
Topic: Building the Most Basic Bitcoin Wallet Ever (in Facebook Messenger) (Read 1045 times)

newbie
Activity: 4
Merit: 1
Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).
First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone; a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?

You're right, but I think this type of wallet can still be usable to do casual transactions/tipping. The attacker still needs to have access to the phone, no? I mean, one could totally refute piggy banks as worthless because they're easily broken into. I for one liked this tutorial :)
sr. member
Activity: 859
Merit: 251
Do be careful: Even someone with experience can read the thousands of lines of code in
a coin's source and not spot a 'payload' or virus. Just because you compiled it yourself
does not mean you are safe from malware. Use virus scanners, websites like virustotal.com
and run unknown sources on separate machines or best in virtual machines for safety.
legendary
Activity: 1442
Merit: 1186
Quote
To be on the safe side, my wallet grants 2 Satoshi per byte.

I hope this is a typo. 2 sats/byte is very low.
Other than that, very cool article and project!
full member
Activity: 224
Merit: 117
If you affect the computing time with dummy operations you don't need a long passphrase..
It is relatively easy to set up a cluster thousands of times faster than a phone, this would crack the key about as fast as the phone can decrypt it.
I covered this in my previous post.
Generally.. you could just use a 4 digit code.. and on 3 wrong enters.. the wallet blocks or deletes the priv keys..
With this option available.. you should make sure that the user of the wallet writes down a "passphrase" to recover the Priv keys
(or write down the priv keys itself).
Most smartphones do not have a secure cryptoprocessor on board; a hacker can take the phone apart, remove the memory storage, and extract the encrypted keys.
After this, the hacker would not have any trouble cracking your key-stretching scheme.
This may require some effort, but it is well worth the stash of bitcoin.
legendary
Activity: 1624
Merit: 2481
Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).
First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone; a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?

If you affect the computing time with dummy operations you don't need a long passphrase..
Generally.. you could just use a 4 digit code.. and on 3 wrong enters.. the wallet blocks or deletes the priv keys..
With this option available.. you should make sure that the user of the wallet writes down a "passphrase" to recover the Priv keys
(or write down the priv keys itself).
full member
Activity: 224
Merit: 117
Quote
Actually, the private key for the generated Bitcoin address is encrypted with this PIN code, so as long as the PIN code is safe, the Bitcoin are safe. In Itipu, you can send your Bitcoins to your friend’s wallet by telling the bot to do so, like, “Send 2 dollars to joe.” (You have to enter your PIN code of course).
First, how long is this PIN?
If it is four digits, and the phone is hacked (encrypted key leaked), that would be broken pretty quickly, even with key stretching.
For example, if decrypting takes one minute on your phone, cracking would on average take a bit over eight hours on an identical phone; a powerful GPU could probably crack it in a few minutes.
You could fix that by replacing the PIN with a pass-phrase, until it becomes essentially a salted brain-wallet.
Also, if this is a bitcoin wallet, why does the article say "send 2 dollars to joe", instead of "send two millies to Joe"?
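
To put numbers on the trade-off debated in this thread, here is an added example (not code from the article or from any poster) that models a 4-digit PIN with key stretching, the wipe-after-three-attempts idea, and the passphrase alternative. The one-minute stretching cost and the thousandfold attacker speedup are figures taken from the posts; the 7776-word passphrase list and the 100-year target are assumptions.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
DICEWARE_WORDS = 7776  # assumption: passphrase words drawn uniformly from a 7776-word list


def average_offline_seconds(keyspace, kdf_seconds, attacker_speedup=1.0):
    """Expected time to search a leaked encrypted key: half the keyspace, one KDF run per guess."""
    return (keyspace / 2) * kdf_seconds / attacker_speedup


def online_guess_probability(keyspace, attempts_before_wipe=3):
    """Chance of guessing through the wallet itself before the lockout wipes the key."""
    return min(1.0, attempts_before_wipe / keyspace)


def min_passphrase_words(target_years, kdf_seconds, attacker_speedup, wordlist=DICEWARE_WORDS):
    """Smallest word count whose average offline search time reaches target_years."""
    target_seconds = target_years * SECONDS_PER_YEAR
    guesses_needed = 2 * target_seconds * attacker_speedup / kdf_seconds
    words = max(1, math.ceil(math.log(guesses_needed, wordlist)))
    # Guard against floating-point rounding in the logarithm.
    while average_offline_seconds(wordlist ** words, kdf_seconds, attacker_speedup) < target_seconds:
        words += 1
    return words


def summarize(kdf_seconds=60, attacker_speedup=1000):
    """Compare the PIN and passphrase options for one stretching cost and attacker speedup."""
    pin = 10 ** 4  # four decimal digits
    return {
        # Lockout only limits guesses made through the wallet UI.
        "pin_online_probability": online_guess_probability(pin),
        # An extracted copy of the encrypted key has no attempt counter.
        "pin_cluster_minutes": average_offline_seconds(pin, kdf_seconds, attacker_speedup) / 60,
        "words_for_100_years": min_passphrase_words(100, kdf_seconds, attacker_speedup),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The lockout keeps online guessing at 3 in 10,000, but it does nothing for a copy of the encrypted key taken off the device, which is why the secret's own entropy has to carry the offline case.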