johoe (Full Member)
More Signatures with Repeated Nonces.
April 09, 2016, 05:30:49 AM (last edit: April 12, 2016, 01:54:13 AM by johoe), post #1

My script that I still occasionally run has detected repeated nonces (r-value) in signatures again. Looks like a bad random number generator; the repetitions usually happen some days apart. The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now. Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I set up a bot to sweep the compromised keys. If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again. There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b. This address doesn't seem to be compromised yet. Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses. I accidentally counted five unrelated addresses. Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
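The check johoe's post describes, finding signatures that share an r-value, is straightforward to run over a batch of DER-encoded signatures. The block below is an added example written for this thread, not johoe's script: it parses each signature's (r, s) pair, rejects malformed or non-canonical encodings, and groups signatures by r. The sample signatures are constructed for the demo (only the first r-value is the one quoted later in the thread, the s-values and labels are made up); in practice the inputs would be the scriptSig signatures of on-chain transaction inputs.

```python
"""Scan DER-encoded ECDSA signatures for repeated r-values.

Added example, not johoe's script. In ECDSA, r is the x-coordinate of k*G,
so two signatures sharing an r-value were made with the same nonce k; if the
same key produced both, that key is exposed. The signatures below are
constructed for this demo (only the first r-value is the one quoted in the
thread); real inputs would be the scriptSig signatures of on-chain inputs.
"""
from collections import defaultdict

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def parse_der_signature(sig: bytes):
    """Return (r, s) from DER SEQUENCE { INTEGER r, INTEGER s }.

    A trailing sighash byte after the sequence (as Bitcoin appends) is
    tolerated and ignored; malformed or non-canonical encodings raise.
    """
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len > 0x7F or 2 + seq_len > len(sig):
        raise ValueError("bad SEQUENCE length")
    body = sig[2:2 + seq_len]
    pos, ints = 0, []
    for _ in range(2):
        if pos + 2 > len(body) or body[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = body[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if length == 0 or end > len(body):
            raise ValueError("bad INTEGER length")
        if body[start] & 0x80:
            raise ValueError("negative INTEGER (non-canonical signature)")
        ints.append(int.from_bytes(body[start:end], "big"))
        pos = end
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    r, s = ints
    if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
        raise ValueError("r or s out of range")
    return r, s


def find_repeated_nonces(signatures):
    """signatures: iterable of (label, der_bytes).

    Returns {r: [labels]} for every r-value that occurs more than once.
    """
    seen = defaultdict(list)
    for label, der in signatures:
        r, _ = parse_der_signature(der)
        seen[r].append(label)
    return {r: labels for r, labels in seen.items() if len(labels) > 1}


# --- constructed sample input -------------------------------------------
R_SHARED_HEX = "538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951"
R_OTHER_HEX = "a1" * 32            # top bit set -> needs a 0x00 pad byte in DER

SAMPLE_SIGNATURES = [
    # 0x30 len, 0x02 len r, 0x02 len s
    ("tx-a:in0", bytes.fromhex("30440220" + R_SHARED_HEX + "0220" + "11" * 32)),
    # same r again, with a trailing SIGHASH_ALL byte as seen in scriptSigs
    ("tx-b:in0", bytes.fromhex("30440220" + R_SHARED_HEX + "0220" + "22" * 32 + "01")),
    # unrelated r, padded to 33 bytes because its top bit is set
    ("tx-c:in0", bytes.fromhex("30450221" + "00" + R_OTHER_HEX + "0220" + "33" * 32)),
]

if __name__ == "__main__":
    for r, labels in find_repeated_nonces(SAMPLE_SIGNATURES).items():
        print(f"r={r:064x} reused by {labels}")
```

Grouping by r alone flags reuse across different keys as well as within one key; a real scan would also record the public key recovered from each input so that the cross-key hits (harmless by themselves) can be told apart from same-key hits.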

johoe (Full Member)
Re: New Signature with repeated nonces.
April 09, 2016, 11:23:36 AM (last edit: April 09, 2016, 11:51:27 AM by johoe), post #3

The last time this happened was the Blockchain.info December 2014 incident. You can read up on it here:
https://bitcointalk.org/index.php?topic=581411.0

AFAIK all hardware wallets use deterministic signatures by now, so I don't think it is a hardware wallet. The wallet is reusing random nonces to generate the signatures. It could be a bad random number generator or someone cloned the random state (e.g. by cloning a virtual machine or forking processes) or maybe even another openssl problem. I guess a cloned virtual machine is most likely from the pattern I observe. It wouldn't have happened if they had used deterministic signatures.

https://blockchain.info/tx/fc9c8c56ce09b48f1e593a0df3f9a03f8dc33ba2027621e047fc5fc4f86f93f6
https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb

All three transactions use r = 538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3

AgentofCoin (Legendary)
Re: New Signature with repeated nonces.
April 09, 2016, 09:14:56 PM, post #7

Quote from: johoe on April 09, 2016, 05:30:49 AM
> ...
> EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b. This address doesn't seem to be compromised yet. Note that this address has also been exposed and should not be used any more.

After looking at some of the tx going into and out of one of the compromised addresses, it seems to me (but of course in Bitcoin we can never really know), the address's connections may have some associations with a few different darknet markets.

So, if the above is true, I assume we will never hear from the true owner of the compromised addresses and learn what was the wallet used and the cause of this reuse issue.

I support a decentralized & unregulatable ledger first, with safe scaling over time.
Request a signed message if you are associating with anyone claiming to be me.

johoe (Full Member)
Re: New Signature with repeated nonces.
April 09, 2016, 09:38:37 PM, post #8

Quote from: calkob on April 09, 2016, 09:07:38 PM
> What in your estimation is the source of this problem?

My guess is a cloned virtual machine state.

Observation: The reuse happened several days apart and then the nonces are repeated in roughly the same order. This happened three times. Then another completely different set of 10 nonces were repeated again after a few days.

Possible Explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine image. After a few days the machine was restored to an earlier snapshot and restarted. Then again after a few days the machine was restored to this state.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3

lucasjkr (Hero Member)
Re: More Signatures with Repeated Nonces.
April 10, 2016, 12:48:17 AM, post #9

I would have thought that among all the other noise that an RNG should be using to seed itself, one of those inputs would be tied to the date and time? So that even if you had cloned a VM, and started it a few days late, it would have new seed data to generate randoms from than the original before it was cloned?

throwaway084575 (Newbie)
Re: More Signatures with Repeated Nonces.
April 10, 2016, 09:53:28 AM, post #12

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago, and use mycelium to spend a little from it every so often. The change always goes back to the address. Should I move all those funds to a new wallet and not spend from paper wallets like that?

GermanGiant (Hero Member)
Re: More Signatures with Repeated Nonces.
April 10, 2016, 11:40:56 AM, post #14

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in ( https://github.com/OutCast3k/coinbin/ ) is run from local machine to spend from addresses generated by https://www.bitaddress.org ( https://github.com/pointbiz/bitaddress.org ) running at local machine, will that be safe ?

johoe (Full Member)
Re: More Signatures with Repeated Nonces.
April 10, 2016, 01:41:24 PM, post #17

Quote from: GermanGiant on April 10, 2016, 11:40:56 AM
> 1. If I use an address for receive only over a long time and never spend, can that be affected by this ?
> 2. Blockchain.info has recently introduced HD wallets. Are they safe now ?
> 3. Are multisig addresses (starting with 3) unaffected by this ?
> 4. If https://coinb.in ( https://github.com/OutCast3k/coinbin/ ) is run from local machine to spend from addresses generated by https://www.bitaddress.org ( https://github.com/pointbiz/bitaddress.org ) running at local machine, will that be safe ?

1. If you empty the wallet with a single transaction there is only a very tiny chance that you are affected. For this the client must be really buggy selecting the same nonce twice in this transaction, and someone (amaclin) needs to have his bot running that tries to immediately double spend your transaction after seeing it. I have seen such a double-spend attempt once but it didn't succeed; although if it had succeeded, I wouldn't have seen it.

2. Probably no bitcoin client is completely safe. With regards to this problem, they are safe since they use deterministic signatures (January 2015).

3. No. My script also scans for multisig (at least I intended to do that). But I haven't found a reused nonce in a multisig so far.

4. They claim to use deterministic signatures. If that is correct, they are safe.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3