Topic: Explain wallets to me (Read 1265 times)

Thanks! This thread was extremely useful

That's a very useful contribution, thank you!

That does indeed clear up some FUD



Alan

The key is in understanding some cryptography concepts, in this case primarily Public-Private key cryptography.

You also need to understand the 'compromised keys' comments in context. The context can be found in the minds of cryptographers. Paranoia rules (with good reason). The rules are black and white. Something is only secure if it can be mathematically proven, so even the perception, however slight, and in real life, however unlikely it is, that a secret is compromised, it will be labeled as such. It makes it easier to talk about these concepts as there is a clear boundary between what is secure and what not and what lies inside this boundAry.

So labelling something as 'compromised' means that it is not protected by a cryptographic boundary anymore and is now probably only as secure as the rest of the files on your computer. By no means is it exposed to the whole world all of a sudden.

magic

Correct.


Absolutely. It is definitely bat-poo crazy to use such a service from "a Windows machine touching the internet".


Correct.  The javascript that the website sends to your browser is completely viewable and has been reviewed by several knowledgeable peers.


The javascript program that runs in your browser?  Yes, they are broadcasting that program across the internet as plain text.  The keypair?  No. That is created locally in your browser by a javascript program.


The keypair? Correct.


Probably not.  That's why it is generally recommended that you save the webpage to a file, copy that file to removable media (such as a CD or USB flash drive), and then open that webpage file from an offline computer.  This way you can ensure that the page is unable to send anything back to the server.

If you are really paranoid about it, you can format the boot drive on the offline computer and install a trusted fresh copy of an operating system.  This way you can make sure that the offline computer doesn't have some sort of malware that might be keeping track of what you are doing.  Then when you are done generating keypairs, before you ever connect that computer to the internet in the future, you can reformat the hard drive and reboot the computer to make sure that no trace is left behind for any future malware to find.

With that bitaddress.org thing, how is that safe?

I'm guessing that, in theory, it creates the public/private key pair in your own browser and they never get to see it (since it says 'client side').

But considering the understandable paranoia about a Windows machine touching the internet, possibly getting infected and thus compromising your .dat/.key files, surely using an online service from strangers must be bat-poo crazy dangerous?

Why should we trust them?

I'm hoping the answer is because their site is somehow open source (can a website be open source?) and we can be sure they won't see the matching pair. But they're still broadcasting that across the internet as plain text...? Or is it genuinely created in your own browser? And if so, are browsers safe anyway?

?



A.

the .key file is multibits way of storing the information you generated on bitaddress.org, this varies from client to client. in most clients its a wallet.dat file. a private key doesn't HAVE to be made on bitaddress.org, thats just an easy way to make a private key from a live-cd without being online for maximum (probably unnecessary) paranoia.

I meant to compare exposing your private key to the internet with exposing your credit number to the internet, not a signed transaction. My bad on the lack of clarity

I want to point out that I'm no expert, and will gracefully accept criticism from other members of the community if I'm wrong in the advice I'm handing out, but you guys seem to need help so I'm gonna give this my best shot.


It will become more mass friendly when there is a cd you can buy in the store, or a hardware wallet thats fully secure that you can buy and run, and be totally secure that experts made this (ridiculously easy to use) software and nobody is going to hack it. I know there's a thread here where somebody is working on a solution that simplifies everything to a wallet device one can plug into any usb drive and be secure.


What was the first one you tried? Was it the client from bitcoin.org?


nope, because your wallet.dat file (which contains the private key) is what they'd hypothetically be after


I'm personally unfamiliar with multibit so I can't answer the question of what the resulting file was conclusively. Multibit is a wallet that can handle different kinds of coins, right?

I would guess that the resulting file is something made by multibit, for reference by multibit, and isnt really designed to work in other wallet programs. I'm assuming they used a different format so they can store wallet.dat files for different coins all as on and you can save it as one wallet file (instead of one file for each coin).


and this is where bitcoin needs to get more mainstream friendly...

the "keyhole" for the number you generated at bitaddress.org depends on the particular client you're using.

I have no idea how to import it into multibit, but there's more than likely a way.

for the client from www.bitcoin.org you have run bitcoind.exe file with a --importprivkey (i think, you'll prolly wanna google around for a more concise tutorial) flag tacked on.

here's how I got it to work:

1) run the client as normal.
2) run cmd.exe from the start menu
3) run bitcoind.exe with the --importprivkey (i think) flag AND your private key after that (this is the keyhole)
4) my bitcoin popped up in my wallet

alternatively (and less safely, but more easily) you can use the client offered online by www.blockchain.info -- then theres a section on that site where you can go type your private key in, and it will load your private key into a wallet for you.


pretty sure the .key file is just a format designed for this multibit program you found.

you're getting confused because the word "import" is ambiguous. yes you can import a wallet designed just for multibit into a multibit client (this is apparently a .key file).

but in the context of this thread, when I've been saying "import" I meant loading your private key into a client of any kind (i just described a couple of way to do this above).

importing a .key file into multibit counts as doing this, because your private key is stored inside the .key file (same for wallet.dat files on the other clients)


i think you're talking about multibit, which I can't answer for you being unfamiliar with that program.

in general though, private keys are mathematically linked to a set of addresses. bitaddress.org generates you a private key and one such address linked to that key. in most clients, once youve loaded up a wallet.dat (or imported a private key), you can generate a new address as often as you want.


like how .key files are made for multibit, a wallet.dat file gets generated by the "bitcoin-qt" client (and similar clients for other coins, this is the one at www.bitcoin.org, and is the most common). it contains the raw private key information (which you could alternatively generate at www.bitaddress.org, and loading one of those into a client causes the client to generate a wallet.dat for that particular private key, just as multibit generates a .key file)

if you have the qt client installed, you'll be able to find the wallet.dat file by typing "%appdata%" into an explorer window, then clicking on the folder for the appropriate client.

or, you could just use the export option in the qt client itself, that'd actually prolly be easier (i think it works the same way as in multibit).

I doubt you'd remember it, as it's around twice the length of a phone number, with letters as well as numbers.

No, you should not just keep it on your PC.

First you need at least one or two backups, such as printing it out and keeping that paper (very) safe, also perhaps as a file on a USB thumbdrive or CD etc.

I also recommend Axcrypt, if you're using Windows:

http://www.axantum.com/axcrypt/

You could use that to encrypt the key file backups.

I'm still not really positive about what I'm doing, in that I'm by no means sure how one can tell if one's PC has malware or how to transfer or buy stuff without going online, which can potentially compromise your machine. Once I really understand that I'll be a lot more confident...




A.

So should i just save this number to one of my folder on my computer desk? or is it possible just to remember it? maybe its safer?

Thanks!

I just tried that, seems to work. Well I can rename a notepad file as test.key anyway.

Mmm....  Have set my PC to open with notepad, instead of the registry editor.

OK, still experimenting a bit but this makes a lot more sense.

I'm still not sure what a .dat file is though?




Alan

don't save the key only in the HDD, any problem and you loose your money

Notepad, copy-paste the private key there, save and rename in .key and ta-dah you will be able to import it into Multibit. Probably in the future versions of Multibit you will be able to import keys directly via the program 

OK, I get the bit about signing with your private key, how that's the thing that confirms sending the money and such.

I'm still somewhat confused over the actual file/format of the thing.

It seems the 'key' is just a number. I get the idea it's a number from a website that makes such numbers for you, bitaddress.org.


Yet with Multibit it's a "XX.key" file. This is awkward because how do I turn a number into a .key file in order to use it with that software? There's nowhere in the software I can just type in a number, so if I DO have the number written down somewhere, what use is it?


That software only seems to be able to import or export .key files, so:

If I export I have a .key file, but I don't have a number.

If I have a number (bitaddress.org) I don't have a .key file

And it seems there's something else, called a .dat file? Is that only for the 'thick' client, because I see no sign of such a thing with Multibit?


I hope my confusion is clear!



Alan

No, bitcoin is much safer than sending credit card information. If somebody intercepts your credit card information then they can go use your credit card information anywhere they want. If somebody intercepts your bitcoins transaction message, they can do nothing because it does not include the private key, just a message signed by the private key. They could not generate any other spends because they do not have the key.

You just have to understand cryptography to understand why that is not the case, and sending bitcoins does not compromise your bitcoins. See my post above, but I will try to explain it again:

The wallet contains two things, an address (a public key) and a private key. When people send you bitcoins, they send them to the public address. When you want to send bitcoins, you do not give anybody your private key, you use they key to sign a message saying X bitcoins are moving from this address to another address. Again, you do not give out your private key, only the public key. Nobody can sign the message unless they have the private key, but anybody can check that the message was signed correctly and that you control the key for that address.

Maybe reading more about cryptography, like starting here http://en.wikipedia.org/wiki/Public_key_cryptography might help.

I had an offline wallet but I was tired of it taking up 10GB on my C drive so I uninstalled it. however there are some others that don't hog so much hard drive space and I will try one of those soon instead.

Above someone says to backup 'wallet.dat'

Well where the heck is THAT?


 

OK, I think, thanks.

How's it going to get more mass-friendly when it's like this now though?

I had 2 'wallets' the full-size one and the Multibit thing. The full-size version took forever to finally catch up with the chain thing, then today when I opened it gave some error message and started again from the beginning. That's totally unacceptable, so I've uninstalled that version.

3 questions regarding the 'Multibit' version

1.  I can encrypt the main .exe using AxCrypt, so it cannot be run without a password. Does that help in the slightest, or not?

2. Regarding the private key/s, how does one actually use them? I tried exporting from Multibit, the resulting file seems to be a registry entry. I presume it isn't one - but what is it, exactly?

To use such a key (keys?) do you have to place that file in the folder Multibit is installed in? There doesn't seem to be any keys in the folder at present, so where exactly is the "key hole", so's to speak, for these keys?

Hang on... I can "import" keys? OK, so it's a ".key" file. But there are NO .key files in the folder at present, so what keys is/are it using NOW then?

3. How do you know which keys go with which address? I can't even see what keys it's using, so how do I know if it's the right key, or even which key?



I'm 46, been messing around with computers since I was 22, yet for some reason I'm having a really hard time understanding this system. My actual job is helping people understand technical systems and selling them on the benefits, yet here I am feeling clueless. As soon as I think I understand something it seems that's wrong, or even dangerous.

It's just paralyzing.