Bitcoin Forum
December 07, 2016, 08:35:52 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Poll
Question: Will you support Gavin's new block size limit hard fork of 8MB by January 1, 2016 then doubling every 2 years?
1.  yes
2.  no

Pages: « 1 ... 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 [952] 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 ... 1560 »
  Print  
Author Topic: Gold collapsing. Bitcoin UP.  (Read 1805693 times)
NewLiberty
Legendary
*
Offline Offline

Activity: 1064


Gresham's Lawyer


View Profile WWW
December 24, 2014, 02:29:48 PM
 #19021

out of curiosity to the security experts here.

which do you consider more secure, Armory or Trezor?

I'm not a security expert, but I would say trezor (with passphrase).

It's also easier to use securely.


Trezor seems safe. A simple paper wallet generated offline on a new computer running linux is safe too  Wink

Did you miss Rocks post above discussing the vulnerability of using new computers, or just saying it is safe enough for you because you disagree with the risk?

FREE MONEY1 Bitcoin for Silver and Gold NewLibertyDollar.com and now BITCOIN SPECIE (silver 1 ozt) shows value by QR
Bulk premiums as low as .0012 BTC "BETTER, MORE COLLECTIBLE, AND CHEAPER THAN SILVER EAGLES" 1Free of Government
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481142952
Hero Member
*
Offline Offline

Posts: 1481142952

View Profile Personal Message (Offline)

Ignore
1481142952
Reply with quote  #2

1481142952
Report to moderator
1481142952
Hero Member
*
Offline Offline

Posts: 1481142952

View Profile Personal Message (Offline)

Ignore
1481142952
Reply with quote  #2

1481142952
Report to moderator
1481142952
Hero Member
*
Offline Offline

Posts: 1481142952

View Profile Personal Message (Offline)

Ignore
1481142952
Reply with quote  #2

1481142952
Report to moderator
thezerg
Legendary
*
Offline Offline

Activity: 1246


View Profile
December 24, 2014, 03:33:47 PM
 #19022

out of curiosity to the security experts here.

which do you consider more secure, Armory or Trezor?

I'm not a security expert, but I would say trezor (with passphrase).

It's also easier to use securely.


Trezor seems safe. A simple paper wallet generated offline on a new computer running linux is safe too  Wink

One idea is that a small custom device like the trezor could have put an accelerometer in for just a few bucks

Haveged might be really bad on an isolated device.  No interrupts coming in...
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 24, 2014, 05:58:44 PM
 #19023

Mycelium Entropy:

https://www.indiegogo.com/projects/mycelium-entropy
rocks
Legendary
*
Offline Offline

Activity: 1153


View Profile
December 24, 2014, 07:54:08 PM
 #19024

I use http://www.issihosts.com/haveged/ to get more entropy (based on "processor flutter").


Those are both really cool projects, thanks for sharing. If anything their existence shows that generating true randomness on deterministic computers is hard and it is necessary to resort to the variability that is found in the real physical world.
lebing
Legendary
*
Offline Offline

Activity: 1274


Bitcoin: The honey badger of currencies


View Profile
December 24, 2014, 08:19:01 PM
 #19025


Cool, but I won't bite until they offer bip32

Bro, do you even blockchain?
-E Voorhees
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 24, 2014, 11:14:45 PM
 #19026


they already do
HeliKopterBen
Hero Member
*****
Offline Offline

Activity: 622



View Profile
December 25, 2014, 05:45:24 AM
 #19027


"This way the paper wallet has never touched a computer or a network, and as soon as you eject the device the private key is wiped from memory"

This is not true.  Anyone printing paper wallet should be careful of what printer they are using.  Larger industrial printers have hard drives that record all spooled print data in some cases, especially older models.  Most of them are also connected to the internet.  Some of the newer models have data security or drive encryption installed by default but not all.  Smaller personal and desktop printers that don't have hard drives may be ok.  IMO dedicated hardware wallets are the better option.

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/


Counterfeit:  made in imitation of something else with intent to deceive:  merriam-webster
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 25, 2014, 06:14:07 AM
 #19028


"This way the paper wallet has never touched a computer or a network, and as soon as you eject the device the private key is wiped from memory"

This is not true.  Anyone printing paper wallet should be careful of what printer they are using.  Larger industrial printers have hard drives that record all spooled print data in some cases, especially older models.  Most of them are also connected to the internet.  Some of the newer models have data security or drive encryption installed by default but not all.  Smaller personal and desktop printers that don't have hard drives may be ok.  IMO dedicated hardware wallets are the better option.

