Topic: More Signatures with Repeated Nonces. - page 3. (Read 8083 times)

member
Activity: 108
Merit: 10
April 10, 2016, 11:38:02 AM
#18
Hello,
I have 1 question.
Suppose I use two Electrum wallets on two different machines, one offline and one online. If I use the offline machine just to sign transactions via Electrum and then transfer the signed transaction to the online Electrum wallet on another PC for broadcasting, am I safe?
Do I risk getting my bitcoins stolen? Can my private keys leak? And if so, how is that possible?
full member
Activity: 217
Merit: 241
April 10, 2016, 09:41:24 AM
#17
1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?

1. If you empty the wallet with a single transaction there is only a very tiny chance that you are affected.  For this the client must be really buggy, selecting the same nonce twice in this transaction, and someone (amaclin) needs to have his bot running that tries to immediately double spend your transaction after seeing it.  I have seen such a double-spend attempt once but it didn't succeed; although if it had succeeded, I wouldn't have seen it.

2. Probably no bitcoin client is completely safe.  With regards to this problem, they are safe since they use deterministic signatures (January 2015).

3. No.  My script also scans for multisig (at least I intended to do that).  But I haven't found a reused nonce in a multisig so far.

4. They claim to use deterministic signatures.  If that is correct, they are safe.
legendary
Activity: 1792
Merit: 1087
April 10, 2016, 09:10:39 AM
#16
I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

You won't be affected if you NEVER spend, of course

3. Are multisig addresses (starting with 3) unaffected by this ?

yes

EDIT: yes, they are affected
legendary
Activity: 1904
Merit: 1073
April 10, 2016, 08:06:53 AM
#15
Hey, OP, once again thank you for your honesty. I doubt these funds will be claimed if they are connected to the Darkweb. A typical reason to set up a virtual machine is to evade tracking and eliminate footprints. {Starting from a clean image} If this is in any way linked to illegal activities, please report it to the authorities. We do not need any bad publicity. Good work, I hope you will run your script more regularly to expose these compromised signatures.
hero member
Activity: 784
Merit: 500
April 10, 2016, 07:40:56 AM
#14
I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?
full member
Activity: 217
Merit: 241
April 10, 2016, 06:24:55 AM
#13
So how much BTC have you so far "swept"?

I updated the first post, so far 7 BTC.

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?

It's better to empty the paper wallet at once into Mycelium and never use it again.  If that contains too much, create several paper wallets with smaller amounts.
Mycelium is not affected by this bug (I think they use deterministic signatures).
newbie
Activity: 12
Merit: 0
April 10, 2016, 05:53:28 AM
#12
I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?
legendary
Activity: 2296
Merit: 2262
BTC or BUST
April 10, 2016, 01:31:01 AM
#11

I set up a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

So how much BTC have you so far "swept"?
legendary
Activity: 1792
Merit: 1087
April 10, 2016, 01:18:05 AM
#10
Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.


Don't reuse paper wallets after emptying them, and don't reuse paper wallets before emptying them.
hero member
Activity: 644
Merit: 500
April 09, 2016, 08:48:17 PM
#9
I would have thought that among all the other noise that an RNG should be using to seed itself, one of those inputs would be tied to the date and time? So that even if you had cloned a VM, and started it a few days late, it would have new seed data to generate randoms from than the original before it was cloned?
full member
Activity: 217
Merit: 241
April 09, 2016, 05:38:37 PM
#8
What in your estimation is the source of this problem?

My guess is a cloned virtual machine state.

Observation: The reuse happened several days apart and then the nonces are repeated in roughly the same order.  This happened three times.  Then another completely different set of 10 nonces were repeated again after a few days.

Possible Explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine image.  After a few days the machine was restored to an earlier snapshot and restarted.  Then again after a few days the machine was restored to this state.
legendary
Activity: 1092
Merit: 1001
April 09, 2016, 05:14:56 PM
#7
...
EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

After looking at some of the tx going into and out of one of the compromised addresses, it seems to me (but of course in Bitcoin we can never really know) that the address's connections may have some associations with a few different darknet markets.

So, if the above is true, I assume we will never hear from the true owner of the compromised addresses and learn what wallet was used and the cause of this reuse issue.


hero member
Activity: 1092
Merit: 520
April 09, 2016, 05:07:38 PM
#6
Great job johoe, i admire your honesty Sir.  What in your estimation is the source of this problem?
full member
Activity: 217
Merit: 241
April 09, 2016, 04:57:16 PM
#5
Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.
full member
Activity: 160
Merit: 100
April 09, 2016, 03:40:38 PM
#4
Please tell me this wouldn't affect paper wallets generated with bitaddress.org.
full member
Activity: 217
Merit: 241
April 09, 2016, 07:23:36 AM
#3
The last time this happened was the Blockchain.info December 2014 incident.  You can read up on it here:

  https://bitcointalk.org/index.php?topic=581411.0

AFAIK all hardware wallets use deterministic signatures by now, so I don't think it is a hardware wallet.  The wallet is reusing random nonces to generate the signatures.  It could be a bad random number generator or someone cloned the random state (e.g. by cloning a virtual machine or forking processes) or maybe even another openssl problem.  I guess a cloned virtual machine is most likely from the pattern I observe.  It wouldn't have happened if they had used deterministic signatures.

https://blockchain.info/tx/fc9c8c56ce09b48f1e593a0df3f9a03f8dc33ba2027621e047fc5fc4f86f93f6
https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb

All three transactions use r = 538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951
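An added example, not johoe's script or any wallet's code, that models what posts #3 and #8 describe: a wallet whose RNG state is captured in a VM snapshot replays the same nonce sequence after a restore, so two signatures share an r-value and a scanner that groups signatures by r catches it, while a deterministic nonce (a simplified HMAC construction here, standing in for RFC 6979) gives distinct r for distinct transaction hashes. The secp256k1 arithmetic, the private key and the transaction hashes are all constructed inline, and random.Random only models the wallet RNG; it is not cryptographic.

```python
import hashlib, hmac, random

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)
def ec_mul(k, p):  # double-and-add scalar multiplication k*p
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc
def sign(d, z, k):
    """ECDSA over secp256k1: hash z, private key d, nonce k -> (r, s)."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N
def det_nonce(d, z):
    """Deterministic nonce from (key, hash); simplified stand-in for RFC 6979."""
    mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1
def repeated_r(sigs):
    """What the thread's scanner looks for: an r-value shared by two signatures."""
    by_r = {}
    for txid, r, _s in sigs:
        by_r.setdefault(r, []).append(txid)
    return {r: txs for r, txs in by_r.items() if len(txs) > 1}
def snapshot_wallet_sigs(d, hashes, restore_at):
    """Cloned-VM model: the wallet RNG state is inside the VM image, so restoring the
    snapshot replays the same nonces in the same order (random.Random is a stand-in)."""
    rng = random.Random(2016)
    snapshot = rng.getstate()                       # VM snapshot taken here
    sigs = []
    for i, z in enumerate(hashes):
        if i == restore_at: rng.setstate(snapshot)  # VM restored days later
        sigs.append((f"tx{i}", *sign(d, z, rng.randrange(1, N))))
    return sigs
def deterministic_wallet_sigs(d, hashes):
    """Same hashes signed with deterministic nonces: distinct hashes give distinct r."""
    return [(f"tx{i}", *sign(d, z, det_nonce(d, z))) for i, z in enumerate(hashes)]
```

The flagged pairs have equal r but different s, which is exactly the pattern the scanner reports; the deterministic run produces no repeats for distinct hashes and identical signatures for an identical hash, which leaks nothing.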

hero member
Activity: 910
Merit: 509
April 09, 2016, 02:10:07 AM
#2
Can the mentioned signature be used in wallets, typically hardware wallets, only?

Please also give us the link to generate new Signature with repeated nonces.
full member
Activity: 217
Merit: 241
April 09, 2016, 01:30:49 AM
#1
My script that I still occasionally run has detected repeated nonces (r-value) in signatures again.  Looks like a bad random number generator; the repetitions usually happen some days apart.  The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now.  Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I set up a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again.  There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses.  I accidentally counted five unrelated addresses.  Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt