>> (p.1)
    Author Topic: NXT Coin Security  (Read 8450 times)

    • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 06:24:33 PM
     #1
    Can someone here with better knowledge re Cryptography and security than me (or anyone on NXT forum it seems) please answer this:

    NXT receiving address is 20 characters long made up of only numbers - therefore 10^20 combinations.

    Passwords to open wallets can be many more characters, therefore many many more combinations to open only 10^20 possible wallets.

    Secret phrase can be any 100 unicode chars.

    SHA256(secret_phrase) gives private key.
    Curve25519(private_key) gives public key.
    SHA256(public_key) gives account id.
    First 64 bits give VISIBLE account id.


    Now, if I send coins to one account using their VISIBLE account ID (20 characters long) which is all that is required with NXT, then multiple passwords can open a wallet with the SAME visible account ID.

    Apparently, the first account to send those coins on has ownership.

    What am I missing here?
     *Image Removed*

  • kaito
    Full Member
    ***
    Offline Offline

    Activity: 168
    Merit: 100



    View Profile
    December 10, 2013, 06:29:30 PM
     #2
    Quote from: miztaziggy on December 10, 2013, 06:24:33 PM
    What am I missing here?
    An opportunity to make lots of money.

  • Jest3r
    Full Member
    ***
    Offline Offline

    Activity: 224
    Merit: 100


    View Profile
    December 10, 2013, 06:31:27 PM
     #3
    I won't speak on how many hash collisions there are without doing the math myself but one thing I'd like to point out is that NXT addresses can be 18 to 20 digits long (As far as I know that is, the gap could be bigger). This increases the amount of possible addresses significantly.

  • bitme
    Sr. Member
    ****
    Offline Offline

    Activity: 317
    Merit: 250



    View Profile
    December 10, 2013, 06:33:44 PM
     #4
    Isn't it 1-20 digits for account?
    NXT makes the Difference
    My nxtforum account : bitme

  • Jest3r
    Full Member
    ***
    Offline Offline

    Activity: 224
    Merit: 100


    View Profile
    December 10, 2013, 06:39:11 PM
     #5
    Quote from: bitme on December 10, 2013, 06:33:44 PM
    Isn't it 1-20 digits for account?
    Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

  • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 06:54:17 PM
     #6
    Still, compare the number of possible 'wallets' with the number of possible passwords.

    The number of collisions is HUGE.

    Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.
     *Image Removed*

  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 06:57:20 PM
     #7
    Quote from: miztaziggy on December 10, 2013, 06:54:17 PM
    Still, compare the number of possible 'wallets' with the number of possible passwords.

    The number of collisions is HUGE.

    Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

    U should post here ur math from nextcoin.org. It will make someone's day. Smiley

  • bitme
    Sr. Member
    ****
    Offline Offline

    Activity: 317
    Merit: 250



    View Profile
    December 10, 2013, 07:06:06 PM
     #8
    Quote from: Jest3r on December 10, 2013, 06:39:11 PM
    Quote from: bitme on December 10, 2013, 06:33:44 PM
    Isn't it 1-20 digits for account?
    Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

    Here is 16 digits
    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337
    NXT makes the Difference
    My nxtforum account : bitme

  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 07:13:18 PM
     #9
    Quote from: bitme on December 10, 2013, 07:06:06 PM
    Quote from: Jest3r on December 10, 2013, 06:39:11 PM
    Quote from: bitme on December 10, 2013, 06:33:44 PM
    Isn't it 1-20 digits for account?
    Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

    Here is 16 digits
    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337


    Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

  • Hazard
    Legendary
    *
    Offline Offline

    Activity: 980
    Merit: 1000



    View Profile WWW
    December 10, 2013, 07:21:46 PM
     #10
    This thing has been a poorly designed cashgrab since day 1.
    CryptoLife Development - Altcoin Creation and More | Electrum Wallet Creation

  • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 07:24:20 PM
     #11
    Quote from: Come-from-Beyond on December 10, 2013, 07:13:18 PM
    Quote from: bitme on December 10, 2013, 07:06:06 PM
    Quote from: Jest3r on December 10, 2013, 06:39:11 PM
    Quote from: bitme on December 10, 2013, 06:33:44 PM
    Isn't it 1-20 digits for account?
    Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

    Here is 16 digits
    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337


    Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

    So how does that affect chances of collision?

    I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

    It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.
     *Image Removed*

  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 07:29:40 PM
     #12
    Quote from: miztaziggy on December 10, 2013, 07:24:20 PM
    Quote from: Come-from-Beyond on December 10, 2013, 07:13:18 PM
    Quote from: bitme on December 10, 2013, 07:06:06 PM
    Quote from: Jest3r on December 10, 2013, 06:39:11 PM
    Quote from: bitme on December 10, 2013, 06:33:44 PM
    Isn't it 1-20 digits for account?
    Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

    Here is 16 digits
    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337


    Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

    So how does that affect chances of collision?

    I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

    It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.

    I did answer ur questions. Sorry, but my English is not so good to explain something that requires knowledge of statistics or crypto. Any chance u speak Russian?

  • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 07:40:06 PM
     #13
    You spoke good enough english in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?
     *Image Removed*

  • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 07:42:29 PM
     #14
    This from the NXT thread:


    Quote from: miztaziggy on December 10, 2013, 07:32:16 PM
    Quote from: Come-from-Beyond on December 10, 2013, 07:26:12 PM
    Quote from: miztaziggy on December 10, 2013, 07:15:43 PM
    I can't work out whether you're intentionally lying or just wrong....

    Tell me how I need the full 256 bit private key to access my coins?

    Because the way I see it is that with only 10^20 possible RECEIVING addresses and MANY MANY more possibilities for passwords, then multiple passwords MUST have the same receiving addresses. Therefore if you send NXT to one receiving address, many many passwords will open a wallet that will have received those same coins.

    Yes, many passphrases will open that account but only 1 will be able to spend the coins. Coz software checks that all 256 bits match.




    Again, is this a lie or misunderstanding?

    Tell me this:

    You and I both have our own passwords, each happens to create the same 20 digit wallet number.

    I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

    Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

    We both open our wallets using our different passwords, both show our public address to be 111111111111111111111

    Now, who sees which coins?

    Do I see 1000 NXT and you see 2000 NXT, do we both see 3000 NXT?

    If it's the former, how did NXT know you should receive 2000 and me 1000 just from our public addresses?

    The fact is, it didn't.

    The coins are sent to a public address that can be created by more than 1 password. How is that secure?
     *Image Removed*

  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 07:44:20 PM
     #15
    Quote from: miztaziggy on December 10, 2013, 07:40:06 PM
    You spoke good enough english in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?

    Did u read my answer on nextcoin.org? I bet no, coz u again compare 10^24 apples with 10^20 oranges.

  • dtothemt
    Newbie
    *
    Offline Offline

    Activity: 52
    Merit: 0


    View Profile
    December 10, 2013, 07:47:07 PM
    Last edit: December 10, 2013, 08:09:42 PM by dtothemt
     #16
    Quote from: miztaziggy on December 10, 2013, 06:54:17 PM
    Still, compare the number of possible 'wallets' with the number of possible passwords.

    The number of collisions is HUGE.

    Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

    This is my thought exactly and if the dev wants NXT to grow and stick around, they need to fix this. I was just thinking about this yesterday. Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

    Edit: Nevermind, just read the dev's response. Although I must say it is somewhat misleading for those who don't know that part of the address is hidden. I'm guessing the reason for this is that your mapping system isn't alphanumerical, thus to make things easier on the eyes you provide only that.

    But what would happen if the first 20 digits of two addresses happen to be the same, and someone sends NXT to that address? That still seems risky of a conflict occurring.

  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 07:48:29 PM
     #17
    Quote
    I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

    Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

    Ok, I'll repeat again. Add some math. What are the odds that u get the same address within a short period of time?

  • artiface
    Full Member
    ***
    Offline Offline

    Activity: 238
    Merit: 100


    View Profile
    December 10, 2013, 07:49:51 PM
     #18
    Yes it seems all it takes is the correct passphrase to open any wallet.  

    I learned that the hard way, lost just about 30,000 nxt because my password was too easy. I saw in front of my eyes someone send my coins to a new account.  I've triple checked my machine and there is no back door or keylogger (if there was I think they would have gone for my btc first before the nxt anyday).  Someone used the same password as me and therefore they were able to spend all my coins.  

    I didn't understand that the password was network wide, I thought it was local to my machine only so it was simple, despite the warning.



  • Come-from-Beyond
    Legendary
    *
    Offline Offline

    Activity: 2142
    Merit: 1010

    Newbie


    View Profile
    December 10, 2013, 07:49:56 PM
     #19
    Quote from: dtothemt on December 10, 2013, 07:47:07 PM
    Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

    No. That requires little changes.

  • miztaziggy (OP)
    Sr. Member
    ****
    Offline Offline

    Activity: 432
    Merit: 500


    View Profile
    December 10, 2013, 07:55:11 PM
     #20
    Quote from: Come-from-Beyond on December 10, 2013, 07:48:29 PM
    Quote
    I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

    Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

    Ok, I'll repeat again. Add some math. What are the odds that u get the same address within a short period of time?

    Again - full disclosure - are you an early adopter, do you have NXT and are you selling NXT?

    My bet is yes you have NXT and are selling NXT.

    You're an idiot if you think I am talking about some random fluke where 2 innocent users happen upon the same key. I am talking about brute forcing the system.

    You create a thread and post about Bitcoin being open to a collision attack with a chance of finding same key 10^24. You, in your own words say it's not a big number and can easily be done with hashing power of BTC.

    Now NXT has 10,000 fewer possibilities that this at 10^20 (though I suppose it's actually 10^20 + 10^19 + 10^18 etc....but this doesn't increase the order of magnitude by that much really).

    FACT - NXT CAN BE BRUTE FORCE COLLISION ATTACKED VERY MUCH MORE EASILY THAN BTC.
     *Image Removed*
    Pages: [1] 2 3 4 5 »  All
      Print  
Page 1
Viewing Page: 1

IRLBTC™ © 2025 IRLBTC.com