Bitcoin BIP38 Security Advisory

You may use third party services (“printers”) to produce encrypted Bitcoin keys, based on an “intermediate code” that you (“owner”) create independently, and which starts with the letters “passphrase”, such as “passphraseouGLY8yjTZQ5Q2bTo8rtKfdbHz4tme7QuPheRgES8KnT6pX5yxFauYhv3SVPDD”.

If so you are using BIP38, also known as “passphrase-protected private keys”. Libbitcoin developers recently integrated this technology into the development kit.

The encrypted private key produced by the printer typically begins with the letters “6P”, such as “6PnQ4ihgH1pxeUWa1SDPZ4xToaTdLtjebd8Qw6KJf8xDCW67ssaAqWuJkw”.

This standard defines a “confirmation code”, which is another value the owner may receive from the printer, and begins with the letters “cfrm”, such as “cfrm38VUEdzHWKfUjdNjV22wyFNGgtRHYhXdBFT7fWw7cCJbCobryAYUThq4BbTPP15g4SeBsug”.

Payments can be made to the corresponding Bitcoin payment address, in this case “1AoLqsujagqD7NmbQKYBEuhRMnCfwJzGoy”. The owner, using the passphrase originally used to create the intermediate code is the only party who can spend money sent to this address, and is therefore protected from printer malfeasance and ineptitude.

However, I strongly recommend against reliance on the confirmation code. Validating this code with your original passphrase tells you nothing about your ability to spend money sent to its corresponding bitcoin payment address. In fact this code is not useful in any scenario where the printer cannot be trusted by the owner. This lack of trust is of course the reason for both the intermediate code and the confirmation code in the first place.

The only thing that the owner learns from validating the confirmation code is that only the owner could spend money sent to the corresponding address. But this assumes the owner has the corresponding private key. The encrypted private key provided by the printer may be entirely bogus. The only way to know whether you have the necessary private key is to validate the encrypted private key.

You are fine as long as you validate the encrypted private key, but don’t use the confirmation code for anything, even after you have validated the encrypted private key. This validation must include deriving the payment address from the encrypted private key. It is our recommendation that the confirmation code section be struck entirely from BIP38.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s