Hacking Deterministic
Bitcoin Addresses
Michael McKinnon - @bigmac
This talk is ONLY about Bitcoin
Bro, wanna buy some #sheepcoin?
2
I won’t be outing Satoshi
#whoissatoshi
3
I’m not a Lawyer,
This is not legal advice.
Just because something is technically
possible doesn’t mean it isn’t stealing…
…even in a decentralised world.
4
https://bit.ly/2HjT7aq
5
Bitcoin Addresses 101
16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
6
Bitcoin Addresses 101
16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
Generated offline.
An address is something you can prove
you created when it comes time to spend.
7
Bitcoin Addresses 101
Never includes 0,O,I,l
16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
Base58Check decode…
3e546d0acc0de5aa3d66d7a920900ecbc66c20314648aa13
Which consists of…
3e546d0acc0de5aa3d66d7a920900ecbc66c2031 + 4648aa13
( Hash160 + Checksum )
8
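The decode on this slide, as an added example that is not part of the original talk: it splits a Base58Check address into version byte, Hash160 and checksum, then recomputes the checksum as the first four bytes of a double SHA256. The function names are assumptions made for illustration.

```python
import hashlib

# Base58 alphabet: digits and letters without 0, O, I and l.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58_decode(text):
    """Decode a Base58 string to bytes; each leading '1' is one leading zero byte."""
    num = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body

def decode_address(address):
    """Return (version, hash160_hex, checksum_hex) or raise ValueError."""
    raw = base58_decode(address)
    if len(raw) != 25:
        raise ValueError("expected 1 version byte + 20-byte Hash160 + 4-byte checksum")
    payload, checksum = raw[:-4], raw[-4:]
    # The checksum covers the version byte and the Hash160.
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: address is mistyped or corrupted")
    return payload[0], payload[1:].hex(), checksum.hex()

if __name__ == "__main__":
    # Address from the slide; version 0 is the leading "1" (a 0x00 byte).
    print(decode_address("16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav"))
    # The bc1... address from the earlier slide is not Base58Check at all.
    try:
        decode_address("bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq")
    except ValueError as err:
        print("rejected:", err)
```

The slide's hex string omits the leading 0x00 version byte, which Base58 carries as the first "1" of the address.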
Hash 160 | blockchain.info
9
Address = RIPEMD160(SHA256(Public Key))
Private Key -> Elliptic Curve Function -> Public Key -> Bitcoin Address
Public Key:
04B568858A407A8721923B89DF9963D30013639AC690CCE5F555529B77B83CBFC76950F90BE717E38A3ECE1F5558F40179F8C9502DECA11183BB3A3AEA797736A6
Bitcoin Address:
3e546d0acc0de5aa3d66d7a920900ecbc66c2031
10
y^2 = x^3 + 7
Magic stuff happens!
11
secp256k1
12
“y^2 = x^3 + 7”
“G”
“n”
13
Just pick a number
between 1 and …
115,792,089,237,316,195,423,570,985,008,687,907,852,
837,564,279,074,904,382,605,163,141,518,161,494,337.
78 digits long.
115 quattuorvigintillion!
14
So, it’s “just” 256-bits…
So the only thing protecting anybody’s
Bitcoin is 256 bits of random data?
That’s actually pretty awesomely secure.
Impossible vs. Improbable.
Challenge Accepted!
15
https://lbc.cryptoguru.org/
16
Other than brute-forcing the
key space, what else?
17
Introducing
“Brain Wallets”
Why remember 256-bits of stuff,
when you can just remember a password!
What could possibly go wrong?
18
“password”
SHA256(“password”)
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
As a Bitcoin address?
16ga2uqnF1NqpAuQeeg7sTCAdtDUwDyJav
19
The address for “password”
has been used 45,010 times!
20
Okay, time to build.
a.k.a Designing the Bitcoin Death-ray.
21
[Diagram: matching pipeline]
Bitcoin Server (bitcoin core) -> parse blk*.dat files (rusty-blockparser) -> sort | uniq bitcoin “1*” addresses -> Lists of sorted addresses (340,086,675)
Password Lists, Other stuff? -> generate deterministic addresses (btcthumper, file2addr) -> generated addresses
Lists of sorted addresses + generated addresses -> Match?
Password lists?
Get a big password dump list…
Results
193,230,656 addresses, found = 12,421 (0.0064%)
23
[Chart: 91.8% junk; 1,018 other]
24
“Passwords” Found
kkkkkkkkkkkkkkkk - 0.005 BTC
12EMX7CANb7iGu4SMb3MTEg3oZ6Trz1gUF
deadsheep - 14.299101 BTC
12P5JTb5kWF5h8kRCwTjTYXbwQ7RKoo5kb
asdfghjkloiuytrewq - 18.24654206 BTC
19jcvAMdZvFJcrDzzvox6pjQK9fHSqfhMw
25
Numbers?
Generate lots of numbers… e.g. PIN, Passcode
0 … n
Results
0 to 15,000,000 addresses, found 37 (0.00025%)
26
Number Results!
0, 1, 2, 6, 39, 42, 52, 66, 83, 111, 123, 398,
420, 666, 1234, 1324, 1337, 1728, 2007, 2539,
5000, 8419, 12345, 30000, 31337, 123123,
123456, 123654, 198921, 324855, 345644, 424242,
491278, 1234567, 12345678, 8964009, 9017002
27
Birthdates?
Generate birthdates from 1/1/1900 - 19/6/2020
19000101, 01011900, 1900-01-01, 01/Jan/1900
Results
70,400 addresses, found 3 == 0.0043%
28
Birthdates Found
28081967 - 0.005 BTC
1DEihiioBnxj9EMG8A97vDTXZurzQusCQw
02011980 - 0.001 BTC
1Bosy3yuTPiT3MMEAk9RSn3iLkZA9mvGGm
20051981 - 0.01 BTC
1Mt2sKNWhYiDZ7wBh4guZJur44acV3Pr4s
29
Epoch?
Generate epoch timestamps…
e.g. 1415319076 = Friday, 7 November 2014 12:11:16 AM
Results
9,095,889 addresses, found 0
30
What else?
https://pastebin.com/jCDFcESz
31
Block hashes?
Oh no, he’s about to mention “blockchain”…
000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
Results
500,000 addresses
Method 1 “String”: found 0
Method 2 “Binary”: found 0
Method 3 “Double SHA256”: found 0
(Not sure why my results didn’t match the Pastebin post)
32
Other Experiments…
Different encoding - what other deterministic things could produce 256 bit output? e.g. 1/2 of a SHA512
Multiple iterations of encoding - SHA256(“password”) x 1,975 times.
Previous transaction IDs
Consider dev mistakes that might get made…
33
Oops…?
echo -n "" | shasum -a 256
34
Other Weaknesses?
(time permitting)
35
Public Key Collision?
The HASH160 value is only 160 bits long,
but it’s derived from a 256 bit input.
Theoretically, more than one public key
could result in the same HASH160 value.
Who knows what the future may hold.
36
Much Randomness
java.util.Random()
Opportunities to look for
any weaknesses in
generating private keys.
37
ECDSA Exposure
Bitcoin addresses rely on ECDSA to verify
transactions.
ECDSA uses a random value to generate
the signature.
http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
38
Take Aways
- Problem applies to many other cryptocurrencies
- Managing keys is hard (e.g. PGP), Hardware Wallets?
- Which path to take?
Massive Rainbow-like table, monitor P2P transactions, and MONEY GRAB.
White-Hat Services to warn people about lame arse addresses? Bridge the gap.
39
Such a waste…
40
Thank You!