ADIL 🦂 丰 ₿ ⚡
npub1vm6…srrc
2025-01-15 17:04:34


How Generating Private Keys Became a Pain

Absolutely everyone who has ever used crypto first encountered a seed phrase or private key when creating a wallet.

You are given this key, and you calmly believe that this piece of code will reliably protect your funds. But the systems on which everything is built are not always ideal.

Milk Sad Disclosure
Considering how far development has come since 2014-2015 and earlier, it is surprising that a mistake like the one in Libbitcoin Explorer could even surface in 2022.

The bx seed console command in Libbitcoin Explorer versions 3.x uses a Mersenne Twister pseudo-random number generator (PRNG) initialized with 32 bits of the system time. https://en.wikipedia.org/wiki/Mersenne_Twister#Disadvantages

// What's funny is that the popular "Mastering Bitcoin" documentation also suggests using bx seed to generate wallets https://aantonop.com/books/mastering-bitcoin/

Do you even understand what this means? o_0

Secure cryptography involves using huge, unguessable numbers. If the private key generator is weak, the results of the generation will be compromised in almost all cases.

And in the case of Milk Sad, the private key was based on a 32-bit time-based seed.
That is, at the moment of generation, the timestamp (literally, what time it is on the computer) was taken and turned into the 32-bit seed from which the private key was generated.
Source code on GitHub: https://github.com/libbitcoin/libbitcoin-system/blob/a1b777fc51d9c04e0c7a1dec5cc746b82a6afe64/src/crypto/pseudo_random.cpp#L77

In this case, the practical security of the wallet is reduced from 256 bits to only 32 bits of unknown key information.

A 32-bit key space is 2^32, or 4,294,967,296 unique combinations.
To put that in perspective, a good gaming PC can go through this many values in just one day.
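The difference between the two approaches, as an added example that is not part of the original post and is not libbitcoin's code: a simplified model of a time-seeded Mersenne Twister next to entropy read from the operating system. The function names and the use of /dev/urandom (Linux/Unix) are assumptions made for this illustration.

```cpp
#include <array>
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <random>

using Entropy = std::array<std::uint8_t, 32>;  // 256 bits of wallet entropy

// Hypothetical helper: truncate the clock to 32 bits, as a time-seeded PRNG does.
std::uint32_t clock_seed() {
    auto ticks = std::chrono::high_resolution_clock::now().time_since_epoch().count();
    return static_cast<std::uint32_t>(ticks);  // everything above bit 31 is discarded
}

// WEAK (simplified model): all 32 output bytes are a pure function of one
// 32-bit seed, so at most 2^32 distinct results can ever be produced.
Entropy weak_entropy(std::uint32_t seed) {
    std::mt19937 prng(seed);  // Mersenne Twister, not a cryptographic generator
    Entropy out{};
    for (auto& b : out) b = static_cast<std::uint8_t>(prng() & 0xff);
    return out;
}

// HARDENED: take every one of the 256 bits from the kernel CSPRNG.
bool strong_entropy(Entropy& out) {
    std::FILE* f = std::fopen("/dev/urandom", "rb");
    if (!f) return false;  // fail closed: never fall back to a weak source
    std::size_t n = std::fread(out.data(), 1, out.size(), f);
    std::fclose(f);
    return n == out.size();
}

static void print_hex(const char* label, const Entropy& e) {
    std::printf("%-7s", label);
    for (auto b : e) std::printf("%02x", b);
    std::printf("\n");
}

int main() {
    std::uint32_t seed = clock_seed();
    print_hex("weak", weak_entropy(seed));
    print_hex("weak", weak_entropy(seed));  // same seed, identical "random" bytes
    Entropy strong{};
    if (!strong_entropy(strong)) return 1;
    print_hex("strong", strong);            // differs on every run
    return 0;
}
```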

Why was the vulnerability named "Milk Sad"?
Running bx seed on 3.x versions with system time 0.0 always generates the following seed phrase: "milk sad wage cup reward umbrella...."

The main theft happened in 2023, although the initial exploitation probably started even earlier. Still, not much money was stolen, probably around $1M.

But this is just the beginning of the madness.
Author Public Key
npub1vm68u0w0uhyjsx6rd062u3pufzfa8sd30njsxg3lsppa80aalvhs8gsrrc