1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <gmaxwell@gmail.com>) id 1WLIpQ-0002X0-Aa
for bitcoin-development@lists.sourceforge.net;
Wed, 05 Mar 2014 20:54:12 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.217.175 as permitted sender)
client-ip=209.85.217.175; envelope-from=gmaxwell@gmail.com;
helo=mail-lb0-f175.google.com;
Received: from mail-lb0-f175.google.com ([209.85.217.175])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1WLIpP-0001J5-GM
for bitcoin-development@lists.sourceforge.net;
Wed, 05 Mar 2014 20:54:12 +0000
Received: by mail-lb0-f175.google.com with SMTP id w7so1106685lbi.34
for <bitcoin-development@lists.sourceforge.net>;
Wed, 05 Mar 2014 12:54:05 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.152.5.136 with SMTP id s8mr127221las.55.1394052844922; Wed,
05 Mar 2014 12:54:04 -0800 (PST)
Received: by 10.112.189.164 with HTTP; Wed, 5 Mar 2014 12:54:04 -0800 (PST)
In-Reply-To: <20140305203222.GD24917@tilt>
References: <CANEZrP25N7W_MeZin_pyVQP5pC8bt5yqJzTXt_tN1P6kWb5i2w@mail.gmail.com>
<53174F20.10207@gmail.com> <20140305193910.GA24917@tilt>
<CAAS2fgR+q4fDs3JfX9az8b17Dk7VKjC3SxYja-2spwU-kM74fA@mail.gmail.com>
<20140305203222.GD24917@tilt>
Date: Wed, 5 Mar 2014 12:54:04 -0800
Message-ID: <CAAS2fgRTuOaSbTqnCOp=783gLCeh7ZU0FWbxzMS6pe8WKPTcLQ@mail.gmail.com>
From: Gregory Maxwell <gmaxwell@gmail.com>
To: Peter Todd <pete@petertodd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(gmaxwell[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1WLIpP-0001J5-GM
Cc: Bitcoin Development <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] New side channel attack that can recover
Bitcoin keys
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Wed, 05 Mar 2014 20:54:12 -0000
On Wed, Mar 5, 2014 at 12:32 PM, Peter Todd <pete@petertodd.org> wrote:
> That's nice, but I wrote my advice to show people how even if they don't
> know any crypto beyond what the "black boxes" do - the absolute minimum
> you need to know to write any Bitcoin software - you can still defend
> yourself against that attack and many others.
But it's still incomplete.
Say you have an address=E2=80=94 used only once!=E2=80=94 with a txout with=
a lot of value.
Someone starts paying you small amounts to that address over and over
again. You haven't asked them to, they're just doing it.
Do you ignore the funds?=E2=80=94 maybe tell some customer that was ignoran=
tly
paying you over and over again to a single address "sorry, those are
my rules: I only acknowledge the first payment, those funds are
lost!".
No, of course not. You spend the darn coins and if you're on a shared
host perhaps you disclose a private key.
The probability of an attack actually going on is low enough compared
to the cost of spending the coins in that case that even someone with
good knoweldge of the risks will choose to do so.
So absolutely, not reusing addresses massively increases your safety
and limits losses when there is theft. But it isn't enough alone. (Nor
is smarter signing, considering complex software like this has bugs
and its hard to be confident that something is side channel free=E2=80=94 e=
sp
when you allow attacker interference).
|
