Pages:
Author

Topic: [ANNOUNCE] Android key rotation - page 4. (Read 66313 times)

hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 14, 2013, 12:33:34 AM
Did anyone get their mobile wallet BTC stolen?
Yes. A total of 55 coins so far. https://bitcointalksearch.org/topic/bad-signatures-leading-to-5582152538-btc-theft-so-far-271486

The relatively small amount is partly due to quick response of the community, and partly due to the fact that Android bug does not lead to every transaction being exploitable. Still, the bug has been public for many months now. Everyone - from obviously overpaid Google developers, to obviously underpaid Bitcoin developers, should be even more careful moving forward from here. This flaw was not catastrophic, but the next one may be. Tread carefully.
b!z
legendary
Activity: 1582
Merit: 1010
Emm
newbie
Activity: 28
Merit: 0
August 13, 2013, 10:42:27 PM
Did anyone get their mobile wallet BTC stolen?
hero member
Activity: 668
Merit: 501
August 13, 2013, 04:37:08 PM
My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain.  If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.

If you did reveal your private key that way, your money should already be gone. if it is not gone its a pretty good indication that everything is fine Smiley
legendary
Activity: 1400
Merit: 1005
August 13, 2013, 03:45:49 PM
I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).

Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.

I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.

On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?
My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain.  If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.
legendary
Activity: 2674
Merit: 3000
Terminated.
August 13, 2013, 03:29:40 PM
very quick。
It would be a huge problem if it wasn't quick enough.
sr. member
Activity: 306
Merit: 250
Donations: http://tny.im/nx
August 13, 2013, 02:07:02 PM
I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).

Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.

I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.

On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?
legendary
Activity: 905
Merit: 1000
August 13, 2013, 12:45:08 PM
I like the generate random seed method that KeePass (free and open source) uses.  Your choice of mouse movement and/or keyboard gibberish.



KeePass needs to generate several random bytes (for the IV, the master key salt, etc.). For this, several pseudo-random sources are used: current tick count, performance counter, system date/time, mouse cursor position, memory status (free virtual memory, etc.), active window, clipboard owner, various process and thread IDs, various window handles (active window, desktop, ...), window message stack, process heap status, process startup information and several system information structures. Additionally, KeePass uses random bytes provided by the system's default CSP RNG.

This pseudo-random data is collected in a random pool. To generate 16 random bytes, the pool is hashed (SHA-256) with a counter. The counter is increased after 16 generated bytes. This way, as many secure random bytes can be produced efficiently as needed.
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
August 13, 2013, 12:13:29 PM
@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

Shouldn't it be possible to just use the hardware RNG from a Raspberry Pi to just create a bunch of addresses?
Could be less painful than hammering your keyboard repetitively ;-)
member
Activity: 115
Merit: 10
August 13, 2013, 10:10:14 AM
very quick。
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 13, 2013, 07:53:50 AM
How was SecureRandom seeding implemented in vulnerable wallets? Was it custom-seeded, or left as default?

EDIT - never mind. The problem was not with the implementation in wallet software, but was and still is with Android.
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf
Quote
When creating a self seeding SecureRandom instance (by calling the constructor without arguments and subsequent setSeed() call), the code fails to adjust the byte offset (a pointer into the state buffer) after inserting a start value. This causes a counter and the beginning of a padding (a 32 bit word) to overwrite parts of the seed instead of appending.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 13, 2013, 07:49:10 AM
What casascius described sounds good. XORing even with a constant will certainly not decrease entropy. Thus, his method can only make things better.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 13, 2013, 07:39:35 AM
@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.
hero member
Activity: 763
Merit: 500
August 13, 2013, 07:33:08 AM
@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 13, 2013, 07:25:54 AM
When I made my key generator for Casascius Coins, I started with the assumption that the secure random number generator could not fully be trusted.  I did it on Windows not Android so it's not at risk, but the paranoid idea I tried would have completely eliminated this problem had it been done in these wallets.

Instead of accepting the output of secure random as truly securely random, I just considered it a "good source of entropy" and XOR'd its output with another lukewarm but "extra" source of entropy: a hash of a string that gets the current time appended to it whenever the user does something (moves mouse, presses a button, etc).  Also included in the hash is a counter that increments each time entropy is read so it can never be the same twice.  (When the string grows too big, it is replaced by a hash of itself)

For my actual coin generation process, I ask the user (myself) for a third string of input: something that will also be included in the hash.  Each time, I mash the keyboard for a line or two of text e.g. weiajeflkjf;iefw;fiowjR[2348RU20389U0R9EWAEO;FIJSDF;KJVNXVDFJKG;lkdjfgosidfjaiwe --- and never record the string.

None of these methods would be "great" by themselves, but by xoring the output of all of them together, I feel well hedged against the possibility of crappy RNG's.
newbie
Activity: 50
Merit: 0
August 13, 2013, 05:49:26 AM
BTCy the way, my import/export keys menu options are greyed out.  What do I do?  How can I get my BTC?
Transfer all your BTC to an online BTCitcoin wallet, like Inputs.io or BTClockchain.info.
hero member
Activity: 531
Merit: 505
August 13, 2013, 05:33:20 AM
Anyone already tested blockchain.info Android wallet with "automatic key rotation"? Is the user possible to skip that step?
hero member
Activity: 784
Merit: 1000
August 13, 2013, 05:21:07 AM
The blockchain.info wallet doesn't work if you have a secondary password so long that it needs to be pasted in.  Holding your finger on it to paste flashes the field box away.
legendary
Activity: 1526
Merit: 1134
August 13, 2013, 02:21:46 AM
actually he is right. Coins received to old insecure addresses will be automatically resent to the new address when it confirms.
sr. member
Activity: 516
Merit: 283
August 12, 2013, 10:17:50 PM
what do i do if my wallet address is locked onto another site and I've updated my wallet already? will it go to the old address then be transferred internally into the new one?

no, you need to change the address on the other site.
bitcoin protocol does not link addresses like this

thanks for the announcement & making the community aware. extra thanks to the person who found this flaw
Pages:
Jump to: