MALICIOUS BITCOIN WALLET GENERATION SOFTWARE COULD PRODUCE KNOWN PRIVATE KEYS
December 1, 2017
Recently, in a social media group, the following article was posted and I was asked for a quick opinion.
Before I post my reply, I just want to call out that photos of ‘hackers’ are always some guy in a balaclava at a computer. It’s quite stupid. Originally I had simply copied the post into our Facebook group, but I’ve since wanted to write a little more about this topic.
Anyways, this was my reply:
OK, I’ve read the article properly and have read the pastebin source as well as going back through the Reddit post.
Nothing too malicious (or new; people have been predicting this since 2013 or even earlier, but I’ve not had time to search) going on here, more so someone very intelligent who has the time to do a lot of testing based on a number of assumptions. Usually those assumptions can be based on deliberate action, stupidity, carelessness or laziness.
For me, the takeaways are this.
1. Warm wallets, online wallets and those websites that generate hashes and RNG are always a bit ‘eh’ with me. It places too much trust in someone else.
3. Pastebin here: https://pastebin.com/jCDFcESz
4. Fun trivia: Pseudo Random Number Generation and predictability is always an issue in cryptography. In many systems, especially open source systems, predictability is a real problem. Open source PRNGs used in the generation of crypto-hashes can often be ‘predictable’, as shown in this ‘exploit’, but it also affects many other encrypted systems such as email, voice comms etc. What you want to achieve in a truly secure system is true randomness. Here’s a good article: https://www.design-reuse.com/articles/27050/true-randomness-in-cryptography.html
I can, for instance, ascertain what type of traffic you are throwing around that uses GNU libc random(), because the first few bits are always constants in the headers of the packets. The exploit circles around this:
GNU libc random():
r[i] ← ( r[i-3] + r[i-31] ) % 2^32   | Linear transformation
output r[i] >> 1                      | It outputs a few bits at every iteration
EDIT: essentially what this means is that after enough messages, say 25-30 or so, I can predict/work out what this system is and what it is doing, because I have enough data to make matches.
People who are familiar with Kerberos V4 in Windows Server prior to Windows 2012 may be familiar with GNU libc random(), and it’s one reason why Kerberos V5 does not support V4. It is tremendously insecure.
5. I wouldn’t be overly worried; put your coins on a hard wallet. Then monitor the situation for your wallet. For example, I am now dubious on the long term safety of Ledger since they partnered with Intel, and Intel is known for co-operating with the NSA et al. Investigate the IAMT thing, for example.
6. Research to understand how the crypto-hash is generated. Inputs result in outputs. As the pastebin shows, using ‘password’ enough times as a seed results in a valid hash.
7. Have a look into bitcoin collisions; the probability is so rare, it’s thought impossible. But it could happen. Check out the large bitcoin collider.
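As an added example (not code from the original post, the reply above, or the pastebin it cites), here is a pure-Python model of the glibc random() recurrence quoted in the reply, r[i] = (r[i-3] + r[i-31]) mod 2^32 with output r[i] >> 1, together with the predictor that the “after enough messages” remark describes: once an attacker has seen 31 consecutive outputs, the next output is one of two values, and the first guess is right about three times out of four. It assumes glibc’s default TYPE_3 generator and seeding rule (the first 310 feedback outputs discarded); the seeds used are constructed.

```python
from __future__ import annotations

# Added example (not code from the original post or the pastebin it cites).
# Models glibc's default random() generator (TYPE_3, 31-word additive
# feedback) and shows how 31 consecutive outputs predict the next one.

MOD32 = 1 << 32          # state words are 32-bit
MOD31 = 1 << 31          # outputs are 31-bit (state >> 1)


def glibc_random(seed: int, count: int) -> list[int]:
    """Reproduce the first `count` outputs of glibc srandom(seed); random().

    Seeding follows glibc's random_r.c: r[0] = seed, r[1..30] come from the
    Park-Miller LCG (16807 mod 2^31-1), r[31..33] copy r[0..2], and the
    first 310 outputs of the feedback loop are discarded.  Seeds are assumed
    to be non-negative 31-bit values (larger seeds hit glibc's signed-int
    wraparound, which this model does not reproduce).
    """
    if not 0 <= seed < MOD31:
        raise ValueError("seed must be a non-negative 31-bit integer")
    if seed == 0:                       # glibc treats seed 0 as 1
        seed = 1
    r = [seed]
    for i in range(1, 31):
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 3] + r[i - 31]) % MOD32)   # the recurrence quoted above
        if i >= 344:
            out.append(r[i] >> 1)                  # only the top 31 bits leak
    return out


def predict_next(observed: list[int]) -> tuple[int, int]:
    """Return the two candidates for the output that follows `observed`.

    Needs at least 31 consecutive outputs.  Because each output drops the low
    bit of its state word, o[n] = (o[n-31] + o[n-3] + c) mod 2^31 where the
    hidden carry c is 0 or 1; c is 0 three times out of four, so the first
    candidate is usually right and the true value is always one of the two.
    """
    if len(observed) < 31:
        raise ValueError("need at least 31 consecutive outputs")
    base = (observed[-31] + observed[-3]) % MOD31
    return base, (base + 1) % MOD31


def prediction_accuracy(seed: int, observed_len: int, trials: int) -> tuple[int, int]:
    """Observe `observed_len` outputs, then predict `trials` further outputs
    one at a time, feeding each true value back in as an attacker sniffing a
    stream would.  Returns (first-candidate hits, hits within the pair)."""
    stream = glibc_random(seed, observed_len + trials)
    exact = within = 0
    for k in range(observed_len, observed_len + trials):
        first, second = predict_next(stream[:k])
        if stream[k] == first:
            exact += 1
        if stream[k] in (first, second):
            within += 1
    return exact, within


if __name__ == "__main__":
    # Sanity check against glibc: srand(1) yields 1804289383, 846930886, ...
    print(glibc_random(1, 3))
    exact, within = prediction_accuracy(seed=12345, observed_len=40, trials=200)
    print(f"first candidate right {exact}/200, true value in pair {within}/200")
```

Running it prints the first three glibc outputs for seed 1 (which match a real srand(1); rand() loop) and then the hit counts: the true value is inside the candidate pair on every trial, and the first candidate alone is right roughly 75% of the time. No seed recovery or brute force is involved; the recurrence is linear and only the low bit of each state word is hidden, which is exactly why such a generator must never feed key or nonce generation.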
This highlights an observation about cryptocurrency: as an economic disruptor gaining more and more mainstream adoption, the gap between people who are knowledgeable about the technology and those who are not will widen significantly.
I am by no means claiming to be any sort of expert, but during my Masters Degree I did take cryptography and security courses, and the topic itself is incredibly deep. Even your typical IT Security professional’s knowledge in this field, to my observation, is often lacking, and it is futile to expect the mainstream adopter to know or care anything about this.
As such, this highlights a requirement from a merchant/customer perspective. The merchant and the customer, in many cases, do not want or need to be aware of, or experts in, blockchain, cryptography, security etc. They need products that work. I’ll leave this open ended for your interpretation, because the tendency will be to immediately start a ‘this coin vs that coin’ debate, but to me it suggests a requirement for a lot of work on the seamlessness of cryptocurrency use, should it be truly adopted by the mainstream.
Predictable private keys, and hence predictable wallet addresses, highlight to me another massive attack vector built into the system, ready for exploit.
If you’re interested in learning more, a lot more in fact, about cryptography, I would highly suggest the following free Coursera courses provided by Stanford University.
I have taken these courses and highly recommend them.
Cryptography I. About this course: Cryptography is an indispensable tool for protecting information in computer systems. In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. Throughout the course participants will be exposed to many exciting open problems in the field and work on fun (optional) programming projects. In a second course (Crypto II) we will cover more advanced cryptographic tasks such as zero-knowledge, privacy mechanisms, and other forms of encryption.
Cryptography II. About this course: Learn about the inner workings of cryptographic primitives and protocols and how to apply this knowledge in real-world applications. A free textbook covering the material in the course is available at http://cryptobook.us.