Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: New Attack Vector - page 3. (Read 46614 times)

kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 01:01:48 PM
#74
Quote from: piotr_n on July 17, 2013, 12:41:04 PM
Quote from: kokjo on July 17, 2013, 12:37:29 PM
Quote from: piotr_n on July 17, 2013, 11:42:24 AM
yeah, we need a standard. the only question is: who is going to develop a voting system that will decide about the standard?
thank god, we have a primitive bitcoin mining concept, backed with a billion dollar stability fund.
because if the future of this currency was based only on getting together the people developing its IT infrastructure, it would have been pretty fucking doomed.
voting is not needed. we just need a guy with some balls to act as a dictator for a short period of time, and an army of typing monkeys implementing the standard.

what is done at https://en.bitcoin.it/wiki/Protocol_specification is usable, but most is yanked out of the satoshi client and lots of stuff have changed so the wiki is not up to date either. again: make a standard and implement it.
from my experience, the only standard there is, is the satoshi source code.
the wiki is very helpful though and it almost nowhere contradicts the actual protocol, but the standard is in the code.
and maybe its not such a bad idea for a standard to be in a code.
as long as this code is not stupid Smiley
it makes it nearly impossible to create a alternative client, when the "standard" mutates all the time. bitcoin needs diversity in clients.
Would you like to only be able to use internet explore? sure it would work good. but really?
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 12:41:04 PM
#73
Quote from: kokjo on July 17, 2013, 12:37:29 PM
Quote from: piotr_n on July 17, 2013, 11:42:24 AM
yeah, we need a standard. the only question is: who is going to develop a voting system that will decide about the standard?
thank god, we have a primitive bitcoin mining concept, backed with a billion dollar stability fund.
because if the future of this currency was based only on getting together the people developing its IT infrastructure, it would have been pretty fucking doomed.
voting is not needed. we just need a guy with some balls to act as a dictator for a short period of time, and an army of typing monkeys implementing the standard.

what is done at https://en.bitcoin.it/wiki/Protocol_specification is usable, but most is yanked out of the satoshi client and lots of stuff have changed so the wiki is not up to date either. again: make a standard and implement it.
from my experience, the only standard there is, is the satoshi source code.
the wiki is very helpful though and it almost nowhere contradicts the actual protocol, but the standard is in the code.
and maybe its not such a bad idea for a standard to be in a code.
as long as this code is not stupid Smiley
kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 12:37:29 PM
#72
Quote from: piotr_n on July 17, 2013, 11:42:24 AM
yeah, we need a standard. the only question is: who is going to develop a voting system that will decide about the standard?
thank god, we have a primitive bitcoin mining concept, backed with a billion dollar stability fund.
because if the future of this currency was based only on getting together the people developing its IT infrastructure, it would have been pretty fucking doomed.
voting is not needed. we just need a guy with some balls to act as a dictator for a short period of time, and an army of typing monkeys implementing the standard.

what is done at https://en.bitcoin.it/wiki/Protocol_specification is usable, but most is yanked out of the satoshi client and lots of stuff have changed so the wiki is not up to date either. again: make a standard and implement it.

Quote from: gmaxwell on July 17, 2013, 11:50:49 AM
Quote from: kokjo on July 17, 2013, 11:35:42 AM
+1 you are right, and i have broadcasted a double spend. Thank you.
Perhaps you're competent to review this change? https://github.com/jgarzik/python-bitcoinlib/pull/6  I am not.
looks good enough... i have already committed a similar change to my code.
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: New Attack Vector
July 17, 2013, 11:50:49 AM
#71
Quote from: kokjo on July 17, 2013, 11:35:42 AM
+1 you are right, and i have broadcasted a double spend. Thank you.
Perhaps you're competent to review this change? https://github.com/jgarzik/python-bitcoinlib/pull/6  I am not.
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 11:42:24 AM
#70
yeah, we need a standard. the only question is: who is going to develop a voting system that will decide about the standard?
thank god, we have a primitive bitcoin mining concept, backed with a billion dollar stability fund.
because if the future of this currency was based only on getting together the people developing its IT infrastructure, it would have been pretty fucking doomed.
kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 11:35:42 AM
#69
Quote from: gmaxwell on July 17, 2013, 11:23:48 AM
Quote
Code:
       assert 1 == ssl.ECDSA_sign(0, hash, len(hash), mb_sig, ctypes.byref(sig_size0), self.k)
        return mb_sig.raw
I believe this code is wrong.

