Author

Topic: bitcoin-qt security (Read 855 times)

member
Activity: 287
Merit: 10
October 27, 2013, 07:09:27 AM
#14
So how does the wallet select which keys to use when it uses keys to send Bitcoins. I assume it can't be completely random so surely it uses either the last-in first-out basis or otherwise first-in first-out basis?

E.g. If you received chronologically payments of 4 then 3 then 2 then 2 bitcoins, and you then request an amount of 4 bitcoins to be sent, the bitcoin wallet will use the 4 keys on the first-in first-out basis, or the 2+2 keys on the last-in first-out basis.
legendary
Activity: 3472
Merit: 4801
October 26, 2013, 01:01:07 PM
#13
For interest, does Bitcoin-QT wallet process the bitcoins on a 'last-in, first-out' basis, that is supposing you import a private key associated to 10 BTC into a wallet containing 100 BTC, and then immediately 'send' 10 BTC to a new secure address, does the wallet send off the same 10 BTC you just imported,

No.

or does it send off the earliest 10 BTC balance.

Probably not.

So in this case if the wallet uses 'last-in, first-out' basis,

Which it does not.

then would immediately sending 10 BTC to a secure address solve the security issue,

Which it does not.


If not then I guess you have to empty the whole wallet as outlined in your earlier example.

If you are using Bitcoin-Qt and you are not attempting to create your own raw transactions, then that is correct.

Unlike Bitcoin-QT I believe Armory has the ability to have multi-wallets and may be the best solution to completely washing a wallet of compromised private keys if necessary?

Perhaps.



Lastly, can you recommend a FAQ or other reading material relating to this particular subject?

The subject of risks associated with importing private keys?  I'm not aware of any such FAQ.
member
Activity: 287
Merit: 10
October 26, 2013, 12:54:08 PM
#12
Danny, thanks for your very useful explanation.

Hopefully it has also enlightened others reading through the forum who were unaware of these risks.

I understand now that when you import a private key associated with bitcoins, that those bitcoins still remain vulnerable to theft if the original private key is compromised or stolen.

For interest, does Bitcoin-QT wallet process the bitcoins on a 'last-in, first-out' basis, that is supposing you import a private key associated to 10 BTC into a wallet containing 100 BTC, and then immediately 'send' 10 BTC to a new secure address, does the wallet send off the same 10 BTC you just imported, or does it send off the earliest 10 BTC balance. So in this case if the wallet uses 'last-in, first-out' basis, then would immediately sending 10 BTC to a secure address solve the security issue, on a temporary basis, apart from the inadvertent use of the address in future?  If not then I guess you have to empty the whole wallet as outlined in your earlier example.

Unlike Bitcoin-QT I believe Armory has the ability to have multi-wallets and may be the best solution to completely washing a wallet of compromised private keys if necessary?

Lastly, can you recommend a FAQ or other reading material relating to this particular subject?
legendary
Activity: 3472
Merit: 4801
October 26, 2013, 11:49:30 AM
#11
waiting for this address to be picked up by QT as a change address.

Unless there is some unknown bug in Bitcoin-Qt, this shouldn't happen.

Bitcoin-Qt should always use a new address from the unused keypool for change.
legendary
Activity: 3472
Merit: 4801
October 26, 2013, 11:47:29 AM
#10
What is the potential for me to lose money in future, other than if I were to inadvertently give someone the same 'import' address to 'receive' funds (which is about as unlikely as giving someone their own 'send' address to 'receive' funds) ?

Assuming that we are talking about this scenario:

  • Someone generates a brand new bitcoin address and private key
  • They send bitcoins to the address
  • They give you the private key to import into your wallet
  • You import the private key
  • The bitcoin address associated with the private key shows up in the "Receive" section of your Bitcoin-Qt wallet as a new receiving address for you

There are two possibilities I can think of right away:

One possibility
  • You leave the bitcoins that were sent to that address just sitting there and don't send them anywhere else
  • Some time passes
  • The person who gave you the private key decides they want the bitcoins back
  • The person who gave you the private key imports the same private key into a wallet that they own
  • The person who gave you the private key creates a transaction to send those bitcoins to a different address
  • A transaction suddenly appears in your wallet sending those bitcoins to an address you don't control
  • You are left wondering how someone gained access to your wallet to send a transaction from your wallet
  • Those bitcoins are now under the control of the person who gave you the private key

