[ANNOUNCE] Android key rotation - page 7.

westkybitcoins

legendary

Activity: 980

Merit: 1004

Firstbits: Compromised. Thanks, Android!

Quote from: phatsphere on August 12, 2013, 04:02:28 AM

also, one should answer the question, if imported vanity addresses are a problem. i would say no, only the possible other addresses where some change might have gone.

Yes, they are.

This particular problem isn't about the private keys themselves (although I wouldn't trust private keys generated with a broken psuedo-random number generator anyway.) The problem is that securely signing a transaction requires using a unique random value each time. If you use the same private key in two different transactions/spends, and this includes vanity addresses, but the same random value is involved in the signing process both times, then your key is compromised.

It doesn't matter what the private key is. If you can't get decent random values to use for the signing, you're going to be exposed. It's a pretty disturbing oversight on the part of those who wrote the Android PRNG library.

molecular

donator

Activity: 2772

Merit: 1019

I just remembered: There was a "workshop" at CCC end of last year I attended. Transactions were shown in the blockchain with identical R in signatures. The source was supposedly traced to "bitcoincard" test transactions.

Now I'm not so sure it was the only source.

westkybitcoins

legendary

Activity: 980

Merit: 1004

Firstbits: Compromised. Thanks, Android!

Quote from: becoin on August 12, 2013, 08:33:22 AM

Quote from: piotr_n on August 11, 2013, 12:56:12 PM

Quote from: beerbeerbeer on August 11, 2013, 12:45:00 PM

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

You're joking, aren't you?

This post is over one month old, while this one over half a year...
Watchfulness my ass

As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java based app for Android is not truly open sourced! Period. Paragraph.

Hmph.

I think if this were common knowledge it might raise a few eyebrows. I was under the impression it was open-source through and through.

*re-investigates cyanogenmod*

molecular

donator

Activity: 2772

Merit: 1019

Quote from: xenog on August 12, 2013, 06:04:56 AM

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Thank you so much for your prudence!

Predictious

sr. member

Activity: 290

Merit: 250

Quote from: xenog on August 12, 2013, 06:04:56 AM

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done guys! It would have been fair that Mike Hearn gave you credits.

becoin

legendary

Activity: 3431

Merit: 1233

Quote from: piotr_n on August 11, 2013, 12:56:12 PM

Quote from: beerbeerbeer on August 11, 2013, 12:45:00 PM

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

You're joking, aren't you?

This post is over one month old, while this one over half a year...
Watchfulness my ass

As always, Bitcoin is mercilessly exposing every shady practice on everything it touches. I don't trust Google. Like MS they are also in bed with the US government. They try to promote Android as open source but keep the JVM for Android closed. This is why every Java based app for Android is not truly open sourced! Period. Paragraph.

Mike Hearn

legendary

Activity: 1526

Merit: 1129

It's got nothing to do with bitcoinj. The issue is with SecureRandom itself. As far as I know all Bitcoin signing implementations on Android use this API.

theDF

newbie

Activity: 56

Merit: 0

Quote from: narayan on August 12, 2013, 07:00:31 AM

What do I do?? I have 20 BTC in Blockchain.info and now it doesn't even load

Did someone steal my coins??

Got error 157 'Unknown error code' from NDBCLUSTER

Calm down, and check you wallet right now because blockchain.info already back to normal *so far

🏰 TradeFortress 🏰

vip

Activity: 1302

Merit: 1042

👻

Quote from: jubalix on August 12, 2013, 07:02:04 AM

Quote from: piotr_n on August 12, 2013, 06:41:59 AM

Quote from: jubalix on August 12, 2013, 06:40:58 AM

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out

blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.

hmm deliberate

but surley bitcoind can do this as well. a program tha compares sigs must be able to run through and auto check

You should have been emailed a copy of your wallet every time you made changes to it. Import it to Multibit with your passphrase.

jubalix

legendary

Activity: 2618

Merit: 1022

Quote from: piotr_n on August 12, 2013, 06:41:59 AM

Quote from: jubalix on August 12, 2013, 06:40:58 AM

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out

blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.

hmm deliberate

but surley bitcoind can do this as well. a program tha compares sigs must be able to run through and auto check

narayan

member

Activity: 98

Merit: 10

I do not sell Bitcoins. I sell SHA256(SHA256()).

What do I do?? I have 20 BTC in Blockchain.info and now it doesn't even load

Did someone steal my coins??

