Topic: Why has my newly created Bitcoin address already been used? - page 2. (Read 1377 times)

legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even made a screenshot for memory.
You're the third person that reported the same issue here so far, there's something really "fishy" on that site.
It's either the code is flawed or there's a number of pre-generated keys that's being monitored by the owner.
newbie
Activity: 5
Merit: 0
On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even made a screenshot for memory.
legendary
Activity: 2408
Merit: 2226
Signature space for rent
The case is interesting; that's the reason why I always discourage newbies from using paper wallets. Because a newbie couldn't determine which is a scam or phishing website, they might get scammed eventually. We should always follow good practice: if you use the original Electrum software and verify the signature, then you may use it as a paper wallet as well, since you are allowed to export private keys. Otherwise I would encourage buying a hardware wallet instead of a paper wallet if you can afford the small investment. Your funds at least will be safe. But don't forget to write your seed or private keys on multiple papers and keep them safe in multiple places. Don't save them onto any online machine.
member
Activity: 84
Merit: 22
Be cautious with services generating your addresses. You should look into bitcore.io; it's easy to use.


Here is how you can install it and run it
https://github.com/bitpay/bitcore#bitcore

legendary
Activity: 2268
Merit: 18771
My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.
Or unless you read the source code to see how the k values were being generated, as I said above.

There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.
Provided you are importing your paper wallet to an airgapped computer in the privacy of your own house, and you don't have a camera pointed at you while you are doing it or something equally stupid, what kind of things are you referring to that make a paper wallet more risky than an airgapped wallet?
copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.
My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.

You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.
That can't be a problem as long as you use the address only once, right?
No. The point of my hypothetical attack is to leak information that is more valuable than a single private key, such as a seed list. Your seed list might be able to calculate many private keys that hold a lot of coin, but each private key only contains a small amount of coin.

In my hypothetical example, there might be 12 combinations in the yyzzzzz portion of the k value that are produced at random, plus one additional message that indicates to an attacker that messages are being "sent", similar to a "ping". Once a single message hidden in the k value is detected, the hacker could look at change addresses for additional hidden messages in the k value.



Quote
The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.
So encrypt the paper wallet :)
I was actually referring to a wallet encrypted on a hard drive or computer. A paper wallet encrypted with the passphrase "LoyceV123" has less security than a private key on a hard drive/computer encrypted with the same passphrase. When you want to spend coin on a paper wallet, you need to load the private key temporarily onto a computer to sign a transaction, and there are some things that could cause the private key to become compromised. Your private key could become compromised via your computer, and any of these things could happen regardless of whether the private key is on a paper wallet or stored on a hard drive. There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.
HCP
legendary
Activity: 2086
Merit: 4363
Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase into iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy.
That's actually a pretty neat feature of that BIP39 tool... Just need to pick a word that uses the same initial entropy as the N bits of entropy left over (7 for 12 words, 3 for 24 words) and then pad it out to 11 bits, then click "entropy details" and it'll correct it automagically!

So, basically, an offline copy of the BIP39 tool and a coin... and one can randomly generate mnemonics to their heart's content, knowing that they don't need to worry about "bad" RNGs (assuming their coin isn't biased! ;) )
legendary
Activity: 2268
Merit: 18771
If you are going to use something like Electrum on your airgapped device to import your hand-generated seed phrase to give you an address to send to, then you could skip manually calculating the hash for the checksum altogether and just brute force it, as Electrum will tell you when you are using an invalid checksum. With the first 3 bits of entropy already known, there will only be 256 possible words.

everything else can still be done with a computer after the number was physically generated using a coin or something like that.
You still need to be sure that the software you are using isn't just spitting out pre-generated addresses regardless of what seed phrase you enter. You could go through the process of performing each operation from seed to address manually, or more simply (as Loyce has said above) you could import your seed phrase into multiple different wallets (all airgapped of course) and ensure the generated addresses match up.

It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!
Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase into iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy. Doing so will obviously then lead to a different wallet with different addresses, so can only lead to more confusion down the line.
legendary
Activity: 3472
Merit: 10611
Won't padding out the checksum cause issues downstream when you attempt to restore this in a wallet though?

that's true but when someone is going around the conventional methods of creating a mnemonic then the assumption is that they are already using unconventional methods and codes that should take all of this into consideration.
HCP
legendary
Activity: 2086
Merit: 4363
Won't padding out the checksum cause issues downstream when you attempt to restore this in a wallet though?

It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!

But yes, I was being facetious about manually calculating the SHA256 hash :P ... the setup you are using has a really good mix of "randomness", security and convenience. I like it.
legendary
Activity: 3472
Merit: 10611
Now all you need to do is do your SHA256 hash by hand to generate the checksum and you've got the complete no-computer solution to generating a seed mnemonic :P
It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so :P
There are just some things that are better left to computers ;)

Well, you don't have to have a checksum since it is not mandatory. You can just pad the entropy with zeros and then derive the mnemonic from that.
Besides, the problem is never with the checksum and things like that. The problem that makes people want to flip coins is the Random Number Generators; everything else can still be done with a computer after the number was physically generated using a coin or something like that.
HCP
legendary
Activity: 2086
Merit: 4363
Flip a coin 11 times, turn the resulting number into a BIP39 word from the word list. Repeat 22 more times.
Flip a coin 3 times, calculate the checksum using a permanently airgapped computer, pick the last word.
Write down on paper, import into a wallet or iancoleman on your permanently airgapped computer to generate a receiving address (Optional: add in a passphrase and write that down on a separate piece of paper).
Whole thing can be done in 15-20 minutes.
Now all you need to do is do your SHA256 hash by hand to generate the checksum and you've got the complete no-computer solution to generating a seed mnemonic :P

It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so :P


There are just some things that are better left to computers ;)
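The checksum arithmetic behind the coin-flip procedure quoted above, and the "just brute force the last word" shortcut mentioned earlier in the thread, as an added example in Python (this is not code from the thread, from Electrum or from the iancoleman tool). It works on word indices (0..2047) so it runs without the 2048-word list; mapping indices to words assumes you load english.txt from the BIP39 repository yourself. The sample flips are constructed from a fixed hash so the run is repeatable, and are not a key to use.

```python
import hashlib

WORD_BITS = 11  # each BIP39 word carries 11 bits; 2048 words in the list


def flips_to_entropy(flips):
    """'H'/'T' string of 128..256 flips in 32-flip steps -> entropy bytes (H = 1)."""
    if len(flips) % 32 or not 128 <= len(flips) <= 256:
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    bits = int("".join("1" if f == "H" else "0" for f in flips), 2)
    return bits.to_bytes(len(flips) // 8, "big")


def checksum(entropy):
    """(checksum value, length): the first ENT/32 bits of SHA256(entropy),
    i.e. 4 bits for a 12-word phrase and 8 bits for a 24-word phrase."""
    cs_len = len(entropy) * 8 // 32
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_len), cs_len


def entropy_to_indices(entropy):
    """Append the checksum and cut the bit string into 11-bit word indices."""
    cs, cs_len = checksum(entropy)
    bits = (int.from_bytes(entropy, "big") << cs_len) | cs
    n_words = (len(entropy) * 8 + cs_len) // WORD_BITS
    return [(bits >> (WORD_BITS * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_to_entropy(indices):
    """Inverse: split 11*n bits into the entropy and the checksum the words carry."""
    total = len(indices) * WORD_BITS
    cs_len = total // 33  # total = ENT + ENT/32
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> cs_len).to_bytes((total - cs_len) // 8, "big")
    return entropy, bits & ((1 << cs_len) - 1)


def checksum_valid(indices):
    """What a wallet checks before accepting a mnemonic."""
    entropy, carried = indices_to_entropy(indices)
    return checksum(entropy)[0] == carried


def complete_last_index(first_indices, leftover_bits, leftover_len):
    """Brute-force shortcut from the thread: the leftover flips fix the top bits
    of the last word, so only 2**(11 - leftover_len) candidates remain (256 for
    24 words, 16 for 12) and exactly one of them has a valid checksum."""
    shift = WORD_BITS - leftover_len
    candidates = ((leftover_bits << shift) | cs for cs in range(1 << shift))
    return [c for c in candidates if checksum_valid(first_indices + [c])]


def indices_to_words(indices, wordlist):
    """wordlist: the 2048 English BIP39 words in order (assumed loaded by the
    caller from english.txt in the BIP39 repository; not embedded here)."""
    if len(wordlist) != 2048:
        raise ValueError("expected the 2048-word BIP39 list")
    return [wordlist[i] for i in indices]


# Constructed sample: 256 "flips" derived from a fixed hash so the run is repeatable.
# A real wallet would use real coin flips; never use these values for funds.
SAMPLE_FLIPS = "".join(
    "H" if b == "1" else "T"
    for b in format(int.from_bytes(hashlib.sha256(b"constructed flips").digest(), "big"), "0256b"))

if __name__ == "__main__":
    idx = entropy_to_indices(flips_to_entropy(SAMPLE_FLIPS))
    print("24 word indices:", idx, "| checksum valid:", checksum_valid(idx))
    # 23 words from 253 flips + 3 extra flips, then find the last word by brute force
    print("last index candidates:", complete_last_index(idx[:23], idx[23] >> 8, 3))
```

The same functions handle 12-word phrases: 121 flips give the first 11 words, the 7 left-over flips fix the top 7 bits of the last word, and only 16 candidates need to be tried. The known BIP39 test vector of all-zero entropy comes out as eleven times index 0 ("abandon") followed by index 3 ("about").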
legendary
Activity: 2268
Merit: 18771
-snip-
To be fair, if an attacker is able to install probes on my power supply or a camera in my house, I've got far bigger problems than the safety of my cold storage. :P

This guys shows in this video how to do it
It's a nice video, but he is only generating a single private key and not an entire seed phrase, which is far more straightforward. Once you've flipped a coin 256 times, all you have to do is convert the result to Base58Check and you've got yourself a private key. You don't need to worry about word lists or checksums as you would if you were generating a seed phrase.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Flip a coin 11 times, turn the resulting number in to a BIP39 word from the word list. Repeat 22 more times.

This guys shows in this video how to do it
Very interesting, and if you want to do it it worth checking it out.
https://www.youtube.com/watch?v=ieHoQ4sGuEY
legendary
Activity: 1624
Merit: 2481
Is it by chance possible to change the private key to that address?

No.
The address is basically the hash of the public key. And the public key is derived from the private key.
hero member
Activity: 2464
Merit: 519
Is it by chance possible to change the private key to that address?
legendary
Activity: 1624
Merit: 2481
Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins.

Technically, this isn't completely true :P

There are quite a few papers about how to exfiltrate data from air-gapped computers.
Those techniques are highly sophisticated and the chances of it happening to you are close to zero. But some would include:

  • AirHopper: Malware to encode data into FM signals transmitted from a screen cable. This signal can be received by any smartphone with an FM receiver.
  • PowerHammer: Exfiltration via powerline: With probes on the computer and the power control box, malware on the air-gapped computer can increase/decrease the CPU load by doing useless (but resource-heavy) calculations to transmit data via the power line.
  • Another option requires a camera to be installed close to the computer: using the hard disk LEDs to transmit data.

Those are not just theories; they have been proven to work.
There are a few more extremely fascinating (and highly unlikely) attacks which could extract data from such an air-gapped setup.
Quite a few papers have been published which cover exactly that: exfiltrating data from air-gapped computers. They are quite exciting to read.

It is obvious that no typical crypto holder will face such an attack, although it's interesting to know which techniques exist :)
legendary
Activity: 2268
Merit: 18771
That can't be a problem as long as you use the address only once, right?
It could also be a problem if you have exposed your master public key to anyone. The combination of knowing a master public key and one of the child private keys allows you to derive all the other child private keys.

Have you ever checked this much before broadcasting a transaction?
Once or twice, but mostly as a learning exercise for myself rather than any genuine concern that the software I am using is using a non-random k value. However, I generally use Electrum as my interface for accessing paper wallets or other cold storage, which has used RFC 6979 for generating k values since version 1.9, so this isn't an attack vector I am particularly concerned about.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value.
That can't be a problem as long as you use the address only once, right?

Whenever I sign a message offline, I use different software to decode the raw transaction and see if it still does what I want. I've never seen a problem there, but it doesn't hurt to be sure.

Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
I've seen the scenario before, and you're right. I've consolidated a paper wallet before, sending the funds back to the same wallet.

If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values.
Have you ever checked this much before broadcasting a transaction?
legendary
Activity: 2268
Merit: 18771
Creating a 7 of 7 multi-sig private key should be less risky than creating a private key that requires one signature to spend coin (assuming you can easily replicate the procedure to keep each private key secure).
I mean, sure, but that is completely irrelevant to what we are discussing here. Paper wallets which are generated via flipping a coin and paper wallets which are generated via third party code/software will be exactly as easy or difficult to spend from as each other, and exactly as secure or not to spend from as each other, depending on how and where you opt to import the seed/private key. Generating entropy by hand decreases your risk from malicious or flawed code generating non-random entropy. It is irrelevant to the spending process.

This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information.
Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.
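The two leaks argued over in this thread, as an added example in Python (this is not code from the thread or from any wallet): first, why two signatures sharing a nonce k, which show up as an identical R value, hand over k and then the private key, which is what comparing the R values of unbroadcast transactions detects; second, why an exposed master public key (point plus chain code) together with one leaked non-hardened child private key gives the parent key and hence every sibling key (BIP32 arithmetic). It uses a minimal pure-Python secp256k1 and takes the nonce as an explicit argument instead of implementing RFC 6979. All key, nonce, chain-code and hash values are constructed from fixed strings and are not real keys or transactions; Python 3.8+ is assumed for pow(x, -1, m).

```python
import hashlib
import hmac

# secp256k1: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def sign(priv, h, k):
    """ECDSA on message hash h with an explicitly supplied nonce k (the value a
    wallet normally picks; RFC 6979 derives it from the key and the message)."""
    r = ec_mul(k)[0] % N
    return r, pow(k, -1, N) * (h + r * priv) % N

def verify(pub, h, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def recover_from_reused_k(h1, sig1, h2, sig2):
    """Same r => same k.  s1 - s2 = k^-1 (h1 - h2), so k = (h1 - h2)/(s1 - s2)
    and the private key d = (s1*k - h1)/r.  Knowing k alone would suffice too."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different R values: the nonce was not reused")
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return k, (s1 * k - h1) * pow(r1, -1, N) % N

def ser_pub(pub):
    """33-byte compressed encoding, as BIP32 feeds into HMAC-SHA512."""
    return bytes([2 + (pub[1] & 1)]) + pub[0].to_bytes(32, "big")

def ckd_priv(parent_priv, chain, index):
    """BIP32 non-hardened child (index < 2**31): child = parent + IL mod N."""
    data = ser_pub(ec_mul(parent_priv)) + index.to_bytes(4, "big")
    i = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + parent_priv) % N, i[32:]

def recover_parent_priv(parent_pub, chain, index, child_priv):
    """An xpub holder recomputes IL from public data, so parent = child - IL."""
    data = ser_pub(parent_pub) + index.to_bytes(4, "big")
    il = int.from_bytes(hmac.new(chain, data, hashlib.sha512).digest()[:32], "big")
    return (child_priv - il) % N

# Constructed sample values (derived from fixed strings; not real keys or txids)
SAMPLE_PRIV = int.from_bytes(hashlib.sha256(b"constructed private key").digest(), "big") % N
SAMPLE_K = int.from_bytes(hashlib.sha256(b"constructed nonce").digest(), "big") % N
SAMPLE_CHAIN = hashlib.sha256(b"constructed chain code").digest()
H1 = int.from_bytes(hashlib.sha256(b"constructed tx 1").digest(), "big")
H2 = int.from_bytes(hashlib.sha256(b"constructed tx 2").digest(), "big")

if __name__ == "__main__":
    pub = ec_mul(SAMPLE_PRIV)
    sig1, sig2 = sign(SAMPLE_PRIV, H1, SAMPLE_K), sign(SAMPLE_PRIV, H2, SAMPLE_K)
    print("R values equal:", sig1[0] == sig2[0])
    print("key recovered:", recover_from_reused_k(H1, sig1, H2, sig2)[1] == SAMPLE_PRIV)
    child0, _ = ckd_priv(SAMPLE_PRIV, SAMPLE_CHAIN, 0)
    print("parent from xpub + child 0:", recover_parent_priv(pub, SAMPLE_CHAIN, 0, child0) == SAMPLE_PRIV)
```

The R-value check only catches exact reuse; a nonce that is merely biased or derived from a small set, as in the hypothetical attack described earlier in the thread, produces distinct R values and is not detected this way, which is why a deterministic nonce (RFC 6979) plus readable source code is the stronger assurance. The second half shows why hardened derivation is used for the account level: a hardened child cannot be recovered from the parent public key and a sibling.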