Possibility of a precomputed address on the wallet


  • This topic has 2 replies and 1 participant and was last updated 1 year, 4 months ago by matejcik.
    • #2960897
      root_s2yse8vt
      Administrator

      I suspect that this kind of side-channel attack could affect any wallet service, not just Trezor.
      Any wallet could provide a predefined address that is known to a third party.

      What kind of security audit has been carried out at Trezor to prevent this?

    • #2960898
      Keefryan
      Guest

      Err .. it’s called being "Open Source". Have you heard of the github?

    • #2960899
      matejcik
      Guest

      The thing to understand is that addresses are not generated out of thin air. There is an algorithm, which very specifically means "a sequence of specific steps to take", that starts with your seed and ends with an address.

      For example, you need to be able to export an XPUB to a watch-only wallet. Does the XPUB load your account? If yes, then the wallets are both following the same algorithm = the address is not "pregenerated".

      But what if the XPUB is pregenerated? Get a wallet from a different vendor and import your seed. If your accounts come up, it means that both vendors follow the same algorithm and the XPUB is not pregenerated.

      But what if the seed is pregenerated?

      That’s **the** tough question. In case of Trezor, the canonical answer is, you can see the source code and verify that the published firmware actually comes from that source code. Generating seed is a hot path that people like to look into, so presumably, if there was a problem, someone more technically inclined would already be claiming their fame by discovering it.

      Judging by the fact that a lot of people with varying degrees of technical skill regularly come here asking questions about it, it would be weird if nobody was actually looking, right?
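
The cross-check described in matejcik's reply, as an added example that is not part of the original post or of Trezor's code: assuming the wallets follow BIP32 (the thread does not name the scheme), it derives the chain code and public key from a seed using only the Python standard library and compares them with an exported XPUB. The function names are hypothetical, and the seed and XPUBs are the public BIP32 test vector 1, not real wallet data.

```python
import hashlib, hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Public BIP32 test vector 1 (sample input for this example, not a real wallet seed)
TV1_SEED = bytes(range(16))
TV1_XPUB_M = "xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8"
TV1_XPUB_M_0H = "xpub68Gmy5EdvgibQVfPdqkBBCHxA5htiqg55crXYuXoQRKfDBFA1WEjWgP6LHhwBZeNK1VTsfTFUHCdrfp1bgwQ9xv5ski8PX9rL2dZXvgGDnw"

def ec_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    m = num * pow(den % P, -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def pubkey(k):
    """Compressed public key for private scalar k (double-and-add, not constant time)."""
    acc, add = None, G
    while k:
        if k & 1:
            acc = ec_add(acc, add)
        add, k = ec_add(add, add), k >> 1
    return bytes([2 + (acc[1] & 1)]) + acc[0].to_bytes(32, "big")

def derive(seed, hardened_path):
    """Return (chain code, public key) at m/i0'/i1'/... following BIP32."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    for i in hardened_path:
        data = b"\0" + I[:32] + (i | 0x80000000).to_bytes(4, "big")
        J = hmac.new(I[32:], data, hashlib.sha512).digest()
        k = (int.from_bytes(J[:32], "big") + int.from_bytes(I[:32], "big")) % N
        I = k.to_bytes(32, "big") + J[32:]
    return I[32:], pubkey(int.from_bytes(I[:32], "big"))

def xpub_matches(seed, hardened_path, xpub):
    """True if the exported XPUB carries the chain code and key the seed derives."""
    n = sum(B58.index(c) * 58**i for i, c in enumerate(reversed(xpub)))
    raw = n.to_bytes(82, "big")  # 78-byte payload + 4-byte checksum
    if hashlib.sha256(hashlib.sha256(raw[:78]).digest()).digest()[:4] != raw[78:]:
        raise ValueError("xpub checksum mismatch")
    return (raw[13:45], raw[45:78]) == derive(seed, hardened_path)
```

The comparison ignores the parent fingerprint field of the XPUB, which is only a lookup hint; the chain code and public key are what determine every address derived below that node.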
