|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
https://www.reddit.com/r/Iota/comments/7cuget/address_reuse_how_to_prevent_iota_being_stolen/Posted by u/btceacc "I've read a number of threads that have talked about IOTA getting stolen. While some instances appear to have been due using online seed generators, the other instances appear to be due to re-using a previously used address. While there seems to be some explanation about not re-using addresses once it has been used to spend, the set of scenarios are still not clear to me. I'd just like to post a simplified list of scenarios of what to do and not do with regards to addresses. Please correct any misunderstanding and I will update: Scenario 1 - Creating a new receiving address and receive Attach address A to Tangle Receive 10 IOTA to Address A. (Result: Everything OK. Total of 10 IOTA) Spend 5 IOTA from Address A (Result: Everything OK. The remaining 5 IOTA automatically gets moved to Address F.) Spend 1 IOTA from address F (Result: Everything OK. The remaining 4 IOTA automatically gets moved to Address G.) Receive 3 IOTA to Address A (Result: All your 3 IOTA in Address A are now at risk of being stolen. Instead, you should have created a new address to receive.) Scenario 2 - Creating a new receiving address (without attaching to tangle first) and receive Receive 10 IOTA to Receiving Address B. (Result: Everything OK. Total of 10 IOTA) Receive 20 IOTA to Receiving Address B. (Result: Everything OK. Total of 30 IOTA) Receive 30 IOTA to Receiving Address B. (Result: Everything OK. Total of 60 IOTA) Spend 58 IOTA from Address B. (Result: Everything OK. The remaining 2 IOTA automatically gets moved to Address Q.) Spend 1 IOTA from Address Q. (Result: Everything OK. Total of 1 IOTA automatically gets moved to Address R.) Receive 10 IOTA into Address R. (Result: Everything OK. Total IOTA is 11.) Receive 10 IOTA into Address Q. (Result: The 10 IOTA on deposited are now at risk of being stolen) Scenario 3 - Safest practice (?) Attach address A to Tangle Receive 10 IOTA to Address C. (Result: Everything OK. Total of 10 IOTA) Spend 4 IOTA from Address C (Result: Everything OK. Total of 6 IOTA automatically moved to address X) I have read that numerous users are getting confused about all this and I really hope that the new wallet addresses these issues. Right now, the replies that people are being given are "you did something silly" or "you didn't read the manual". I think everyone needs to be aware that many users are newbies to crypto, let alone the nuances of IOTA. If it isn't clear in the wallet software, I can see that many high-profile hacks are going to occur if IOTA gets traction. In my view, it's important that the wallet and manual accommodates non-technical users and gives the utmost protection to users' funds. This would include seed generation (rather than encouraging people to go to shady online sites) and making a receiving address somehow inaccessible on the front-end so it cannot be easily re-used (a quick fix would simply be to put up a message whenever someone tries to copy a used receiving address to the clipboard). Appreciate any feedback or corrections to the above. EDIT: Updated Scenario #2 based on u/ColdDayApril's feedback."
|
|
|
|
|
andreas888
|
|
|
Group: Forum Members
Posts: 5,
Visits: 0
|
Hi,
If Scenario 1 is really possible then, that means, that there is a great bug in the wallet software !!!!!
The job of the wallet has to avoid this Scenario !!!
Andreas
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
+xHi, If Scenario 1 is really possible then, that means, that there is a great bug in the wallet software !!!!! The job of the wallet has to avoid this Scenario !!!Andreas The wallet is not stateful. That means that it doesn't remember which addresses have been used previously. That'll be fixed in future versions.
|
|
|
|
|
andreas888
|
|
|
Group: Forum Members
Posts: 5,
Visits: 0
|
??? - in my wallet the transaction history can be seen.