Instead of that possibility, here's something else entirely that can happen:
  • You realize that those bitcoins are vulnerable to theft while they are still associated with the original imported address
  • You generate a new address of your own that only you have control of
  • You send your entire Bitcoin-Qt balance to the new address to make sure that there are no longer any bitcoins associated with the imported address
  • Over the course of many months you generate many more receiving address
  • You are in a hurry to receive some bitcoins, and just randomly grab a receiving address from the many addresses in the receive section of Bitcoin-Qt
  • You forget that this address you've just randomely chosen is the address that is associated with the imported private key
  • Someone sends you bitcoins to this receiving address that you've just given them
  • The person who originally gave you the private key has a computer program that has been continuously monitoring all the addresses associated with all the private keys they've ever given out
  • The computer program immediately creates a transaction sending those bitcoins that you've just received to some address you don't control
  • Those bitcoins are now under the control of the person who gave you the private key

To clarify and understand this procedure, is it correct to say that as a private key is imported into a bitcoin-qt wallet, then any bitcoins associated with that private key are transferred to a new private key by the wallet?

No.
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
October 26, 2013, 11:43:39 AM
#9
To clarify and understand this procedure, is it correct to say that as a private key is imported into a bitcoin-qt wallet, then any bitcoins associated with that private key are transferred to a new private key by the wallet?

No, this is incorrect. The unspent output of this private address is shared among all the people who know the private key. First who spends wins (basically).
And I repeat, the guy paying you this way is just waiting for this address to be picked up by QT as a change address. Just consider the guy as a scammer and move on.
member
Activity: 287
Merit: 10
October 26, 2013, 11:10:44 AM
#8
Danny.

What is the potential for me to lose money in future, other than if I were to inadvertently give someone the same 'import' address to 'receive' funds (which is about as unlikely as giving someone their own 'send' address to 'receive' funds) ?

To clarify and understand this procedure, is it correct to say that as a private key is imported into a bitcoin-qt wallet, then any bitcoins associated with that private key are transferred to a new private key by the wallet?

It doesn't work the way you seem to think it works.

There is no washing.

If you import a private key that somebody else knows there is potential for you to lose money in the future, but not for the reason you seem to be implying.
hero member
Activity: 728
Merit: 500
October 26, 2013, 09:18:46 AM
#7
If you receive a private key that controls some coins from another person, import it into a different wallet than your own, transfer the coins to an address you control and then forget about that private key you received.

A private key can always be used to access coins associated with it and whoever gave it to you may still have a copy of it.
legendary
Activity: 3472
Merit: 4801
October 26, 2013, 09:15:54 AM
#6
It doesn't work the way you seem to think it works.

There is no washing.

If you import a private key that somebody else knows there is potential for you to lose money in the future, but not for the reason you seem to be implying.
newbie
Activity: 42
Merit: 0
October 26, 2013, 08:38:27 AM
#5
Bro use coinbase.com is beter

i lost my 4x walet in this sumer i not recomend you make some masturbations in walet coz you lost this very chanse posible

i not recomend you this
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
October 26, 2013, 08:36:23 AM
#4
So just to confirm, once private keys are imported they are washed and worthless, and providing you receive the standard number of confirmations then there are no further security implications to your wallet if these private keys are later stolen or compromised?

I'm not sure I understand, what you're asking...

If someone is offering to pay you by giving out a private key, just refuse. That's shady as hell.
He's probably hoping that you keep this address in your wallet and that it's picked up by QT as change address some time later.

Do not ever import private keys that other people know to your wallet, if you're not sure.
member
Activity: 287
Merit: 10
October 26, 2013, 05:32:52 AM
#3
So just to confirm, once private keys are imported they are washed and worthless, and providing you receive the standard number of confirmations then there are no further security implications to your wallet if these private keys are later stolen or compromised?
legendary
Activity: 1358
Merit: 1002
October 25, 2013, 05:42:38 PM
#2
If you are not sure that you're the only one to have a private key, don't import it to your wallet.
It may bring issues with double spends(by other party) and get your wallet in a poor state and in need of a fix, but it will not allow other party to access your other private keys. Or you may give that address by mistake, to receive funds, and end up with the funds stolen.
member
Activity: 287
Merit: 10
October 25, 2013, 05:38:35 PM
#1
Hi. A query about bitcoin-qt wallets...

I am uncertain if importing private keys as a method of receiving bitcoins is secure.  If I import private keys (with bitcoin balances) into a secure bitcoin-qt wallet using the 'importprivkey' command in the console, do these private keys become washed and worthless during import, so that in the case these private keys are later compromised or stolen, the imported bitcoins residing in the wallet will still be secure, or is there a security issue with these former private keys?


 
Jump to: