Pages:
Author

Topic: Reused R values again - page 7. (Read 121295 times)

legendary
Activity: 1260
Merit: 1019
December 17, 2014, 03:02:03 PM
Quote
Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds.

I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?

sr. member
Activity: 278
Merit: 250
December 17, 2014, 01:16:32 PM
... If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?

https://github.com/blockchain/My-Wallet/commit/98d5a7ca59ef04d06ac6aee468634b12975a0f5c

In a nutshell, just poor seeding of the RNG.

Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds. Each of the 256 possible seeds produces its own sequence of numbers (which you can assign to some variable, for example k or d, etc) which can be used for secp256k1 point multiplication.

secp256k1: (G=base point, k=ECDSA nonce, d=private key)
point R = k*G (used for ECDSA: k and x-coordinate)
point Q = d*G (public key)

// Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {
  var i, j, t;
  for(i = 0; i < 256; ++i)
    this.S = i;
  j = 0;
  for(i = 0; i < 256; ++i) {
    j = (j + this.S + key[i % key.length]) & 255;
    t = this.S;
    this.S = this.S[j];
    this.S[j] = t;
  }
  this.i = 0;
  this.j = 0;
}
full member
Activity: 164
Merit: 126
Amazing times are coming
December 17, 2014, 12:37:10 PM
@amaclin the problem that I see with all companies providing bitcoin services is that they introduce almost systemic risks in the bitcoin ecosystem. I mean, even when this is not a systemic issue, it is big enough to be an *almost* systemic issue. That is not good, sadly.
full member
Activity: 217
Merit: 259
December 17, 2014, 12:32:38 PM
I just noticed that I accidently swiped 7041 Satoshi from an address not related to this incident and sent it to blockchain.info  Shocked.

https://blockchain.info/address/127sp9ZQ2y2NbW3p8L37wgkvfRfxceWL64

To the owner of 127sp9ZQ2y2NbW3p8L37wgkvfRfxceWL64:
I still have >.9 BTC that I swiped from one of your other addresses.  You can contact me if you want it back.  Send me a message signed with the address from which I took the BTC, and I try to verify that you didn't just crack the address the same way I did.  And please tell us, which program is producing the weak signatures.

This was an address that I already cracked in October so it is not blockchain.info related.
legendary
Activity: 4228
Merit: 1313
December 17, 2014, 10:20:54 AM
The issues here are not with the Bitcoin protocol but with blockchain.info's poor quality software.

It would probably have been better that ECDSA sigs didn't rely upon *random* values at all (then none of this mess would have happened).

My guess is we probably have the NSA to thank for *encouraging* the use of such random values (being a great attack vector).


Exactly.  Blockchain.info != bitcoin.

legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 17, 2014, 10:10:58 AM
The issues here are not with the Bitcoin protocol but with blockchain.info's poor quality software.

It would probably have been better that ECDSA sigs didn't rely upon *random* values at all (then none of this mess would have happened).

My guess is we probably have the NSA to thank for *encouraging* the use of such random values (being a great attack vector).
legendary
Activity: 1260
Merit: 1019
December 17, 2014, 10:05:06 AM
Quote
AFAIK bc.i has set up an autosweeper for known addresses (and they have the complete list from me).  Also their wallet should forbid sending money to such an address.  At the moment I see no funds in any weak address.

Let us make fixes on https://bitcoin.org/en/faq#what-are-the-advantages-of-bitcoin

What are the advantages of Bitcoin?

Payment freedom - It is possible to send and receive any amount of money instantly anywhere in the world at any time. No bank holidays. No borders. No imposed limits. Bitcoin allows its users to be in full control of their money.

Very low fees - Bitcoin payments are currently processed with either no fees or extremely small fees. Users may include fees with transactions to receive priority processing, which results in faster confirmation of transactions by the network. Additionally, merchant processors exist to assist merchants in processing transactions, converting bitcoins to fiat currency and depositing funds directly into merchants' bank accounts daily. As these services are based on Bitcoin, they can be offered for much lower fees than with PayPal or credit card networks.

Fewer risks for merchants - Bitcoin transactions are secure, irreversible, and do not contain customers’ sensitive or personal information. This protects merchants from losses caused by fraud or fraudulent chargebacks, and there is no need for PCI compliance. Merchants can easily expand to new markets where either credit cards are not available or fraud rates are unacceptably high. The net results are lower fees, larger markets, and fewer administrative costs.

Security and control - Bitcoin users are in full control of their transactions; it is impossible for merchants to force unwanted or unnoticed charges as can happen with other payment methods. Bitcoin payments can be made without personal information tied to the transaction. This offers strong protection against identity theft. Bitcoin users can also protect their money with backup and encryption.

Transparent and neutral - All information concerning the Bitcoin money supply itself is readily available on the block chain for anybody to verify and use in real-time. No individual or organization can control or manipulate the Bitcoin protocol because it is cryptographically secure. This allows the core of Bitcoin to be trusted for being completely neutral, transparent and predictable.
full member
Activity: 217
Merit: 259
December 17, 2014, 09:46:40 AM
Strange things happening...
https://blockchain.info/address/1NEBmytquNcVKcQtVbVYCEXg7tNkN12QGK

this address was fine until today. It had 10 outgoing transactions last week but all with good R values.
Today it had a new transaction with bad R value.

AFAIK bc.i has set up an autosweeper for known addresses (and they have the complete list from me).  Also their wallet should forbid sending money to such an address.  At the moment I see no funds in any weak address.

legendary
Activity: 1260
Merit: 1019
December 17, 2014, 09:24:41 AM
Quote
When can we assume bc.i have sorted this fuck up out?

Private keys are already compromised.
bc.i can not do anything with it now. They even can not determine who moves funds out "owner" or "hacker"
In fact they also can sweep funds.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 17, 2014, 09:17:35 AM
When can we assume bc.i have sorted this fuck up out?

They have already fixed the code - the main issue now is that people have not "refreshed their browser pages" who were using the buggy code (and of course the funds that have not been swept from the compromised keys) and people still using compromised addresses (I am assuming that blockchain.info would have sent all affected users an email - but not all may have received that email or acted on it).
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
December 17, 2014, 09:15:53 AM
When can we assume bc.i have sorted this fuck up out?
hero member
Activity: 599
Merit: 500
December 17, 2014, 07:51:29 AM
with all this talk can  please have a noob friendly opinion

would green address it be a safer option ? or breadwallet for IOS ?
i want to keep a small wallet with $20 so i can buy beer and show my mates 
full member
Activity: 168
Merit: 103
December 17, 2014, 07:26:29 AM
Are they still not using deterministic “k” by now? Even a simple k = H(m||secretkey) would be better than any home-baked RNG that is considering Date().getTime().

Can some JS pro tell me what Browsers still don't provide good entropy from the operating system and why users should generate keys on them?
stv
newbie
Activity: 27
Merit: 0
December 17, 2014, 05:32:10 AM

Interesting observation from that paper I don't remember ever seeing before:

Quote
Another slightly related security issue also arose from the fact that k has to be chosen by the signature algorithm. If two values k1, k2 in two different signatures have a known linear relationship k2 = ak1 + b with a, b ∈ Z, the private key d can be extracted from the two signatures without the knowledge of the values k1, k2, since it results in two linear equations with only d and k1 unknown.

It means that two R values don't have to be identical (reused) for their private keys to be breakable, it's enough for them to be "close" to each other, so that R2 can be found adding G to R1 relatively small number of times, few million for instance so it would be implementable in practice to check the neighborhood of every R value ever used against the complete set of R's. I know that two R values in theory should not ever be close to each other if RNG is decent, but we see in practice that not only they are close but often identical.

It doesn't have too much to do with closeness. There is a linear relationship between any pair of two numbers in the “Z_n” (with n from Bitcoin's secp256k1 curve). The question is whether you know it. Easier “k” is much easier to break, because it results in identical “r” appearing in the blockchain. Anybody can detect them immediately. But for an evil programmer who manipulates the generation of “k”, there is much more potential to leak values, without having obvious appearances in the blockchain.
stv
newbie
Activity: 27
Merit: 0
December 17, 2014, 05:25:14 AM