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
+x??? - in my wallet the transaction history can be seen. If you switch nodes a few times, you'll notice that the wallet history sometimes disappears. This is because the wallet on your device isn't the thing storing the history. ather, it's the host that you're connected to.
|
|
|
|
|
tm4949
|
|
|
Group: Forum Members
Posts: 2,
Visits: 0
|
+x+xHi, If Scenario 1 is really possible then, that means, that there is a great bug in the wallet software !!!!! The job of the wallet has to avoid this Scenario !!!Andreas The wallet is not stateful. That means that it doesn't remember which addresses have been used previously. That'll be fixed in future versions. So it's possible that after a snapshot the wallet could generate a receiving address that you have already spent from correct? So really after a snapshot we should move all funds to a new seed/wallet before attempting to spend/receive correct? I was talking to a dev a couple months ago when this problem was first rearing it's ugly head. According to him if reuse has only been done once the statistical probability of someone aquiring your private key for that address is still basically impossible. It would be nice to have some actual numbers on the resources required to aquire a key for an address that has been reused 1 times, 2 times, 3 times etc...
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
@tm4949"So it's possible that after a snapshot the wallet could generate a receiving address that you have already spent from correct?" Yes - not only possible, but the wallet will generate addresses that you've already spent from! Addresses are generated deterministically from the seed, so after snapshots the wallet will start at index 0 and start generating addresses from there. If you sent any transactions from that seed prior to the snapshot, you would have already used the index 0 address, so sending anything to that address in the future would put those funds at risk."So really after a snapshot we should move all funds to a new seed/wallet before attempting to spend/receive correct?" This is one way of handling it. Another way to handle it would be to save the last address that you used, and then make sure to generate addresses until that address appears in your wallet. Then you'd know that any addresses generated beyond that point would be safe to use."I was talking to a dev a couple months ago when this problem was first rearing it's ugly head. According to him if reuse has only been done once the statistical probability of someone aquiring your private key for that address is still basically impossible. It would be nice to have some actual numbers on the resources required to aquire a key for an address that has been reused 1 times, 2 times, 3 times etc." https://en.wikipedia.org/wiki/Lamport_signature#Security_parametersSigning the message
Later Alice wants to sign a message. First she hashes the message to a 256-bit hash sum. Then, for each bit in the hash, based on the value of the bit, she picks one number from the corresponding pairs of numbers that comprise her private key (i.e., if the bit is 0, the first number is chosen, and if the bit is 1, the second is chosen). This produces a sequence of 256 random numbers. As each number is itself 256 bits long the total size of her signature will be 256×256 bits = 8 KiB. These random numbers are her signature and she publishes them along with the message.
Note that now that Alice's private key is used, it should never be used again. The other 256 random numbers that she did not use for the signature she must destroy. Otherwise, each additional signature reusing the private key halves the security level[1] against adversaries that might later create false signatures from them.
Security is halved with each reuse. It's a very simple logarithmic curve.
|
|
|
|
|
tm4949
|
|
|
Group: Forum Members
Posts: 2,
Visits: 0
|
+x@tm4949"So it's possible that after a snapshot the wallet could generate a receiving address that you have already spent from correct?" Yes - not only possible, but the wallet will generate addresses that you've already spent from! Addresses are generated deterministically from the seed, so after snapshots the wallet will start at index 0 and start generating addresses from there. If you sent any transactions from that seed prior to the snapshot, you would have already used the index 0 address, so sending anything to that address in the future would put those funds at risk."So really after a snapshot we should move all funds to a new seed/wallet before attempting to spend/receive correct?" This is one way of handling it. Another way to handle it would be to save the last address that you used, and then make sure to generate addresses until that address appears in your wallet. Then you'd know that any addresses generated beyond that point would be safe to use."I was talking to a dev a couple months ago when this problem was first rearing it's ugly head. According to him if reuse has only been done once the statistical probability of someone aquiring your private key for that address is still basically impossible. It would be nice to have some actual numbers on the resources required to aquire a key for an address that has been reused 1 times, 2 times, 3 times etc." https://en.wikipedia.org/wiki/Lamport_signature#Security_parametersSigning the message
Later Alice wants to sign a message. First she hashes the message to a 256-bit hash sum. Then, for each bit in the hash, based on the value of the bit, she picks one number from the corresponding pairs of numbers that comprise her private key (i.e., if the bit is 0, the first number is chosen, and if the bit is 1, the second is chosen). This produces a sequence of 256 random numbers. As each number is itself 256 bits long the total size of her signature will be 256×256 bits = 8 KiB. These random numbers are her signature and she publishes them along with the message.
