
Topic: NXT Coin Security - page 5. (Read 8426 times)

legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 02:49:56 PM
#19
Quote
Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

No. That requires little changes.
full member
Activity: 238
Merit: 100
December 10, 2013, 02:49:51 PM
#18
Yes it seems all it takes is the correct passphrase to open any wallet.  

I learned that the hard way, lost just about 30,000 nxt because my password was too easy. I saw in front of my eyes someone send my coins to a new account.  I've triple checked my machine and there is no back door or keylogger (if there was I think they would have gone for my btc first before the nxt anyday).  Someone used the same password as me and therefore they were able to spend all my coins.  

I didn't understand that the password was network wide, I thought it was local to my machine only so it was simple, despite the warning.



legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 02:48:29 PM
#17
Quote
I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

Ok, I'll repeat again. Add some math. What are the odds that u get the same address within a short period of time?
newbie
Activity: 52
Merit: 0
December 10, 2013, 02:47:07 PM
#16
Quote
Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

This is my thought exactly and if the dev wants NXT to grow and stick around, they need to fix this. I was just thinking about this yesterday. Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

Edit: Never mind, just read the dev's response. Although I must say it is somewhat misleading for those who don't know that part of the address is hidden. I'm guessing the reason for this is that your mapping system isn't alphanumerical, thus to make things easier on the eyes you provide only that.

But what would happen if the first 20 digits of two addresses happen to be the same, and someone sends NXT to that address? That still seems risky of a conflict occurring.
legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 02:44:20 PM
#15
Quote
You spoke good enough English in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?

Did u read my answer on nextcoin.org? I bet no, coz u again compare 10^24 apples with 10^20 oranges.
sr. member
Activity: 432
Merit: 500
December 10, 2013, 02:42:29 PM
#14
This from the NXT thread:


I can't work out whether you're intentionally lying or just wrong....

Tell me how I need the full 256 bit private key to access my coins?

Because the way I see it is that with only 10^20 possible RECEIVING addresses and MANY MANY more possibilities for passwords, then multiple passwords MUST have the same receiving addresses. Therefore if you send NXT to one receiving address, many many passwords will open a wallet that will have received those same coins.

Yes, many passphrases will open that account but only 1 will be able to spend the coins. Coz software checks that all 256 bits match.




Again, is this a lie or misunderstanding?

Tell me this:

You and I both have our own passwords, each happens to create the same 20 digit wallet number.

I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

We both open our wallets using our different passwords, both show our public address to be 111111111111111111111

Now, who sees which coins?

Do I see 1000 NXT and you see 2000 NXT, do we both see 3000 NXT?

If it's the former, how did NXT know you should receive 2000 and me 1000 just from our public addresses?

The fact is, it didn't.

The coins are sent to a public address that can be created by more than 1 password. How is that secure?
sr. member
Activity: 432
Merit: 500
December 10, 2013, 02:40:06 PM
#13
You spoke good enough English in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?
legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 02:29:40 PM
#12

Quote
So how does that affect chances of collision?

I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.

I did answer ur questions. Sorry, but my English is not so good to explain something that requires knowledge of statistics or crypto. Any chance u speak Russian?
sr. member
Activity: 432
Merit: 500
December 10, 2013, 02:24:20 PM
#11

So how does that affect chances of collision?

I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.
legendary
Activity: 980
Merit: 1000
December 10, 2013, 02:21:46 PM
#10
This thing has been a poorly designed cashgrab since day 1.
legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 02:13:18 PM
#9
sr. member
Activity: 317
Merit: 250
December 10, 2013, 02:06:06 PM
#8
Quote
Isn't it 1-20 digits for account?
Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

Here is 16 digits
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337
legendary
Activity: 2142
Merit: 1010
Newbie
December 10, 2013, 01:57:20 PM
#7
Quote
Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

U should post here ur math from nextcoin.org. It will make someone's day. Smiley
sr. member
Activity: 432
Merit: 500
December 10, 2013, 01:54:17 PM
#6
Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.
full member
Activity: 224
Merit: 100
December 10, 2013, 01:39:11 PM
#5
Quote
Isn't it 1-20 digits for account?
Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.
sr. member
Activity: 317
Merit: 250
December 10, 2013, 01:33:44 PM
#4
Isn't it 1-20 digits for account?
full member
Activity: 224
Merit: 100
December 10, 2013, 01:31:27 PM
#3
I won't speak on how many hash collisions there are without doing the math myself but one thing I'd like to point out is that NXT addresses can be 18 to 20 digits long (As far as I know that is, the gap could be bigger). This increases the amount of possible addresses significantly.
full member
Activity: 168
Merit: 100
December 10, 2013, 01:29:30 PM
#2
Quote
What am I missing here?
An opportunity to make lots of money.
sr. member
Activity: 432
Merit: 500
December 10, 2013, 01:24:33 PM
#1
Can someone here with better knowledge re Cryptography and security than me (or anyone on NXT forum it seems) please answer this:

NXT receiving address is 20 characters long made up of only numbers - therefore 10^20 combinations.

Passwords to open wallets can be many more characters, therefore many many more combinations to open only 10^20 possible wallets.

Secret phrase can be any 100 unicode chars.

SHA256(secret_phrase) gives private key.
Curve25519(private_key) gives public key.
SHA256(public_key) gives account id.
First 64 bits give VISIBLE account id.


Now, if I send coins to one account using their VISIBLE account ID (20 characters long) which is all that is required with NXT, then multiple passwords can open a wallet with the SAME visible account ID.

Apparently, the first account to send those coins on has ownership.

What am I missing here?
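
The derivation chain quoted in post #1 and the two-users-one-address scenario from post #14, worked through as an added example (not code from the thread or from the NXT software). It shows two different passphrases landing on the same visible id and only the first full public key to spend being accepted afterwards. Assumptions: the 64-bit id is read little-endian, `Ledger` is a hypothetical model of the rule described in the thread, and a 12-bit toy id space with constructed passphrases stands in for 64 bits so the collision appears quickly.

```python
import hashlib

P = 2**255 - 19  # Curve25519 field prime

def x25519_base(k: bytes) -> bytes:
    """RFC 7748 X25519 on the base point u=9, with standard scalar clamping."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(passphrase: str) -> bytes:
    return x25519_base(hashlib.sha256(passphrase.encode()).digest())

def visible_id(pub: bytes, bits: int = 64) -> int:
    # Assumption: first 8 digest bytes read little-endian; bits < 64 is a toy id space.
    return int.from_bytes(hashlib.sha256(pub).digest()[:8], "little") % (1 << bits)

class Ledger:
    """Hypothetical model: an id is bound to the first public key that spends."""
    def __init__(self, bits: int = 64):
        self.bits, self.owner, self.balance = bits, {}, {}
    def credit(self, vid: int, amount: int):
        self.balance[vid] = self.balance.get(vid, 0) + amount
    def spend(self, pub: bytes, amount: int) -> bool:
        vid = visible_id(pub, self.bits)
        if self.owner.get(vid, pub) != pub or self.balance.get(vid, 0) < amount:
            return False  # id already bound to another full key, or no funds
        self.owner[vid] = pub
        self.balance[vid] -= amount
        return True

def colliding_pair(bits: int = 12):
    """Two constructed passphrases whose toy-size visible ids collide."""
    seen = {}
    for i in range(2**bits + 1):
        pub = public_key(f"constructed-demo-{i}")
        other = seen.setdefault(visible_id(pub, bits), pub)
        if other != pub:
            return other, pub
```

Crediting 1000 and 2000 to the shared toy id yields one balance of 3000; once one of the two keys has spent, `spend` with the other key returns `False` because the full public key no longer matches.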