may be some concern there.

Costia (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 25, 2012, 06:26:06 AM
 #9

And someone (could be malicious)  can write a "vanity private key" script\software to allow the creation of weak WIF formatted keys
Though this seems quite unlikely to me.
Steve
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1008



View Profile WWW
January 25, 2012, 04:27:50 PM
 #10

Wallets shouldn't really allow private keys to be imported easily…instead they should sweep the coins of a private key into other addresses that the wallet contains.  Similarly, they shouldn't easily allow private keys to be extracted from the wallet, instead they should allow funds to be transferred to a newly generated private key that is not considered a part of the wallet (though the wallet might want to remember them in case it becomes necessary to later sweep those coins back into the wallet).  You could think of the new private key as a wallet itself (or maybe like an envelope with cash in it).  With import/export, the risk of multiple wallets getting the same private keys in them and thoroughly confusing your typical user is too great.

(gasteve on IRC) Does your website accept cash? https://bitpay.com
jim618
Legendary
*
Offline Offline

Activity: 1708
Merit: 1066



View Profile WWW
January 25, 2012, 09:48:26 PM
 #11

@Steve
I agree with you that it can be very confusing to have the same key in multiple wallets.
It can be very powerful however - you can have a wallet in, say, blockchain.info and MultiBit that have the same private keys and both get updated in lockstep with each other.

See this post:
https://bitcointalk.org/index.php?topic=43616.msg711171#msg711171

This would be very useful to monitor what was going on (and say topup a child's account).
I agree though that people would have to understand private keys in detail for it not to all go wrong.

I have the feeling people will start to "preload" a private key and then simply email it to a friend (with all the security risks that entails).  In which case you would have to do a sweep just for peace of mind.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
Costia (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 0



View Profile
January 25, 2012, 09:54:55 PM
 #12

storing your private keys on the web is a big no no (at least for me)
ZodiacDragon84
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


The king and the pawn go in the same box @ endgame


View Profile
January 25, 2012, 09:59:40 PM
 #13

storing your private keys on the web is a big no no (at least for me)

Agreed. I think etotheipi  should see this too, as mention of Armory is involved security wise.

Looking for a quick easy mining solution? Check out
www.bitminter.com

See my trader rep at Bitcoinfeedback.com
!
Joric
Member
**
Offline Offline

Activity: 67
Merit: 130


View Profile
January 26, 2012, 02:37:07 AM
 #14

"I'm gonna go out on a limb here. I think your friend... is you."

1JoricCBkW8C5m7QUZMwoRz9rBCM6ZSy96
ZodiacDragon84
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


The king and the pawn go in the same box @ endgame


View Profile
January 26, 2012, 02:41:04 AM
 #15

"I'm gonna go out on a limb here. I think your friend... is you."


Huh

Looking for a quick easy mining solution? Check out
www.bitminter.com

See my trader rep at Bitcoinfeedback.com
!
etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
February 18, 2012, 12:24:01 AM
Merited by xandry (4)
 #16

storing your private keys on the web is a big no no (at least for me)

Agreed. I think etotheipi  should see this too, as mention of Armory is involved security wise.

Just noticing this thread, now.  This discussion is exactly the reason I never implement "brainwallets," and why I added entropy/salt into the deterministic wallet algorithm.  I was concerned that users might start using simple, memorizable root keys, and end up sharing wallets. 

Unfortunately, there is just no way to avoid this.  All keys are 32-bytes exactly, so I can't filter based on length.  All keys will have all letters of the hex alphabet in them, so I can't filter based on any kind of special-character like used on passwords.  I could implement some kind of entropy-measurement algorithm, but it doesn't stop users from simply hashing their password as the private key (or root key, for that matter).  By design, the hash is supposed to look like pure entropy, so it's a lost cause at that point.

Sure, I can do a sanity check and catch a few of the most obvious violators.   But, I think the title of this thread says it all:  there's only so far you can go to protect stupid users.  If they're protecting a lot of money behind a simple private key... well they're likely to do other grossly-insecure things and compromise themselves, anyway (such as copying their unencrypted wallet to Dropbox because they believe no one else has access to it).


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1072
Merit: 1181


View Profile WWW
February 18, 2012, 12:38:24 AM
Merited by xandry (4)
 #17

@Steve
I agree with you that it can be very confusing to have the same key in multiple wallets.
It can be very powerful however - you can have a wallet in, say, blockchain.info and MultiBit that have the same private keys and both get updated in lockstep with each other.

Jim,

that feature is called "determinstic wallets" usually - it is specifically designed for ease of backup and the ability to have several clients share the same (piece of) wallet without them diverging from eachother. Using some EC math tricks, you can do very nice things, such as a "read only" version that does not allow spending.

Read more here.

I do Bitcoin stuff.
jim618
Legendary
*
Offline Offline

Activity: 1708
Merit: 1066



View Profile WWW
February 18, 2012, 12:55:22 PM
 #18

Hi Pieter,

Thanks for the reference link.

Note that the export and then reimport of an arbitary private key from one wallet to another is not the same "word usage" as what is commonly refered to as a deterministic wallet (as I understand it).

AFAIK With a deterministic wallet there is usually some key definition function that uses a passphrase to generate the private keys for the wallet.   With an export of an arbitary key and then a reimport somewhere else there is no private key synthesis, just a straightforward key copy.

The net result - the same key in two wallets - is the same mind.

Jim


MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
goodlord666
Sr. Member
****
Offline Offline

Activity: 434
Merit: 250


100%


View Profile
February 22, 2012, 12:35:59 PM
 #19

I am concerned that some users will find out the private key can be anything they want and will generate\use easy to remember keys like DEADBEEF (address:1KNrMaMfiqKzRC5fzi1gqTeDC96PAqJPZy)

How is DEADBEEF a key? I thought the Hex of a private key was much longer than that, i.e.:
9A 32 B7 50 A3 26 8C 74 79 D8 A0 F7 FE 9C 59 DF B9 09 86 9B 1B F4 83 E5 6D 11 BA E1 CC 3E 42 37




etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
February 22, 2012, 01:17:57 PM
 #20

And also: why would having people being punished
for their own stupidity be a problem ? Seems to me
like a feature rather than a bug.

I absolutely love the concept of negative reinforcement for being stupid, but it's not always that simple.  They may have created their private keys months before any kind of security breach happens, and even forgotten or not realized that their private key was so simple.  Then, 6 months later, they're on the forums complaining about how their BTC were stolen, and sending all the client developers on a security breach investigation.  Their refusal, of forgetfulness, to mention that they used a simple password is irrelevant:  they will still waste a lot of people's time and generate negative exposure for Bitcoin (about how it's insecure, etc).

Since I'm a client developer, liability issues enter my mind quite frequently (not legally liable, but guilty-conscience liability).  Even if it wasn't my fault, I don't want to deal with figuring out what happened, especially since users don't like to admit that they did something else most other people would criticize them for (like 4-char passphrases).   At least if you have to go through a lot of effort to make that mistake, then you should already be aware of the consequences and how likely they would be.


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!