Author

Topic: brainwallet.org offline transactions safe from reused R values? (Read 1576 times)

full member
Activity: 125
Merit: 101
You really shouldn't use anything from "brainwallet". It's had multiple serious vulnerabilities in the past (such as using an insecure RNG).  Its anonymous author got his start creating it after being frustrated that not more people were using H(password) strings;. More recently the creator was complaining about being broke, then a few hours later asking in #bitcoin-dev for help using our crypto library to create a very high speed pubkey generator (read: brainwallet cracker).

In general you should _never_ use a "brain wallet" (at least of the kind that site promotes), humans are remarkably bad sources of randomness and often when you think you're being "random" its actually making you more predictable. Human memory is also fairly fragile and many people have spontaneously forgotten strings they used almost every day (and if you use your brain wallet every day you're going to manage to leak it)... and the structure that makes some strings easier to remember make them faster to search.  Keep in mind that you may have attackers with FPGA (or asic) farms testing billions per second.

When a network service is compromised and their password database is stolen and people find out that it didn't use salted passwords everyone is up in arms calling them grossly incompetent.  But brainwallets are the ultimate unsalted password ... the database is inherently public all the time, there is huge value attached, and it cannot be effectively salted (if it could: just randomly generate a key, encrypt it, and save that instead of the salt...).  And yet, people who deploy unsalted passwords on private servers that later get compromised (as seems to happen to all servers eventually...) find it hard to find future employment, but in Bitcoin creating a crappy JS or python "brainwallet" tool and you're crowned a big brain on the conference circuit. Tongue It's a strange world.

I would never use a brain wallet, my question was only about the safety of the tool for signing transactions (https://brainwallet.github.io/#tx). It's convenient to use for signing transactions offline since you only need a live OS and a web browser. I've been using it for about a year without issues but if I understand correctly you're saying brainwallet.org has a bad reputation and should not be used because of that... Would you recommend another similar tool?

http://bitkey.io ?
legendary
Activity: 1260
Merit: 1019
Quote
Any software doing signing should do the smart thing and call multiple security libraries for random [...]

... or use deterministic ECDSA signing RFC6979 without any calls to random
http://tools.ietf.org/html/rfc6979
legendary
Activity: 1512
Merit: 1036
Any software doing signing should do the smart thing and call multiple security libraries for random, and/or mix those with native calls to /dev/random. Every individual random lib should not only be considered potentially backdoored when used exclusively (only safe when XORed with another source), but also equally likely to be broken on any given platform from library or hardware/system access failure.

Additionally, there should be checks to disqualify the whole process if any individual element or the random function code as a whole fails robustness tests. What if the getRandom function in your code is returning all 0s or 1s or the same value every call? Probably not random. More creative thinking could detect and abort on other flawed random scenarios that have previously been seen in libraries or have been introduced in code.

A random function should be compartmentalized in code, with methods/APIs to check each entropy element, and we should have a standard-practices algorithm to prequalify and detect the worst kinds of broken that could lead to lost coin. Publish and community-review this meta-code function and demand its use from anyone operating any Bitcoin service.


I echo the sentiment that it is not worth developing any kind of "brain" based wallet, and that people who trust people to make their own passphrases are not people to be trusted with people's passphrases.

I had contemplated making a brainphrase-to-deterministic-wallet creator, but even if it used ten minutes of GPU time hashing through various combined key derivation functions per passphrase, it still could not be secure, being limited by the unbounded inventiveness of dummies using easily guessable passwords.
staff
Activity: 4284
Merit: 8808
You really shouldn't use anything from "brainwallet". It's had multiple serious vulnerabilities in the past (such as using an insecure RNG).  Its anonymous author got his start creating it after being frustrated that not more people were using H(password) strings;. More recently the creator was complaining about being broke, then a few hours later asking in #bitcoin-dev for help using our crypto library to create a very high speed pubkey generator (read: brainwallet cracker).

In general you should _never_ use a "brain wallet" (at least of the kind that site promotes), humans are remarkably bad sources of randomness and often when you think you're being "random" its actually making you more predictable. Human memory is also fairly fragile and many people have spontaneously forgotten strings they used almost every day (and if you use your brain wallet every day you're going to manage to leak it)... and the structure that makes some strings easier to remember make them faster to search.  Keep in mind that you may have attackers with FPGA (or asic) farms testing billions per second.

When a network service is compromised and their password database is stolen and people find out that it didn't use salted passwords everyone is up in arms calling them grossly incompetent.  But brainwallets are the ultimate unsalted password ... the database is inherently public all the time, there is huge value attached, and it cannot be effectively salted (if it could: just randomly generate a key, encrypt it, and save that instead of the salt...).  And yet, people who deploy unsalted passwords on private servers that later get compromised (as seems to happen to all servers eventually...) find it hard to find future employment, but in Bitcoin creating a crappy JS or python "brainwallet" tool and you're crowned a big brain on the conference circuit. Tongue It's a strange world.
legendary
Activity: 3472
Merit: 4801
I suspect that if this software had a problem with re-using R values, we'd already have heard about it.

However, it is possible that a future version of the software might introduce a problem.  As such, you should avoid using new versions of the software in the future until after the new software has been well reviewed.

Note that this software is using the following command to generate the signature:

Code:
var signature = eckey.sign(hash);

Therefore, even if the javascript program from https://github.com/brainwallet/brainwallet.github.io/blob/master/js/tx.js doesn't change, you could be exposed to a problem if the javascript library that your browser is using is updated.
full member
Activity: 125
Merit: 101
I've been using brainwallet.org's transaction tool (https://brainwallet.github.io/#tx) in a secure offline environment for spending paper wallets.

With the recent news I'm worried whether the tool could reuse R values. The source code is here: https://github.com/brainwallet/brainwallet.github.io/blob/master/js/tx.js
Jump to: