Jump to content
pompous-p

Questions about secret keys/ripple wallet addresses

Recommended Posts

Some security questions regarding creating a cold storage paper wallet using Jatchilli's solution (https://jatchili.github.io/minimalist-ripple-client/):

1) What are the security risks while using his/her online version (https://jatchili.github.io/minimalist-ripple-client/) instead of downloading and running it on an air-gapped computer?
2) If am understanding this correctly, every Ripple wallet address has to have a secret key associated to it. How is this secret key actually 'set' (as in, how is it set to be associated with the specific ripple wallet address)?  
3) I assume I would need to be connected to the internet to 'set' a secret key for a ripple wallet address. Correct?
4) Can I change my secret key in the future? I notice Jatchilli has a 'rekey' button... is this it? 
5) What's stopping someone from creating an exorbitant number of wallet addresses and locking them with a secret key, just to make it hard/impossible for others to get a wallet address? Is it the 20 XRP minimum requirement to activate the account? 

Thanks!

Share this post


Link to post
Share on other sites

1. They are both the same.  Airgapping or disconnecting from the internet is just confirmation that it isn't secretly sending out your keys, but if you look at the code, you can discern that it isn't doing that to begin with.

2. The secret key randomly generated within certain constraints - the public address is then generated based on the secret (which is how the two are linked).  If you read on cryptography, the idea is that you can always create exactly the same output with a certain secret key but no one can reverse that output to find the secret key itself.

3. No, you can generate keys completely offline.  This is because it's randomly generated on your end, with the hopes that you don't accidentally randomly generate one that someone else already has (they try to make the odds of that near zero).

4. It depends on what sort of key you're using for your account.  See: https://ripple.com/build/transactions/#setregularkey .  IMO you might as well just create a new wallet and send all funds to it.

5. Wallets aren't really "created." It's more like you're randomly being assigned to an address combination, of which again the odds of you getting the same one as someone else are extremely low.

Share this post


Link to post
Share on other sites
1. They are both the same.  Airgapping or disconnecting from the internet is just confirmation that it isn't secretly sending out your keys, but if you look at the code, you can discern that it isn't doing that to begin with.
2. The secret key randomly generated within certain constraints - the public address is then generated based on the secret (which is how the two are linked).  If you read on cryptography, the idea is that you can always create exactly the same output with a certain secret key but no one can reverse that output to find the secret key itself.
3. No, you can generate keys completely offline.  This is because it's randomly generated on your end, with the hopes that you don't accidentally randomly generate one that someone else already has (they try to make the odds of that near zero).
4. It depends on what sort of key you're using for your account.  See: https://ripple.com/build/transactions/#setregularkey .  IMO you might as well just create a new wallet and send all funds to it.
5. Wallets aren't really "created." It's more like you're randomly being assigned to an address combination, of which again the odds of you getting the same one as someone else are extremely low.


Got it. Thanks. Regarding 5) how low is low odds? Basically you're saying that it is possible for me to discover someone else's ripple wallet, along with the secret key for it, by accident?

Share this post


Link to post
Share on other sites

#5 is something people constantly say is lower than the odds of getting struck by lightning or w/e.  It's the same as bitcoin and many other cryptocurrencies.  It's technically possible yes, but everyone treats it as so low it  might as well be impossible.

Share this post


Link to post
Share on other sites
#5 is something people constantly say is lower than the odds of getting struck by lightning or w/e.  It's the same as bitcoin and many other cryptocurrencies.  It's technically possible yes, but everyone treats it as so low it  might as well be impossible.


Got it. Yes, if I recall correctly, I think I have read about the impossibility of this.

Share this post


Link to post
Share on other sites
Posted (edited)
4 hours ago, pompous-p said:

 


Got it. Thanks. Regarding 5) how low is low odds? Basically you're saying that it is possible for me to discover someone else's ripple wallet, along with the secret key for it, by accident?

 

I believe there are 2^160 possible key pairs.  There are about 10^80 atoms in the observable universe. 2^160 is a bit more than 60% of 10^80.

That's a lot.

Metaphors I've heard used to describe the chance of a key pair collision:

Get struck by lightning 6 times in a single day without doing anything crazy like carrying a lightning rod.

Consider every atom of water on the planet, take one atom, put it back, completely randomize them, take the same atom out by chance.

You could run a brute force program to constantly create and check secret keys until our sun dies out without finding a match.

Edited by UrzasLegacy

Share this post


Link to post
Share on other sites
6 hours ago, pompous-p said:

 


Got it. Yes, if I recall correctly, I think I have read about the impossibility of this.

