I robot that scans new transactions (timestamped or not), awsome!
The thief's transaction was even in the same block. That thief was quick.
Topic: Reused R values again - page 6. (Read 121128 times)
The thief's transaction was even in the same block. That thief was quick.
- 105.9 BTC stolen by 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
They were sent to this address at approximatly 00:50:20 GMT 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
Within 17 seconds of me depositing 100 btc into my account they were stolen and transfered to another address without me even being logged into the blockchain wallet servce.
I robot that scans new transactions (timestamped or not), awsome!
The Blockchain.info issue should be fixed by now. There are still coming some bad transactions but they dwindled down to one or two per day. Also there are still transactions to the broken addresses, which usually get sweeped by either amaclin or bc.i or others, whoever is fastest.
I wanted to do a little after-math of how much money was moved by whom. It is hard to get exact numbers. Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses. I think every item on the following list is correct but there may be more.
That's about 1070 BTC total.
Did I forget something important? For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.
I wanted to do a little after-math of how much money was moved by whom. It is hard to get exact numbers. Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses. I think every item on the following list is correct but there may be more.
- 870.7 BTC saved by me (they went through 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP)
- 105.9 BTC stolen by 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
- 53.0 BTC saved by Blockchain.info
- 36.2 BTC stolen by various 1xy and 1aa addresses.
- 3.7 BTC saved by bithernet (1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh), not yet returned
- 0.24 + 0.084 + 0.016 BTC stolen by 1824bso2XgKTm7XThA75A2gdMpt3jSxW5M, 15hM4CMs7JZ3JjQHmvGhS4NKSsqhKMsQXu, and 1MKSWH9pShsLdV54cRLDQ9JKarsjXK4ms5
That's about 1070 BTC total.
Did I forget something important? For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.
Thanks!
The Blockchain.info issue should be fixed by now. There are still coming some bad transactions but they dwindled down to one or two per day. Also there are still transactions to the broken addresses, which usually get sweeped by either amaclin or bc.i or others, whoever is fastest.
I wanted to do a little after-math of how much money was moved by whom. It is hard to get exact numbers. Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses. I think every item on the following list is correct but there may be more.
That's about 1070 BTC total.
Did I forget something important? For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.
I wanted to do a little after-math of how much money was moved by whom. It is hard to get exact numbers. Often I have no way to know whether a transaction is legitimate or if someone is stealing money from weak addresses. I think every item on the following list is correct but there may be more.
- 870.7 BTC saved by me (they went through 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP)
- 105.9 BTC stolen by 1M77fUCzQrmY8jHRRgpzDVPAK5eQ31bwxZ
- 53.0 BTC saved by Blockchain.info
- 36.2 BTC stolen by various 1xy and 1aa addresses.
- 3.7 BTC saved by bithernet (1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh), not yet returned
- 0.24 + 0.084 + 0.016 BTC stolen by 1824bso2XgKTm7XThA75A2gdMpt3jSxW5M, 15hM4CMs7JZ3JjQHmvGhS4NKSsqhKMsQXu, and 1MKSWH9pShsLdV54cRLDQ9JKarsjXK4ms5
That's about 1070 BTC total.
Did I forget something important? For all I know, there could be 100 BTC sweeped to various addresses, or the list could be complete.
... If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?
https://github.com/blockchain/My-Wallet/commit/98d5a7ca59ef04d06ac6aee468634b12975a0f5c
In a nutshell, just poor seeding of the RNG.
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds. Each of the 256 possible seeds produces its own sequence of numbers (which you can assign to some variable, for example k or d, etc) which can be used for secp256k1 point multiplication.
secp256k1: (G=base point, k=ECDSA nonce, d=private key)
point R = k*G (used for ECDSA: k and x-coordinate)
point Q = d*G (public key)
// Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {
var i, j, t;
for(i = 0; i < 256; ++i)
this.S = i;
j = 0;
for(i = 0; i < 256; ++i) {
j = (j + this.S + key[i % key.length]) & 255;
t = this.S;
this.S = this.S[j];
this.S[j] = t;
}
this.i = 0;
this.j = 0;
}
Thanks, very informative. I assume then that the problem is fixed at the Blockchain.info end.
The earlier issue was due to counterwallet. Does that mean that Blcokchain.info has no issues now?
Okay, I hope everybody closed the browser tab with the blockchain.info wallet that he opened 10 days ago. Because now everyone following this topic will implement his own rng cracker.
It would be more important that wallets start implementing RFC6979-style signatures, otherwise these kind of bugs will always come up.
The prng code is 30 lines. It was trivial to resolve the few syntactic differences by hand.
Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer.
But a C++ program is a C program encrypted with a very strong encryption method.
+1. It is my favourite write-only language after perl
But a C++ program is a C program encrypted with a very strong encryption method.
Hmm... well I know this is a joke but I do hope others know that C++ is not just C with some additions (they are almost as different as Java and JavaScript).
The prng code is 30 lines. It was trivial to resolve the few syntactic differences by hand.
Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer.
But a C++ program is a C program encrypted with a very strong encryption method.
The prng code is 30 lines. It was trivial to resolve the few syntactic differences by hand.
Hmm... I used to test potential employees with less than 30 lines of C++ that only one out of one hundred understood perfectly so I guess that you must be an extremely good programmer.
I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler.
Did you use some special tool to do this (as JavaScript has nothing to do with Java and I am pretty sure trying to change JavaScript into C++ would be no simple task without a very specialised tool so I can't see how changing it into Java would actually be much easier)?
I used emacs
The prng code is 30 lines. It was trivial to resolve the few syntactic differences by hand.Okay, I hope everybody closed the browser tab with the blockchain.info wallet that he opened 10 days ago. Because now everyone following this topic will implement his own rng cracker.
I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler.
Did you use some special tool to do this (as JavaScript has nothing to do with Java and I am pretty sure trying to change JavaScript into C++ would be no simple task without a very specialised tool so I can't see how changing it into Java would actually be much easier)?
I just extracted the important parts from the javascript file. I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly. All I had to simulate was the prng (which is more or less the standard rc4 stream cipher). So I first tried to get the numbers from the prng initialized with zeros. When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.
I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain. When this was successful I knew I had the right solution.
There were still some unknowns, e.g., there are two candidates for k. First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth. When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions. It took some time until I realized that I had to play with the initialization of the prng.
Is this all browser dependable, on how many browser have you tested? Do you get the same k values in all browsers?
You misunderstand. I didn't test it in a browser, I copied the JavaScript code and changed it into a Java program so that it would go through my Java compiler. But JavaScript is standardized; the particular behavior with NaN and undefined should be handled by all compliant browser in the same way.
The k values are actually computed by my program that breaks keys with reused R values in signatures (also written in Java). Computing the k value is an important step to get the private key. It is only possible if R is reused, but I had enough reused R values that I knew at least some of the k values. And I knew that the k value must haven been produced by the random number generator directly.
That there are two possible k values is because of the way ECDSA works. They compute the point k*G, and take its x coordinate. This is the r value (Personally, I usually use R to denote k*G but when I say R value in this thread I refer to the x coordinate of R). There are two points on the curve with the same x coordinate, namely k*G and -k*G. So there is no way to know the sign of k.
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
JavaScript has strange semantics.
If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.
I just extracted the important parts from the javascript file. I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly. All I had to simulate was the prng (which is more or less the standard rc4 stream cipher). So I first tried to get the numbers from the prng initialized with zeros. When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.
I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain. When this was successful I knew I had the right solution.
There were still some unknowns, e.g., there are two candidates for k. First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth. When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions. It took some time until I realized that I had to play with the initialization of the prng.
Is this all browser dependable, on how many browser have you tested? Do you get the same k values in all browsers?
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
JavaScript has strange semantics.
If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.
I just extracted the important parts from the javascript file. I understood from zootreeves's the comment in the github that all this initialization/Math.rand stuff was unimportant as the missing initialization would prevent the rng_pool to be filled properly. All I had to simulate was the prng (which is more or less the standard rc4 stream cipher). So I first tried to get the numbers from the prng initialized with zeros. When this didn't work out (actually I would have found some values using this code, but I only looked for one particular value), I tried variations of this, initializing it with an array of length 1.
I just looked in the stream produced by the prng for one particular k value that I broke earlier and that occurred several times on the block chain. When this was successful I knew I had the right solution.
There were still some unknowns, e.g., there are two candidates for k. First, I didn't check the JavaScript code if it really takes the bytes from the stream to build numbers, whether it is big or little-endian and so forth. When the first try didn't succeed, I read most of the relevant JavaScript code to check my assumptions. It took some time until I realized that I had to play with the initialization of the prng.
I'm a little confused with all the tech junks that is being talked about here. Can u plz tell me in simple terms that if I use blockchain.info to create an address, download the paper wallet containing the private key and keep it and the password safe, then am I secured ?
I can see gmaxwell was talking about some try-catch which may kill the entropy in the seed. Is that present in blockchain.info as well ?
You better use an offline copy of bitaddress to generate your paper wallet.
https://bitcoinpaperwallet.com
https://www.bitaddress.org
i try this today
20 min download ubuntu and the wallets on 2nd USB , 20 min to add it to a USB , Boot up Ubuntu and print , would take any one less then 1hr from start to finish
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.
I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
JavaScript has strange semantics.
That's correct. Even though by specification NaN is Not-a-Number, that memory location (key[i % 0]) still holds some unknown value. So when modulo 256 ((key[1 % 0]) & 255) , it should return some number less than 256.
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.
I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
JavaScript has strange semantics.
If you don't use this code to generate your list, which code do you use?!? I'm confused, was convinced you've used their exact buggy code.
Quote
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
This is brainfuck. Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.
I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?
I solved this by try and error. But now I get it. key.length is 0 so "% key.length" returns NaN, which means it accesses the array at NaN, where all the values were written, because the postfix operator ++ returns NaN on undefined and NaN. Is this correct?
JavaScript has strange semantics.
Jump to: