All messages signed with the signmessage command have "Bitcoin Signed Message:\n" prepended to them for exactly this reason.
That is what I supposed, thanks for confirming it!
Topic: Can signmessage be used to spend coins? (Read 688 times)
That is what I supposed, thanks for confirming it!
All messages signed with the signmessage command have "Bitcoin Signed Message:\n" prepended to them for exactly this reason.
I'm working on a project which will require users to sign server-provided challenge messages with the private key of one of their addresses. Since a signature with that key is basically also what allows to spend coins from that address, I want to be sure about the security implications for my users.
Assuming a user can be tricked to "signmessage" arbitrary strings provided by an attacker, can this be used to spend the user's coins? I presume there is some safeguard in the protocol such that the data signed with signmessage is of a different "format" than signing of transaction outputs ... is this the case, or can a message be crafted such that the signature on it can be recast in a form to validate spending a transaction output?
Of course my server is not going to issue rogue challenges to sign, but before I tell people to sign randomly provided strings and make them used to it, I want to make sure this can't be used to attack their coins.
Assuming a user can be tricked to "signmessage" arbitrary strings provided by an attacker, can this be used to spend the user's coins? I presume there is some safeguard in the protocol such that the data signed with signmessage is of a different "format" than signing of transaction outputs ... is this the case, or can a message be crafted such that the signature on it can be recast in a form to validate spending a transaction output?
Of course my server is not going to issue rogue challenges to sign, but before I tell people to sign randomly provided strings and make them used to it, I want to make sure this can't be used to attack their coins.
Jump to: