Topic: [ANNOUNCE] Android key rotation - page 4. (Read 66313 times)

Yes. A total of 55 coins so far. https://bitcointalksearch.org/topic/bad-signatures-leading-to-5582152538-btc-theft-so-far-271486

The relatively small amount is partly due to quick response of the community, and partly due to the fact that Android bug does not lead to every transaction being exploitable. Still, the bug has been public for many months now. Everyone - from obviously overpaid Google developers, to obviously underpaid Bitcoin developers, should be even more careful moving forward from here. This flaw was not catastrophic, but the next one may be. Tread carefully.

Yes, https://gist.github.com/anonymous/6204930

Did anyone get their mobile wallet BTC stolen?

If you did reveal your private key that way, your money should already be gone. if it is not gone its a pretty good indication that everything is fine

My understanding is that if you sent Bitcoins from any of the addresses in your blockchain.info wallet more than once, it could reveal the private key of said addresses to anyone clever enough looking at the blockchain.  If you didn't generate any addresses or send any Bitcoins from it, then you should be fine.

It would be a huge problem if it wasn't quick enough.

I have the blockchain.info app installed on my Android device, but I am sure that I never created a new address within it and I'm also sure that I never created a transaction on that device. Basically the app only acted as a way to check the wallet balance and transaction history (i.e. read-only actions).

Are my private keys and transactions at risk if I don't do a key rotation? With the many small and non-mature inputs I have on my many addresses, I am heading for maybe over 0.02 btc for transaction fees... last time I did a key sweep it was something like 0.01 btc, and to be honest I think my wallet is even more fragmented now.

I don't think the app ever had any reason to request random numbers unless it is creating addresses without user intervention.

On a related thought: many online wallets generate private keys client side with JavaScript. How secure is the PRNG used by JS, or is it not used in a direct way (are there other sources of entropy)?

I like the generate random seed method that KeePass (free and open source) uses.  Your choice of mouse movement and/or keyboard gibberish.



KeePass needs to generate several random bytes (for the IV, the master key salt, etc.). For this, several pseudo-random sources are used: current tick count, performance counter, system date/time, mouse cursor position, memory status (free virtual memory, etc.), active window, clipboard owner, various process and thread IDs, various window handles (active window, desktop, ...), window message stack, process heap status, process startup information and several system information structures. Additionally, KeePass uses random bytes provided by the system's default CSP RNG.

This pseudo-random data is collected in a random pool. To generate 16 random bytes, the pool is hashed (SHA-256) with a counter. The counter is increased after 16 generated bytes. This way, as many secure random bytes can be produced efficiently as needed.

Shouldn't it be possible to just use the hardware RNG from a Raspberry Pi to just create a bunch of addresses?
Could be less painful than hammering your keyboard repetitively ;-)

very quick。

How was SecureRandom seeding implemented in vulnerable wallets? Was it custom-seeded, or left as default?

EDIT - never mind. The problem was not with the implementation in wallet software, but was and still is with Android.
http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf

What casascius described sounds good. XORing even with a constant will certainly not decrease entropy. Thus, his method can only make things better.

Sure, though I have every reason to believe their bytes are truly random, for security purposes, I don't.  When I generate keys, the machine doesn't have internet access anyway, so I suppose it's just an alternative (sub)string to paste as a response to the "keyboard mash" if I want to copy it in with a flash drive etc.

@casascius: do you know about this page: http://www.random.org/bytes/ ? that could also be a source, which could replace the mouse-moving-timestamp thing because it comes from an external source.

When I made my key generator for Casascius Coins, I started with the assumption that the secure random number generator could not fully be trusted.  I did it on Windows not Android so it's not at risk, but the paranoid idea I tried would have completely eliminated this problem had it been done in these wallets.

Instead of accepting the output of secure random as truly securely random, I just considered it a "good source of entropy" and XOR'd its output with another lukewarm but "extra" source of entropy: a hash of a string that gets the current time appended to it whenever the user does something (moves mouse, presses a button, etc).  Also included in the hash is a counter that increments each time entropy is read so it can never be the same twice.  (When the string grows too big, it is replaced by a hash of itself)

For my actual coin generation process, I ask the user (myself) for a third string of input: something that will also be included in the hash.  Each time, I mash the keyboard for a line or two of text e.g. weiajeflkjf;iefw;fiowjR[2348RU20389U0R9EWAEO;FIJSDF;KJVNXVDFJKG;lkdjfgosidfjaiwe --- and never record the string.

None of these methods would be "great" by themselves, but by xoring the output of all of them together, I feel well hedged against the possibility of crappy RNG's.

Transfer all your BTC to an online BTCitcoin wallet, like Inputs.io or BTClockchain.info.

Anyone already tested blockchain.info Android wallet with "automatic key rotation"? Is the user possible to skip that step?

The blockchain.info wallet doesn't work if you have a secondary password so long that it needs to be pasted in.  Holding your finger on it to paste flashes the field box away.

actually he is right. Coins received to old insecure addresses will be automatically resent to the new address when it confirms.

no, you need to change the address on the other site.
bitcoin protocol does not link addresses like this

thanks for the announcement & making the community aware. extra thanks to the person who found this flaw