Topic: Check out my awesome site for generating secure OfflineAddress.com - page 3. (Read 12180 times)

newbie
Activity: 50
Merit: 0
mike, why did you register to Bitcointalk the day before you released this? I'm a skeptic because it could be easy for this software to generate bad seeds, which lead to bad private keys.

It's hard for anyone to use this kind of software, even if it does provide excellent security as you claim. But you're a new user, who suddenly releases software to generate private keys.

I want to use it because of the added security compared to bitaddress, but it's a risk...

I registered to tell you all about this site. I'm not the kind of person to brag about something without first having something to show.

Bad seeds can't affect the security of the site, because all of the user's mouse movements are used to create the exact number of bits needed for generating all the addresses, which are then XORed over a pseudorandom sequence, making it unnecessary from a theoretical perspective.
If the user shakes his mouse well, there is absolutely no benefit to using a seeded number at all.
In other words, even if the seed is bad, the total provided entropy will still be enough to generate all addresses with perfect (maximum theoretically possible) entropy, providing perfect security.

In the code, there is a 'randomnessContainer' in https://github.com/mikewoods/OfflineAddress.com/blob/master/index.html which is the only thing used for providing randomness when generating addresses, and its this.array contains the truly random data, which you can inspect using your favorite debug tool.


legendary
Activity: 1321
Merit: 1007
mike, why did you register to Bitcointalk the day before you released this? I'm a skeptic because it could be easy for this software to generate bad seeds, which lead to bad private keys.

It's hard for anyone to use this kind of software, even if it does provide excellent security as you claim. But you're a new user, who suddenly releases software to generate private keys.

I want to use it because of the added security compared to bitaddress, but it's a risk...
newbie
Activity: 50
Merit: 0
I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

Solved.

Now the site supports HTML5 caching!
This means that once you load the site, everything will work perfectly even if you try reloading it when you're offline, or after you restart your browser.
This mechanism only stores static files; no other data like cookies or anything else is stored.

Could you try it out and let me know if everything works fine for you now?

legendary
Activity: 2912
Merit: 1060
Let's just be glad this isn't a straight up scam (or not yet)

Unlike this site a newbie is using http://flexcoin.com/
newbie
Activity: 50
Merit: 0

...

Other problems with BitAddress.org are:
- You are online while generating addresses - so you can't generate "offline" addresses, and also brings up the question if your browser or operating system is infected...

I don't follow your logic here ?!? How does your software allow someone to generate offline addresses but bitaddress does not ?
I've specifically packaged my software as an all-in-one HTML document that is hashed then signed by my PGP key. The hash is available on bitaddress.org and bitcointalk.org. The HTML can be downloaded from either bitaddress.org or github.com and verified that you received the document that I authored.

Hi 1ninja, I'm very glad you commented on this thread.
Let me first say that my site owes a lot to your marvelous work! Thank you a lot; having your site to look at helped me with my work!

As for the text I've quoted:
My software notifies the user if he's online, so that he can go offline and generate addresses. Your site can be used offline as well; the only difference is that I'm warning people about that.
Also, I must say I'm a bit envious of that all-in-one packaging you've done by embedding all your media into the site. I'll try to do the same thing once code base growth slows down.

We both have a lot to learn from each other, and I'll be happy to listen to any advice you have.

If we ever meet, beers are on me. Cheers!
hero member
Activity: 518
Merit: 500
Has anyone audited this code yet?

Idk whether to trust it or not.

Who's going to pay for that? I think the responses Mike has given us are not those of a scammer, completely the opposite in fact ....

If you want to audit, please go ahead; I'm sure Mike would be delighted.
sr. member
Activity: 437
Merit: 415
1ninja
BitAddress uses only initial mouse position - which gives you about 20 bits that have fine entropy (and that mouse position is picked even if you don't move your mouse at all [not the case on my site]).

The issue of entropy for a pseudorandom number generator is serious and important. It's true that bitaddress will generate an address for you if you do not move the mouse at all. That feature was requested by users of my site and in hindsight text input from the keyboard should replace mouse movements on devices without a mouse. I am discussing the issue here with other coders, I welcome any comments:
https://github.com/pointbiz/bitaddress.org/issues/35

You can visualize the seed pool of bitaddress.org by using the following query string at the end of the url:
https://www.bitaddress.org/bitaddress.org-v2.7.2-SHA1-364542f1ccc5777c79aebb1692a6265cf3e42e7e.html?showseedpool=true

If you move the mouse then bitaddress takes more than 1 mouse position, here is where it's determined how many mouse movements it will look for:
https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html#L6638-L6669
https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html#L5952

I would like to add that in all versions of bitaddress.org the time as well as mouse movements have been used to gather entropy.

Versions >= 2.7 have extra entropy from browser fingerprinting added to the seed pool. Additionally window.crypto.getRandomValues is used to initialize the seed. window.crypto.getRandomValues is also used to XOR the results of the ArcFour PRNG.

With the newest version of bitaddress.org the lowest entropy without mouse movements should be about 64 bits (assuming your browser does not support window.crypto.getRandomValues). If you add mouse movements to that you should be ok depending on your adversary.

Other problems with BitAddress.org are:
- You are online while generating addresses - so you can't generate "offline" addresses, and also brings up the question if your browser or operating system is infected...

I don't follow your logic here ?!? How does your software allow someone to generate offline addresses but bitaddress does not ?
I've specifically packaged my software as an all-in-one HTML document that is hashed then signed by my PGP key. The hash is available on bitaddress.org and bitcointalk.org. The HTML can be downloaded from either bitaddress.org or github.com and verified that you received the document that I authored.
legendary
Activity: 1321
Merit: 1007
Has anyone audited this code yet?

Idk whether to trust it or not.
newbie
Activity: 50
Merit: 0
It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?

If Chrome gives you problems, try Firefox; it should be doable. But anyway, I'll try to implement an HTML5 offline version as soon as possible, which should solve this.

cool new open-source site for generating safe and truly random offline Bitcoin addresses.

Hi mikewoods,

I quite like the visual display for your entropy gathering. From a psychological perspective, I think it makes it more likely that a user will do the work it takes to make good mouse movements.

I notice you're not taking advantage of window.crypto.getRandomValues(). Do you believe your random number generator is more secure? If so I'd like an explanation. It seems to me that mouse movement and such should either be a fallback or an enhancement to using window.crypto.getRandomValues. Not leveraging getRandomValues at all seems an oversight to me since it's supported by almost every browser now. (IE9 being the notable exception.)

Canton

Thanks Canton, it was very fun to work on those dots.
As far as window.crypto.getRandomValues() goes, there are a few problems:
1) Not all browsers support it correctly (and I'm trying to support somewhat older browsers (not really old ones) as well; for example, I've implemented address computation using both HTML5 workers and the UI thread with delayed recursion).
2) It's still pseudorandom, which makes it conceptually unacceptable because it has limited entropy.
3) (Less important than 1) and 2).) The browser could be compromised (and it's a very obvious thing to attack).

Mouse movements are used as the primary source of randomness, and they have a lot higher entropy than any pseudorandom source. Still, to protect the user a bit more, it's XORed over a pseudorandom sequence.

Anyway, I'd be happier if these kinds of very technical questions were discussed on GitHub, because they can be useful for people who decide to join later.

Yes, watch out for HTML5 offline storage too. I would use it on an unnetworked VM that is then destroyed.

It's just that cold keys are perfect: you can steal them later and they have large amounts. Be careful, people. This looks legit. I didn't see any HTTP requests after load. But someone can clone this site, etc.

Even then, the initial ECDSA can be compromised. Like the Android hack.

I also don't believe bitaddress takes only one reading.

Those are valid considerations for possible attacks. That's why my site doesn't store (and won't store) a single cookie, doesn't include outside .js (no ads, and no analytics software), and that's also the reason why I'll have to support the site using only donations.

Luckily the ECDSA cannot be compromised, because the randomness source is a human (bad randomness is what enabled the exploit on Android).

Bitpop, I'd be very thankful if you open a discussion about possible attacks on GitHub; this information is very valuable.

Wow, very nice site!

Great job.

Thanks devthedev!

legendary
Activity: 1050
Merit: 1004
Wow, very nice site!

Great job.
legendary
Activity: 2912
Merit: 1060
Yes, watch out for HTML5 offline storage too. I would use it on an unnetworked VM that is then destroyed.

It's just that cold keys are perfect: you can steal them later and they have large amounts. Be careful, people. This looks legit. I didn't see any HTTP requests after load. But someone can clone this site, etc.

Even then, the initial ECDSA can be compromised. Like the Android hack.

I also don't believe bitaddress takes only one reading.
sr. member
Activity: 261
Merit: 285
cool new open-source site for generating safe and truly random offline Bitcoin addresses.

Hi mikewoods,

I quite like the visual display for your entropy gathering. From a psychological perspective, I think it makes it more likely that a user will do the work it takes to make good mouse movements.

I notice you're not taking advantage of window.crypto.getRandomValues(). Do you believe your random number generator is more secure? If so I'd like an explanation. It seems to me that mouse movement and such should either be a fallback or an enhancement to using window.crypto.getRandomValues. Not leveraging getRandomValues at all seems an oversight to me since it's supported by almost every browser now. (IE9 being the notable exception.)

Canton
legendary
Activity: 1442
Merit: 1000
Antifragile
It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?



I was looking out for the community when I said what I said and I think Mike knows that.
Of course someone could write something in the Java to do what they want. A program does what you tell it. It doesn't have to send things back, it could create Private Keys that it is told to.

I'm not accusing him though (I'm saying to be careful and have someone look at the code), perhaps he is bringing up a VERY important issue regarding those initial seeds not having the required entropy for truly random private keys and that is worrisome.
That needs to be looked at.

But, so does the code here.
hero member
Activity: 526
Merit: 508
My other Avatar is also Scrooge McDuck
It's certainly beautiful... I sure hope you are what you say you are Mike.

