Researchers describe a way of hacking Brain Wallet

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

Quote from: honeysyd on February 17, 2016, 06:05:19 AM

What I understand from threads, a brain wallet is not safe and can be hacked. What about a seed wallet (e.g., Trezor)? Is it safe?

brain wallet can only be hacked because many people choose pass phrases that are easy to brute force. If it is easy for you to remember then it likely can be brute forced, and brain wallets are about being easy to remember.

With respect to "seed wallet" if the seed is secure then the addresses generated from the seed are secure.

I believe the way Trezor generates the seed is probably secure if it has enough entropy. I suspect it does, but it is a low power device and sometimes low power devices don't. I believe though the Trezor has a way to add external entropy to it.

Trezor really should only be used for long term storage, it really is a pain in the ass to use for day to day spending.

honeysyd

newbie

Activity: 30

Merit: 0

What I understand from threads, a brain wallet is not safe and can be hacked. What about a seed wallet (e.g., Trezor)? Is it safe?

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

Quote from: Amph on February 15, 2016, 03:23:14 AM

Quote from: AliceWonderMiscreations on February 14, 2016, 07:57:07 AM

Private keys can be hacked if you pRNG is flawed.

In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result.

Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher.

they should use a hardware random number generator instead, since it much more akin to a real casual generation than anything else

The android problem I believe was caused by using non blocking entropy source instead of blocking entropy source.

Long term keys should always use /dev/random and /dev/urandom should be used for short term session keys.

Android does some java wrapper to access the kernel entropy pool and if I remember it wasn't obvious how to make it use the blocking instead of non-blocking.

With Linux anyway, you can have a hardware entropy source feed /dev/random so that's what programmers should read entropy from, it is up to the hardware admin whether or not an external entropy source helps to feed it. Smart phones obviously don't have that. PCs I believe there are some that use USB that easily connect but I've never used them.

And with Linux it saves unused entropy as a seed so using /dev/urandom is usually safe if the system install is not fresh but I believe the java layer thing in Android did not do that.

I don't do mobile apps but I believe what happened with Android is the java layer always uses /dev/urandom but Android doesn't save the seed from unused entropy so you had to specifically seed it before using it and the android bitcoin client (and browsers for tls connections) didn't.

Amph

legendary

Activity: 3248

Merit: 1070

Quote from: AliceWonderMiscreations on February 14, 2016, 07:57:07 AM

Private keys can be hacked if you pRNG is flawed.

In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result.

Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher.

they should use a hardware random number generator instead, since it much more akin to a real casual generation than anything else

Kakmakr

legendary

Activity: 3542

Merit: 1965

Leading Crypto Sports Betting & Casino Platform

We all know this is BS, but the average Joe do not know this and we need to stop this kind of reporting. We should have a army of people spreading the truth about Bitcoin and creating articles to counter this FUD. We can complain in forums like this, but it will not reach the average Joe.

Our strategy should be to create more positive content than negative content to a ratio of 5 : 1

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

It wastes entropy but since I run haveged not really a problem - this is what I actually do when generating a private key outside my wallet

Code:

def randomHexAlphabet():
   a = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f']
   for i in range(0, random.randint(27,45)):
   random.shuffle(a)
   return a

def randomByte():
   a = randomHexAlphabet()
   with open("/dev/random", 'rb') as f:
   m = hashlib.md5()
   data = f.read(32)
   m.update(data)
   rhash = m.hexdigest()
   rnum = int(rhash[16:-12], 16)
   rnom = rnum % 256
   return a[rnom % 16] + a[rnom / 16]

I can generate any hex string a byte at a time and since there is activity between generation of each byte (the shuffling of the hex alphabet), the read from /dev/random is not sequential.

EDIT

The %256 isn't needed, it will always be the last byte of the two bytes read from the md5sum.
Things you don't see until you read it outside of a text editor...

European Central Bank

legendary

Activity: 1288

Merit: 1087

They're hacking human dumbness. That's way more predictable and less secure than anything genuinely randomly generated.

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

Quote from: jonald_fyookball on February 14, 2016, 10:45:56 AM

Quote from: AliceWonderMiscreations on February 14, 2016, 07:57:07 AM

Private keys can be hacked if you pRNG is flawed.

In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result.

Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher.

Thats why the ultimate form of cold storage involves generating physical entropy to eliminate this attack vector.

Physical entropy is also sometimes not very random.

I have no clue about windows, but /dev/random on Linux is a blocking entropy pool and the problems in Linux usually come from /dev/urandom being used fresh after install without enough of a seed because the install is fresh.

The distributions often use /dev/urandom because they don't want users to have to be forced to wait - waiting can be a problem for example when generating the ssh keys on first boot. /dev/urandom is probably good enough for short term one use keys but long term like ssh keys, TLS keys for x509 certs, and bitcoin private keys really should be using /dev/random even if it means the user has to wait because there's not enough entropy.

Bigger problem on servers where there isn't keyboard / mouse / sound card.

jonald_fyookball

legendary

Activity: 1302

Merit: 1008

Core dev leaves me neg feedback #abuse #political

Quote from: AliceWonderMiscreations on February 14, 2016, 07:57:07 AM

Private keys can be hacked if you pRNG is flawed.

In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result.

Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher.

Thats why the ultimate form of cold storage involves generating physical entropy to eliminate this attack vector.

jonald_fyookball

legendary

Activity: 1302

Merit: 1008

Core dev leaves me neg feedback #abuse #political

Quote from: bitbaby on February 14, 2016, 04:54:07 AM

Cracking brain wallets with weak pass phrases is same as cracking online accounts such as email/social-media/etc, which is why brain wallets are not recommended. Who ever tells you that bitcoin private keys can be cracked, tell them to go ahead and do it, instead of telling you.

actually its worse. With online accounts, you can slow down the number of attempts with captchas, IP blocking, etc. But with private keys, you are free to throw as much computing power at it as you want. That is one reason that extra care should be taken with Bitcoin.

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

When I generated vanity addresses, I just read from /dev/urandom until private key resulting from hashing the data gave me the address I wanted.

Actually what I did is put every address into a database and then looked through the database containing millions of addresses until I found ones that looked neat.

I doubt they can be cracked any easier than non vanity addresses. The 25 byte hex address has nothing about it that is vanity, and that's what has to be cracked. Well, the ripemd160 part of it.

franky1

legendary

Activity: 4424

Merit: 4794

Quote from: xqus on February 14, 2016, 08:07:47 AM

Quote from: franky1 on February 14, 2016, 07:58:54 AM

Quote from: tobacco123 on February 14, 2016, 07:16:40 AM

If private key can be hacked, then that will be the end of bitcoin.

Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF

vanity addresses are easier to hack compared to totally random addresses..

imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps.
some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps.

vanity addresses have more entropy than a brain wallet. but not as much as totally random

That is true, but not that easy. It's not like since it took half an hour to generate an address with for example the first 4 characters predefined, it will take a looooooooooot longer to generate they key for one specific address.

if the original owner of 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF used a dodgy vanitygen that had a nonce that started at 0
then for someone else, they too can use that same program and generate it in the same time.

however
if the original owner of 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF used a good vanitygen that had a nonce that started at RANDOM+X
then for someone else, just to find 1Feex would give for examlple
1FeexGFqW9sb6uQMjJrcV6bAHb8ybZjCrH
1FeexqW9sb6uQMbZjCrHG6bAHbFjJrcV8y
1FeexQMbZjCqW6urH9sbAH8ybFjJrcVG6b
over an hour and a half period. and it would take YEARS (even grand children would be pensioners) by the time they happen upon
1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF

depending ofcourse on how much entropy RANDOM was

Pursuer

legendary

Activity: 1638

Merit: 1163

Where is my ring of blades...

for the love of god some mod change this topic's topic!
OP is spreading FUD (with or without purpose) with only removing a simple word of "Brainwallet" from the news. there is a lot of new users that are going to panic by reading this stuff and the article on cryptocoinsnews itself does not help either, they don't care as long as they receive traffic to their news site.

xqus

full member

Activity: 172

Merit: 100

Quote from: franky1 on February 14, 2016, 07:58:54 AM

Quote from: tobacco123 on February 14, 2016, 07:16:40 AM

If private key can be hacked, then that will be the end of bitcoin.

Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF

vanity addresses are easier to hack compared to totally random addresses..

imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps.
some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps.

vanity addresses have more entropy than a brain wallet. but not as much as totally random

That is true, but not that easy. It's not like since it took half an hour to generate an address with for example the first 4 characters predefined, it will take a looooooooooot longer to generate they key for one specific address.

NorrisK

legendary

Activity: 1946

Merit: 1007

This type of news is just spreading fear to people who are not familiar with the technology. Although it may make them think twice about the type of seed they use (not made up yourself), it is still confusing for most.

It is an idditional reason I like the system of a trezor for instance. 20 random words you have no control over to pick and in addition you can add a password or as many passwords to it which act like a salt at the end of your seed for every private key derived from the seed. If you spread your coins around multiple added salts it is basically impossible to crack. (they'd have to guess the 20 words correctly and than a completely unrelated and random salt, good luck).

franky1

legendary

Activity: 4424

Merit: 4794

Quote from: tobacco123 on February 14, 2016, 07:16:40 AM

If private key can be hacked, then that will be the end of bitcoin.

Come, hack this address : 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF

vanity addresses are easier to hack compared to totally random addresses..

imagine it. if it only took you half an hour for the owner to gen that address.. it wont take long for someone else to follow the same steps.
some of the flaws of vanity address is that some coders base it from the same starting nonce(not random initially).. so others can follow the same steps.

vanity addresses have more entropy than a brain wallet. but not as much as totally random

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

Quote from: Anddos on February 14, 2016, 07:52:20 AM

Such threads are pointless and only create panic and discomfort.

The bliss of ignorance is much better.

AliceWonderMiscreations

full member

Activity: 182

Merit: 107

Private keys can be hacked if you pRNG is flawed.

In fact I believed it happened with the Android bitcoin client where actual value was stolen as a result.

Flawed pRNG is analogous to a brain wallet but you are not likely to know your pRNG is flawed until it is disclosed by a security researcher.

Anddos

sr. member

Activity: 378

Merit: 250

Such threads are pointless and only create panic and discomfort.

Mickeyb

hero member

Activity: 798

Merit: 1000

Move On !!!!!!

Quote from: lister storm on February 14, 2016, 07:16:50 AM

it is impossible to hack a wallet with a good password, i dont think that they found out something new

This guy from yobit knows everything, and we were all thinking addresses are made with random private keys, nope we use "good passwords"

Topic: Researchers describe a way of hacking Brain Wallet (Read 2891 times)