Note that now that Alice's private key is used, it should never be used again. The other 256 random numbers that she did not use for the signature she must destroy. Otherwise, each additional signature reusing the private key halves the security level[1] against adversaries that might later create false signatures from them.
Security is halved with each reuse. It's a very simple logarithmic curve. I hope the IF is paying you for the work you do. I appreciate the great response and all you do here and in the slack community.
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
"I hope the IF is paying you for the work you do"
They're probably allocating their resources toward much more important things.
"I appreciate the great response and all you do here and in the slack community."
I'm glad that you appreciate it. It's a group effort - lots of people all chipping in to make this community great.
|
|
|
|
|
andreas888
|
|
|
Group: Forum Members
Posts: 5,
Visits: 0
|
i do not understand why you are discusing wether to reuse an adress - YOU CAN NOT CONTROL, wether your adress ist reused or not !!!
|
|
|
|
|
andreas888
|
|
|
Group: Forum Members
Posts: 5,
Visits: 0
|
>.. I was talking to a dev a couple months ago when this problem was first rearing it's ugly head.
>According to him if reuse has only been done once the statistical probability of someone aquiring
>your private key for that address is still basically impossible. It would be nice to have some
>actual numbers on the resources required to aquire a key for an address that has been reused
>1 times, 2 times, 3 times etc...
How will you prevent someone to send you 1000 times 1 IOTA to your adress from different accounts ???
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
@andreas888"i do not understand why you are discusing wether to reuse an adress - YOU CAN NOT CONTROL, wether your adress ist reused or not !!!" It won't be your fault if someone sends a transaction to one of your old address without confirming with you first before sending. "How will you prevent someone to send you 1000 times 1 IOTA to your adress from different accounts ???" You can receive at the same address as many times as you'd like. Until you send a transaction from that address.
|
|
|
|
|
Oliviacaz
|
|
|
Group: Forum Members
Posts: 3,
Visits: 2
|
I hope the core dev team fixes the issues with the wallet soon, because that is surely a barrier to the coins market cap growing.
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
Courtesy of Frode:
'This is how key-hacking occurs :
The private key is 6561 trits for a sec-level 1 address.
This key is chucked up in 243 * 27, and each of the 27 chunks are hashed 26 times to form the public key.
When signing a message the bundle-hash is split into 3, with 27 trytes in each. For a sec-level 1 address, only first part is used.
each of the 27 trytes are 'normalized' into a int between 1 and 26
Then each of those numbers are used to decide how many times the key-chunk should be hashed.
when all key-chunks are hashed accoring to bundle-has, the result is exposed as the signature.
In order to verify the signature, one simply continues the hashing of each chunk so the total for each is 26 times. Then one compares the result with the address to verify signature is correct.
This leaves a situation, where any bundle that produces a hash (normalized) with values at the same as the first signature or higher valye can be signed using the exposed part of the key...
The more signatures made, the lower the number of the expoes key-hash is, and the easier it is to generate a bundle that can be signed.
