Jump to content

Recommended Posts

I'm in the process of moving my XRP to cold storage, but want to check the security of my currency. I got to thinking about one method of trying to hack XRP that is probably impossible, but I'd like some confirmation on it.

1. I'm wondering how many possible XRP addresses there are?

2. What would it take to set up a program to cycle through all the addresses and run a balance check on each one?

3. Then when you've found a number of addresses with nice balances, couldn't you then run a program to brute force hack the secret key?

4. In cold storage are there any extra layers of security you can add through the RippleAPI beyond the secret key?

I'm guessing it's nigh on impossible to hack an address/ addresses this way, but I'd be curious to know the maths behind it or how difficult it would be.

Cheers for any help.

Trippy

Share this post


Link to post
Share on other sites

Most of all current cryptosystems rely on the fact that there are so many possibilities for keys that the actually used ones are negligibly few. RCL is no different. It is not possible (assuming everyone used a good source of entropy when creating private keys!) to stumble upon any funded private key by accident until the sun destroys the earth. Yes, this accounts for Moore's law.

It is very easy to list all accounts with their balances, it is impossible with current technology to "brute force hack" private keys.

You could use a few advanced features like signing keys and so on, but you can permanently lock yourself out of your funds easily that way. I don't really see the benefits, but your mileage may vary.

Share this post


Link to post
Share on other sites
14 minutes ago, Sukrim said:

Most of all current cryptosystems rely on the fact that there are so many possibilities for keys that the actually used ones are negligibly few. RCL is no different. It is not possible (assuming everyone used a good source of entropy when creating private keys!) to stumble upon any funded private key by accident until the sun destroys the earth. Yes, this accounts for Moore's law.

It is very easy to list all accounts with their balances, it is impossible with current technology to "brute force hack" private keys.

You could use a few advanced features like signing keys and so on, but you can permanently lock yourself out of your funds easily that way. I don't really see the benefits, but your mileage may vary.

Thanks, Sukrim. So the private key is enough to protect the address?

Wow, it even accounts for Moore's law!

Edited by Trippy
Edit...

Share this post


Link to post
Share on other sites

The address is an encoded form of the public key, which is mathematically linked to the private key.

Look up the "birthday problem" in case you are interested on how likely a collision is for a certain amount of funded addresses vs. possible addresses.

Share this post


Link to post
Share on other sites
1 minute ago, Sukrim said:

The address is an encoded form of the public key, which is mathematically linked to the private key.

Look up the "birthday problem" in case you are interested on how likely a collision is for a certain amount of funded addresses vs. possible addresses.

Thanks.

Share this post


Link to post
Share on other sites
6 minutes ago, Sukrim said:

The address is an encoded form of the public key, which is mathematically linked to the private key.

Look up the "birthday problem" in case you are interested on how likely a collision is for a certain amount of funded addresses vs. possible addresses.

Sorry to bother, Sukrim, but is there a place that explains address and public and private keys in more details as they relate to ripple?

Cheers.

Share this post


Link to post
Share on other sites

If you're interested, there's a comprehensive answer here.

Specifically:  "if you could use the entire planet as a hard drive, storing 1 byte per atom, using stars as fuel, and cycling through 1 trillion keys per second, you'd need 37 octillion Earths to store it, and 237 billion suns to power the device capable of doing it, all of which would take you 3.6717 octodecillion years."

1 octillion is:  1000000000000000000000000000
1 octodecillion is:  1000000000000000000000000000000000000000000000000000000000

So according to the writer, you'd need 37000000000000000000000000000 earth-sized hard drives storing 1 byte per atom, and 3671700000000000000000000000000000000000000000000000000000 years to get through every key.  (Though, as consolation, after that you would have *all* the coins.)

This is for bitcoin, but the principle and numbers are - for practical purposes - the same for almost all cryptocurrency.  The numbers may vary by a few quadrillion years here and there, but who's counting? ;)

Share this post


Link to post
Share on other sites
Just now, Professor Hantzen said:

If you're interested, there's a comprehensive answer here.

Specifically:  "if you could use the entire planet as a hard drive, storing 1 byte per atom, using stars as fuel, and cycling through 1 trillion keys per second, you'd need 37 octillion Earths to store it, and 237 billion suns to power the device capable of doing it, all of which would take you 3.6717 octodecillion years."

1 octillion is:  1000000000000000000000000000
1 octodecillion is:  1000000000000000000000000000000000000000000000000000000000

So according to the writer, you'd need 37000000000000000000000000000 earth-sized hard drives storing 1 byte per atom, and 3671700000000000000000000000000000000000000000000000000000 years to get through every key.  (Though, as consolation, after that you would have *all* the coins.)

This is for bitcoin, but the principle and numbers are - for practical purposes - the same for almost all cryptocurrency.  The numbers may vary by a few quadrillion years here and there, but who's counting? ;)

This is ABSOLUTELY BRILLIANT! :D:D:D

Share this post


Link to post
Share on other sites

What if there is a program that create offline wallets and than check for balance? If you find an account with balance you have his secret 

How long will it take to create all wallets pairs?? 

Share this post


Link to post
Share on other sites

From what I understand, BTC is similar to XRP. Someone had shared this in the past, I book marked it, but am unable to remember who posted so I can't give proper credit. 

http://directory.io/

This site lists all the btc addresses and secrets. Give a shot trying to find an address  with a balance. I was able to find one but it was a small amount and already moved. It was on page 1337, so I assume it was put there on purpose as an Easter egg type deal. Seriously give it a shot, I promise you will give up before finding anything. 

Share this post


Link to post
Share on other sites

It's very unlikely but I'd be careful to say impossible.  We're talking about probability here, not absolute.  There's two things:

1. Guessing the private key (which is essentially brute force).

2. Accidentally generating the same account as someone else.

I've never been a fan of just saying something is impossible just because it's unlikely.  You could say something is as unlikely as a lightning strike but it still happens constantly even if it's not happening to you specifically.  For Ripple/Bitcoin, it's less likely than a lightning strike, but it's not correct to think of it as waiting for the Earth or Sun to die.  If it does happen, it happens.  There's no clock ticking or deck of cards waiting to run out (if you want to use a deck of cards analogy, it would be a deck in which previously drawn cards keeps getting reshuffled into the mix but the deck is so large you're unlikely to draw the same one).

Your fallback here is that if it does happen, you have to then hope that it happens to be an account with a lot of funds.  And then after that, every transaction is tracked, so if you try to move it into the real world, whoever else owned that account would know exactly who's trying to access the money.

Edited by pftq

Share this post


Link to post
Share on other sites

I have been reading up on multi-sign. Requiring two signatures would remove the worry about someone else generating the same key as you. You would have to disable the master key pair and that is pretty scary, but I would make sure it works prior to sending a big amount over. One question I have is, is it possible to offline sign a SignerListSet tx using the API? The example given on Ripple/build uses running Rippled in stand alone mode, to sign and submit, I do not understand how the TX will make it to the ledger if you are in stand alone mode. And if you are not in stand alone mode you expose the secret key. 

 

Edit : I guess this is a moot point as you would disable the master key pair anyway. 

Edited by Kakoyla

Share this post


Link to post
Share on other sites
37 minutes ago, Kakoyla said:

You would have to disable the master key pair and that is pretty scary

You can also re-key your wallet, and your Rippled, if I recall right. 

So, if you were running a large market making operation, you may re-key your wallet at time intervals (every morning), by re-setting the Master Key https://wiki.ripple.com/Master_Key

This same process has been used to, first set up an account's behavior, then "blackhole" an account by setting it's key to an already knows blackholed wallet (I believe?), making it a sort of DAO type wallet, which will just act as it's behavior was set because nobody has the secret key to change how it behaves.

 @ripplerm can your correct my inaccuracies, I think you were the first one I saw propose this method?

Share this post


Link to post
Share on other sites
2 hours ago, Kakoyla said:

I have been reading up on multi-sign. Requiring two signatures would remove the worry about someone else generating the same key as you. You would have to disable the master key pair and that is pretty scary, but I would make sure it works prior to sending a big amount over. One question I have is, is it possible to offline sign a SignerListSet tx using the API? The example given on Ripple/build uses running Rippled in stand alone mode, to sign and submit, I do not understand how the TX will make it to the ledger if you are in stand alone mode. And if you are not in stand alone mode you expose the secret key. 

 

Edit : I guess this is a moot point as you would disable the master key pair anyway. 

The idea is you are signing offline (so nothing online ever has potential access to your private key) and then copying only the output (not the private key) to the ledger.  You can mathematically check that the output is a properly signed transaction, but it's much harder to reverse engineer the transaction to find the private key that signed it.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...