
Topic: Check out my awesome site for generating secure OfflineAddress.com - page 4.

newbie
Activity: 50
Merit: 0
FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).

That's a great thing, especially if they use smartphone sensors (unfortunately, on desktop clients there isn't much to collect besides mouse movements and keystrokes).

Regarding the "industry-standard OpenSSL random number generator" - I'm a bit skeptical because it's known that some 'standards' have been forced by the NSA and have a backdoor, for example:
https://en.wikipedia.org/wiki/Dual_EC_DRBG
http://www.researchgate.net/publication/250025759_Chapter_10_An_Elliptic_Curve_Asymmetric_Backdoor_in_OpenSSL_RSA_Key_Generation
so it's hard to tell if there are more of those 'paid standards' that actually work against us.


Now I'm a little worried, I've put most of my little stash of bitcoins on some paper wallets generated offline with bitaddress (I downloaded it from github and used it offline on an Ubuntu live CD).
Is it advisable to retrieve these paper wallets, import the keys and make new ones with your method?

Also how does this random numbers thing apply to computer wallets? I mean Bitcoin-Qt, Multibit, Electrum, etc... I've never been asked to move my mouse in order to generate random seeds. Do they use a different method?

I personally don't use any wallets to generate my BTC addresses, I always generate secure addresses and import them.
However, if the software you're using does use mouse movements, camera snapshots or other input sensors to provide randomness then you don't have to worry (if they have it, and it's well implemented, they'll probably brag about it).

hero member
Activity: 515
Merit: 502
FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).

ah good to know! I had just asked that question
hero member
Activity: 515
Merit: 502
Thank you, it is a very useful tool. I also found the technical explanation very interesting.

Now I'm a little worried, I've put most of my little stash of bitcoins on some paper wallets generated offline with bitaddress (I downloaded it from github and used it offline on an Ubuntu live CD).
Is it advisable to retrieve these paper wallets, import the keys and make new ones with your method?

Also how does this random numbers thing apply to computer wallets? I mean Bitcoin-Qt, Multibit, Electrum, etc... I've never been asked to move my mouse in order to generate random seeds. Do they use a different method?
legendary
Activity: 1120
Merit: 1016
FWIW, Electrum and Bitcoin-Qt use the industry-standard OpenSSL random number generator, which does collect several types of user input (not just mouse coordinates).
newbie
Activity: 50
Merit: 0
Not just disconnect, never have connected

It's possible to never be online as well - all you have to do is load the site and store it on your local machine (some browsers are capable of doing that, while some others might fail - so try out a few browsers), copy the site to another machine that was never connected to the internet, and use it from there (this is for the most skeptical users who are afraid that their machine is infected).

I've created the site so that it preloads all the resources it might need in the future right after it loads (this feature will also be enhanced in the future when I switch to using the HTML5 offline mechanism).

After you store the site locally, you can just use the site from your machine without ever being online (and get the new version again when you see some new cool feature that I've added in the meantime).
legendary
Activity: 2912
Merit: 1060
Not just disconnect, never have connected
legendary
Activity: 952
Merit: 1005
I've created OfflineAddress.com - cool new open-source site for generating safe and truly random offline Bitcoin addresses.

I liked the idea of using mouse movements to generate addresses, and it's fun too ;)
The "Printable Notes" section is great, I can now give out nice looking bitcoin gift vouchers.

(Thanks for the "disconnect from internet warning")
newbie
Activity: 50
Merit: 0
Very cool that people are working together to find solutions for these types of issues :) Kudos!

I have a Q and I am not tech oriented so if anyone could reply in plain English it would be incredibly appreciated.

If someone used bitaddress.org to generate addresses offline from a computer that continues to be offline but might also be brought back online at some point, is there any way that the private keys can be brute forced by a hacker? If so, in layman's terms, what are the odds of success in each case (offline, online)?

In other words, would an attacker brute force the site bitaddress.org to come up with these addresses or would they brute force the computer? Or both?

thx much

BitAddress.org isn't all that bad (it's just that it could be better, check this message: https://bitcointalksearch.org/topic/m.4315842)
BitAddress.org does use one mouse position, which is better than nothing, but still far from enough to make private keys as secure as possible.

The attacker has to brute force the start of the pseudorandom sequence from which the keys were created, and doesn't have to brute force all numbers in the sequence - which makes the brute-force attack easier.
The attacker doesn't attack the site directly (but has to simulate its behaviour), or the user. It just needs to brute force the set of addresses that could have been generated using pseudorandom sequences - because the set of addresses created using pseudorandom numbers is much smaller than the number of all possible addresses. So it wouldn't be the hacker who attacks you, but instead an entity with enough processing power to go through that limited set of addresses that could have been generated using a random source with small entropy.
In other words - soon (if not already) it makes sense to start mining addresses that are not random enough, instead of mining bitcoins directly.


This is against everything I know.

I was shocked myself at how everyone ignored this problem (except some exceptional cryptographic programs like TrueCrypt that actually use the mouse to generate better randomness) although it's a well-known problem and written all over Wikipedia.
That's why I was motivated to do this in the first place.
I guess it's just the laziness of programmers, and that nobody would care until someone gets hurt.



newbie
Activity: 50
Merit: 0
Seriously? And a person should trust you with their private key, why?

You got it all wrong:

This website runs in your browser, not on servers; the private key never leaves your computer - I can't know it even if I wanted to.

But in order not to need to trust me (or the community looking at the code, which is open-source) the site even suggests disconnecting from the internet so that you can be sure that there is no way the private key could ever be sent to the internet.
newbie
Activity: 50
Merit: 0

wow - thanks for the generous explanation. I do the "mouse shaking" thing with my keyword manager, so I got that part of it. Just didn't realize how serious the issue could be.

So the wallet I use, electrum, is using a pseudo random number generator presumably to generate the keys. So the best way forward would be to use your tool to create new keys and import them into Electrum?

If the software doesn't use mouse movements at all to generate randomness then you are much safer by opening OfflineAddress.com, disconnecting, generating addresses and then importing them in whatever wallet program you prefer (or leave them unimported and keep them as cold storage - so that the private key never touches the internet).

Also, there is another problem with programs that use mouse movements but do it incorrectly.
The usage of mouse movements is an art on its own and it's hard to implement it correctly:
 - It's easy to pick up the mouse position every x milliseconds, but if the user isn't moving his mouse in the meantime no useful random numbers can be extracted (mouse coordinates will just repeat).
 - The second problem is that some computers extract the mouse position faster than others, so some changes in mouse positions must be ignored so that the program doesn't pick up coordinates that are generated too fast and are probably closer to each other (less random).

That's why most programs don't actually show the coordinates they extracted.

And that's why OfflineAddress.com shows those dots flying over the screen - they are not there just for fun, they are real mouse position coordinates extracted to be used for generating truly random addresses.
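A simulation of the two sampling problems just described, as an added example (not OfflineAddress.com's code): a constructed stream of mouse readings with an idle stretch and a too-fast burst, a filter that drops both, and a hash that condenses what survives into seed material. The 30 ms threshold and the SHA-256 step are this example's assumptions, not the site's.

```python
import hashlib

# Constructed (t_ms, x, y) readings, standing in for mousemove events.
# Readings at 80-160 ms repeat the same position (mouse idle); readings at
# 202-206 ms arrive every 2 ms (fast-polling machine): the two problems above.
SAMPLES = [
    (0, 100, 200), (40, 102, 198), (80, 102, 198), (120, 102, 198),
    (160, 102, 198), (200, 130, 210), (202, 131, 211), (204, 132, 212),
    (206, 133, 213), (250, 160, 240), (300, 150, 260),
]

def filter_mouse_samples(samples, min_interval_ms=30):
    """Keep only readings that add information:
    - the position must differ from the last accepted reading (an idle mouse
      just repeats coordinates);
    - at least min_interval_ms must separate accepted readings, so a machine
      that polls faster does not contribute near-identical neighbouring points.
    The threshold is an assumed value for this example."""
    accepted = []
    last_t, last_pos = None, None
    for t, x, y in samples:
        if (x, y) == last_pos:
            continue
        if last_t is not None and t - last_t < min_interval_ms:
            continue
        accepted.append((t, x, y))
        last_t, last_pos = t, (x, y)
    return accepted

def seed_material(accepted):
    """Condense the accepted readings into 32 bytes by hashing. The hash adds
    no entropy of its own; it only mixes what the readings carried."""
    h = hashlib.sha256()
    for t, x, y in accepted:
        h.update(f"{t}:{x}:{y};".encode())
    return h.digest()

if __name__ == "__main__":
    kept = filter_mouse_samples(SAMPLES)
    print(len(SAMPLES), "readings ->", len(kept), "kept at", [t for t, _, _ in kept])
    print(seed_material(kept).hex())
```

Of the 11 constructed readings only 5 survive, which is the point: a program that counts raw samples instead of accepted ones overestimates how much randomness it collected.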


legendary
Activity: 2912
Merit: 1060
This is against everything I know.

Random numbers cannot be generated inside a computer, and pseudorandom numbers can be easily predicted.
Keys that are not random enough can be guessed, and Bitcoins stolen.
Real randomness has to be human-provided.
Dots flying around are real random data used to generate truly random private keys and addresses.
sr. member
Activity: 280
Merit: 250
Seriously? And a person should trust you with their private key, why?
full member
Activity: 155
Merit: 100
Very cool that people are working together to find solutions for these types of issues :) Kudos!

I have a Q and I am not tech oriented so if anyone could reply in plain English it would be incredibly appreciated.

If someone used bitaddress.org to generate addresses offline from a computer that continues to be offline but might also be brought back online at some point, is there any way that the private keys can be brute forced by a hacker? If so, in layman's terms, what are the odds of success in each case (offline, online)?

In other words, would an attacker brute force the site bitaddress.org to come up with these addresses or would they brute force the computer? Or both?

thx much
member
Activity: 98
Merit: 10
Congratulations on your new website, also I think the site looks appealing, I hope you achieve your goal with this site
and it goes to plan. All the best and good luck with it, it can be hard to maintain :)
hero member
Activity: 518
Merit: 500
Beautiful looking site Mike and great domain name :)

Can you elaborate on the problem with randomness for us non-geeks? What is the issue with how other "address generators" generate addresses?

Is it a security risk?

Yes, there is a serious security problem when generating bitcoin addresses using pseudorandom numbers.

The short (technical) answer: pseudorandom numbers have very small entropy (equal to the size of the seed) and can be easily guessed.

Longer, elaborate answer:

To make sure your BTC are secure you have to store them on an address created with a strongly random private key.
The more random the private key is - the harder it is to guess it.
To make it the most secure - it has to be generated from a truly random sequence of bits.

Random numbers created inside a computer are not really random and shouldn't be used inside programs with critical security (see: https://en.wikipedia.org/wiki/Pseudorandomness#Cryptography).
Random numbers inside a computer are created using simple mathematical equations that provide a sequence of numbers that looks random, but can be easily guessed by just looking at one or two numbers from the sequence (a commonly used mechanism is: https://en.wikipedia.org/wiki/Linear_congruential_generator).

Let's make a simplified example of how these sequences of PSEUDOrandom numbers are created:
Let's try to make a sequence of one-digit pseudorandom numbers (usually sequences have 13-digit numbers or more):

We'll start with x=5 and use the formula next_x = (x*7 + 3) % 10. (%10 means: "take the last digit")
The first number in the sequence is chosen to be 5, the second is then:
(5*7+3)%10 = 8. The third is
(8*7+3)%10 = 9. The next digit is:
(9*7+3)%10 = 6, and so on (it starts to repeat).

The sequence 5, 8, 9, 6 looks like 4 random digits, but if you know the formula by which they are created (and the formulas are well known), all you need to know is that you started from 5; the rest can be calculated.

So, if you use numbers from a sequence of pseudorandom numbers, even if the sequence is a million digits long, you just need to know one or two digits to be able to calculate all of them.

So if you create 1000 bitcoin addresses in one go on your computer, someone could guess a few numbers and be able to get the bitcoins from all 1000 addresses.

That's why pseudorandom numbers should be replaced with random numbers when creating secure addresses, but normal computers don't have a way to roll a real die inside - so the randomness has to be provided by humans (for example by randomly shaking your mouse).


wow - thanks for the generous explanation. I do the "mouse shaking" thing with my keyword manager, so I got that part of it. Just didn't realize how serious the issue could be.

So the wallet I use, electrum, is using a pseudo random number generator presumably to generate the keys. So the best way forward would be to use your tool to create new keys and import them into Electrum?
newbie
Activity: 50
Merit: 0
This looks good. Would it be possible to allow it to harvest randomness from the accelerometer in a phone or tablet? Not that those make the best choice for an offline machine but would be a fun way to generate randomness.

That's a good idea! Almost all sensors on a phone could be used for generating fairly good randomness, and the more information the sensor can produce the better.
The accelerometer is a nice idea - but I don't know if native phone sensors can be used from a website (not a native app).

hero member
Activity: 518
Merit: 500
Nice site..does look great (and pretty too) and going to use it in the future.  Thanks for contributing it to the community.
sr. member
Activity: 354
Merit: 250
This looks good. Would it be possible to allow it to harvest randomness from the accelerometer in a phone or tablet? Not that those make the best choice for an offline machine but would be a fun way to generate randomness.
newbie
Activity: 50
Merit: 0
Beautiful looking site Mike and great domain name :)

Can you elaborate on the problem with randomness for us non-geeks? What is the issue with how other "address generators" generate addresses?

Is it a security risk?

Yes, there is a serious security problem when generating bitcoin addresses using pseudorandom numbers.

The short (technical) answer: pseudorandom numbers have very small entropy (equal to the size of the seed) and can be easily guessed.

Longer, elaborate answer:

To make sure your BTC are secure you have to store them on an address created with a strongly random private key.
The more random the private key is - the harder it is to guess it.
To make it the most secure - it has to be generated from a truly random sequence of bits.

Random numbers created inside a computer are not really random and shouldn't be used inside programs with critical security (see: https://en.wikipedia.org/wiki/Pseudorandomness#Cryptography).
Random numbers inside a computer are created using simple mathematical equations that provide a sequence of numbers that looks random, but can be easily guessed by just looking at one or two numbers from the sequence (a commonly used mechanism is: https://en.wikipedia.org/wiki/Linear_congruential_generator).

Let's make a simplified example of how these sequences of PSEUDOrandom numbers are created:
Let's try to make a sequence of one-digit pseudorandom numbers (usually sequences have 13-digit numbers or more):

We'll start with x=5 and use the formula next_x = (x*7 + 3) % 10. (%10 means: "take the last digit")
The first number in the sequence is chosen to be 5, the second is then:
(5*7+3)%10 = 8. The third is
(8*7+3)%10 = 9. The next digit is:
(9*7+3)%10 = 6, and so on (it starts to repeat).

The sequence 5, 8, 9, 6 looks like 4 random digits, but if you know the formula by which they are created (and the formulas are well known), all you need to know is that you started from 5; the rest can be calculated.

So, if you use numbers from a sequence of pseudorandom numbers, even if the sequence is a million digits long, you just need to know one or two digits to be able to calculate all of them.

So if you create 1000 bitcoin addresses in one go on your computer, someone could guess a few numbers and be able to get the bitcoins from all 1000 addresses.

That's why pseudorandom numbers should be replaced with random numbers when creating secure addresses, but normal computers don't have a way to roll a real die inside - so the randomness has to be provided by humans (for example by randomly shaking your mouse).
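The toy generator from the explanation above, as an added example (not code from OfflineAddress.com): it runs next_x = (x*7 + 3) % 10 from seed 5, shows the 4-digit cycle, and plays the attacker from the earlier post who only has to search the seed space, not every possible output. The a, c, m and seed values are the post's; the function names and the generalisation to arbitrary parameters are this example's own.

```python
"""Toy LCG from the post: x0 = 5, next_x = (x*7 + 3) % 10.
Added example; only the constants come from the post, the rest is this
example's own construction and accepts any a, c, m."""

def lcg(seed, a=7, c=3, m=10):
    """Infinite stream x0 = seed, x_{n+1} = (a*x_n + c) mod m."""
    x = seed
    while True:
        yield x
        x = (a * x + c) % m

def take(n, seed, a=7, c=3, m=10):
    """First n outputs of the generator for a given seed."""
    g = lcg(seed, a, c, m)
    return [next(g) for _ in range(n)]

def period(seed, a=7, c=3, m=10):
    """How many outputs are produced before the stream returns to its first value."""
    g = lcg(seed, a, c, m)
    first, n = next(g), 1
    while next(g) != first:
        n += 1
    return n

def continue_from(observed_value, n, a=7, c=3, m=10):
    """Attacker who saw a single output at any position: that output *is* the
    internal state, so the next n-1 values are fixed by the formula alone."""
    return take(n, observed_value, a, c, m)

def candidate_seeds(observed_prefix, a=7, c=3, m=10):
    """Attacker who saw the first few outputs: try every possible seed.
    The search costs m trials no matter how long the real stream was."""
    return [s for s in range(m) if take(len(observed_prefix), s, a, c, m) == observed_prefix]

def reachable_streams(n, a=7, c=3, m=10):
    """Every n-digit stream this generator can ever produce: at most m of them,
    versus m**n equally likely n-digit strings from a truly random source.
    This is the 'much smaller set of addresses' the attacker walks through."""
    return {tuple(take(n, s, a, c, m)) for s in range(m)}

if __name__ == "__main__":
    print(take(8, 5))                                # [5, 8, 9, 6, 5, 8, 9, 6]
    print(period(5))                                 # 4
    print(continue_from(9, 4))                       # [9, 6, 5, 8]
    print(candidate_seeds([8, 9]))                   # [8]
    print(len(reachable_streams(6)), "of", 10 ** 6)  # 10 of 1000000
```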
newbie
Activity: 50
Merit: 0
Cool site nice job!

How does this differ from say bitaddress?

 :)

Thanks jonanon.

BitAddress is a great site, but it's far from secure.
I don't want to spam by copying my own reply, so please just take a look at this post:
https://bitcointalksearch.org/topic/m.4315842