How Much Trust does Bitaddress.org deserve?

[traderjoe]

Newbie here wondering how much confidence more veteran members put in the addresses generated by Bitaddress.org.  I understand from watching deterministic wallets like Armory that apparently random private addresses can be generated from a single seed.  I'm not skilled enough to review the code generating the private keys to verify the author has not used a deterministic seed, known only to himself, to generate all of the apparently random addresses.  Or, maybe the libraries used for making the address do not have access to enough entropy, making collisions more likely than they should be.  --Or-- even using the site feature to generate a private key from a passphrase, it might not actually be using the hash of the passphrase to create the private key, just saying it did and doing the translation in a consistent way.  I did verify the page's checksum and the author's signature on the changelog.

So, are there many people here who have reviewed the code behind bitaddress.org and have a lot of confidence in the way the addresses are generated?  

Short of that, if there are other forum members who have been using addresses created by bitaddress.org for a long time and trust it, I'd love to hear from you about how much confidence to put on the page.  Or if you know the author of the pages from the forum here & form an opinion based on that.

[1713892344]

1713892344

[1713892344]

1713892344

[1713892344]

1713892344

[anu]

I read the code - there is no Trojan in there. Since I use that code often, I stored it on my own site to make sure this wouldn't change and so I have it.

If you want to be absolutely sure, do this:
1. Load the page in the browser
2. Disconnect the network
3. Create your Brain or Paper Wallet
4. Shut down your box, reconnect and boot.

[unclemantis]

I use it all the time. It is a universally os compatable solution. I have bitaddress.org and everpassword.com/aes-encryptor saved to my usb drive.

When I want to make a new offline wallet I just fire up ubuntu OS on a live disc. Insert my usb drive. Open up bitaddress.org. Generate my keypairs. Copy and paste them into the aes-encryptor. Choose a strong password. Encrypt. Copy and paste the encrypted string into a txt file on the usb drive. Copy and paste just the public keys in plain txt into the same file. Restart into windows. Print the file with OCR text and presto!

[traderjoe]

Thank you very much for sharing what you know of bitaddress.org and paper wallets.

I have to say, the bitaddress.org + everpassword.com/aes-encryptor  combo to create paper wallets on a Ubuntu live disk or usb, has got to be one of the slickest ways to make them that I have seen so far!  I've spent a long time studying alternatives that people on this board are using, thanks for sharing another alternative.

After thinking about security for a long time, I am inclined to backup an aes-encrypted digital copy of the private keys somewhere on my windows hard drive where it will be backed up (for protection from losing them).  But to keep the strong password to the aes-encrypted private keys, "offline" in a hard copy with the rest of my important documents.  That keeps the offline copy from itself needing another layer of protection from physical access.  If any readers have other great easy ways to do this, I'd like to hear.  But the everpassword.com/aes-encryptor combo on a live Ubuntu CD, looks like a great way to get there.

[nimda]

bitaddress.org is great for brainwallets. I've looked at the source code, monitored network activity while generating addresses, and tried to generate addresses after unplugging the ethernet cord (it worked). I am reasonably convinced that it does not store your private keys.
I have a copy of the website saved to my flash drive. In order to get into my brainwallet, you'd need to know my full name, SSN, driver's license ID number, and other things, not to mention the several-word salt I memorized. The novel part is that due to hashing algorithms, the brainwallet's passphrase includes none of this information

[TangibleCryptography]

In order to get into my brainwallet, you'd need to know my full name, SSN, driver's license ID number, and other things, not to mention the several-word salt I memorized. The novel part is that due to hashing algorithms, the brainwallet's passphrase includes none of this information

Security through obscurity?

1) What does adding publicly available information to a strong passphrase add?
2) If you have to memorize it then it isn't a salt.

[anu]

In order to get into my brainwallet, you'd need to know my full name, SSN, driver's license ID number, and other things, not to mention the several-word salt I memorized. The novel part is that due to hashing algorithms, the brainwallet's passphrase includes none of this information

Security through obscurity?

1) What does adding publicly available information to a strong passphrase add?
2) If you have to memorize it then it isn't a salt.

It adds to security because this stuff applies to you only.  This means an attack can't be directed against all brain wallets any more - it is specifically against you. But one of them is certainly enough.

So my suggestion is: use your SSN OR drivers license number, then use a string of words that is easy to remember for YOU, but not easy to guess for others - so you won't forget it. You can use some of these words in a foreign language or add some deliberate miss-spelling to them.

[DublinBrian]

My main concern is whether Bitaddress generates truly random keypairs. This is a problem whether your box is offline or not. And its irrelevant whether you have booted from a CD or not.

If the developers of Bitaddress know what keypairs their program will generate then they can steal your funds, even if you never go online again. They can steal the funds of everyone who ever used their program, by regenerating the same keypairs that users generated.

How do we know that Bitaddress isnt only capable of generating 100 million keypairs. The developers can wait until there is a good quantity of funds, scattered around those 100 million addresses and then they can regenerate all 100 million private keys and steal the funds.

Im not saying that they are doing this, Im simply saying that, as someone who doesnt have the competence to review source code, or even compile source code, I cannot be 100% sure that this is impossible.

[anu]

My main concern is whether Bitaddress generates truly random keypairs. This is a problem whether your box is offline or not. And its irrelevant whether you have booted from a CD or not.

The code uses your mouse movements as a source of entropy. For deterministic (brain) wallets, that is irrelevant, anyway, because the entropy comes from the passphrase you dream up.

[DublinBrian]

The code uses your mouse movements as a source of entropy. For deterministic (brain) wallets, that is irrelevant, anyway, because the entropy comes from the passphrase you dream up.

How do we know that the Bitaddress.org program is actually the compiled source code that is published?

If a government actor were trying to damage bitcoin, this would be the kind of trick they would use.

[mcorlett]

I read the code - there is no Trojan in there. Since I use that code often, I stored it on my own site to make sure this wouldn't change and so I have it.

If you want to be absolutely sure, do this:
1. Load the page in the browser
2. Disconnect the network
3. Create your Brain or Paper Wallet
4. Shut down your box, reconnect and boot.

Sure, you might be able to check that it's not phoning home to some server somewhere with the generated private keys, but you'd have to be an experienced cryptographer to check for more advanced vulnerabilities.

[anu]

Sure, you might be able to check that it's not phoning home to some server somewhere with the generated private keys, but you'd have to be an experienced cryptographer to check for more advanced vulnerabilities.

Indeed, it's possible to use the mouse movements to do something deterministic or something. I did not go to great length to establish the integrity of the code, so I may have overlooked something - it's 4000 lines, after all.

But the brain wallet is straightforward: It's private key is SHA256(Passphrase) and the SHA256 code does just that: It creates a sha256 hash. And that is a very small amount of code. You can create it with JS and verify that on the command line:

Code:

$ printf 'my really diffficult Paßphrase (made from P. Cubensis and A. Uigedail)' | sha256sum

That said: I obviously don't guarantee anything.

[mcorlett]

Indeed, it's possible to use the mouse movements to do something deterministic or something. I did not go to great length to establish the integrity of the code, so I may have overlooked something - it's 4000 lines, after all.

I was thinking that using the number of milliseconds since some kind of epoch as n in the standard deterministic wallet would be a good idea. That's about 86,400,000 possible keys per day, which would be trivial to check with a local copy of the blockchain.

But the brain wallet is straightforward: It's private key is SHA256(Passphrase) and the SHA256 code does just that: It creates a sha256 hash. And that is a very small amount of code. You can create it with JS and verify that on the command line:

Code:

$ printf 'my really diffficult Paßphrase (made from P. Cubensis and A. Uigedail)' | sha256sum

That's a good tip!

[TangibleCryptography]

It adds to security because this stuff applies to you only.  This means an attack can't be directed against all brain wallets any more - it is specifically against you. But one of them is certainly enough.

That is the purpose of salt.  No need to memorize salt though it isn't a secret.

[DublinBrian]

But the brain wallet is straightforward: It's private key is SHA256(Passphrase) and the SHA256 code does just that: It creates a sha256 hash. And that is a very small amount of code. You can create it with JS and verify that on the command line:

Code:

$ printf 'my really diffficult Paßphrase (made from P. Cubensis and A. Uigedail)' | sha256sum

If its that easy, why are people using Bitaddress? Just generate your own keypair.

(Im not trying to be argumentative here, I genuinely want to know. Im not a coder but Ive put a lot of trust in Bitaddress.org key generator, and I do not want to lose any funds)

[anu]

That is the purpose of salt.  No need to memorize salt though it isn't a secret.

If it isn't, you are surely able to post my drivers license number here.

Such information isn't strictly secret, but it's most likely unavailable to a cracker - especially the brand who are simply trying every address in the blockchain if it was created by a simple password.

[mcorlett]

But the brain wallet is straightforward: It's private key is SHA256(Passphrase) and the SHA256 code does just that: It creates a sha256 hash. And that is a very small amount of code. You can create it with JS and verify that on the command line:

Code:

$ printf 'my really diffficult Paßphrase (made from P. Cubensis and A. Uigedail)' | sha256sum

If its that easy, why are people using Bitaddress? Just generate your own keypair.

(Im not trying to be argumentative here, I genuinely want to know. Im not a coder but Ive put a lot of trust in Bitaddress.org key generator, and I do not want to lose any funds)

That only gives you the private key in hex. You need to derive a public key from that, and in turn a Bitcoin address from that.

[nimda]

The code uses your mouse movements as a source of entropy. For deterministic (brain) wallets, that is irrelevant, anyway, because the entropy comes from the passphrase you dream up.

How do we know that the Bitaddress.org program is actually the compiled source code that is published?

If a government actor were trying to damage bitcoin, this would be the kind of trick they would use.

I haven't seen an answer to this yet.
We know that the bitaddress.org program is the code which is published because it is not compiled. Javascript is by nature a client-side scripting-language, so you can just "view source" to see what code it is using.

[TangibleCryptography]

That is the purpose of salt.  No need to memorize salt though it isn't a secret.

If it isn't, you are surely able to post my drivers license number here.

Such information isn't strictly secret, but it's most likely unavailable to a cracker - especially the brand who are simply trying every address in the blockchain if it was created by a simple password.

One more time before I give up.
THE CRYPTOGRAPHIC METHOD TO ENSURE THE ATTACKER CAN'T PERFORM A PRECOMPUTATION ATTACK IS SALT!
While an attacker may be able to precompute SHA256(password) he can't precompute SHA256(password+salt).  Where salt is a random 128 bit number.

Using things like personal information doesn't provide sufficient entropy.  While he may not be able to find your driver's license number a modern GPU could attempt every possible drivers license number in a second or two.  So you merely adding complexity without adding any real security.  More complexity increases the chance you will not be able to recover the private key later.   Say it is 20 years from now and you need to recover your private key.  Hmm was that (passphrase+name+driver's license) or was it (passphrase+drivers license+name)? Wait did I capitalize the name?  The driver's license has dashes now but did it have dashes 20 years ago?  Did the DMV ever change my driver's license?  etc. 

There is no cryptographic value to adding personal information to a passphrase.   We use salt to ensure the attacker needs to isolate and attack one passphrase. 

To be truly secure you need:
a) strong passphrase
b) salt of sufficient size (128 bit recommended)
c) private key derived from password using a multi-round process (PBKDF2, bcrypt, scrypt, etc)

[anu]

But the brain wallet is straightforward: It's private key is SHA256(Passphrase) and the SHA256 code does just that: It creates a sha256 hash. And that is a very small amount of code. You can create it with JS and verify that on the command line:

Code:

$ printf 'my really diffficult Paßphrase (made from P. Cubensis and A. Uigedail)' | sha256sum

If its that easy, why are people using Bitaddress? Just generate your own keypair.

(Im not trying to be argumentative here, I genuinely want to know. Im not a coder but Ive put a lot of trust in Bitaddress.org key generator, and I do not want to lose any funds)

Because this command simply creates a "random" 256-bit number, which can be interpreted as a private key. This command doesn't give you the address that belongs to that key so you cannot send funds to it. And it doesn't give you the key in WIF format which is what you need to import it into a wallet - so you can spend it.