 

A really easy way to view how improbable this is is by trying to generate a vanity address.

 

When you do that you're looking for a specific phrase in a ripple address.

 

So for instance, I just did a search for rjon... it's been searching 3000/s and it still hasn't found one after a couple minutes. It even tells you how many seconds you need to wait until you're 50% certain you'll find an address. So for a three character address, it's 50 seconds to reach the 50% mark, and I have a decent computer running it.

 

Each additional character you add on... i.e. rjon1 adds 58 TIMES more difficulty, (since Bitcoin and Ripple addresses are encoded in base58) and it will take 51 minutes to get to the halfway likelihood point. 

Searching for rjon12 takes 47 hours to reach 50%.

Searching for rjon123 takes 114 days to reach 50%.

Searching for rjon1234 takes 6000 days to reach 50%.

Searching for rjon12345 takes 40000 days to reach 50%.

Searching for a full ripple address takes 80,000,000,000 days...

Share this post


Link to post
Share on other sites
4 minutes ago, JonHolmquist said:

A really easy way to view how improbable this is is by trying to generate a vanity address.

 

When you do that you're looking for a specific phrase in a ripple address.

 

So for instance, I just did a search for rjon... it's been searching 3000/s and it still hasn't found one after a couple minutes. It even tells you how many seconds you need to wait until you're 50% certain you'll find an address. So for a three character address, it's 50 seconds to reach the 50% mark, and I have a decent computer running it.

 

Each additional character you add on... i.e. rjon1 adds 58 TIMES more difficulty, (since Bitcoin and Ripple addresses are encoded in base58) and it will take 51 minutes to get to the halfway likelihood point. 

Searching for rjon12 takes 47 hours to reach 50%.

Searching for rjon123 takes 114 days to reach 50%.

Searching for rjon1234 takes 6000 days to reach 50%.

Searching for rjon12345 takes 40000 days to reach 50%.

Searching for a full ripple address takes 80,000,000,000 days...

Wow. Ok. So it's virtually impossible for someone to get your ripple address.

This is like the worlds most improbable lottery...

Share this post


Link to post
Share on other sites

hmmmm

I managed to set up a wallet using jatchili's minimalist ripple client, but I'm having difficulty sending XRP off of it...

I keep getting an error from jatchili's code.

Is there any other way I can send XRP off my wallet (other than gate hub please!)? 

Share this post


Link to post
Share on other sites

Okay so Im going ask a related question (I've been trying to find the answer without much luck).

In the minimalist wallet, What is the source of entropy? (In other worss, what kind of mechanism does it use to generate secret key-public key pair). And how reliably random is it? In my opinion, generating wallet address with reduced entropy can potentially become the weakest link in xrp security. 

Share this post


Link to post
Share on other sites
21 minutes ago, pompous-p said:

hmmmm

I managed to set up a wallet using jatchili's minimalist ripple client, but I'm having difficulty sending XRP off of it...

I keep getting an error from jatchili's code.

Is there any other way I can send XRP off my wallet (other than gate hub please!)? 

You can use the one I created here:

https://www.theworldexchange.net/

It's basically inputting the key and then toggling to send.

Share this post


Link to post
Share on other sites
23 minutes ago, pompous-p said:

hmmmm

I managed to set up a wallet using jatchili's minimalist ripple client, but I'm having difficulty sending XRP off of it...

I keep getting an error from jatchili's code.

Is there any other way I can send XRP off my wallet (other than gate hub please!)? 

What's the error?

Share this post


Link to post
Share on other sites
26 minutes ago, Khaiger said:

Okay so Im going ask a related question (I've been trying to find the answer without much luck).

In the minimalist wallet, What is the source of entropy? (In other worss, what kind of mechanism does it use to generate secret key-public key pair). And how reliably random is it? In my opinion, generating wallet address with reduced entropy can potentially become the weakest link in xrp security. 

It's this line in the code here:

ripple.Seed.from_bits(ripple.sjcl.random.randomWords(4));

It looks like it's using a function from ripplelib, but the ripplelib used looks like an older version, which I can't find documentation for so it's hard to say.

Share this post


Link to post
Share on other sites
2 hours ago, Khaiger said:

Okay so Im going ask a related question (I've been trying to find the answer without much luck).

In the minimalist wallet, What is the source of entropy? (In other worss, what kind of mechanism does it use to generate secret key-public key pair). And how reliably random is it? In my opinion, generating wallet address with reduced entropy can potentially become the weakest link in xrp security. 

That is the best question to be asking!

Share this post


Link to post
Share on other sites

×