Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Mike Hearn <mike <at> plan99.net>
Subject: Android key rotation
Newsgroups: gmane.comp.bitcoin.devel
Date: Sunday 11th August 2013 16:28:13 UTC (over 3 years ago)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I hope you are having a pleasant weekend. A few days ago we learned
that the Android implementation of the Java SecureRandom class
contains multiple severe vulnerabilities. As a result all private keys
generated on Android phones/tablets are weak and some signatures have
been observed to have colliding R values, allowing the private key to
be solved and money to be stolen.

The public security alert is here:

http://bitcoin.org/en/alert/2013-08-11-android

I will shortly post in the bitcointalk forums as well.

An update for the Bitcoin Wallet app has been prepared that bypasses
the system SecureRandom implementation and reads directly from
/dev/urandom instead, which is believed to be functioning correctly.
All unspent outputs in the wallet are then respent to this new key.

The process is automatic and does not involve user intervention.
Andreas can control the process via a percentage throttle, which we
will use to slow things down if the memory pool load gets too high.

A fixed APK is available here:

https://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15-beta.apk&can=2&q=

Andreas plans to release this to beta either today or tomorrow. Once
some reasonable population of users has completed testing the
automated re-keying process, it will be released via the Play Store.
All users will get a notification informing them of the new version
and some will be upgraded automatically.

Other wallet maintainers have also been notified and are working on
similar updates.

thanks
- -mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJSB7udAAoJEPLkhhyZiIFvv7QIAJQf5AqpNdo0hWSubvcXu6H9
QoYJllZRb3KhjDEaFU5xinvrN3co6mqRqctbhP2JplrwebEczd8GN4jJZyn90oES
7oydQsnYGyO1+W64dnMjOXSCsvIerAv1TuYDIeRmVFlWzXEAbEK3QTB7G/qciF5x
YNh5M94HYFTCTzDwc3oCHJQUzbl/X/BwPS8TITmEZ3gfYDi+hoyUmHlZukjtFZf+
/ukDqzWPswscUseuXlUqfu7EMbV0cFO2niCwuTsmkvxkjsz35bPD1LxMYmm1qEjw
FeKINcws74okK7pnAqsHYIiP0d64zOwfQFJqfFyek18f0LSqYf32h3h1F8GbmJU=
=bZtl
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
 
CD: 3ms