Author

Topic: Does watch-only wallet have a Master Public Key you should keep safe? (Read 2843 times)

legendary
Activity: 2126
Merit: 1001
You should always assume that revealing a private key from a deterministic wallet will reveal all siblings.   In Armory wallets, if private key x is revealed with the chaincode, all private keys >= X+1 are revealed.

But I don't spend much time worrying about this.  We do not support or claim to support any use cases where private keys are intentionally revealed.  And if your wallet is unintentionally compromised, they will all be revealed anyway. 

Yes, normally that's not an issue.
For me, however, this would turn out to be a problem:

I hold a small Bitcoin sum for a family member (that's what happens when you talk about Bitcoin all the time, eh?). I gave that person a paperwallet with the private key of where the funds are. I have a copy of that address to do things with the funds when asked.
I used an address in my regular wallet, with other funds inside too.

So, now I have the situation that I intentionally gave away a privatekey to a wallet with more funds than on that key. No matter if or if not I trust that family member, anyone able to obtail that paper wallet endangers my whole wallet.

I guess there's no way around that. I can't have both "independent addresses without a chaincode" and a "one seed backs up everything" at the same time. So I need to fall back to an individual wallet for that person, or stick with a single address. Both would make two backups necessary, one for my regular wallet, one for that person's funds.

Ente
newbie
Activity: 19
Merit: 0
OK, thanks for clarifying.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
How about any derived private key, which is not the root key? How serious a leak would that make? Does it compromise all the other private keys as well, if the attacker knows the chain code? (which I assumed is the same for both, private and public chains).


You should always assume that revealing a private key from a deterministic wallet will reveal all siblings.   In Armory wallets, if private key x is revealed with the chaincode, all private keys >= X+1 are revealed.

But I don't spend much time worrying about this.  We do not support or claim to support any use cases where private keys are intentionally revealed.  And if your wallet is unintentionally compromised, they will all be revealed anyway. 
newbie
Activity: 19
Merit: 0
How about any derived private key, which is not the root key? How serious a leak would that make? Does it compromise all the other private keys as well, if the attacker knows the chain code? (which I assumed is the same for both, private and public chains).
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
A full Armory wallet is just

1x Root Private Key
1x Root Public Key
1x Chaincode


A watching-only Armory wallet is just

1x Root Public Key
1x Chaincode

So basically watching-only wallets don't have any private key data at all, and the chain code is just a constant that is carried through all the calculations.  With the priv key + chaincode, you can compute all private keys.  With public key + chain, you can compute all public keys that match the private keys produced on the full/offline wallet.

The chaincode and public key are not security-sensitive.  Someone getting them is a breach of privacy, not security.  All internet security is based on the fact that the public key is widely distributed (i.e. "public") and that the scheme maintains full security as long as no one else has the private key.
newbie
Activity: 19
Merit: 0
Revealing any private key for any type of Bitcoin wallet software kind of lets the person you revealed it to steal all your money.

I don't understand. I don't think you meant that non-deterministic wallet's keys have some kind of relationship that would allow revealing all the other private keys if any one of them is revealed, did you? And I wouldn't use only one private key in my wallet. More like one per transaction. Did you assume a single-key wallet when saying this?

I think that possibly the Bitcoin Magazine article has a mistake in it, or is maybe written in a way that gave you the wrong impression.

Did you have time to check out the article? If not, could you check it out, for example starting by searching for "crack_electrum_wallet(mpubkey,priv0,0)", a utility function Mr. Buterin mentions he has coded to demonstrate the issue?

Perhaps the subject of a hierarchical wallet is more interesting in this context, but if it applies to Armory's wallet, too, I still believe an arbitrary wallet user could easily think sharing a single private key with someone wouldn't add any risk, which actually would.

If you want to keep a backup for a gift to your friend, just keeping the private key won't be enough. You need the Chain Code too, as that determines all the addresses that the private key unlocks. The private key on it's own is like having a real-life key, but you don't know which lock it opens. When you know the house (think: address), and you have the key, then you can get through the door.

You are talking about deterministic wallets specifically, right? In case of Armory, I thought only the root key is something that fits all the wallet addresses. Do you mean that the rest of the private key chain can be figured out from any private address of the chain, even without the chain code? Or do you mean that Armory's wallet is hierarchical in such a way that not just the root key is something that works on multiple addresses, that any other private key had a similar property?
legendary
Activity: 3430
Merit: 3080
Yes, Mater Public Key = Chain Code

Revealing any private key for any type of Bitcoin wallet software kind of lets the person you revealed it to steal all your money. I think that possibly the Bitcoin Magazine article has a mistake in it, or is maybe written in a way that gave you the wrong impression.

If you want to keep a backup for a gift to your friend, just keeping the private key won't be enough. You need the Chain Code too, as that determines all the addresses that the private key unlocks. The private key on it's own is like having a real-life key, but you don't know which lock it opens. When you know the house (think: address), and you have the key, then you can get through the door.
newbie
Activity: 19
Merit: 0
I think you're mixing up the definitions slightly.

Armory wallet (offline or online) contains:


x1 private key
x1 chain code
infinite public keys (derived from the chain code)

Armory watching only wallet contains:

x1 chain code
infinite public keys (derived from the chain code)


Plus stuff like transaction comments and so on, but I'm sticking to the keys here. If you give someone else the chain code, they can indeed determine the amount of Bitcoin at every address in the wallet. But the Chain Code is always packaged up together with the private key, either in the same wallet file or in the same paper backup. You need both the private key and chain code for a paper backup.

Is the chain code the same thing as the "master public key"?

Quote
In the case of the situation you're describing, there is no real need to panic.

If you're providing an individual public key to someone to pay you with, they know nothing about the rest of the wallet except that one address (represented by the one public key. "Public key" and "address" = same thing).

I meant revealing a private key. Say, I wanted to give my yet unenlightened friend a gift and keep the private key myself as well, for my friend's backup.

Quote
There's no way to make a mistake and accidentally give them the Chain Code, it's not accessible in any part of the Armory application except for the paper backup feature. You'd never make that mistake.

I could have been more specific. What I was worried about was the issue mentioned in the article: Any one private key plus the master public key in single, wrong hands could compromise a whole deterministic wallet.

Why I thought this was worth keeping in mind was that you probably should assume online wallet is pretty open to exposure eventually (therefore, the MPK/CC as well) and any private keys you shared aren't anymore under your control.
legendary
Activity: 3430
Merit: 3080
I think you're mixing up the definitions slightly.

Armory wallet (offline or online) contains:


x1 private key
x1 chain code
infinite public keys (derived from the chain code)

Armory watching only wallet contains:

x1 chain code
infinite public keys (derived from the chain code)


Plus stuff like transaction comments and so on, but I'm sticking to the keys here. If you give someone else the chain code, they can indeed determine the amount of Bitcoin at every address in the wallet. But the Chain Code is always packaged up together with the private key, either in the same wallet file or in the same paper backup. You need both the private key and chain code for a paper backup.

In the case of the situation you're describing, there is no real need to panic. If you're providing an individual public key to someone to pay you with, they know nothing about the rest of the wallet except that one address (represented by the one public key. "Public key" and "address" = same thing). There's no way to make a mistake and accidentally give them the Chain Code, it's not accessible in any part of the Armory application except for the paper backup feature. You'd never make that mistake.
newbie
Activity: 19
Merit: 0
After reading about the drawbacks of deterministic wallets from http://bitcoinmagazine.com/8396/deterministic-wallets-advantages-flaw/, it seems to me like Armory's watch-only wallets (and offline wallets as well, actually) have the "master public key" mentioned in the article, easily obtainable.

Does this mean I should never reveal any of the private keys of my deterministic Armory wallet? If I did, I would risk compromising all the private keys when someone gets hold of both, the master public key and any single private key of my wallet.

Someone, please verify!
Jump to: