
Topic: [ANN] bitaddress.org Safe JavaScript Bitcoin address/private key - page 34. (Read 153019 times)

hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Wow. I can't believe this topic got moved after more than a year in Discussions. I thought it was always left there as being of key interest to so many.
sr. member
Activity: 438
Merit: 291

As an aid to VanityPools I have created a new version of bitaddress at:
http://bitcoinstatus.rowit.co.uk/other/address.html
with a new tab "Vanity Private Key".

I have just put it there for comments etc...

Requirement was to get keys in different format (mainly to stop users getting confused!), and to be able to ADD two private keys together. See:
https://bitcointalksearch.org/topic/vanity-pool-vanity-address-generator-pool-84569
for why this is needed.

Maths I have tested against:
http://gobittest.appspot.com/VanitySum
that I am assuming is correct.

This is my 1st hack at bitaddress.org so feel free to correct my bad coding - is a bit of a monster all in one file!

2 Questions:
1) If I tidy up code will you accept the adding of this additional tab to the master version?
2) What tidying up do I need to do?


Other thing was that in V7 you can import private keys from the GUI via the debug console. I have started updating wiki at:
https://en.bitcoin.it/wiki/How_to_import_private_keys_v7%2B
(I need to add screenshots etc..)
but are there any security issues about importing keys this way?

Seems much more user friendly than the previous ways.
legendary
Activity: 2506
Merit: 1010
Here's the service that makes the data: URL:

 - http://dataurl.net/#dataurlmaker

Make sure they don't sneak in some code to report your keys back to them (or make your keys not very random, etc.).

Heh, well using View Source after loading the page will show source that I can ensure is identical to the source from the BitAddress.org site (though I can't do a checksum as View Source shows a tag was added. But all the elements and JavaScript can be verified as being identical.)

Obviously I wouldn't trust this Data URL if I received it from anyone else but if I created it and validated it wasn't altered I would trust using it myself the way I described (from my own e-mail).

Point taken though ... for larger amounts I would only load a bitaddress .html directly where I know it has not been tampered with.  Using this data url, any tampering would be harder to notice.
sr. member
Activity: 448
Merit: 252
Here's the service that makes the data: URL:

 - http://dataurl.net/#dataurlmaker

Make sure they don't sneak in some code to report your keys back to them (or make your keys not very random, etc.).
legendary
Activity: 2506
Merit: 1010
Thanks to a post by Jerry Brito, I learned that just like how you can turn a .jpg into a data:  so that your images can be included in the .html file, I see that the entire html can also go in as a data.  Here's his blog post:

 - http://jerrybrito.org/post/31469161810


So I was able to make a Data URL / link using the .html served by BitAddress.org into an URL that does not require any web server or locally stored .html file.

[Edit: Bah, this forum's url= forces an http://  so links with data:  are not usable here after they get prefixed with http://  so I can't show an example.  Here's a paste of the data: URL for a Hello World page.  That data: can be selected and copied, then pasted in your browser's URL field.

 - http://bitbin.it/raw.php?id=KnRQtiAj  ]

But this provides a solution to a problem I saw.  For a device that essentially has security locked down with no local storage, I then can't just save the .html to allow me to generate a paper wallet after disabling the device's network connectivity.

And without network connectivity I can no longer access the web site to get the .html that way either.    But I can receive e-mail messages (though attachments are not supported).  Those previously received e-mail messages are accessible even after disconnecting the device's network connectivity.

So using this Data URL method I now have a way to load the html that was originally from BitAddress.org without having either a local filesystem or network connectivity.

Here's the service that makes the data: URL:

 - http://dataurl.net/#dataurlmaker
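
The integrity check the posts above say View Source cannot give, as an added example (not code from the thread or from bitaddress.org): build the data: URL locally and compare the SHA-256 of its decoded payload with the hash of a reference copy. `PAGE`, `TAMPERED` and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote_to_bytes

# Constructed sample page and a tampered copy (not the real bitaddress.org file).
PAGE = b"<html><body><script>/* key generator */</script></body></html>"
TAMPERED = PAGE.replace(b"/* key generator */", b"/* key generator + extra code */")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_data_url(html: bytes) -> str:
    """Build the data: URL locally instead of pasting the page into a web service."""
    return "data:text/html;base64," + base64.b64encode(html).decode("ascii")


def data_url_payload(url: str) -> bytes:
    """Decode the bytes carried by a data: URL (base64 or percent-encoded)."""
    url = url.strip()
    if url[:5].lower() != "data:":
        raise ValueError("not a data: URL")
    header, sep, body = url[5:].partition(",")
    if not sep:
        raise ValueError("data: URL has no comma separator")
    if header.lower().endswith(";base64"):
        body = "".join(body.split())  # undo line wrapping added by e-mail clients
        return base64.b64decode(body, validate=True)
    return unquote_to_bytes(body)


def matches_reference(url: str, reference_sha256_hex: str) -> bool:
    """True only if the payload hashes to the reference copy's SHA-256."""
    digest = sha256_hex(data_url_payload(url))
    return hmac.compare_digest(digest, reference_sha256_hex.lower())


if __name__ == "__main__":
    reference = sha256_hex(PAGE)
    print(matches_reference(make_data_url(PAGE), reference))
    print(matches_reference(make_data_url(TAMPERED), reference))
```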
hero member
Activity: 560
Merit: 500
I am the one who knocks
I made a fork/addition to bitaddress.org that allows easy printing of blockchain.info wallet exports.  If this is interesting/useful to you then you can read more here:

https://bitcointalksearch.org/topic/ann-bitaddressorg-printing-of-existing-backups-105066

EDIT: I have updated the script to be a generic Export (to QR) option.  It supports the original BCI wallet export as well as vanity gen output now.
vip
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Sorry, if this was answered somewhere I missed.... If I get public and private key pairs, that I have never used before, is there a way to check their integrity without spending the Bitcoins? I'd hate to think I have a good paper wallet stored somewhere but then find out there was some computer glitch, typo I made writing them down, or printer issue that screws up an address and makes the BTC no longer spendable. It'd be nice if there was a way to check these pairs are good, entirely offline.


You can test them with Casascius Bitcoin Address Utility (https://casascius.com/btcaddress.zip).  But you will encounter more risk entering them into the computer within the reach of malware, than you ever will on the account of the private key being wrong!

As a test, I generated 10,000 addresses with BitAddress.org and verified them with my utility, which comes from a completely different codebase.  100% of them were correct.  This is something I don't worry much about.
member
Activity: 93
Merit: 10
Sorry, if this was answered somewhere I missed.... If I get public and private key pairs, that I have never used before, is there a way to check their integrity without spending the Bitcoins? I'd hate to think I have a good paper wallet stored somewhere but then find out there was some computer glitch, typo I made writing them down, or printer issue that screws up an address and makes the BTC no longer spendable. It'd be nice if there was a way to check these pairs are good, entirely offline.
legendary
Activity: 2940
Merit: 1330
I had the same problem at first. It didn't show up on Import/Export. I had to try to force it to fully reload and then it showed up. But first couple times I tried it wasn't there. Which is a bit odd but perhaps something isn't quite right with cache handling and FF doesn't load the new version.

Thanks, that was it.

Control-Shift-R in Chromium fixed the problem the 2nd time I tried it, though I had to log in again.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Blockchain.info has now added Brain Wallet support with the same format.

I'm not seeing it.  Where can I find the brain wallet support on blockchain.info?

Thanks.
I had the same problem at first. It didn't show up on Import/Export. I had to try to force it to fully reload and then it showed up. But first couple times I tried it wasn't there. Which is a bit odd but perhaps something isn't quite right with cache handling and FF doesn't load the new version.
sr. member
Activity: 284
Merit: 254
Blockchain.info has now added Brain Wallet support with the same format.

I'm not seeing it.  Where can I find the brain wallet support on blockchain.info?

Thanks.


Import / Export   
legendary
Activity: 2940
Merit: 1330
Blockchain.info has now added Brain Wallet support with the same format.

I'm not seeing it.  Where can I find the brain wallet support on blockchain.info?

Thanks.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Might it be useful/possible to add a feature to wallet details that could sum keys like the vanitygen keyconv utility?

I think the wallet details tab can be used to create a hex public key for input to vanitygen. This allows third party vanity address generation now. The result is a partial key that must be combined back with the original hex private key to form the new trusted private key (and address).

But currently users would have to trust a third party to compile the keyconv utility, or compile it themselves. So having bitaddress.org with such a sum tool would make it easier for third party address generation to be workable.

Not sure how hard that sum process is but it seems like it may be useful, and perhaps could be used in other applications involving third party private keys.
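
The key sum discussed in this post and in the "Vanity Private Key" post near the top of the page, as an added example (not code from bitaddress.org, vanitygen or keyconv): the owner hands out only a public point, the pool returns a partial private key, and the owner adds the two private keys modulo the secp256k1 group order. The function names and both sample keys are constructed; the curve constants are the public secp256k1 parameters.

```python
# secp256k1 domain parameters (public constants of the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed sample keys for illustration only; never use them for funds.
OWNER_KEY = int("11" * 32, 16)   # stays with the owner
POOL_PART = int("22" * 32, 16)   # partial key returned by the third party


def point_add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def public_point(k):
    """Double-and-add k*G. Not constant time; for checking the maths only."""
    result, addend = None, G
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def combine_private(owner_key, pool_part):
    """Final private key = (owner key + partial key) mod N."""
    if not (0 < owner_key < N and 0 < pool_part < N):
        raise ValueError("private key out of range")
    total = (owner_key + pool_part) % N
    if total == 0:
        raise ValueError("sum is zero: not a usable private key")
    return total
```

The public key of the combined private key equals the sum of the two public points, so the address the pool searched for belongs to a key only the owner can compute.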
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
Blockchain.info has now added Brain Wallet support with the same format.

Note that the value above,

daa0f2bcf5f0ea99d3df46a07af6202f781ff46016ce14b94b66eee000b0056b

is the hex version of the private key. You can verify that by plugging it into the Wallet Details tab on bitaddress.org and see that you get the same WIF format private key. I also verified that the hex version can be imported into blockchain.info directly.

So if bitaddress.org were to vanish you could still use blockchain.info. But vanishing is impossible if you save the page to your local computer first (since it can be opened in a browser locally any time later and still function).

legendary
Activity: 2940
Merit: 1330
[newb]

Re:the brain wallet tab:

Is there a minimum recommended passphrase ? Are 30 characters enough?

[/newb] thanks!

And further: is bitaddress.org the only way to recover the private key, or are there alternatives?


bitaddress is just doing an sha256 hash of the brain wallet passphrase to get the private key, and then encoding it into wallet import format in the standard way.  So creating an alternative would be trivial.  I don't know of existing software that will do the job, but it probably already exists.

For the first step:

Code:
$ echo -n 'abcdefghijklmnopqrstuvwxyz 123' | sha256sum
daa0f2bcf5f0ea99d3df46a07af6202f781ff46016ce14b94b66eee000b0056b  -
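
Both steps described in this post, as an added example (not bitaddress.org's own code): SHA-256 of the passphrase, then the standard uncompressed mainnet wallet import format (version byte 0x80, Base58Check). The decoder also rejects a mistyped key through the 4-byte checksum, which is the offline check asked about earlier on the page; all function names are assumptions made for this sketch.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))   # leading zero bytes become '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)   # ValueError on a character outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as Base58Check defines."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def brainwallet_key(passphrase: str) -> bytes:
    """Step 1 from the post: one unsalted SHA-256 of the passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def key_to_wif(key32: bytes) -> str:
    """Step 2: 0x80 + key + checksum, Base58-encoded (uncompressed mainnet WIF)."""
    payload = b"\x80" + key32
    return b58encode(payload + checksum(payload))


def wif_to_key(wif: str) -> bytes:
    """Decode a WIF key, refusing it if the checksum or layout is wrong."""
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80:
        raise ValueError("not an uncompressed mainnet WIF key")
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: key was mistyped or damaged")
    return payload[1:]


if __name__ == "__main__":
    key = brainwallet_key("abcdefghijklmnopqrstuvwxyz 123")  # passphrase from the post
    print(key.hex(), key_to_wif(key))
```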
full member
Activity: 136
Merit: 100
[newb]

Re:the brain wallet tab:

Is there a minimum recommended passphrase ? Are 30 characters enough?

[/newb] thanks!

And further: is bitaddress.org the only way to recover the private key, or are there alternatives?
legendary
Activity: 2940
Merit: 1330
on the new brainwallet tab, i updated my local copy to say input type="password". perhaps you could think about this for the next revision.

people probably aren't using this in public, but might still feel better not having their phrase shown on the screen.


That's a good point. I think it's worthwhile to have the ability to toggle show/hide for passphrase text.
I'll add that to the next version.

Maybe also the option to have 2 boxes where I can type the passphrase twice, have it not show up, but have an indication of whether I typed it the same both times.  I understand some people might want the passphrase displayed on-screen, so they can check whether they typed it right, but for those who don't want it displayed it's useful to have a "type it again to make sure" box.
sr. member
Activity: 437
Merit: 415
1ninja
on the new brainwallet tab, i updated my local copy to say input type="password". perhaps you could think about this for the next revision.

people probably aren't using this in public, but might still feel better not having their phrase shown on the screen.


That's a good point. I think it's worthwhile to have the ability to toggle show/hide for passphrase text.
I'll add that to the next version.
vip
Activity: 1386
Merit: 1136
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I am thinking of proposing specs for this, and then modifying my Casascius Bitcoin Utility to be a proof of concept.

What I have in mind...  You all know that 5xxxxx is a private key... I am thinking of defining another prefix (e.g. Pxxxxxx) to be a "private key that needs something else to be redeemed".  (In minikeys, Sxxxxx is a private key, and Pxxxxxx could be a protected minikey)

That "something else" could be a passphrase, another private key, or a combination of both.  The specification I draft will accommodate base cases.

My utility will be needed to actually decrypt them, but by publishing and standardizing the encoding, I'll be able to get others to jump on the bandwagon (similar to how I did with the minikey).

Funnily enough, initially I was thinking the best approach was to modify your dot.net wallet app to include private key encryption and a QR renderer.  Then I thought it would be easier for this BitAddress tool, but if that's already been discussed and rejected I guess it's back to modifying your dot.net app.  If the code is generic enough it should compile and run in Mono and be cross platform.

I like your proposal.  Keep us posted.

I have already added the QR stuff, I have just done so many dirty hacks to my code to perform one-off tasks that it's now a total mess and I'd be embarrassed to check it in.  But I'd zip it up and e-mail it to you if you wanted to start where I left off.  It will print QR paper wallets and dump the bitcoin addresses to a text file, but prints a hard coded quantity and dumps to a hard coded text file because I was just in a hurry to get some more coldwallets I could use with my website (where the private key is on paper but the bitcoin address stays online so the server can serve it)
sr. member
Activity: 369
Merit: 250
I am thinking of proposing specs for this, and then modifying my Casascius Bitcoin Utility to be a proof of concept.

What I have in mind...  You all know that 5xxxxx is a private key... I am thinking of defining another prefix (e.g. Pxxxxxx) to be a "private key that needs something else to be redeemed".  (In minikeys, Sxxxxx is a private key, and Pxxxxxx could be a protected minikey)

That "something else" could be a passphrase, another private key, or a combination of both.  The specification I draft will accommodate base cases.

My utility will be needed to actually decrypt them, but by publishing and standardizing the encoding, I'll be able to get others to jump on the bandwagon (similar to how I did with the minikey).

Funnily enough, initially I was thinking the best approach was to modify your dot.net wallet app to include private key encryption and a QR renderer.  Then I thought it would be easier for this BitAddress tool, but if that's already been discussed and rejected I guess it's back to modifying your dot.net app.  If the code is generic enough it should compile and run in Mono and be cross platform.

I like your proposal.  Keep us posted.