I downloaded the chrome "web page complete" and while running it locally, it let me do the mouse movements just fine but wouldn't let me go to the next screen upon generation. Oh well.

The more I think about it, the more I really think you need to make the site into a downloadable package that we can use as a portable app... It still seems too easy for the browser to report the priv key back to you after an offline generation. A cookie could store that and be told to report it at next page load, couldn't it?

hero member
Activity: 518
Merit: 500

wow - thanks for the generous explanation. I do the "mouse shaking" thing with my keyword manager, so I got that part of it. Just didn't realize how serious the issue could be.

So the wallet I use, electrum, is using a pseudo random number generator presumably to generate the keys. So the best way forward would be to use your tool to create new keys and import them into Electrum?

If the software doesn't use mouse movements at all to generate randomness, then you are much safer by opening OfflineAddress.com, disconnecting, generating addresses and then importing them in whatever wallet program you prefer (or leave them unimported and keep them as cold storage, so that the private key never touches the internet).

Also, there is another problem with programs that use mouse movements but do it incorrectly.
The usage of mouse movements is an art on its own, and it's hard to implement it correctly:
 - It's easy to pick up the mouse position every x milliseconds, but if the user isn't moving his mouse in the meantime, no useful random numbers can be extracted (mouse coordinates will just repeat).
 - The second problem is that some computers extract the mouse position faster than others, so some changes in mouse position must be ignored so that the program doesn't pick up coordinates that are generated too fast and are probably closer to each other (less random).

That's why most programs don't actually show the coordinates they extracted.

And that's why OfflineAddress.com shows those dots flying over the screen: they are not there just for fun, they are the real mouse position coordinates extracted to be used for generating truly random addresses.


Yeah, I noticed the dots flying over the screen. Nice touch. Thanks for all the advice. Looks like I need to use your service.
newbie
Activity: 50
Merit: 0
Hey guys, with all due respect to Mike, he registered here Yesterday.
His code needs to be thoroughly looked through by the community before you go using it.
Most of us are not coders and open source is nice, once you know it is safe.

And I just checked - Mike opened his Git Hub account yesterday as well!
DO NOT USE this software until it is checked!!!

IAS

Thank you Its_About_Sharing - your post is correct.

I did push the project to GitHub a few days ago (however, it's 4 months old now); I didn't want to share any half-baked or untested product with others before I could call it version 1.0.
(If I were in other people's shoes I'd probably be skeptical at the beginning as well.)
You don't have to worry about math - it's working perfectly.
I didn't want to risk anyone's money with buggy software, so I finished it before sharing.

All the code is clean and as simple as possible (and not compressed for now, so that everyone can read it easily).
It's available here: https://github.com/mikewoods/OfflineAddress.com

I'm looking for all the help I can get to make this site even better.

Cheers!

legendary
Activity: 1442
Merit: 1000
Antifragile
Hey guys, with all due respect to Mike, he registered here Yesterday.
His code needs to be thoroughly looked through by the community before you go using it.
Most of us are not coders and open source is nice, once you know it is safe.

And I just checked - Mike opened his Git Hub account yesterday as well!
DO NOT USE this software until it is checked!!!

IAS
newbie
Activity: 50
Merit: 0
Very nice site!

It would be nice if we could also include keystrokes into randomness.

Is there an elegant way to print or export to PDF?


Thank you minimalB!

For now you could use the browser's printing mechanism to print or export to PDF, but I'm planning to improve the printing experience as soon as I get some time to do it (or if someone sends me a pull request on GitHub in the meantime).
donator
Activity: 674
Merit: 523
Very nice site!

It would be nice if we could also include keystrokes into randomness.

Is there an elegant way to print or export to PDF?
newbie
Activity: 50
Merit: 0
FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).

That's a great thing, especially if they use smartphone sensors (unfortunately, on desktop clients there isn't much to collect beside mouse movements and keystrokes).

Regarding the "industry-standard OpenSSL random number generator": I'm a bit skeptical because it's known that some 'standards' have been forced by the NSA and have a backdoor, for example:
https://en.wikipedia.org/wiki/Dual_EC_DRBG
http://www.researchgate.net/publication/250025759_Chapter_10_An_Elliptic_Curve_Asymmetric_Backdoor_in_OpenSSL_RSA_Key_Generation
, so it's hard to tell if there is more of those 'paid standards' that actually work against us.


Now I'm a little worried, I've put most of my little stash of bitcoins on some paperwallets generated offline with bitaddress (I downloaded it from github and used it offline on a Ubuntu live cd).
Is it advisable to retrieve these paperwallets, import the keys and make new ones with your method?

Also how does this random numbers thing apply to computer wallets? I mean Bitcoin-Qt, Multibit, Electrum, etc... I've never been asked to move my mouse in order to generate random seeds. Do they use a different method?

I personally don't use any wallets to generate my BTC addresses, I always generate secure addresses and import them.
However, if the software you're using does use mouse movements, camera snapshots or other input sensors to provide randomness, then you don't have to worry (if they have it, and it's well implemented, they'll probably brag about it).
