antonimasso (OP)
Member
 Offline
Activity: 73
Merit: 10
|
 |
August 25, 2014, 06:45:11 PM |
|
Hello, My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs). https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? I used very simple passwords to generate the public keys. Could this person have used an application that uses multiple private keys to test and build a valid TX? Thanks |
|
|
|
|
|
|
|
|
|
|
|
|
|
According to NIST and ECRYPT II, the cryptographic algorithms used in
Bitcoin are expected to be strong until at least 2030. (After that, it
will not be too difficult to transition to different algorithms.)
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
DannyHamilton
Legendary
Offline
Activity: 3374
Merit: 4606
|
|
August 25, 2014, 06:50:12 PM |
|
Hello, My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs). https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? Either you accidentally leaked the private keys, or you didn't use randomly generated private keys. I used very simple passwords to generate the public keys.
Rainbow tables have been created for all private/public key pairs generated from simple passwords. Any transaction that uses a public key or bitcoin address that was generated from a password instead of being generated randomly should be considered insecure. Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Could this person have used an application that uses multiple private keys to test and build a valid TX?
yes. This was all explained to you already in the past: I used very simple passwords to generate the bitcoin addresses yeah, that's probably it. many easy keys have some bots, that capture money from them as it comes. as well as many stolen keys - such are definitely being monitored for a potential theft and robbed immediately as they receive any coins. |
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 25, 2014, 06:55:49 PM |
|
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
|
|
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
August 25, 2014, 06:56:56 PM |
|
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
It's pretty easy, and he can attack all multisigs at once. This is why brainwallets are the dumbest idea ever... |
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 25, 2014, 07:04:14 PM |
|
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
|
|
|
|
|
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186
|
|
August 25, 2014, 07:06:38 PM |
|
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Not likely. Humans are a terrible source of entropy. Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly. |
|
|
|
instagibbs
Member
Offline
Activity: 114
Merit: 12
|
|
August 25, 2014, 07:23:25 PM |
|
Much better off just making a wallet with mnemonics, and memorizing the word list.
|
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 25, 2014, 07:24:04 PM |
|
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?
|
|
|
|
|
DannyHamilton
Legendary
Offline
Activity: 3374
Merit: 4606
|
|
August 25, 2014, 07:28:55 PM
Last edit: August 25, 2014, 08:03:05 PM by DannyHamilton |
|
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?
Brute force? Yes. But, because humans are VERY bad at doing things in a completely random way, a program can be written to take advantage of biases in human thought and human behavior. Such a program could significantly reduce the search space necessary to find the password used. At the moment, an arbitrarily long password might be sufficient for short term storage, but since private keys can be randomly generated, why bother with such long and indecipherable passwords (which may fall to weaknesses in the future)? Wouldn't it be simpler to just randomly generate a private key? |
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 25, 2014, 07:58:28 PM |
|
Well I think you're right, I might need to generate new addresses for my bitcoins...
|
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
August 26, 2014, 04:17:28 AM
Last edit: August 26, 2014, 04:59:30 AM by amaclin |
|
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806public keys are: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"
it was not too difficult to check associated private keys for these public keys  two of three to redeem: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
{ "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },
Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug  No luck yet |
|
|
|
|
|
dreamhouse
|
|
August 26, 2014, 05:17:48 AM |
|
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806public keys are: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"
two of three to redeem: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
{ "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },
Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug No luck yet how? by brute force? |
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 26, 2014, 06:15:29 AM |
|
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806public keys are: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"
it was not too difficult to check associated private keys for these public keys two of three to redeem: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
{ "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },
Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug No luck yet Did you select my Multisig address manually or do you have a script that tries combinations of public keys? Soon before you tried to steal my funds  I made a TX with no fee and now these funds seem to be blocked or lost. |
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
August 26, 2014, 06:36:51 AM |
|
Soon before you tried to steal my funds I do not like the words "my" & "steal". Bitcoins belong the person who knows private keys. I know. Let us say that you have bought some knowledge for small price. And I can sell you more. Just ask me. I will be happy to share my knowledge with everyone else. I made a TX with no fee and now these funds seem to be blocked or lost. Bitcoins can not be lost such way. The game is not over. |
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 26, 2014, 06:42:18 AM |
|
Please do share your knowledge, the Bitcoin community will thank you for doing so.
|
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
August 26, 2014, 06:47:24 AM |
|
Did you select my Multisig address manually or do you have a script that tries combinations of public keys? There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hashDo you think it is possible to check them manually? |
|
|
|
|
antonimasso (OP)
Member
Offline
Activity: 73
Merit: 10
|
|
August 26, 2014, 07:00:58 AM |
|
Did you select my Multisig address manually or do you have a script that tries combinations of public keys? There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hashDo you think it is possible to check them manually? Not manually one by one, but if you knew mine and tried to get the public keys values from the redeem script. |
|
|
|
|
|
rapport
|
|
August 26, 2014, 09:54:48 AM |
|
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Not likely. Humans are a terrible source of entropy. Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly. How would a computer guess the above password? |
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
August 26, 2014, 10:35:22 AM |
|
using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P How would a computer guess the above password? How would human remember the password above? It will be more easy to remember the private key in hex/wif format itself |
|
|
|
|
|
