Old Ripple Software’s Libraries Contained Private Key Vulnerability


Using an ECDSA key to sign a second time with the same nonce makes the key easy to compute, as confirmed by several successful attacks carried out by cryptographers.

American startup Ripple, whose cryptocurrency XRP currently ranks second by market capitalization, published an official announcement stating that Ripple (XRP) software libraries released before August 2015 made private keys used to sign several transactions potentially vulnerable.

This came to light through research by the DFINITY fund and a Californian university. In addition to Ripple, some Bitcoin and Ethereum addresses turned out to be vulnerable, too.

As cryptographers know, the security of the Elliptic Curve Digital Signature Algorithm (ECDSA) used by the cryptocurrencies mentioned above depends on random data. If an ECDSA private key is ever used to sign two messages with one and the same signature nonce, the private key becomes an easy target for attackers. The researchers claim that they successfully hacked hundreds of Bitcoin addresses and several Ethereum addresses, SSH (remote management for Unix-like systems) and HTTPS keys, and one XRP private key, due to weaknesses in the so-called one-use numbers (nonces). As they explain, the potential consequences of such vulnerabilities may be considerable. In the case of cryptocurrencies, these keys give anyone the opportunity to steal money from the linked accounts. In the case of SSH or HTTPS, these keys make it possible to impersonate the end host.

Nevertheless, the authors of the research believe the issue can be solved. All the attacks discussed in the research can be prevented with deterministic generation of ECDSA nonces, which is already implemented in the standard Bitcoin and Ethereum libraries.

According to Ripple, deterministic nonce generation has also been part of its software since August 2015. This also protects addresses that interact with the blockchain using the newer software libraries.

Although cryptography is still far from perfect, centralized systems such as exchanges are attacked more often and more successfully than those protected by private keys, the research states. The researchers gained access to approximately $54 in Bitcoin and $14 in Ethereum while carrying out the attacks.


Bitcoin SV [BSV] wallet to be used as smart card authenticating device: Craig Wright


Bitcoin SV, emerging from the Bitcoin Cash hardfork in mid-November, may have found an additional usage through its biggest proponent. Craig Wright, the chief scientist at the nChain and primary backer of Bitcoin SV or Satoshi’s Vision, has now formulated an application to use the cryptocurrency’s wallet for smart-card based system authentication.

In a Medium post titled, “Smart-card-based mobile wallets,” Wright explained the Bitcoin SV wallet for secure system access. This application will be based on nChain’s patent innovation on ECDSA [Elliptic Curve Digital Signature Algorithm] and will allow security and secure access using biometric smart cards.

Wright affirms that the application will even comply with the Anti Money-Laundering/ Know-Your-Customer (AML/KYC) norms and can be used to authenticate identity documents like passports.

He stated in the post:

“The data used in the process below can be saved publicly without any loss of security, written onto the blockchain, or backed up otherwise that allows recovery if it is ever lost.”

The five main pillars of success of this technology spelled out by nChain are: Security, Authenticity, Ease of Use, Authorised Access, and Speed and Reliability. Privacy and control are also maintained, limiting the undue influence of the government.

In addition to the wallet, a smartphone application can also be used, thereby allowing users to save their data in any device they like. The phone app will send the hash of the transaction and the “coin secret (wallet value)” to the smart card using a public key for authentication.

The wallet will hence require a card to sign in, increasing the security. Wright suggests that this application could be used to enhance the security of wallets like Handcash and Centbee.

Separate wallets can be created for different devices, for any reason, providing a specific and streamlined function. Wright suggests this application provides better flexibility than the hardware wallet Ledger, which he describes as being “clumsy and antiquated”.

Moreover, for additional security, a backup of the smart card can be stored in a safe and access is provided through a two-step authentication from the app and card together with the user’s biometrics.

The card can also be used to encrypt information on personal devices such as computers, laptops, tablets and more by using nChain’s patent which allows the sharing of a secret value between two nodes.


Aakash Athawasya


Ripple: Only XRP Private Keys That Used Software From Before August 2015 Are Vulnerable


Ripple (XRP) software libraries published before August 2015 potentially rendered private keys which signed multiple transactions vulnerable, Ripple announced in a statement released on Jan 16.

Recent research jointly conducted by the DFINITY Foundation and the University of California revealed that a portion of Bitcoin (BTC), Ethereum (ETH) and Ripple addresses are vulnerable.

As is known among cryptographers, the security of the Elliptic Curve Digital Signature Algorithm (ECDSA) employed by the aforementioned cryptocurrencies is highly dependent on random data, known as nonces. The research further explains:

“It is well known that if an ECDSA private key is ever used to sign two messages with the same signature nonce, the long-term private key is trivial to compute [crack].”

The researchers claim to have successfully hacked hundreds of Bitcoin, some Ethereum, SSH (remote control for Unix-like systems) and HTTPS private keys, and one XRP private key, thanks to so-called biased nonces (nonces with a low degree of randomness). As the researchers explain, the consequences of such vulnerabilities are vast:

“In the case of cryptocurrencies, these keys give us, or any other attacker, the ability to claim the funds in the associated accounts. In the case of SSH or HTTPS, these keys would give us, or any other attacker, the ability to impersonate the end hosts.”

Still, the paper explains that such vulnerabilities can be prevented:

“All of the attacks we discuss in this paper can be prevented by using deterministic ECDSA nonce generation, which is already implemented in the default Bitcoin and Ethereum libraries.”

According to Ripple, deterministic nonce generation has also been part of their software since August 2015. This feature also makes addresses that interacted with the blockchain employing newer software libraries safe from this vulnerability.
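The deterministic nonce generation named above is specified in RFC 6979. The sketch below is an added example, not code from Ripple, Bitcoin or the paper: it derives the nonce from the private key and the message hash with HMAC, so the signer never depends on a random number generator. It assumes the secp256k1 group order (the curve Bitcoin and Ethereum use) and SHA-256; `DEMO_KEY` is a constructed value.

```python
import hashlib
import hmac

# Order of the secp256k1 group (assumption: the curve used by Bitcoin and Ethereum).
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = Q.bit_length()      # 256 bits
RLEN = (QLEN + 7) // 8     # 32 bytes

def bits2int(data: bytes) -> int:
    """RFC 6979 section 2.3.2: interpret data as an integer, keeping the leftmost QLEN bits."""
    value = int.from_bytes(data, "big")
    excess = len(data) * 8 - QLEN
    return value >> excess if excess > 0 else value

def int2octets(value: int) -> bytes:
    return value.to_bytes(RLEN, "big")

def rfc6979_nonce(private_key: int, message: bytes, hashfn=hashlib.sha256) -> int:
    """RFC 6979 section 3.2: derive the signature nonce k from key and message."""
    h1 = hashfn(message).digest()
    hlen = hashfn().digest_size
    seed = int2octets(private_key) + int2octets(bits2int(h1) % Q)
    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = hmac.new(k, v + b"\x00" + seed, hashfn).digest()
    v = hmac.new(k, v, hashfn).digest()
    k = hmac.new(k, v + b"\x01" + seed, hashfn).digest()
    v = hmac.new(k, v, hashfn).digest()
    while True:
        t = b""
        while len(t) < RLEN:
            v = hmac.new(k, v, hashfn).digest()
            t += v
        candidate = bits2int(t)
        if 1 <= candidate < Q:          # reject 0 and out-of-range values
            return candidate
        k = hmac.new(k, v + b"\x00", hashfn).digest()
        v = hmac.new(k, v, hashfn).digest()

# Constructed demo key, not a real wallet key.
DEMO_KEY = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % (Q - 1) + 1
```

Signing the same message twice yields the same nonce and therefore the same signature, while two different messages yield unrelated nonces, which removes both the repeated-nonce and the biased-nonce failure modes.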

While cryptography is far from perfect, centralized systems like exchanges and single computing systems are successfully attacked much more often than private keys, the research states. The paper further notes that during the research, access was obtained to only about $54 of BTC and $14 of XRP.

As Cointelegraph reported yesterday, the New Zealand cryptocurrency exchange Cryptopia has suspended services after detecting a major hack that has reportedly resulted in significant losses.

Also, news recently broke that a spate of ransomware attacks estimated to have earned hackers 705.08 Bitcoin ($2.5 million) likely came from Russian cybercriminals, not North Korean state-sponsored actors as initially thought.


Vulnerabilities In Bitcoin, Ripple, And Ethereum Digital Signatures Discovered By Researchers

Researchers have just reported vulnerabilities in cryptographic signatures for Ethereum, Bitcoin and Ripple. These vulnerabilities allow attackers to calculate private keys and steal cryptocurrencies from a given wallet. The researchers were able to calculate hundreds of Bitcoin private keys and dozens of Ripple, Ethereum, HTTPS, and SSH private keys using this cryptanalytic attack.

Lattice Attacks Against Weak ECDSA Signatures

According to the paper published by the researchers, it is possible to obtain private keys by analyzing Bitcoin, Ethereum and Ripple signatures. These vulnerabilities occur only in edge cases where the code isn't implemented properly by developers. They can also occur when there is a fault in multi-signature hardware.
The paper emphasizes the resilience of the cryptographic schemes used by cryptocurrencies and also highlights the importance of proper implementation.

Each time a cryptocurrency holder makes a transaction, they need to create a digital signature with an elliptic curve algorithm. The software generates an arbitrary number that may be used only once. This arbitrary number is called a nonce.

The software has to sign each transaction with a unique nonce. If it does not, hackers will be able to calculate the private key of the signer and steal as many tokens as possible. The researchers also found that hackers can continuously monitor a blockchain for repeated nonces to extract money from compromised keys. They can also calculate private keys from signatures that have similar nonces.


The authors of the paper are Dr. Nadia Heninger, an associate professor of computer science at the University of California, and Joachim Breitner, a senior researcher at DFINITY. The vulnerability was as follows:

“The ECDSA digital signature algorithm needs to generate a random number of each signature. The number is called nonce. Note that this nonce is different from the one used in cryptocurrency mining. We exploited nonce vulnerabilities that were implementations that generated values that are much shorter than they should be. Some values shared the least significant bits.”

Using lattices, an advanced form of mathematics, the researchers were able to crack some wallet addresses and find private keys:

“Lattice algorithms allow us to find solutions to systems that are under constrained of linear equations. There are many cryptanalytic techniques that already use lattice algorithms as a building block.”

The paper made it clear that any non-uniformity in the generation of these digital signature nonces can reveal private key information. With enough signatures, hackers can compute private keys and drain the user's wallet.

Is The Vulnerability A Cause For Concern?

According to the report, the majority of cryptocurrency users need not worry about the vulnerabilities. The vulnerabilities can only be exploited if the digital signature code is bugged. There will be no security breaches as long as developers use the right techniques. These vulnerabilities can only be exploited when specific implementations are made.

This kind of attack will be difficult for hackers because it is not cost-effective. They may not profit from launching such an attack because of the amount of time, computational power and electricity they need. This doesn't mean they will not add this new method of attack to their arsenal.

Unique Cryptanalytic Attack Used To Crack Private Keys of Cryptocurrencies


Vinny Lingham, CEO of Civic, on January 11, 2019, predicted that the cryptocurrency might fall below $3,000.

Lingham states that the market would either break down or break out. Bitcoin is trying to decide which way to go, and would therefore trade sideways until the crypto finds a breakout or breakdown direction.

On Thursday, within just a few minutes, Bitcoin shed $250 out of $4000. The volatility pattern of Bitcoin took a new turn. The gains that were made earlier got canceled out. The prices of altcoins reacted intensely to the price drop of Bitcoin. Almost all the cryptocurrencies in the top twenty list by market capitalization shed 11.3% on Friday.

Recent research has identified that hackers are using methods to calculate the private keys of cryptocurrencies. They make use of a unique cryptanalytic attack.

However, these attacks occur only in cases where the developers have not implemented their code properly or in situations that involve faulty multi-signature hardware. Networks that are properly implemented do not suffer these attacks.

Any time a crypto holder is involved in a transaction, they create a cryptographic signature using the Elliptic Curve Digital Signature Algorithm (ECDSA). A nonce is generated by the algorithm. This arbitrary number is to be used just once. It is important for the software to sign with a different nonce each time, otherwise hackers will be able to calculate the private key of the signer.

Hackers continually monitor the blockchain, watching for repeated nonces. Thus, they will be able to extract money from compromised keys. Hackers will be able to calculate the keys from signatures that are different but use similar nonces. In cases where the nonces have similar strings at the beginning and end of the signatures, hackers can exploit it.

The digital signature nonce is different from the nonce used in the cryptocurrency mining process. The chances of a nonce being exploited are greater when the values are much shorter than they should be.

Lattices are an advanced mathematical approach that can be used to crack wallet addresses and identify the private keys. Several cryptanalytic techniques make use of lattice algorithms as a building block.

This need not set most cryptocurrency users into a world of worry, because a hack is possible only when there is a bug in the digital signature code. The security scheme will be secure for as long as it is executed according to the protocol and documented methods. The amount of time and electricity required for this process is too high to make it profitable for attackers.