Security Test Fail? | Bitcointalksearch.org

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: And1 on March 15, 2013, 04:37:33 PM

But if file is unlocked while unciphered, i don't see the point in crypting it.

The granularity of Bitcoin's passphrase encryption isn't at the file level, it instead is at the Bitcoin Address record level. There is one field in the Bitcoin Address record in the wallet.dat and that is what needs to be decrypted.

So after being decrypted, in memory is only the decrypted private key for Bitcoin addresses(es) being used for a transaction. But in memory at some point as well is the Bitcoin passphrase that you just entered which is then used for decryption. So like the other posts mention, the Bitcoin client still requires a secure computing environment to protect from keyloggers and other malware.

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

Let's make clear this: if your computer is infected then everything you do on that computer is not safe, no matter what.

kadoban

newbie

Activity: 16

Merit: 0

Be sure to check the wiki for information about keeping a secure wallet: https://en.bitcoin.it/wiki/Securing_your_wallet

DannyHamilton

legendary

Activity: 3472

Merit: 4801

If you are concerned about maintaining such a high level of security, you should only create transactions on a computer that is never connected to the network. Take a look at the Armory client, I think it will provide you with the level of security you are interested in.

And1

member

Activity: 62

Merit: 10

Quote from: And1 on March 16, 2013, 04:11:18 AM

Does QFX KeyScrambler help against keyloggers?

I found my answer - no and there isn't any keyscrambler for Bitcoin.

And1

member

Activity: 62

Merit: 10

Does QFX KeyScrambler help against keyloggers?

MysteryMiner

legendary

Activity: 1512

Merit: 1049

Death to enemies!

Quote from: And1 on March 15, 2013, 04:23:23 PM

If wallet deciphers only to RAM for transaction and than is immediately wiped out i guess not much people can make trojan able to catch unciphered part of private wallet.

The encrypted wallet is downloaded to hackers computer together with text file containing all keypresses on your computer. It includes the wallet password. Your coins are my coins.

Encryption is only good if the computer is not compromised in any way.

And1

member

Activity: 62

Merit: 10

Quote from: Stephen Gornick on March 15, 2013, 04:25:27 PM

Because it can be discovered which Bitcoin addresses are yours from seeing the wallet.dat, some people use an encrypted filesystem for the Bitcoin directory (or at least for where the wallet.dat is stored).

But if file is unlocked while unciphered, i don't see the point in crypting it.

Stephen Gornick

legendary

Activity: 2506

Merit: 1010

Quote from: And1 on March 15, 2013, 03:56:29 PM

Aaaa, so it decyphers only in RAM when im doing transaction? It is kept cyphered on the disk all the time, so the lock is unneeded?

You only need to enter the passphrase when generating a new address or when spending.

Because it can be discovered which Bitcoin addresses are yours from seeing the wallet.dat, some people use an encrypted filesystem for the Bitcoin directory (or at least for where the wallet.dat is stored).

And1

member

Activity: 62

Merit: 10

If wallet deciphers only to RAM for transaction and than is immediately wiped out i guess not much people can make trojan able to catch unciphered part of private wallet.

Does bitcoin work so?

Is there many trojans able to breach in?

MysteryMiner

legendary

Activity: 1512

Merit: 1049

Death to enemies!

Quote from: And1 on March 15, 2013, 03:56:29 PM

Aaaa, so it decyphers only in RAM when im doing transaction? It is kept cyphered on the disk all the time, so the lock is unneeded?

Only the private keys of wallet are encrypted. All other sensitive information like receiving addresses and public keys are unencrypted.

The greatest threat are trojan horses and keyloggers. They both make wallet encryption useless. With secure enough computer the encryption is unnecessary, but this kind of setup is out of reach for beginners and ordinary users.

And1

member

Activity: 62

Merit: 10

Aaaa, so it decyphers only in RAM when im doing transaction? It is kept cyphered on the disk all the time, so the lock is unneeded?

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

You are only prompted to enter passphrase when trying to do something considered sensitive like send coins or sign a message.

The wallet file contains a public portion (addresses & prior tx history) and a private portion of the wallet file contains the private keys and it is encrypted using AES with a 256 bit key created by hashing the passphrase roughly 10,000 or more times using SHA-256.

And1

member

Activity: 62

Merit: 10

On Windows XP i've set up Bitcoin-QT 0.8, synched with network, encrypted the wallet.dat file.
I have status stating that the wallet is encrypted.
Now decided to make security test.
I copied the wallet.dat to pendrive while Bitcoin was run - and here first bad surprise. Why isn't it really locked???
Than i installed Bitcoin-QT 0.8 on another computer with Windows 7. Only instead of creating wallet i copied one from pendrive.
And another bad surprise. The wallet was opened without asking about passphrase and i has all access to my copied wallet!!!

So to me any child can write a virus that will copy and send to himself wallet.dat because the lock doesn't work AND/OR wallet is not really ciphered, than transfer all my bitcoins to himself.

I feel like i discovered America. WTF? Is there ANY security in Bitcoin, or i miss some point?

Topic: Security Test Fail? (Read 794 times)