Does not help against the attack from here, because the manipulated random numbers are provably indistinguishable, but it would have prevented the ridiculous bug in MyWallet.
full member
Activity: 217
Merit: 259
December 17, 2014, 05:18:44 AM
There have been again some bad transactions this night, including this big one from bitcoin gambling guide:
https://blockchain.info/tx/6bde86ea2a9892d955443d2bf3d716fa2c0c8947e2cddcc54e2a61930405f3df

The other exposed addresses are 12bGnGuxW6LRyCE8peAYnAFxS7fzVnSALZ, 1BCzSb27A3Ky8HuLNeAE9L17EVjXvo66z
and 1ALzByRJDvFH18CSVZ3YsTdGUkg8fmD5Fw

I uploaded a list of public keys (in compressed hex format).  To get a list of weak R values just remove the 02/03 from the beginning of the line.  I leave it up to you to compute a list of weak addresses from it.

I found out, yesterday that it is possible to compute the private keys from this list alone without breaking the RNG but it is probably more difficult than just breaking the RNG Smiley  Using the same trick, I think I found a way to compute this list 30 times faster if I need to do that again.


Edit: This transaction looks suspicious
https://blockchain.info/tx/45615ef3bba30a29561249a581e59b6e2b44e7612219735a1afdf3f76dbff849
I think others know how to break the RNG.

Edit2: I just tried my download link and noticed that it downloads a Download.exe.  Is this site (sendspace) safe  to use?  I disabled the link for now.
Edit3: I changed the download link to solidfiles.com.

hero member
Activity: 584
Merit: 500
December 17, 2014, 01:56:59 AM
Does this mean the problem was not limited to the reused R values, all transfers were compromised during the few hours while the bug was not discovered? If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?
Also new wallets created.  And "this time period" is somewhat ambiguous due to caching. For all I know there is some browser tab up someplace running this code that could generate an address and and receive 1000 BTC at any moment.

That sounds bad. Blockchain.info should put a general warning on their page to clear the cache. Till now there has been no warning at all, they are trying to hide their incompetence.
full member
Activity: 173
Merit: 104
December 16, 2014, 09:17:19 PM
Does this mean the problem was not limited to the reused R values, all transfers were compromised during the few hours while the bug was not discovered? If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?
Also new wallets created.  And "this time period" is somewhat ambiguous due to caching. For all I know there is some browser tab up someplace running this code that could generate an address and and receive 1000 BTC at any moment.
Well, that's not absolutely horrifying, is it? damn.
staff
Activity: 4284
Merit: 8808
December 16, 2014, 07:40:55 PM
Does this mean the problem was not limited to the reused R values, all transfers were compromised during the few hours while the bug was not discovered? If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?
Also new wallets created.  And "this time period" is somewhat ambiguous due to caching. For all I know there is some browser tab up someplace running this code that could generate an address and and receive 1000 BTC at any moment.
legendary
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
December 16, 2014, 05:58:20 PM
Quote
Yes, I agree with you to a certain extent if the developer kept the application as closed source. However, in this case, it appears to be an honest mistake.

Please see:
https://github.com/blockchain/My-Wallet/commit/98d5a7ca59ef04d06ac6aee468634b12975a0f5c

bc.i had two updates on December,8
First one they published bug, few hours later they fixed it
github.com has only one commit - fixing unknown bug

I was just able to reproduce the bug from the GitHub info:

If you comment out line 29, your PRNG backend will not be initialized correctly
// Random number generator - requires a PRNG backend, e.g. prng4.js
// Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {

Private Key:
20024245551370964114963921214810962636924048065379939224750754889731391894624(DEC)
953251A6CBDFCB91E38B958AB2B5013A503130194D8AA26083F7664E84FDFE49 (HEX)
5JwzcBP4uE5miuJW4tweMbFCz85pWmvXM7e2n6kSG8j9jwKFdTj (WIF)

Edit: Their quality assurance team should have caught this bug if the code was reviewed. It's too obvious.
1Mi8X7NHHYEQR95EnvQSciJ3ChCimt65SK (Bitcoin Address)

This seems to be recovery address from the disaster, 914 BTC total, they've been slowly returning funds to users:
https://blockchain.info/address/1PLn3ru1n7wERPP1BLVV9oAEGGuXUP1eoC

Does this mean the problem was not limited to the reused R values, all transfers were compromised during the few hours while the bug was not discovered? If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?
Pages:
Jump to: