Pages:
Author

Topic: Reused R values again - page 6. (Read 121295 times)

full member
Activity: 168
Merit: 103
December 19, 2014, 11:55:40 AM
I robot that scans new transactions (timestamped or not), awsome! 

The thief's transaction was even in the same block. That thief was quick.
full member
Activity: 164
Merit: 126
Amazing times are coming
December 19, 2014, 10:44:06 AM

They were sent to this address at approximatly 00:50:20 GMT 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
Within 17 seconds of me depositing 100 btc into my account they were stolen and transfered to another address without me even being logged into the blockchain wallet servce.


I robot that scans new transactions (timestamped or not), awsome! 
sr. member
Activity: 431
Merit: 261
December 19, 2014, 09:06:45 AM
The Blockchain.info issue should be fixed by now.  There are still coming some bad transactions but they dwindled down to one or two per day.  Also there are still transactions to the broken addresses, which usually get sweeped by either amaclin or bc.i or others, whoever is fastest.

I wanted to do a little after-math of how much money was moved by whom.  It is hard to get exact numbers.  Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses.  I think every item on the following list is correct but there may be more.

  • 870.7 BTC saved by me (they went through 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP)
  • 105.9 BTC stolen by 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
  • 53.0 BTC saved by Blockchain.info
  • 36.2 BTC stolen by various 1xy and 1aa addresses.
  • 3.7 BTC saved by bithernet (1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh), not yet returned
  • 0.24 + 0.084 + 0.016 BTC stolen by 1824bso2XgKTm7XThA75A2gdMpt3jSxW5M, 15hM4CMs7JZ3JjQHmvGhS4NKSsqhKMsQXu, and 1MKSWH9pShsLdV54cRLDQ9JKarsjXK4ms5

That's about 1070 BTC total.
Did I forget something important?   For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.


Thanks!
full member
Activity: 217
Merit: 259
December 19, 2014, 09:04:30 AM
The Blockchain.info issue should be fixed by now.  There are still coming some bad transactions but they dwindled down to one or two per day.  Also there are still transactions to the broken addresses, which usually get sweeped by either amaclin or bc.i or others, whoever is fastest.

I wanted to do a little after-math of how much money was moved by whom.  It is hard to get exact numbers.  Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses.  I think every item on the following list is correct but there may be more.

  • 870.7 BTC saved by me (they went through 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP)
  • 105.9 BTC stolen by 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
  • 53.0 BTC saved by Blockchain.info
  • 36.2 BTC stolen by various 1xy and 1aa addresses.
  • 3.7 BTC saved by bithernet (1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh), not yet returned
  • 0.24 + 0.084 + 0.016 BTC stolen by 1824bso2XgKTm7XThA75A2gdMpt3jSxW5M, 15hM4CMs7JZ3JjQHmvGhS4NKSsqhKMsQXu, and 1MKSWH9pShsLdV54cRLDQ9JKarsjXK4ms5

That's about 1070 BTC total.
Did I forget something important?   For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.
hero member
Activity: 584
Merit: 500
December 18, 2014, 03:04:08 PM
... If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?

https://github.com/blockchain/My-Wallet/commit/98d5a7ca59ef04d06ac6aee468634b12975a0f5c

In a nutshell, just poor seeding of the RNG.

Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds. Each of the 256 possible seeds produces its own sequence of numbers (which you can assign to some variable, for example k or d, etc) which can be used for secp256k1 point multiplication.

secp256k1: (G=base point, k=ECDSA nonce, d=private key)
point R = k*G (used for ECDSA: k and x-coordinate)
point Q = d*G (public key)

// Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {
  var i, j, t;
  for(i = 0; i < 256; ++i)
    this.S = i;
  j = 0;
  for(i = 0; i < 256; ++i) {
    j = (j + this.S + key[i % key.length]) & 255;
    t = this.S;
    this.S = this.S[j];
    this.S[j] = t;
  }
  this.i = 0;
  this.j = 0;
}


Thanks, very informative. I assume then that the problem is fixed at the Blockchain.info end.

The earlier issue was due to counterwallet. Does that mean that Blcokchain.info has no issues now?
full member
Activity: 168
Merit: 103
December 18, 2014, 02:55:07 PM
Okay, I hope everybody closed the browser tab with the blockchain.info wallet that he opened 10 days ago. Because now everyone following this topic will implement his own rng cracker.

It would be more important that wallets start implementing RFC6979-style signatures, otherwise these kind of bugs will always come up.
full member
Activity: 164
Merit: 126
Amazing times are coming
December 18, 2014, 02:31:42 PM
The prng code is 30 lines.  It was trivial to resolve the few syntactic differences by hand.

Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer. Smiley


But a C++ program is a C program encrypted with a very strong encryption method.  Cheesy

+1. It is my favourite write-only language after perl  Grin
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 18, 2014, 01:45:07 PM
But a C++ program is a C program encrypted with a very strong encryption method.  Cheesy

Hmm... well I know this is a joke but I do hope others know that C++ is not just C with some additions (they are almost as different as Java and JavaScript).
hero member
Activity: 910
Merit: 1003
December 18, 2014, 01:41:13 PM
The prng code is 30 lines.  It was trivial to resolve the few syntactic differences by hand.

Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer. Smiley


But a C++ program is a C program encrypted with a very strong encryption method.  Cheesy
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 18, 2014, 12:13:51 PM
The prng code is 30 lines.  It was trivial to resolve the few syntactic differences by hand.

Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer. Smiley
full member
Activity: 217
Merit: 259
December 18, 2014, 12:08:48 PM
I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler.

Did you use some special tool to do this (as JavaScript has nothing to do with Java and I am pretty sure trying to change JavaScript into C++ would be no simple task without a very specialised tool so I can't see how changing it into Java would actually be much easier)?


I used emacs Cheesy The prng code is 30 lines.  It was trivial to resolve the few syntactic differences by hand.

Okay, I hope everybody closed the browser tab with the blockchain.info wallet that he opened 10 days ago. Because now everyone following this topic will implement his own rng cracker.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 18, 2014, 11:35:11 AM
I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler.

Did you use some special tool to do this (as JavaScript has nothing to do with Java and I am pretty sure trying to change JavaScript into C++ would be no simple task without a very specialised tool so I can't see how changing it into Java would actually be much easier)?
full member
Activity: 217
Merit: 259
December 18, 2014, 09:55:50 AM

I just extracted the important parts from the javascript file.  I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly.  All I had to simulate was the prng (which is more or less the standard rc4 stream cipher).  So I first tried to get the numbers from the prng initialized with zeros.  When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.

I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain.  When this was successful I knew I had the right solution.

There were still some unknowns, e.g., there are two candidates for k.  First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth.  When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions.  It took some time until I realized that I had to play with the initialization of the prng.


Is this all browser dependable, on how many browser have you tested? Do you get the same k values in all browsers?

You misunderstand.  I didn't test it in a browser, I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler.  But JavaScript is standardized; the particular behavior with NaN and undefined should be handled by all compliant browser in the same way.

The k values are actually computed by my program that breaks keys with reused R values in signatures (also written in Java).  Computing the k value is an important step to get the private key.  It is only possible if R is reused, but I had enough reused R values that I knew at least some of the k values.  And I knew that the k value must haven been produced by the random number generator directly.

That there are two possible k values is because of the way ECDSA works.  They compute the point k*G, and take its x coordinate. This is the r value (Personally, I usually use R to denote k*G but when I say R value in this thread I refer to the x coordinate of R).   There are two points on the curve with the same x coordinate, namely  k*G and -k*G.  So there is no way to know the sign of k.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
December 18, 2014, 09:13:06 AM

I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?

JavaScript has strange semantics.

If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.

I just extracted the important parts from the javascript file.  I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly.  All I had to simulate was the prng (which is more or less the standard rc4 stream cipher).  So I first tried to get the numbers from the prng initialized with zeros.  When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.

I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain.  When this was successful I knew I had the right solution.

There were still some unknowns, e.g., there are two candidates for k.  First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth.  When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions.  It took some time until I realized that I had to play with the initialization of the prng.


Is this all browser dependable, on how many browser have you tested? Do you get the same k values in all browsers?
full member
Activity: 217
Merit: 259
December 18, 2014, 07:51:21 AM

I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?

JavaScript has strange semantics.

If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.

I just extracted the important parts from the javascript file.  I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly.  All I had to simulate was the prng (which is more or less the standard rc4 stream cipher).  So I first tried to get the numbers from the prng initialized with zeros.  When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.

I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain.  When this was successful I knew I had the right solution.

There were still some unknowns, e.g., there are two candidates for k.  First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth.  When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions.  It took some time until I realized that I had to play with the initialization of the prng.
hero member
Activity: 599
Merit: 500
December 18, 2014, 07:32:30 AM

I'm a little confused with all the tech junks that is being talked about here. Can u plz tell me in simple terms that if I use blockchain.info to create an address, download the paper wallet containing the private key and keep it and the password safe, then am I secured ?

I can see gmaxwell was talking about some try-catch which may kill the entropy in the seed. Is that present in blockchain.info as well ?

You better use an offline copy of bitaddress to generate your paper wallet.

https://bitcoinpaperwallet.com
https://www.bitaddress.org

i try this today
20 min download ubuntu and the wallets on 2nd USB , 20 min to add it to a USB , Boot up Ubuntu and print , would take any one less then 1hr from start to finish
sr. member
Activity: 278
Merit: 250
December 17, 2014, 05:29:04 PM
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.

I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?



I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?

JavaScript has strange semantics.


That's correct. Even though by specification NaN is Not-a-Number, that memory location (key[i % 0]) still holds some unknown value. So when modulo 256 ((key[1 % 0]) & 255) , it should return some number less than 256.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
December 17, 2014, 04:01:31 PM
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.

I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?



I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?

JavaScript has strange semantics.

If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.
legendary
Activity: 1260
Merit: 1019
December 17, 2014, 03:57:09 PM
Quote
I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?
This is brainfuck.
full member
Activity: 217
Merit: 259
December 17, 2014, 03:54:06 PM
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.

I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?



I solved this by try and error.  But now I get it.  key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++  returns NaN on undefined and NaN.   Is this correct?

JavaScript has strange semantics.
Pages:
Jump to: