Author

Topic: BtcIO - Open source, cold, BTC wallet (Read 245 times)

newbie
Activity: 19
Merit: 11
March 27, 2021, 10:52:26 AM
#13
Added user entropy, functionality for opening and saving wallets, anonymous transactions via TOR, hiding WIF and seed.

https://www.youtube.com/watch?v=Oytmq7KVDPE
newbie
Activity: 19
Merit: 11
March 15, 2021, 06:42:39 AM
#12
If the result provided by RNGCryptoServiceProvider were weak or flawed then hash of that result is no different than the original entropy and it too would be weak.
In other words by hashing it n times you aren't really making a meaningful difference. The correct way is to mix it with another source of entropy. For example some use Guid.NewGuid() and mix (eg. using a KDF) the returned 128 bit with the 256 bit entropy, you could use a user input, etc.
100k hashes will slow down brute-force by 100k times, even if the entropy was weak.

But you may be right, I will remove the multi hash and add custom entropy. Thank.


It is better to hide private keys, they cannot be entered from the keyboard Shocked or by copying, it is not safe.

The seed phrase generates an encrypted wallet with a password.

User entropy is also needed, one RNG is not reliable.

Yes, I'll think about it.
newbie
Activity: 4
Merit: 0
March 12, 2021, 07:51:28 AM
#11
A desktop app(console and with a GUI) for Windows and Linux, written in .NET CORE, designed to quickly generate privates and addresses by seed phrase, view balances and send transactions from your private accounts and wallets.

Github https://github.com/avadhuta/BtcIO/releases

screenshots:
https://i.imgur.com/ZxuXYuV.jpeg
https://i.imgur.com/6evZ7YW.jpeg
https://i.imgur.com/M8tslVi.jpg
https://i.imgur.com/kjvhsnS.jpg


The example of use with a test network (with a mainnet it works the same way):

For console https://youtu.be/Mnm2dWqRP8g

For GUI variant https://youtu.be/JiTr551-veE


The libraries used are NBitcoin and QbitNinja, as well as the blockcypher.com API.

It is better to hide private keys, they cannot be entered from the keyboard Shocked or by copying, it is not safe.

The seed phrase generates an encrypted wallet with a password.

User entropy is also needed, one RNG is not reliable.
legendary
Activity: 3472
Merit: 10611
March 06, 2021, 11:05:21 PM
#10
I read more about RNGCryptoServiceProvider, it inspires trust, for now I limit myself to it and a 100k hashes.
If the result provided by RNGCryptoServiceProvider were weak or flawed then hash of that result is no different than the original entropy and it too would be weak.
In other words by hashing it n times you aren't really making a meaningful difference. The correct way is to mix it with another source of entropy. For example some use Guid.NewGuid() and mix (eg. using a KDF) the returned 128 bit with the 256 bit entropy, you could use a user input, etc.
newbie
Activity: 19
Merit: 11
March 06, 2021, 06:59:06 AM
#9
An intelligent user can create seed himself or add any of words and symbols as entropy.
You can and should not ever rely on the user to be the source of entropy, they will never create strong ones ever.

Quote
As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe.  Smiley
This makes your program to be a brainwallet which are very unsafe and 100k hashes does not make brute forcing slow.
...and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe.  Smiley

I don't think that will be effective in the long run. An Nvidia V100 can theoretically do 10x as many hashes as a K520 and they were released just 3 years apart. So I imagine if not the current Ampere cards or next year's cards, one of these years someone's going to be able to pass 100K hashes/s at the same speed people pass 2000 hashes/s (number of PBKDF2 rounds of seed phrase) today.
I read more about RNGCryptoServiceProvider, it inspires trust, for now I limit myself to it and a 100k hashes.

Code:
        public static string[] words = ReadResource("words.txt").Split('\n');

        public static string RandomSeed()
        {
            string res = "";
            for (int i = 0; i < 12; i++) res += words[Rnd2()].ToLower() + (i < 11 ? " " : "");

            return res;
        }


        static RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        public static uint Rnd2()
        {
            var data = new byte[sizeof(uint)];
            rng.GetBytes(data);
            return (uint) (BitConverter.ToUInt32(data, 0) % (words.Length - 1));
        }


        public static byte[] Sha256(string seed, int itter = 1)
        {
            byte[] b = Encoding.UTF8.GetBytes(seed);
            for (int i = 0; i < itter; i++) b = SHA256.Create().ComputeHash(b);
            b = SHA256.Create().ComputeHash(b);

            return b;
        }

Code:
        public static (string address, string wif) newWifAddr(string seed, string net = "test3", int addrtype = 2)
        {
            var b = Tech.Sha256(seed, 1000000);
            var network = net == "test3" ? Network.TestNet : Network.Main;
            var privateKey = new Key(b);

            return (privateKey.PubKey.GetAddress((ScriptPubKeyType) addrtype, network).ToString(), privateKey.GetWif(network).ToString());

        }
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 05, 2021, 01:26:33 AM
#8
...and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe.  Smiley

I don't think that will be effective in the long run. An Nvidia V100 can theoretically do 10x as many hashes as a K520 and they were released just 3 years apart. So I imagine if not the current Ampere cards or next year's cards, one of these years someone's going to be able to pass 100K hashes/s at the same speed people pass 2000 hashes/s (number of PBKDF2 rounds of seed phrase) today.
legendary
Activity: 3472
Merit: 10611
March 04, 2021, 11:14:22 PM
#7
An intelligent user can create seed himself or add any of words and symbols as entropy.
You can and should not ever rely on the user to be the source of entropy, they will never create strong ones ever.

Quote
As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe.  Smiley
This makes your program to be a brainwallet which are very unsafe and 100k hashes does not make brute forcing slow.
newbie
Activity: 19
Merit: 11
March 04, 2021, 10:06:33 AM
#6
You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins.
Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2]

https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82
https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255
You are absolutely right, my logic for generating the passphrase is made elementary, although it is dangerous to use any software RNG for this, especially in open source.

An intelligent user can create seed himself or add any of words and symbols as entropy.

As an option, I will add the ability to use any arbitrary file as a seed, and multiple hash (>100000) to slow down brute-force, this will be really reliable, I believe.  Smiley

It is more secure, in that method, to use the System.Security.Cryptography.RNGCryptoServiceProvider class than Random and then use it's GetBytes method to get a byte value which OP then takes the modulus of words.Length. For example:

Code:
using System.Security.Cryptography;

# ...

public static String RandomSeed() {
    RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
    byte[] randomNumber = new byte[1];
    string res = "";
    for (int i = 0; i < 12; i++) {
        rngCsp.GetBytes(randomNumber);
        int r = (int) randomNumber[0] % words.Length;
        res += words[r].ToLower() + (i < 11 ? " " : "");
    }
    rngCsp.Dispose();
    return res;
}
# ...

Note: I did not test this code for syntax errors.
Thanks for the code, but I don't think that a more complex RNG will change anything in this case, especially in open source, manual entropy is needed.
legendary
Activity: 3472
Merit: 10611
March 02, 2021, 11:02:58 PM
#5
RNGCryptoServiceProvider
It is safer but not safe, you should never use the bare RNG provided by the framework because if a vulnerability is found in it or if there is a backdoor everything built on top of it will become vulnerable. It should always be mixed with another source of entropy.
Your code is broken by the way, all the words in the string will be the same and only from 0 to 255 index is covered.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 02, 2021, 04:21:13 AM
#4
You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins.
Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2]

https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82
https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255

It is more secure, in that method, to use the System.Security.Cryptography.RNGCryptoServiceProvider class than Random and then use it's GetBytes method to get a byte value which OP then takes the modulus of words.Length. For example:

Code:
using System.Security.Cryptography;

# ...

public static String RandomSeed() {
    RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
    byte[] randomNumber = new byte[1];
    string res = "";
    for (int i = 0; i < 12; i++) {
        rngCsp.GetBytes(randomNumber);
        int r = (int) randomNumber[0] % words.Length;
        res += words[r].ToLower() + (i < 11 ? " " : "");
    }
    rngCsp.Dispose();
    return res;
}
# ...

Note: I did not test this code for syntax errors.
legendary
Activity: 3472
Merit: 10611
March 01, 2021, 11:07:05 PM
#3
You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins.
Also you are using your own defined word list to generate the "seed" which you end up computing its SHA256 only as a "secure" entropy[2]

https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82
https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255
newbie
Activity: 19
Merit: 11
March 01, 2021, 07:04:38 AM
#2
You might want to add README.md on your GitHub repository

Yes, you are right. Thank.

.zip Source Code  Cheesy Cheesy Cheesy  Do you think BtcIO is open source?

Sources: https://github.com/avadhuta/BtcIO
newbie
Activity: 19
Merit: 11
February 25, 2021, 06:45:24 AM
#1
A desktop app(console and with a GUI) for Windows and Linux, written in .NET CORE, designed to quickly generate privates and addresses by seed phrase, view balances and send transactions from your private accounts and wallets.

Github https://github.com/avadhuta/BtcIO/releases

screenshots:
https://i.imgur.com/ZxuXYuV.jpeg
https://i.imgur.com/6evZ7YW.jpeg
https://i.imgur.com/M8tslVi.jpg
https://i.imgur.com/kjvhsnS.jpg


The example of use with a test network (with a mainnet it works the same way):

For console https://youtu.be/Mnm2dWqRP8g

For GUI variant https://youtu.be/JiTr551-veE


The library used are NBitcoin and blockcypher.com API.
Jump to: