Topic: [ANN] bitaddress.org Safe JavaScript Bitcoin address/private key - page 15. (Read 153371 times)

You are so harshing my mellow!
Time to get a VPN?  Or use a live USB with tails, which goes through tor.  But the tor exit node might just be run by the NSA.

yes, https is an encrypted tunnel that should be your default whenever possible.

you don't want the NSA accusing you of generating Bitcoin keys now do you?  

plus, i wonder if http://www.random.org/ a monitored site?

Touche'
Looks like both url's go to www.random.org, the difference is whether you use SSL, am I right about that? 

Depending on what you want to use it for, you might want to make sure you get the one that uses SSL.

For instance, why do these 2 urls go to the same apparent website?

https://www.random.org/
http://www.random.org/

Yep, not ezackly

But I think it's better because it's a physical method not susceptible to a website compromise.

I had to go look at the bitaddress.org website to see what you're talking about.
I didn't know bitaddress.org had a place where you could input a raw number as a key, and have it do the WIF conversion for you.
Whether you use random.org, dice or cards, it's the same thing.  You generate a 256 bit number (randomly).  That's your key.
Actually, 6^99 = 2^255.9112876 so it's not ezackly 256 bits.

why isn't the 99 dice roll method better than this?

Yes.
By generating a random 256 bit number you are skipping the first step of making a passphrase, and the second step of hashing the passphrase to get a 256 bit number.
I just generated a 256 bit number by going to random.org and telling it to generate a random number in the range of 0 to 65535.  That's 65536 possibilities, which is 16^4 or four hex characters.  So if you do this 16 times, you can get 64 hex characters, which is a private key.  Random.org generates decimal numbers, so you convert 16 numbers from random.org into hex and you get sixteen four-digit hex numbers that you can concatenate for the private key.  Then you can encode it into base58check.  Brainwallet.org will do that for you, but for the paranoid, it can be done at the linux command line.

did you mean "Skip the passphrase"?

It occurs to me that if one wants to go to the trouble of generating truly random strings, then you don't have to go through bitaddress.org to make your key.
Bitaddress.org uses a hash to generate a 256 bit number from your passphrase.  But if you are going to generate entropy legitimately, you can just cut straight to the chase.  Skip the hash.  Generate a 256 bit random number and use the number itself as the payload.  This 256 bits is your real private key; you just have to encode it in base58check (Wallet Import Format) to make a key you can use.  There's a fairly simple process to do that, involving a couple of hashes to generate the checksum (this is built into Bitaddress.org, but you are skipping the passphrase hashing step so you have to do the encoding yourself).  
Any linux distro ought to be able to do the hashes.

Normally they aren't but with the recent vulnerabilities in PRNGs seen in the android and DBRG curve and potentially in other hardware with the NSA revelations, here we have people turning to dice and card shuffling as the optimum and safest means to generate random seeds.

How is a RNG a physical means for maximum security? Am I missing something?

Thanks. I find it interesting that in this day of the digitalization of money, we find ourselves resorting to physical means for maximum security, ie, RNGs and paper wallets.

In principle, no difference.  But when the average person takes a deck of card and gives it a few shuffles, the deck may have some residual order.  I don't think a fair die exhibits the same potential weakness.  Physical intuition tells me that as long as the die bounces a few times before settling down, the result is essentially unpredictable.  So in this respect, cards may be the weaker choice.

Having said that, I still think that cards are quite adequate for generating entropy, as long as you know what you're doing.  Start by reading the wikipedia page on card shuffling:
http://en.wikipedia.org/wiki/Shuffling
I find this sentence particularly interesting:
"seven shuffles of a new deck leaves an 81% probability of winning New Age Solitaire where the probability is 50% with a uniform random deck"

Considering the sophistication of hackers and the computing power at their command, having any residual pattern to the arrangement of the cards poses a risk.  If cards become a commonly used technique for generating passphrases, the hackers will know about it and tailor their cracking techniques to any pattern known to result from weak shuffling.  Therefore

Good shuffling is critically important.  

I don't limit my shuffling to riffles.  I also use an overhand shuffle where I hold the deck in my right hand and slide a few cards at a time off the top of the deck into my left hand.  This is a very easy shuffle.  I guess a dozen overhand shuffles alternating with a dozen riffles would do it, but considering how easy and quick it is to shuffle a deck of cards, it wouldn't hurt you to do more.  

Each passphrase only uses a couple of dozen cards, so you can generate two passphrases from a shuffled deck.

How would you equate this with the dice roll method in the Wallet Detail tab of the html utility?

I would make a brain wallet using cards like this:
Take a pack of cards and a sharpie.  Go through the deck and on each card write one symbol from the base58 list, which you can find here:
https://en.bitcoin.it/wiki/Base58Check_encoding
(That list leaves out zero and capital O, and it leaves out capital I and small l (ell), helping to avoid confusion.)
You won't use up all the symbols in the list, but that's ok.
Riffle shuffle the deck a dozen times or more, you want to completely randomize it.
Take a stack of about 20 to 24 cards from the shuffled deck, depending on how much entropy you think you need (see previous post).  Go get a piece of paper and pen.  Then turn over the cards one by one and write down each letter and number in sequence.  This is your passphrase, which you need to type into your offline bitaddress utility to generate the WIF private key and bitcoin address for your new wallet.  Best practice is to use a live cd or usb with the bitaddress html stored on it, and your machine's wifi turned off.
To save your passphrase, you can keep the deck and make sure the cards don't get mixed up, but it's easier to keep the piece of paper you wrote the passphrase on and forget about the cards.  I think it's safer too, because with a stack of cards there's always the risk of dropping them and getting them mixed up.

Re: live usb.  If you make a live usb that's non-persistent, you can still put the bitaddress html on it.  Just plug the usb into a machine that's already booted up and save a file with the html code in the root directory.  Then when you boot from the live usb, there should be a directory with the html code in it.  On my ubuntu live usb, it appears in a directory called CD, or CDRom, something like that.

52 different cards, thoroughly shuffled, and I mean thoroughly, would get you 225 bits of entropy.  More than you really need for a secure key.
Let's say you chose twenty cards randomly from a full deck of 52, and throw away the leftover cards.  Now you have twenty objects chosen randomly from a set of 52.
Adopting the strategy in your post, we preserve the order of the cards -- so we can treat this as an ordered set.  There are 52 possibilities for the first card, 51 possibilities for the second card, and so on.  So the number of possible twenty-card ordered decks is 52 factorial divided by 32 factorial.  (Assuming complete randomness in the selection.)  If you have a thoroughly shuffled 52 card deck, you can just take the top twenty cards, in order, and go with that.
Type "52!/32!" (without the quotes) in the Google search box and it tells you the answer is 3.065 x 10^32.  This is the entropy, but you want it expressed as a power of two, so
2^x=3.065x10^32  solving x =  107.9 bits of entropy
That's generally accepted as enough passphrase strength for today's computers and some decades into the future.  If you want a stronger password use more cards and recalculate.  If you add just one more card, it will garner you exactly 5 bits more entropy, because it is chosen from exactly 32 leftover cards, and 2^5=32.  
Thus 21 cards gives 112.9 bits of entropy.  Each card you add after that will add entropy, but not as much.

Okay, that covers the math, the next question is how do you convert a deck of cards into a passphrase.  You could convert the ordered cards into a base58 string by assigning a letter or number to each card in any way that seems logical to you, using 52 symbols out of the base 58 set.  You convert that string into a key by treating it as your passphrase.

Of course you have to record the numbering scheme you used and store that somewhere, if you ever want to regenerate the passphrase.  So you have to keep the deck and a list of the letters and numbers you assigned to the cards.  Also, you have to know which end of the deck you're counting from.  It would be less work just to write down the passphrase.

So what advantage would you get from using a deck of cards?  Keep the cards in one location and the symbols list in another location, I suppose...
Mostly, the utility comes from the ability to get a random string by shuffling cards.  The actual storing of the passphrase is another issue that might be solved more effectively by some other method than holding a deck of cards.

Bitcoin 0.9 introduced reduced minimum relaying fees. So 0.9 nodes will relay a transaction with a fee as low as 0.00001, but the miners will not yet include it in a block.

When 0.9.2 or higher maybe comes out, the fee will probably be reduced then.

I agree with your suggestion there needs to be a way to do that. I think I've been trying to keep the wallet details tab about viewing stuff about a key you already have. Instead of making a key. Although, I'm not sure I really stuck to that. So I could add a checkbox and input field for people who want to see the BIP38 for the key they enter with whatever passphrase they choose and they probably want to generate a QR code for that.

For a more complex solution but hopefully a better UI I'm trying to brainstorm a way where some of the tabs like Paper Wallet, Bulk Wallet, Brain Wallet have a merged/unified UI. Where there would be a default RNG type but allow you to change RNGs actually more like key generation methods. Because if you provide 99 dice roll entropy you dont need an RNG.

Multiple key generation methods:
1) The current bitaddress/ArcFour/TomWu mouse/key entropy XOR'd with hardware randonmess based generator "ECDSA.getBigRandom(n) / SecureRandom".
2) One that Casascius described in this thread which was roughly SHA256(seed + human text input + incrementor) = key. Display "seed + human text input + incrementor" next to each private key (when in this mode) so that user can verify (at any time) that his WIF key was derived from a source that included the "human text input".
3) B6 Dice wallet key "new BigInteger(input, 6)". Would need to add some incrementor so you could use it as a seed for a bulk wallet.

I like the feature that allows me to enter 99 dice rolls to generate a truly random address, but it is lacking the ability to encrypt the keys with BIP38 and so leaves the paper wallet vulnerable to physical theft.

How hard would it be to allow BIP38 encryption on the 'details' tab?  It seems I currently have to choose between allowing bitaddress to generate the randomness or having my paper wallets unencrypted.  Please let me use true randomness and encryption at the same time.