Trader-to-the-Crown

Need advice for testing my secret key offline for an XRP paper wallet.


1 minute ago, pftq said:

That is what the wallet does already (signs offline and submits online); it's handled by Ripple-lib. Any wallet that uses Ripple-lib would do that. Like you said though, it's hard for most users to verify what's using Ripple-lib or not, and even then it seems most don't realize the signing happens offline.

But there's no way using theworldexchange to sign a tx on an offline PC and move the signed transaction to theworldexchange on an online PC and submit it there is there?

I think that process is important when handling paper wallet keys because even if the wallet is trustworthy, there could be other malicious processes running on your PC that could be capturing your secret key as you enter it.

14 minutes ago, at3n said:

But there's no way using theworldexchange to sign a tx on an offline PC and move the signed transaction to theworldexchange on an online PC and submit it there is there?

I think that process is important when handling paper wallet keys because even if the wallet is trustworthy, there could be other malicious processes running on your PC that could be capturing your secret key as you enter it.

My point was to the original question of verifying a secret key is valid, which you could do by just trying to login on an offline computer. But actually TWE does output the signed transaction in the console log, so you technically could run a local copy on an offline computer and copy-paste that. The relevant part of the JS code is below in the submitTransaction function (the console.log call). To do what you're saying though would require essentially multiple computers (one to sign, one to send), which is not what I see most people would do or find practical. You might start worrying that the way you copy-paste (USB?) might also bring malware to the offline computer. For me, it's more practical to just have two wallets, one that I never send out of or use the private key for (except to verify offline on a local copy of TWE or other wallet) (aka long-term/cold-wallet) and another that I use more often (aka operational/hot-wallet) but keep less funds in.

// ripple-lib signs locally; the signed blob is what gets submitted to the network
var result = api.sign(prepared.txJSON, key);
transaction = result.signedTransaction;
console.log(transaction);

Edited by pftq

1 hour ago, pftq said:

My point was to the original question of verifying a secret key is valid, which you could do by just trying to login on an offline computer. But actually TWE does output the signed transaction in the console log, so you technically could run a local copy on an offline computer and copy-paste that. The relevant part of the JS code is below in the submitTransaction function (the console.log call). To do what you're saying though would require essentially multiple computers (one to sign, one to send), which is not what I see most people would do or find practical. You might start worrying that the way you copy-paste (USB?) might also bring malware to the offline computer. For me, it's more practical to just have two wallets, one that I never send out of or use the private key for (except to verify offline on a local copy of TWE or other wallet) (aka long-term/cold-wallet) and another that I use more often (aka operational/hot-wallet) but keep less funds in.


// ripple-lib signs locally; the signed blob is what gets submitted to the network
var result = api.sign(prepared.txJSON, key);
transaction = result.signedTransaction;
console.log(transaction);


Cool, that's really good to know about how to get the signed transaction from TWE, thank you.

I guess I'm just more paranoid than most when generating keys that I'm going to use to store a lot of value. It comes down to each person's acceptable level of risk - I wouldn't be happy to just accept being told by any software that a key pair was valid, for peace of mind I would rather put in the extra effort and securely submit an actual transaction to prove it. It's not convenient at all, but by its nature a paper wallet is very inconvenient to use. The point of a paper wallet is for better security than any other type of wallet; if I want something secure then I'm willing to put in extra work when setting it up.

For people who can't write code, then I think the best alternative is to use a wallet that they trust, with the built-in capability (e.g. Rippex) to do the 2-computer offline/online tx.

But for people or situations where such complexity isn't required, then I absolutely accept that TWE is a good tool to use to do a simple offline verification of a secret key/wallet address pair.

Regarding securely copy-pasting to/from an offline PC, yeah, again, it's down to how much effort someone's willing to put in. Burning a CD-R should be safer than USB, once you examine what has been burned afterwards. For moving the transaction from offline to online, I think it's acceptable to fully format a USB key and just use that (also make sure autorun is not enabled). To take it a step further, I believe you can fit a transaction into a QR code, which you could print and then scan into the online PC, but I'm not at that level of paranoia yet!

But hey, there's no absolutely "right" way to do things, I'm certainly not saying that you're wrong, this is just my personal preference and it helps me sleep at night. Maybe going to extremes sometimes is more useful psychologically than technically... hmm... I have to think about that...

Edited by at3n

Guest
2 hours ago, pftq said:

using the public and private keys to sign/encrypt a message and then verify/decrypt it, I like that also, although probably too complicated for many to be able to use with confidence

The appeal of this method (especially, the signing part) is that it replicates what happens in a transaction. A transaction is valid if it has been signed with the private key belonging to the originating address. The validators ‘know’ it's OK if they can validate the signature against the same address's public key.

So, if your public & private keys work properly in a simple sign/validate scenario (or encrypt/decrypt if you prefer), you know that they're capable of interacting correctly with the XRP ledger. The Electrum bitcoin wallet illustrates that this sanity-check can be made very user-friendly, but using Electrum for ripple keys is convoluted.

Guest
2 hours ago, pftq said:

You might start worrying that the way you copy-paste (USB?) might also bring malware to the offline computer

Secure communication over short distances is old technology that can be replicated between 2 computers with webcams. Using laptops as Aldiss lamps could be fun, but QR codes probably have higher bandwidth than morse code. Take a look at this project.


@at3n I want to thank you for being so knowledgeable and helpful here... It's unfortunate that Ripple themselves haven't given us the tools needed. Personally I think that is an uncharacteristic mistake on their part.

2 hours ago, at3n said:

But for people or situations where such complexity isn't required, then I absolutely accept that TWE is a good tool to use to do a simple offline verification of a secret key/wallet address pair.

Which is why I used it in response to @Trader-to-the-Crown's question. I believe it meets his requirements.

I was fully aware of the Safari bignumbers.js browser bug, and also aware that pftq had patched it as soon as (s)he was aware of it.

I personally feel the best arrangement is a cold computer creating a paper wallet, and then recreated to sign offline transactions and a QR code to an online wallet. But not everyone wants to go to that degree of effort.

Edited by Tinyaccount
@ symbol fail...

On 5/5/2018 at 4:32 AM, at3n said:

I'll admit that I don't understand the maths behind cryptographic algorithms, but I think that the risk is not that the algorithms will make a mistake, but that either the service (e.g. Bithomp) will not implement the algorithm correctly, or else will deliberately give you the wrong keys in order to steal from you (I'm not accusing Bithomp here of anything, just using it as an example of a service that people trust). Another point to consider is that the key pair might be valid but the software could be generating pre-determined or predictable keys, so that the wallet developer can watch the wallets created by it and steal everything when they start filling up.

Bithomp's paper wallet is open source, uses ripple-lib.

https://github.com/OctillionSA/ripple-paper-wallet

1. Ripple-lib is developed by Ripple, so it's pretty trustworthy to rely on to generate Ripple key pairs correctly.

2. The code is open source; you can verify it.

3. You can download it and run it offline (press close or download).

On 5/4/2018 at 8:17 PM, Trader-to-the-Crown said:

So I know that I can test my secret key for my paper wallet by importing it into Toast Wallet, but that defeats the whole purpose of holding long term in a paper wallet.

I don't want to expose my secret key to a 3rd party wallet software like Toast or Gatehub until I am ready to sell. Once I expose the key to a 3rd party service, I lose the security advantages of having the paper wallet, and yet until I test my secret key I am not comfortable moving my XRP balance into my paper wallet. Feels like a damned if you do, damned if you don't situation.

I heard there is a way to test it offline with something called (nodeJs)? Does anyone know how to do this?

Seems somebody on Reddit is in a similar predicament, but they've yet to get an answer on this either.

So complicated. Someday you'll be able to instantly transfer XRP to your bank. Wild west for sure.

On 5/25/2018 at 4:00 PM, Warbler said:

These links are dead - any other source for equivalent functionality?

4 hours ago, PunishmentOfLuxury said:

These links are dead - any other source for equivalent functionality?

I’m not an expert but I believe:

If you go to https://www.theworldexchange.net/#about

and then disconnect your computer by unplugging Ethernet cable turning off Wifi etc then you have a page that has the required libraries already in your now-offline browser.

If you “login” with your secret key and it doesn’t complain, and gives the correct public address, then that is enough in my uneducated opinion. It has used that key to calculate the public address and if that matches then you are golden.

Close the browser and clear your cache. Unless you have some malware on your computer sniffing your keystrokes, that caches offline and then when connected reports back to the hacker... no one saw it.

This assumes you also don’t have your phone or laptop camera anywhere near the keyboard and or screen.

All of this is for you to consider and research yourself because as I said...  I am not an expert.


Edited by Tinyaccount
Added extra detail about unplugging

3 hours ago, Tinyaccount said:

I’m not an expert but I believe:

If you go to https://www.theworldexchange.net/#about

and then disconnect your computer by unplugging Ethernet cable turning off Wifi etc then you have a page that has the required libraries already in your now-offline browser.

If you “login” with your secret key and it doesn’t complain, and gives the correct public address, then that is enough in my uneducated opinion. It has used that key to calculate the public address and if that matches then you are golden.

Close the browser and clear your cache. Unless you have some malware on your computer sniffing your keystrokes, that caches offline and then when connected reports back to the hacker... no one saw it.

This assumes you also don’t have your phone or laptop camera anywhere near the keyboard and or screen.

All of this is for you to consider and research yourself because as I said...  I am not an expert.


Also best to use a LiveDVD (can also be made for USB or MicroSD) so you're sure no modifications have been done on your system. And verify the checksum.

Edited by SquaryBone


@PunishmentOfLuxury  @Tinyaccount

we moved our open-sourced libraries to bithomp account

https://github.com/bithomp

the small tool to validate secret is deprecated now, as it's possible to check secret in the bithomp-tools

https://github.com/Bithomp/bithomp-tools

download the index.html page, open it on the clean and trusted offline computer.

Agree to terms, choose offline mode, enter your secret key and the tool will show you the XRP address.

If the XRP address matches the one you have, it means it's a correct pair.
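What the offline-mode check in these tools actually computes, as an added example written for this thread (it is not code from Bithomp, TWE or ripple-lib): decode the Base58Check secret, derive account key 0 on secp256k1 the way ripple-lib's deriveKeypair does, hash the compressed public key to an account ID, and compare the resulting classic address with the one printed on the paper wallet. It uses only the Python standard library, so it can be copied to an air-gapped machine without a package install. It handles only the classic 29-character secp256k1 secrets discussed here (not "sEd" ed25519 seeds), and it assumes the Python build's OpenSSL exposes RIPEMD-160; where it does not, the check reports "unverifiable" instead of guessing. The secret used in the test is the XRPL's publicly documented genesis key, a test vector rather than anyone's wallet.

```python
import hashlib

# Ripple's base58 alphabet (Bitcoin's digits in a different order).
ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"
# secp256k1 domain parameters: field prime, group order, generator point.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58decode(text):
    num = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a valid character in an XRPL secret")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip(ALPHABET[0]))  # each leading 'r' is a 0x00 byte
    return b"\x00" * pad + body

def b58check_encode(payload):
    data = payload + sha256d(payload)[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = ALPHABET[rem] + out
    return ALPHABET[0] * (len(data) - len(data.lstrip(b"\x00"))) + out

def decode_seed(secret):
    """Base58Check-decode an 's...' secret into its 16 seed bytes, or raise ValueError."""
    raw = b58decode(secret)
    payload, check = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != check:
        raise ValueError("checksum mismatch: the secret is mistyped or corrupted")
    if len(payload) != 17 or payload[0] != 0x21:
        raise ValueError("not a 16-byte secp256k1 seed (ed25519 'sEd' seeds are out of scope)")
    return payload[1:]

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; fine for a one-off offline check)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def compress(point):
    x, y = point
    return bytes([0x02 + (y & 1)]) + x.to_bytes(32, "big")

def scalar_from(data):
    """Hash data || 32-bit counter until the first 256 bits of SHA-512 form a scalar in (0, N)."""
    for i in range(1 << 32):
        k = int.from_bytes(hashlib.sha512(data + i.to_bytes(4, "big")).digest()[:32], "big")
        if 0 < k < N:
            return k
    raise RuntimeError("no valid scalar found")  # unreachable in practice

def derive_keypair(secret):
    """Return (account private scalar, compressed account public key) for account index 0."""
    seed = decode_seed(secret)
    root_priv = scalar_from(seed)
    root_pub = compress(ec_mul(root_priv, G))
    # Account key = root key + hash(root public key || account index 0 || counter), mod N.
    acct_priv = (root_priv + scalar_from(root_pub + bytes(4))) % N
    return acct_priv, compress(ec_mul(acct_priv, G))

def address_from_public_key(pubkey):
    """Classic address = Base58Check(0x00 || RIPEMD160(SHA256(pubkey))); None if RIPEMD-160 is missing."""
    try:
        account_id = hashlib.new("ripemd160", hashlib.sha256(pubkey).digest()).digest()
    except ValueError:  # assumption: some OpenSSL 3 builds lack RIPEMD-160 in the default provider
        return None
    return b58check_encode(b"\x00" + account_id)

def check_secret(secret, expected_address):
    """Offline paper-wallet check: 'ok', 'mismatch', 'unverifiable' or 'malformed: <why>'."""
    try:
        derived = address_from_public_key(derive_keypair(secret)[1])
    except ValueError as err:
        return f"malformed: {err}"
    if derived is None:
        return "unverifiable"
    return "ok" if derived == expected_address else "mismatch"
```

Run check_secret on the air-gapped machine with the secret and the address from the paper wallet; "ok" is the same answer the tools' offline mode gives, and "malformed" with a checksum message catches the common case of a mistyped character before any value is sent. The scalar multiplication is plain double-and-add, which is acceptable for a one-off check on an offline box but is not the timing-safe code you would want in a signer that runs on a shared or networked machine.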

On 5/5/2018 at 8:17 AM, Trader-to-the-Crown said:

I heard there is a way to test it offline with something called (nodeJs)? Does anyone know how to do this?

I'm really late to the party on this one but here are some tools for doing what you want. As a bonus, no Node.js is required, just download the whole project and open the html files in an up-to-date Chrome or Firefox browser.

https://github.com/SimpleXRPTools/SimpleXRPTools

5 hours ago, SimpleXRPTools said:

I'm really late to the party on this one but here are some tools for doing what you want. As a bonus, no Node.js is required, just download the whole project and open the html files in an up-to-date Chrome or Firefox browser.

https://github.com/SimpleXRPTools/SimpleXRPTools

Not Open Source software and needlessly vendoring minified libraries...