Because if the first bundle signed the first chunk wirth 12, and second bundle has 14, you only hash the value from the signature two more times, and you have the hash number 14, and this will verify as a correct signature since the verification only verifies that going from 14 to 26 produces the correct value.'
|
|
|
|
|
andreas888
|
|
|
Group: Forum Members
Posts: 5,
Visits: 0
|
+x"How will you prevent someone to send you 1000 times 1 IOTA to your adress from different accounts ???" >You can receive at the same address as many times as you'd like. Until you send a transaction from that address. So - how do i prevent this case, that someone sends me iota to an andress, i have allready send a transaction from ? ?? ???
|
|
|
|
|
danwrubel
|
|
|
Group: Forum Members
Posts: 15,
Visits: 2
|
+x@andreas888"i do not understand why you are discusing wether to reuse an adress - YOU CAN NOT CONTROL, wether your adress ist reused or not !!!" It won't be your fault if someone sends a transaction to one of your old address without confirming with you first before sending. "How will you prevent someone to send you 1000 times 1 IOTA to your adress from different accounts ???" You can receive at the same address as many times as you'd like. Until you send a transaction from that address. It isn't receiving iota that causes exposure, it is sending. So, you can receive unlimited deposits with zero risk. If you send from the same address more than once, exposure is created. However, I believe the latest wallet does not permit sending more than once from the same address.
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
+x+x"How will you prevent someone to send you 1000 times 1 IOTA to your adress from different accounts ???" >You can receive at the same address as many times as you'd like. Until you send a transaction from that address. So - how do i prevent this case, that someone sends me iota to an andress, i have allready send a transaction from ? ?? ??? I guess there will be second layer work arounds for this in the future. For now, just make sure to give each new person a new receive address to send a you a transaction.
|
|
|
|
|
bog-dn
|
|
|
Group: Forum Members
Posts: 1,
Visits: 10
|
Hello,
There is still a question that apparently hasn't been discussed anywhere on the Internet: What to do if I have already received iota to a used address? This happened to me recently and when I tried sending them to a new address, generated from a new seed I received the following error: private key reuse detected!
Then I tried using the android wallet, as some people suggested, but received the same error.
Do you have any other ideas how to transfer those funds? Or are they irreversibly locked now?
From what I understood, it's not fundamentally impossible to send them, just the GUIs won't let me do it.
|
|
|
|
|
Winston
|
|
|
Group: Administrators
Posts: 3.6K,
Visits: 6.8K
|
+xHello, There is still a question that apparently hasn't been discussed anywhere on the Internet: What to do if I have already received iota to a used address? This happened to me recently and when I tried sending them to a new address, generated from a new seed I received the following error: private key reuse detected! Then I tried using the android wallet, as some people suggested, but received the same error. Do you have any other ideas how to transfer those funds? Or are they irreversibly locked now? From what I understood, it's not fundamentally impossible to send them, just the GUIs won't let me do it. @bog-dn You can use the command line wallet or any other non-GUI wallet. You're correct that it's not fundamentally impossible to force address reuse, but it's just the GUIs that have built-in mechanisms to prevent it from happening
|
|
|
|
|
al
|
|
|
Group: Forum Members
Posts: 6,
Visits: 21
|
I have been following the discussion; It seems that a normal use-case for bit-coins is not possible or at least highly not recommended for itoa.
It is common to post an address on a website or email asking for donations or payments. The problem with iota is that once I harvest the iota from an address it becomes important that no more iotas get sent to that address. Therefore; this type of use case is not really possible with iotas since the maintenance of new donation addresses in websites is hard and impossible for emails and business cards.
How is this to be handled with hardware, I'm thinking IOT products. If a product is receiving payments on an address that has been given to its users and then it needs to harvest the iotas and send them on to the owner of the device; will it then have to reprovision all the users to send payments to a new address?
If a product make a payment it must create a new address with which to use for the next payment but how does it convey to the user of the product the new send payments address?
I'm just starting my education on this but I ran into this almost immediately. I saw folks asking for iota donation in their posts but once they harvest those itoa they have to hope noone else sends them anything.
Maybe the answer is "hey dr, it hurts when i do this; ans just dont do that." ie: dont ask for donations using iota. You will still need your bitcoin, nxtcoin, monero, whatever wallet.
Is there a best practice guide for future iot system designers?
|
|
|
|