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/



Is Trezor a single address that is reused?
brg444
Hero Member
*****
Offline Offline

Activity: 630

Bitcoin replaces central, not commercial, banks


View Profile
December 25, 2014, 06:39:30 AM
 #19029


"This way the paper wallet has never touched a computer or a network, and as soon as you eject the device the private key is wiped from memory"

This is not true.  Anyone printing paper wallet should be careful of what printer they are using.  Larger industrial printers have hard drives that record all spooled print data in some cases, especially older models.  Most of them are also connected to the internet.  Some of the newer models have data security or drive encryption installed by default but not all.  Smaller personal and desktop printers that don't have hard drives may be ok.  IMO dedicated hardware wallets are the better option.

http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/



Is Trezor a single address that is reused?

no trezor has bip32 HD wallet

"I believe this will be the ultimate fate of Bitcoin, to be the "high-powered money" that serves as a reserve currency for banks that issue their own digital cash." Hal Finney, Dec. 2010
smoothie
Legendary
*
Offline Offline

Activity: 1848


LEALANA Monero Physical Silver Coins


View Profile
December 25, 2014, 07:27:36 AM
 #19030

I wonder if you could use the current CPU temperature to the first or second decimal place as a source of entropy.

The least significant bit of a 16 bit audio sample always seemed a good idea to me.

The nice thing about randomness: you can mix many sources (using xor or whatever) and you'll not lose anything even if one source is bad.

Unfortunately what you may get wrong if you are too careless about this is how much useful randomness you have.

If I recall correctly some sources in the Linux kernel rng are added to the pool but counted as zero entropy.


this is why understanding the inner workings of predifined rng's or procedure calls to generate entropy is essential.

Also making sure that entropy is explicitly used properly is key. Simply make sure entropy is being used for what it is being generated for.

███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.        SMOOTHIE'S HEALTH AND FITNESS JOURNAL          History of Monero development Visualization ★☆ .
LEALANA  PHYSICAL MONERO COINS 999 FINE SILVER.
 
dnaleor
Legendary
*
Offline Offline

Activity: 1274


Want privacy? Use Monero!


View Profile
December 25, 2014, 08:34:34 AM
 #19031

out of curiosity to the security experts here.

which do you consider more secure, Armory or Trezor?

I'm not a security expert, but I would say trezor (with passphrase).

It's also easier to use securely.


Trezor seems safe. A simple paper wallet generated offline on a new computer running linux is safe too  Wink

the problem with a paper wallet is to spend the coins safely.
An average bitcoin user these days isn't able to create a linux live CD, import a private key, export the transaction by USB and broadcast it on another online computer running a full node.

Searching for a trusted escrow service? Check my trust. I use a Trezor device for my escrow services, so your coins are safe. Fee: 0.5% or 0.05 BTC, whichever is lower
I support the largest public transparent p2p ledger Bitcoin (16TwXyEmpz7xKHbyVufZECXGFmUH9wHUyW) and the best private fungible digital cash Monero (dnaleor.weuse.cash)
Cetere mi opinias ke Dasho estas detruenda.     |     1Credit - Fair emission, better than BTC > CLCqECaYpCahgKRsXJiVBzgsiz57ZHfr4u
molecular
Donator
Legendary
*
Offline Offline

Activity: 2142



View Profile
December 25, 2014, 10:22:20 AM
 #19032

out of curiosity to the security experts here.

which do you consider more secure, Armory or Trezor?

I'm not a security expert, but I would say trezor (with passphrase).

It's also easier to use securely.


Trezor seems safe. A simple paper wallet generated offline on a new computer running linux is safe too  Wink

the problem with a paper wallet is to spend the coins safely.
An average bitcoin user these days isn't able to create a linux live CD, import a private key, export the transaction by USB and broadcast it on another online computer running a full node.

Exactly. Like I said above: trezor (with additional passphrase against theft of seed backup) is quite secure, but most importantly: it's both easy to use securely (hard to fuck up) and very convenient. I use it as a day-to-day wallet (plus mycelium on the phone)

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 25, 2014, 11:18:53 AM
 #19033

I wonder if you could use the current CPU temperature to the first or second decimal place as a source of entropy.

The least significant bit of a 16 bit audio sample always seemed a good idea to me.

The nice thing about randomness: you can mix many sources (using xor or whatever) and you'll not lose anything even if one source is bad.

Unfortunately what you may get wrong if you are too careless about this is how much useful randomness you have.

If I recall correctly some sources in the Linux kernel rng are added to the pool but counted as zero entropy.


this is why understanding the inner workings of predifined rng's or procedure calls to generate entropy is essential.

Also making sure that entropy is explicitly used properly is key. Simply make sure entropy is being used for what it is being generated for.

Somebody should code  up an entropy "meter"  to go in the menu bar of Linux   distros.
oakpacific
Hero Member
*****
Offline Offline

Activity: 798


View Profile
December 25, 2014, 11:20:16 AM
 #19034

out of curiosity to the security experts here.

which do you consider more secure, Armory or Trezor?

I'm not a security expert, but I would say trezor (with passphrase).

It's also easier to use securely.


Trezor seems safe. A simple paper wallet generated offline on a new computer running linux is safe too  Wink

the problem with a paper wallet is to spend the coins safely.
An average bitcoin user these days isn't able to create a linux live CD, import a private key, export the transaction by USB and broadcast it on another online computer running a full node.

Exactly. Like I said above: trezor (with additional passphrase against theft of seed backup) is quite secure, but most importantly: it's both easy to use securely (hard to fuck up) and very convenient. I use it as a day-to-day wallet (plus mycelium on the phone)


Has anybody noticed that Bitcoin actually has the potential to eliminate theft, like, for real?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 25, 2014, 02:54:16 PM
 #19035

what is "constant time"?

Improved signing security

For 0.10 the security of signing against unusual attacks has been improved by making the signatures constant time and deterministic.

This change is a result of switching signing to use libsecp256k1 instead of OpenSSL. Libsecp256k1 is a cryptographic library optimized for the curve Bitcoin uses which was created by Bitcoin Core developer Pieter Wuille.

There exist attacks[1] against most ECC implementations where an attacker on shared virtual machine hardware could extract a private key if they could cause a target to sign using the same key hundreds of times. While using shared hosts and reusing keys are inadvisable for other reasons, it's a better practice to avoid the exposure.

OpenSSL has code in their source repository for derandomization and reduction in timing leaks, and we've eagerly wanted to use it for a long time but this functionality has still not made its way into a released version of OpenSSL. Libsecp256k1 achieves significantly stronger protection: As far as we're aware this is the only deployed implementation of constant time signing for the curve Bitcoin uses and we have reason to believe that libsecp256k1 is better tested and more thoroughly reviewed than the implementation in OpenSSL.

[1] https://eprint.iacr.org/2014/161.pdf


A countermeasure against

http://en.m.wikipedia.org/wiki/Timing_attack

?

Although I can't think of a practical scenario where a typical user would ever be exposed to this, yes, the concern is side-channel attacks (e.g., a timing attack):

Quote from: N Benger et al
ABSTRACT. We apply the Flush+Reload side-channel attack based on cache hits/misses to extract a small amount of data from OpenSSL ECDSA signature requests. We then apply a “standard” lattice technique to extract the private key, but unlike previous attacks we are able to make use of the side-channel information from almost all of the observed executions. This means we obtain private key recovery by observing a relatively small number of executions, and by expending a relatively small amount of post-processing via lattice reduction. We demonstrate our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol. In particular we show that with as little as 200 signatures we are able to achieve a reasonable level of success in recovering the secret key for a 256-bit curve. This is significantly better than prior methods of applying lattice reduction techniques to similar side channel information.

From: N. Benger, J van de Pol, N.P. Smart, Y. Yar, “‘Ooh Aah... Just a Little Bit’: A small amount of side channel can go a long way,” from International Association for Cryptologic Research, 2014.

Basically, there's a bunch of number crunching done by your CPU each time your wallet signs a bitcoin transaction.  If a "constant time" algorithm is used, it takes the same amount of time to produce an ECDSA signature regardless of the message being signed (or the k value or private key used).  If the signing time is always the same, then an attacker cannot learn anything about your private keys by inspecting the timing variations (since there are none) when you sign various messages.  

Where does "timing variation" come from?  As one example, your wallet needs to perform the following elliptic curve point multiplication as part of the ECDSA signing process:

  (x1, y1) = k x G

There's several different algorithms that can be used to carry out this multiplication.  The simplest is probably the "double and add" method.  However, the amount of time it takes this algorithm to execute depends on the specific value of k (G is always constant for bitcoin).  On the other hand, the "Montgomery Ladder" approach computes the point multiplication in a fixed amount of time (regardless of the specific value of k).  So a wallet would use a constant-time approach like the Montgomery Ladder technique rather than the double-and-add method as part of ensuring "constant time" ECDSA signatures.

Why does "constant time" matter?  In most cases I don't think it really does.  But let's imagine a contrived scenario where an attacker can get my wallet to produce several bitcoin-signed message with one of its funded private keys.  The attacker can pass it any piece of text, and my wallet will sign that text and relay the signature back to the attacker.  Normally this shouldn't be a problem because bitcoin-signed messages are safe.  But if the attacker can somehow accurately time how long my CPU takes to produce each signature, and then fiddle with the messages that it's requesting my wallet to sign, perhaps it can leach out enough information to determine my private key…

I think deterministic signatures are much more important than constant-time signatures (there's been a non-trivial amount of funds lost due to the repeat k-value problem but I doubt a single satoshi has ever been lost due to a genuine side-channel attack).  Someone like gmaxwell could comment better on the practical risks here…




I take it the time to do the multiplication varies directly with the size of the number k? Would it be linearly related?

And this applies whether or not we use deterministic signatures?
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
December 25, 2014, 02:59:34 PM
 #19036

Has anybody noticed that Bitcoin actually has the potential to eliminate theft, like, for real?
Yes. Probably in more ways than you were anticipating:

Quote from: Wei Dai
I am fascinated by Tim May's crypto-anarchy. Unlike the communities traditionally associated with the word "anarchy", in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It's a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.
NotLambchop
Sr. Member
****
Offline Offline

Activity: 378


View Profile
December 25, 2014, 03:09:31 PM
 #19037

...
Quote from: Wei Dai
...violence is impossible because its participants cannot be linked to their true names or physical locations.

Not quite...



cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
December 26, 2014, 02:34:05 AM
 #19038

https://m.youtube.com/watch?v=v6JUyK5dHoE
NewLiberty
Legendary
*
Offline Offline

Activity: 1064


Gresham's Lawyer


View Profile WWW
December 26, 2014, 03:38:12 AM
 #19039

...
Quote from: Wei Dai
...violence is impossible because its participants cannot be linked to their true names or physical locations.

Not quite...



LOL, you know Wei Dai wrote that like a decade before Bitcoin right?
Justus is merely pointing out that the anti-theft elements of cryptographic solutions were contemplated long before it occurred to oakpacific this week.
The potential to do what governing that needs to be done with less of a central authority is one of the values crypto has the potential to add.

And Charlie pled out to a Money Transmission violation, not theft anyway.  The MTLs are arbitrary barriers to entry set up by banking to wall off their industry from competition.  I don't know who Charlie's victim is there... Citibank? for not being able to collect their customary fees?

The MTLs are part of banking's war on cash.  So that they can control the ledgers.  The Bank Secrecy Act laws preventing un-monitored transfers of US$10K were written when? in 1970? They haven't been adjusted for inflation since?

In today's dollars that would be over US$60K
http://www.dollartimes.com/inflation/inflation.php?amount=10000&year=1970

So what may have been thought of as a reasonable law then, is insane today.   The frog is well and truly boiled.

FREE MONEY1 Bitcoin for Silver and Gold NewLibertyDollar.com and now BITCOIN SPECIE (silver 1 ozt) shows value by QR
Bulk premiums as low as .0012 BTC "BETTER, MORE COLLECTIBLE, AND CHEAPER THAN SILVER EAGLES" 1Free of Government
smoothie
Legendary
*
Offline Offline

Activity: 1848


LEALANA Monero Physical Silver Coins


View Profile
December 27, 2014, 09:07:19 AM
 #19040

I wonder if you could use the current CPU temperature to the first or second decimal place as a source of entropy.

The least significant bit of a 16 bit audio sample always seemed a good idea to me.

The nice thing about randomness: you can mix many sources (using xor or whatever) and you'll not lose anything even if one source is bad.

Unfortunately what you may get wrong if you are too careless about this is how much useful randomness you have.

If I recall correctly some sources in the Linux kernel rng are added to the pool but counted as zero entropy.


this is why understanding the inner workings of predifined rng's or procedure calls to generate entropy is essential.

Also making sure that entropy is explicitly used properly is key. Simply make sure entropy is being used for what it is being generated for.

Somebody should code  up an entropy "meter"  to go in the menu bar of Linux   distros.

This would be interesting to see as well as a current list of entropy sources.

At some point you only need so much entropy from real world randomness but it is cool to come up with new ideas on ways to generate even more randomness.

███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.        SMOOTHIE'S HEALTH AND FITNESS JOURNAL          History of Monero development Visualization ★☆ .
LEALANA  PHYSICAL MONERO COINS 999 FINE SILVER.
 
Pages: « 1 ... 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 [952] 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 ... 1560 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!