ECDSA_sign takes a pointer siglen for the length of the buffer. The reason it passes a reference there and not a value is because it writes the resulting length back to it. Otherwise there would be no way to know the length other than the maximum since, obviously, char * doesn't encode a size.  Your code appears to do nothing with the returned size. This is wrong, and it means you're reading past the end of the destination array. Be glad the additional space contains only zeros and not your private key.
+1 you are right, and i have broadcasted a double spend. Thank you.

Quote from: kjj on July 17, 2013, 11:30:32 AM
pwn3d
I accept defeat, but still thinks that we need a standard, and that the satoshi client a bunch of hacks.
kjj
legendary
Activity: 1302
Merit: 1026
Re: New Attack Vector
July 17, 2013, 11:30:32 AM
#68
Quote from: gmaxwell on July 17, 2013, 11:23:48 AM
Quote
Code:
       assert 1 == ssl.ECDSA_sign(0, hash, len(hash), mb_sig, ctypes.byref(sig_size0), self.k)
        return mb_sig.raw
I believe this code is wrong.

ECDSA_sign takes a pointer siglen for the length of the buffer. The reason it passes a reference there and not a value is because it writes the resulting length back to it. Otherwise there would be no way to know the length other than the maximum since, obviously, char * doesn't encode a size.  Your code appears to do nothing with the returned size. This is wrong, and it means you're reading past the end of the destination array. Be glad the additional space contains only zeros and not your private key.

pwn3d
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 11:29:29 AM
#67
Quote from: gmaxwell on July 17, 2013, 11:23:48 AM
Be glad the additional space contains only zeros and not your private key.
Smiley
It could have, indeed.
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: New Attack Vector
July 17, 2013, 11:23:48 AM
#66
Quote
Code:
       assert 1 == ssl.ECDSA_sign(0, hash, len(hash), mb_sig, ctypes.byref(sig_size0), self.k)
        return mb_sig.raw
I believe this code is wrong.

ECDSA_sign takes a pointer siglen for the length of the buffer. The reason it passes a reference there and not a value is because it writes the resulting length back to it. Otherwise there would be no way to know the length other than the maximum since, obviously, char * doesn't encode a size.  Your code appears to do nothing with the returned size. This is wrong, and it means you're reading past the end of the destination array. Be glad the additional space contains only zeros and not your private key.
Pieter Wuille
legendary
Activity: 1072
Merit: 1181
Re: New Attack Vector
July 17, 2013, 11:23:40 AM
#65
The standard was using DER-encoded signatures, we're not making anything up - we're just enforcing a correct encoding rule that should have been there all along. The code comment is just a nice summary of the rules. This was announced several times on the development list and on this forum, and in release notes. We did wait until only a minority of transactions with non-canonical encodings remained, but it's impossible to find every possible (future) misbehaving client code.

If you disagree that standard-conforming signatures should be enforced on the network, we have little to talk about.

In any case, kjj is right - there are 2 weird padding bytes there, and I don't understand why your code is adding them. In any case, it's clearly wrong - go find why and fix it.
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 11:14:20 AM
#64
Quote from: kokjo on July 17, 2013, 11:11:25 AM
Quote from: kjj on July 17, 2013, 11:07:39 AM
The satoshi client is only broken if you got that hex as the output of signrawtransaction.
So the satoshi client can just troll around and smash things up, so no other client gets a fair chance to be able to create transactions.
https://github.com/bitcoin/bitcoin/blob/master/src/script.cpp#L261 <-- this is where the satoshi client fail. the client is bad, and sipa(the dev who commited this) should feel bad.
I disagree that he should feel bad.
Your signature  is inconsistent - one length clearly does not match the other.
IMHO, he's right treating it like he does; a probably broken signature.
kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 11:11:25 AM
#63
Quote from: kjj on July 17, 2013, 11:07:39 AM
The satoshi client is only broken if you got that hex as the output of signrawtransaction.
So the satoshi client can just troll around and smash things up, so no other client gets a fair chance to be able to create transactions.
https://github.com/bitcoin/bitcoin/blob/master/src/script.cpp#L261 <-- this is where the satoshi client fail. the client is bad, and sipa(the dev who commited this) should feel bad.
kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 11:08:32 AM
#62
Quote from: jackjack on July 17, 2013, 10:58:35 AM
Why should Bitcoin protocol accept all openssl formats?

What we need is a protocol, not mad people whining in a forum. That sure won't make them change.

the fix in the satoshi client includes this:
Code:
   // See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
    // A canonical signature exists of: <30> <02> <02>
    // Where R and S are not negative (their first byte has its highest bit not set), and not
    // excessively padded (do not start with a 0 byte, unless an otherwise negative number follows,
    // in which case a single 0 byte is necessary and even required).

a link to this thread, is not the way of creating a good protocol standard.
Again:
bitcoin is a big hack job, create a standard and stick too it.

btw. would you please include my transaction in a block?
kjj
legendary
Activity: 1302
Merit: 1026
Re: New Attack Vector
July 17, 2013, 11:07:39 AM
#61
Quote from: kokjo on July 17, 2013, 11:04:31 AM
Quote from: Pieter Wuille on July 17, 2013, 10:49:46 AM
@kokjo: mind sharing the code how to embed the OpenSSL-created signature into a sigScript? I expect the problem is caused by how you wrap/pad it, rather than with the signature itself.
Code:
sc = [script.OP_PUSH(sig+"\x01"), script.OP_PUSH(key.publickey)]
tx.inputs[0].script = script.encode_script(sc)

as said before its the statoshi clients problem, not me generating bad(wrongly padded) signatures. i already have tracked down the problem in the satoshi client.

I decoded the transaction you provided by hand.  It is wrong, and I told you where it was wrong.

The satoshi client is only broken if you got that hex as the output of signrawtransaction.
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 11:05:39 AM
#60
Quote from: kokjo on July 17, 2013, 11:04:31 AM
wasn't that the guy that put prayers in the blockchain?

I think i have trolled him a bit too much to ask him to accept my transaction with out appropriate fees, and the satoshi client will not accept the transaction unless its over 11 months old.
No - then don't ask him. Just find the IP of his node and send it there...
gmaxwell
staff
Activity: 4284
Merit: 8808
Re: New Attack Vector
July 17, 2013, 11:05:06 AM
#59
Quote from: jackjack on July 17, 2013, 10:58:35 AM
What we need is a protocol, not mad people whining in a forum. That sure won't make them change.
There is a formal specification for the signature encoding being used. That didn't stop OpenSSL from accepting weirdly encoded signatures. In most kinds of applications it doesn't matter— in the context of a distributed consensus algorithm being overly permissive in what you accept can be a devistaing global consensus failure producing vulnerability.  Practically every blockchain behavior which you'd normally specify has this kind of tight bounding. It's a fairly unusual challenge— the coupling in Bitcoin is much tighter than other protocols, even network routing protocols.

kokjo
legendary
Activity: 1050
Merit: 1000
You are WRONG!
Re: New Attack Vector
July 17, 2013, 11:04:31 AM
#58
Quote from: Pieter Wuille on July 17, 2013, 10:49:46 AM
@kokjo: mind sharing the code how to embed the OpenSSL-created signature into a sigScript? I expect the problem is caused by how you wrap/pad it, rather than with the signature itself.
Code:
sc = [script.OP_PUSH(sig+"\x01"), script.OP_PUSH(key.publickey)]
tx.inputs[0].script = script.encode_script(sc)

as said before its the statoshi clients problem, not me generating bad(wrongly padded) signatures. i already have tracked down the problem in the satoshi client.

Quote from: piotr_n on July 17, 2013, 10:54:09 AM
but the bottom line is: your transaction might get mined after all.
send it to luke-jr - he seems to be running the most liberal mining node out there. or mine it yourself Smiley

wasn't that the guy that put prayers in the blockchain?

I think i have trolled him a bit too much to ask him to accept my transaction with out appropriate fees, and the satoshi client will not accept the transaction unless its over 11 months old.
jackjack
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
Re: New Attack Vector
July 17, 2013, 10:58:35 AM
#57
Why should Bitcoin protocol accept all openssl formats?

What we need is a protocol, not mad people whining in a forum. That sure won't make them change.
piotr_n
legendary
Activity: 2053
Merit: 1356
aka tonikt
Re: New Attack Vector
July 17, 2013, 10:54:09 AM
#56
but the bottom line is: your transaction might get mined after all.
send it to luke-jr - he seems to be running the most liberal mining node out there.
or mine it yourself, if the copper feeding electricity to your house is thick enough Smiley

as long as the blockchain protocol allows it, I don't mind any software to reject relaying any transaction, by its own subjective rules.
Pieter Wuille
legendary
Activity: 1072
Merit: 1181
Re: New Attack Vector
July 17, 2013, 10:49:46 AM
#55
@kokjo: mind sharing the code how to embed the OpenSSL-created signature into a sigScript? I expect the problem is caused by how you wrap/pad it, rather than with the signature itself.
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: