Proposals icon indicating copy to clipboard operation
Proposals copied to clipboard
verified publisher icon EthereumCommonwealth

Detect insecure addresses without having access to private key | Public API

Open amj24 opened this issue 7 years ago • 5 comments

Proposal

Offer a public API for Ethereum based addresses to detect insecure addresses without having access to private key.

Description

Background: I made random checks on several blockchain projects to evaluate the safety of the addresses used. I collect all addresses in the blockchain and check them against my database of addresses generated with dummy private keys.

You might wonder why? Basically I do it for fun and out of curiousty too, no harm was intended.

While evaluating addresses on the CLO blockchain, I have found several addresses that have positive balance. Some addresses seem old and actually active. They have one of the weakest private keys ever. Unsecure addresses could probably be generated due to bad code (dev stage of app/software) or end user (new comers) there is a risk of fund loss.

The idea & solution: As soon as I noticed the issue I started wondering what is the best option to notify / alert the owners of such addresses. Definitely showing that publicly on a block explorer is not a good idea as it might encourage a targeted attack. So as long as the user has access to the wallet (see possible use cases below), it should be the safest option.

Solution: Create a database of addresses based on dummy private keys that are weak / leaked (see milestone section down).

Project Goals: Reduce the risk of using vulnerable private keys.

Warn end-user if:

  • His wallet contains addresses generated with weak private keys.
  • He attempts to send coins to a non-secure address.

=> Offer higher reliability for the community especially the ones who lack proper knowledge. Less frustration = More trust.

Possible Use cases: (Callisto web wallet) Any Ethereum based wallet with access to this API can discretely show a warning message to the end user (see screenshot message highlighted in red located in the right, click on the image to view full size )

image001

A user attempts to send coins to an address with weak PK, can get a helpful message. Especially in the event of migrating coins to another wallet. See the message under “To address” Box

image002

Other use cases: Any 3rd party app that wants to work in a secure environment, CLO nodes can show an informative message when dealing with similar addresses in the mainnet.

Milestones:

  1. Basic database: Cover the most obvious weak keys Example: 0000000000000000000000000000000000000000000000000000000000000001 1111111111111111111111111111111111111111111111111111111111111111 2222222222222222222222222222222222222222222222222222222222222222

With Permutations and slight changes, it’s possible to cover millions of private keys. I can showcase private keys generations in a short video.

  1. Private keys generated with the help of security dictionaries such as https://github.com/topics/dictionary-attack

  2. Private keys that are leaked publicly. (require an active crawler)

Only addresses will be produced without any private key attached. These addresses might to be saved in an integer friendly format so it can be indexed and retrieved easily.

Disclaimer: As a believer in CLO, I would like to offer it exclusively for Callisto network. I can provide the data and/or the API access itself and maintain it. The main goal of this project is to protect the community. I do not plan to commit any unlawful activity.

Funding goal

50K CLO / month to provide and maintain the API.

my address: 0xf07Bc0D791103480F8F0Ee95F1b2758627D9a080

amj24 avatar Dec 11 '18 17:12 amj24

I see the status of my proposal has changed, thanks Dexaran for taking the time to check my proposal.

I am happy to respond to any concerns, also open to suggestions too.

amj24 avatar Jan 29 '19 01:01 amj24

@amj24 I think that it may be a useful proposal, however I'd like to clarify some of its aspects.

This is a good idea to create a source of insecure addresses with bad private keys (I don't think that this is the greatest concern for the industry, however it can save some "not so smart" users) and provide API. This service alone is not so useful thing, but if it will be coupled with CEW or MEW then it can be a good option.

At the other hand, maintaining API is not that important if we can just hardcode a list of insecure addresses in CEW and periodically update it (say once a month).

CEW (MEW) must check whether the unlocked address is insecure according to the addresses list and pop up a big red banner saying "Warning! Your funds are insecure, please create one more address and transfer your funds there". This is not a problem of Callisto, but this is a global problem of all Ethereum-compatible networks. That's why I think that this must be chain-independent. If the address had some transactions on Callisto network then the same address is insecure in Ethereum, ETC, UBQ, Musicoin and other Ethereum-compatible networks.

  1. You need to create a list of addresses with bad private keys.

  2. You should publish a kind of documentation (which addresses you think are weak) and publish the source codes of scripts that you used.

  3. You need to submit a patch to ClassicEtherWallet (https://github.com/EthereumCommonwealth/etherwallet) with the implementation of addresses list, check of the unlocked address, pop-up warning banner.

I'm ready to negotiate the funding goal of this proposal.

Dexaran avatar Feb 04 '19 07:02 Dexaran

@amj24 are you still interested in this proposal development?

Dexaran avatar Feb 18 '19 18:02 Dexaran

@Dexaran I am interested. In fact, I am working on a prototype.

At first glance it might seem that only “not so smart users” are the ones who can benefit most here but I believe the use cases are actually limitless, it can be used by anyone: nodes, wallets, exchanges and end users. I believe that exchanges will be very interested in operating in safe environment and dealing with secure addresses since it reduces the issues among their end customers. It took me plenty of time to do the research and evaluate the risks. I was doing it for fun initially. Once I found some positive balances, I didn’t want to bother a lot and started looking for possible solutions to prevent that and that brought me here to bring light to this matter.

Anyway, here is my take on the points that you have proposed.

  1. The list is huge and will grow with time; the current list that I hold has over 50 million addresses with weak private keys with a focus on a specific pattern. (Only few have blockchain records, however. I can release the number that I have against this database for Callisto if requested)

  2. I believe that writing public documentations/details of these matters has its own risks since the same approach can be used nearly in any crypto currency project. I chose Ethereum as a start. I made the proposal here because I see the potential in Callisto and want to be a contributor here. There are people with better computing power than me if they just use or upgrade the code that I have, it can end up really bad for many crypto projects.

  3. I have no problems with making the patches for CLO’s Etherwallet, the dataset has to be hosted somewhere in a way that’s hard to query and reverse engineer, for extra safety purposes. I can take care of that.

My goal is to list addresses only, no private keys attached or stored in any form or anywhere in the API server(s). The project will evolve with time and I thought about the API as a starting point that I can deliver.

I am still going to finish up with the project. I want to support as many blockchain projects as possible. I strongly invite Callisto to make a contribution to this project and in return Callisto will be mentioned as an honorary founder/sponsor to this project and have access to the API for life.

I can make a prototype live by the end of this month so I can showcase a working product.

amj24 avatar Feb 21 '19 10:02 amj24

  1. I believe that writing public documentations/details of these matters has its own risks since the same approach can be used nearly in any crypto currency project. I chose Ethereum as a start. I made the proposal here because I see the potential in Callisto and want to be a contributor here. There are people with better computing power than me if they just use or upgrade the code that I have, it can end up really bad for many crypto projects.

Security through obscurity is not that good approach. I'm still in favor of transparent description.

My goal is to list addresses only, no private keys attached or stored in any form or anywhere in the API server(s). The project will evolve with time and I thought about the API as a starting point that I can deliver.

Yet I don't see any real benefit in maintaining API servers after the creation of the database of insecure addresses. In my opinion it would be better to publish the database and store it, for example, in IPFS.

I'm accepting this proposal for now and you will receive payments as soon as you publish the working product, but this may be reconsidered later.

Dexaran avatar Feb 21 '19 19:02 Dexaran