Most people use either an app, an online platform, or a small hardware device as a wallet to store their cryptocurrency safely. The exchanges through which cryptocurrency changes hands, though, and other high-stakes operations need something more like a massive digital bank vault. At the Black Hat security conference on Thursday, researchers detailed potential weaknesses in these specially secured wallet schemes, including some that affected real exchanges and have now been fixed.
The attacks aren't the digital equivalent of jackhammering a weak point on a safe or blowing up a lock. They're more like opening an old-timey bank vault with six keys that all have to turn at the same time. Breaking cryptocurrency private keys into smaller chunks similarly means an attacker has to cobble them together first to steal funds. But unlike distributing physical keys, the cryptographic mechanisms that underlie multiparty key management are complex and difficult to implement correctly. Mistakes could be costly.
"These organizations are managing a lot of money, so they have quite high privacy and security requirements," says Jean-Philippe Aumasson, cofounder of the cryptocurrency exchange technology firm Taurus Group and vice president at Kudelski Security. "They need a way to split the cryptocurrency private keys into different components, different shares, so no party ever knows the full key and there isn't a single point of failure. But we found some flaws in how these schemes are set up that are not just theoretical. They could really have been carried out by a malicious party."
For the work, Aumasson, a cryptographer, validated and refined vulnerability discoveries made by Omer Shlomovits, cofounder of the mobile wallet maker ZenGo. The findings break down into three categories of attacks.
The first would require an insider at a cryptocurrency exchange or other financial institution exploiting a vulnerability in an open-source library produced by a prominent cryptocurrency exchange that the researchers declined to name. The attack takes advantage of a flaw in the library's mechanism for refreshing, or rotating, keys. In distributed key schemes, you don't want the secret key or its components to stay the same forever, because over time an attacker could slowly compromise each part and eventually reassemble it. But in the vulnerable library, the refresh mechanism allowed one of the key holders to initiate a refresh and then manipulate the process so some components of the key actually changed and others stayed the same. While you couldn't merge chunks of an old and new key, an attacker could essentially cause a denial of service, permanently locking the exchange out of its own funds.
Most distributed key schemes are set up so only a predetermined majority of the chunks of a key need to be present to authorize transactions. That way the key isn't lost entirely if one portion is accidentally eliminated or destroyed. The researchers point out that an attacker could use this fact to extort money from a target, letting enough portions of the key refresh, including the one they control, that they can contribute their portion and restore access only if the victim pays a price.
The researchers disclosed the flaw to the library developer a week after the code went live, so it's unlikely that any exchanges had time to incorporate the library into their systems. But because it was in an open-source library, it could have found its way into numerous financial institutions.
In the second scenario, an attacker would focus on the relationship between an exchange and its customers. Another flaw in the key rotation process, in which it fails to validate all of the statements the two parties make to each other, could allow an exchange with malicious motivations to slowly extract the private keys of its users over multiple key refreshes. From there a rogue exchange could initiate transactions to steal cryptocurrency from its customers. This could also be carried out quietly by an attacker who first compromises an exchange. The flaw is in another open-source library, this time from an unnamed key management firm. The firm does not use the library in its own offerings, but the vulnerability could have been incorporated elsewhere.
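To make the refresh mechanism behind both flaws concrete, here is an added illustration (not the researchers' code or either library's) of a threshold key split with Shamir sharing and refreshed by adding shares of zero. It assumes toy-sized constructed parameters (a 1019-element field and Feldman commitments in a 2039-element group) and shows the two checks the article's flaws turn on: every holder must verify its refresh value against a published commitment before applying it, and a refresh must be applied by all holders or by none, since a mix of refreshed and unrefreshed shares no longer reconstructs the key.

```python
import secrets

# Toy-sized parameters, constructed for illustration only: shares live in Z_Q,
# commitments in the order-Q subgroup of Z_P* (P = 2Q + 1, generator G = 4).
Q, P, G = 1019, 2039, 4

def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[j] * x**j) mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def share(secret, t, n):
    """Shamir split: degree t-1 polynomial with constant term = secret, shares at x = 1..n."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any t shares (dict index -> share)."""
    total = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def make_refresh(t, n):
    """Refresh dealer: shares of zero (constant term 0) plus Feldman commitments G**a_j."""
    coeffs = [0] + [1 + secrets.randbelow(Q - 1) for _ in range(t - 1)]  # nonzero, so the effect is visible
    deltas = {i: poly_eval(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(G, c, P) for c in coeffs]  # commits[0] == 1 iff the secret itself is unchanged
    return deltas, commits

def verify_delta(i, delta, commits):
    """Holder i checks its delta against the published polynomial before applying it."""
    expected = 1
    for j, c in enumerate(commits):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return commits[0] == 1 and pow(G, delta, P) == expected

def refresh_round(shares, deltas, commits):
    """All holders verify, then all apply; any rejection aborts so nobody ends up out of sync."""
    if not all(verify_delta(i, deltas[i], commits) for i in shares):
        return None
    return {i: (s + deltas[i]) % Q for i, s in shares.items()}
```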
Read the rest here:
Flaws Could Have Exposed Cryptocurrency Exchanges to Hackers - WIRED