
Master thesis by Piotr "ThePiachu" Piasecki
Donations welcome: 18zRT8jaHJUZe3foLcHkocV468dZ9sGiBq

MASTER'S THESIS

"Projekt i bezpieczeństwo aplikacji wspierających infrastrukturę Bitcoins w oparciu o Google Apps Engine."
“Design and security analysis of Bitcoin infrastructure using application deployed on Google Apps Engine.”

Faculty of Technical Physics, Information Technology and Applied Mathematics
Supervisors: mgr inż. Wiktor Wandachowicz, dr inż. Jan Rogowski
Candidate: Piotr Piasecki
Student ID number: 169500
Łódź, 06.06.2012

Abstract

Bitcoin is an innovative concept of a decentralised, peer-to-peer virtual currency. Its functions are autonomous from any centralised influence. This report discusses the various security features and vulnerabilities of Bitcoin, as well as various applications relating to it. It provides a wide view of the most notable parts of the Bitcoin ecosystem, ranging from the cryptographic algorithms underlying the Bitcoin Protocol, through applications allowing one to trade Bitcoins for traditional money, and ending with a look at the behaviour of Bitcoin users.

In order to gain the necessary expertise, a prolonged study of Bitcoin was undertaken, so as to be able to design independent Bitcoin applications running on Google App Engine. Such an undertaking allowed one to better understand all the inner workings of Bitcoin.

Table of Contents

1 Introduction
  1.1 What is Bitcoin?
2 Theoretical Background
  2.1 Cryptography
    2.1.1 Premise of cryptography
    2.1.2 Encryption and decryption algorithms
    2.1.3 Hashing algorithms
    2.1.4 Digital Signature Schemes
  2.2 Bitcoin
    2.2.1 Economics and role of currency
    2.2.2 Digital currency
    2.2.3 Bitcoin as crypto currency
    2.2.4 Bitcoin infrastructure
    2.2.5 Bitcoin ecosystem
    2.2.6 MainNet, TestNet and AltCoins
    2.2.7 Bitcoin example use cases
  2.3 Google App Engine
    2.3.1 Architecture overview
3 Views on Bitcoin
  3.1 The IT/cryptography experts
  3.2 The legal experts
    3.2.1 Legal actions related to Bitcoin
  3.3 The economics experts
  3.4 Government and politicians
  3.5 Payment processors
  3.6 The common users
4 Research, analysis and design
  4.1 Practical implementation structure
  4.2 Bitcoin protocol specification
    4.2.1 Connecting to the Network
    4.2.2 VERSION and VERACK
    4.2.3 Exchange of Blocks, Transactions and peers
  4.3 Strength of cryptography and brute force attacks
  4.4 Bitcoin algorithms security analysis
    4.4.1 Random number generator
    4.4.2 Data encryption
    4.4.3 Elliptic Curve Digital Signature Algorithm
    4.4.4 Secure Hash Algorithm SHA-2
    4.4.5 RACE Integrity Primitives Evaluation Message Digest RIPEMD-160
  4.5 Bitcoin Network security analysis
    4.5.1 Cancer nodes
    4.5.2 No authentication for IP transfers
    4.5.3 Packet sniffing
    4.5.4 DoS attacks
    4.5.5 Clock drift
    4.5.6 Illegal content
    4.5.7 Scalability
    4.5.8 Segmentation
    4.5.9 Attack on all users
    4.5.10 Dropping transactions
    4.5.11 51% attack
    4.5.12 Spamming transactions
    4.5.13 The "Finney" attack / Double-spend attack
  4.6 Bitcoin applications security analysis
    4.6.1 Standard Client
    4.6.2 Pools
    4.6.3 P2Pool
    4.6.4 Exchanges
    4.6.5 Other applications
  4.7 Bitcoin ecosystem security analysis
    4.7.1 Alleged theft of wallets