Got error 157 'Unknown error code' from NDBCLUSTER

gmaxwell

staff

Activity: 4172

Merit: 8419

Quote from: solex on August 12, 2013, 06:06:25 AM

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

I'm not sure it thats entirely inaccurate, go look at the bitcoin-dev logs from January. IIRC, there was reason to suspect that some of the duplicate nonce signatures were coming from BitcoinJ and there was some speculation about broken java RNGs that went nowhere.

xenog

jr. member

Activity: 38

Merit: 1

I emailed to a journalist from The Register how I discovered that the Android PRNG affected BitcoinJ applications in Android. Here's a copy of the email I sent to the journalist:

Quote

I discovered the flaw thanks to a small stash of stolen bitcoins.

It all started with a missed call from a friend at 00:30 on August 5, and a subsequent SMS telling me that he got 0.91 bitcoins stolen from his Android wallet. "Somebody hacked my Android phone" he would repeat. I did not believe this to be likely. He is the most security conscious person I know. Besides, he is a computer scientist and knows the Bitcoin protocol in and out. Android phones are known to be vulnerable, but it's very unlikely that a phone that only ran reputable apps from Google Play got hacked. I thought about Spock, who quoted Arthur Conan Doyle: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth". The impossible was that his phone got hacked. The truth then should be that somebody found his private key through cryptanalysis on the Bitcoin blockchain (the public ledger were all transactions are kept).

A lookup on the address that the funds were sent to revealed a forum post https://bitcointalksearch.org/topic/have-i-been-hacked-how-251743, so I put on my detective hat and read the post. I also published a message to it stating what had happened to my friend. The common factor seemed to be Android, and I immediately thought about the possibility of a flaw in its pseudo-random number generator (PRNG).

I investigated online and found this paper http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations#page=9, which I sent to Mike Hearn pointing him to page 9 in which the flaw in Apache Harmony's PRNG (the one used by Android) was described. I also pointed to him that his BitcoinJ code was using that PRNG in the regular non-seeded way, which triggered the flaw.

I originally suggested that private key collisions may have being found and exploited. Later on the weekend a reply to the Bitcoin forum post by johoe clarified that the issue with the PRNG was leading to collisions in the random number parameter k that the elliptic curve signature algorithm needs in order to be secure, making it trivial to extract the private key from two transactions that used the same k.

piotr_n

legendary

Activity: 2053

Merit: 1354

aka tonikt

Quote from: jubalix on August 12, 2013, 06:40:58 AM

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out

blockchain.info has been sort of offline, for over 5 hrs already.

Moreover blockexplorer.com has also been stopped - somewhere yesterday.

jubalix

legendary

Activity: 2618

Merit: 1022

Got error 157 'Unknown error code' from NDBCLUSTER

when trying to check sigs on blockchain.info.....

is this deliberate!!!!

while this is sorted out

piotr_n

legendary

Activity: 2053

Merit: 1354

aka tonikt

Quote from: willphase on August 12, 2013, 06:37:33 AM

as far as I know it's only very recently that it was found that Android PRNG also suffered from this issue.

Then look at this document - published several months ago:
https://bitcointalksearch.org/topic/m.2913741
http://www.scribd.com/doc/131955288/Randomly-Failed-The-State-of-Randomness-in-Current-Java-Implementations

willphase

hero member

Activity: 767

Merit: 500

Quote from: piotr_n on August 12, 2013, 06:08:33 AM

Quote from: solex on August 12, 2013, 06:06:25 AM

Quote from: xenog on August 12, 2013, 06:04:56 AM

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

Depends how you define "it".
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

It's always been known that ECDSA with same random number allows private key discovery. It's been known since earlier this year that some hardware wallets were not using decent random numbers, but as far as I know it's only very recently that it was found that Android PRNG also suffered from this issue.

Will

piotr_n

legendary

Activity: 2053

Merit: 1354

aka tonikt

Quote from: solex on August 12, 2013, 06:06:25 AM

Quote from: xenog on August 12, 2013, 06:04:56 AM

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?

Depends how you define "it".
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

solex

legendary

Activity: 1078

Merit: 1002

100 satoshis -> ISO code

Quote from: xenog on August 12, 2013, 06:04:56 AM

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Well done!

The Daily Telegraph is claiming it was known about since January. Is this media disinformation?
The source: http://nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html

xenog

jr. member

Activity: 38

Merit: 1

I discovered this flaw and made it known to Mike Hearn, Andreas Schildbach and Ben Reeves. It's been quite a week.

Topic: [ANNOUNCE] Android key rotation - page 7. (Read 66313 times)