Milk Sad: cryptographic weakness in Libbitcoin Explorer's private key generator \ stacker news ~bitcoin

pull down to refresh

Milk Sad: cryptographic weakness in Libbitcoin Explorer's private key generator milksad.info/

11.1k sats \ 22 comments \ @lightcoin_ 8 Aug 2023 bitcoin

view all related items

221 sats \ 2 replies \ @k00b 8 Aug 2023

Overheard in @PlebLab:

Mastering Bitcoin ... maybe it should be called Mastering Other People's Bitcoin

20 sats \ 0 replies \ @realtrader 9 Aug 2023

sinister but makes 'sense'

0 sats \ 0 replies \ @SimpleStacker 9 Aug 2023

Oof

110 sats \ 0 replies \ @shibe 9 Aug 2023

This is so bad that it's hard to think that this wasn't intentional:

TLDR; not only did libbitcoin explorer use an insecure Random Number Generator (one whose state can be predicted by sampling a few hundred outputs), but it was seeded with only 32 bits of entropy from system time.

For reference you need at least 128 bits of entropy for a "secure" wallet.

32 bits of entropy on the other hand is only around 4 billion different possible seed phrases. It'd take your average computer just about a day or two to go through all the possible phrases generated by this library.

I thought people who were rolling dice or flipping coins 256 times was overkill but now I'm not so sure if this is the state of some of the seed phrase generators out there

100 sats \ 0 replies \ @Rsync25 9 Aug 2023

What's hardwallets use this software? I don't found on the Github

100 sats \ 0 replies \ @Athena_Alpha 9 Aug 2023

This kind of garbage seed generation is precisely why we have this test for our Hardware Wallet Rating Methodology:

Awarded if the Hardware Wallet uses multiple unpredictable physical processes to generate the seed such as a True Random Number Generator (TRNG), sensors, dice rolls or camera images.

100 sats \ 0 replies \ @BITC0IN 8 Aug 2023

"What the hell !? A bad PRNG algorithm, seeded with only 32 bit of system time, used to generate long-lived wallet private keys that store cryptocurrency? 😧"

bitpay was apparently using this https://www.reddit.com/r/Bitcoin/comments/158nyuo/mass_hacking_of_over_1000_bitcoin_accounts/

0 sats \ 0 replies \ @downtownjj 9 Aug 2023

in paris they call it 'le big-mac'

169 sats \ 13 replies \ @02d072ecce 8 Aug 2023

deleted by author

120 sats \ 11 replies \ @frostdragon 9 Aug 2023

Passphrase wallets are still a single point of failure, and if you have a badly generated wallet, the security is reduced to the passphrase itself.

The solution is to use open source software, so you know exactly how seed phrases are being generated, and to use multisig.

10 sats \ 3 replies \ @Lumor 9 Aug 2023

bx exploited above is open source software.

0 sats \ 2 replies \ @frostdragon 9 Aug 2023

good god, how the hell wasn't this found sooner, then. Geez, it's still in their source code. 🤦🏻‍♂️

100 sats \ 1 reply \ @02d072ecce 9 Aug 2023

deleted by author

0 sats \ 0 replies \ @frostdragon 9 Aug 2023

Ha, yeah I fully agree. Guess that’s why I thought an exploit would have happened back in 2017

0 sats \ 2 replies \ @realtrader 9 Aug 2023

12 or 24 seed + phrase + multisig? oh yes do we have adequate security?

0 sats \ 1 reply \ @frostdragon 9 Aug 2023

Nah, I wouldn't do multisig + passphrase. You don't really need passphrase for multisig. See my response above.

0 sats \ 0 replies \ @realtrader 9 Aug 2023

perfect, thanks

0 sats \ 3 replies \ @02d072ecce 9 Aug 2023

deleted by author

1 sat \ 1 reply \ @PlebeiusG 9 Aug 2023

One small point of correction: a paraphrase takes a seed and generates a new paraphrase. Someone can always generate a random seed and have it be equal to your seed + paraphrase (however small that chance is). Having a paraphrase doesn’t protect you from that.

1 sat \ 0 replies \ @PlebeiusG 9 Aug 2023

EDIT: a passphrase takes a seed a generates a new SEED.

One handed typo with cigar 🚬 sorry

0 sats \ 0 replies \ @frostdragon 9 Aug 2023

If you're doing single sig, yeah definitely use a passphrase. The passphrase is essentially an additional seed word... You just have to make sure you don't lose it, because if you do, you've lost your funds. It's not a great solution for long term storage IMO.

Multisig eliminates the need for a passphrase for a couple of reasons: 1 - you need to know which wallets are connected to withdraw from, so even if you were able to predict seed phrases, you'd still have your work cut out for you trying to find multisig wallets 2 - you wouldn't know if you found a multisig wallet or not, and can't withdraw without the xpubs anyway

That's way more complicated for the attacker, and it's way more difficult for the user to lose their funds.

100 sats \ 0 replies \ @lightcoin_ OP 9 Aug 2023

as long as the passphrase itself is secure, yes

e.g. https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases