-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathusage.html
More file actions
232 lines (164 loc) · 10.9 KB
/
usage.html
File metadata and controls
232 lines (164 loc) · 10.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>CIYAM Safe - Using CIYAM Safe</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="copyright" content="Copyright 2012-2018 CIYAM Developers"/>
<link rel="stylesheet" href="safe.css" type="text/css"/>
</head>
<div id="content">
<div id="header">
<div id="appname"><a href="#">Safe</a></div>
<h3 class="right-top">Usage</h3>
</div>
<div id="main">
<div id="text">
<pre>
Instructions for using CIYAM Safe
---------------------------------
Firstly understand that CIYAM Safe it is not intended to be an "offline wallet" in the way that other offline
wallets generally work but is instead a set of tools (scripts and 3rd party software packages) that enable an
offline LiveOS system to be able to be safely used in order to generate Bitcoin addresses and then later sign
transactions to safely spend all the "unspent outputs" by only using QR codes to move information between the
offline and online computers.
The intended usage of an address should be that it has a fixed purpose (such as being payment for a task) and
that after its "unspent outputs" have been "spent" that it would not be used again. Also although it is not
recommended to re-use an address the private key for any address can easily be restored if necessary.
To secure your private keys there are two separate pieces of information used in order to create a passphrase
for use with GPG. The first part is called a "User Key" and the second is a 5-6 character Password. Of course
using a longer password will increse the security level, however, as the User Key and Password are "combined"
then stretched, hashed and fed to "scrypt" there is no need for the password to be longer as it simply is not
practical for it to be brute-forced (probably even if the User Key was known).
After booting the LiveOS and logging in (as "tux" with password "linux") to install all the tools and scripts
for CIYAM Safe type:
./install
As per its instructions you next need to prepare your User Key (and decide upon a 5-6 character password) and
then type:
./init
The User Key is not handled like a password in that it is echoed to the screen so it should to be longer than
the password (recommended 20+ characters) and should be written down and safely stored. If storing the key as
plain text is a concern then the use of a tool such as "memory_key.html" (included) could be used in order to
generate a key from a personal memory that you can write down a clue instead of the User Key itself.
=============================================================================================================
NOTE: When using Firefox on the offline computer always select "Start Private Browsing" (Ctrl+Shift+P) first.
=============================================================================================================
Once you have typed in the User Key and the Password (you will be prompted to repeat the password as it isn't
echoed to the screen) then it will perform the stretching, hashing and finally "scrypt" encryption of the GPG
passphrase (which you don't need to even look at). Note that depending upon hardware this can take a while to
perform (but unless needing to do a "recovery" is just a one-off occurrence).
Whilst generating the GPG keys ZBar, Bitcoin and Vanitygen are compiled and depending upon your hardware this
could take quite a while to complete (wait until the message "Finished building 'bitcoind'..." appears before
trying to sign a transaction.
The GPG public key and encrypted private (armor exported) keys are written to "tux.pub.gpg" and "tux.sec.gpg"
and you should next safely copy these to your online computer by opening each of the following QR code images
in Firefox (enlarge the image size to fill up most of the screen with the QR code) and then scan each of them
using the webcam on your online computer.
tux.pub.gpg.png
tux.sec.gpg.00.png
tux.sec.gpg.01.png
(if using Windows on your online computer then omit the ./ prefixes so "./scan" will just become "scan")
./scan tux.pub.gpg.txt
(now hold the offline PC's screen close enough to the online computer's webcam to scan the code and after the
QR code has successfully been scanned then close ZBar)
./scan tux.sec.gpg.txt
(do the same but this time first scan "tux.sec.gpg.00.png" and the next scan "tux.sec.gpg.01.png" before then
closing ZBar and then you will need to remove the extra line break in the output file that was inserted after
the first scan)
The GPG public key used for signing on the offline computer needs to also be transferred across to the online
computer (the private key does not matter as GPG encrypted files are only ever sent *from* it not *to* it and
in the event of having to perform a recovery a new local GPG key pair will be created).
local.pub.gpg.png
./scan local.pub.gpg.txt
After successfully transferring the GPG private key and the two public keys via QR code it would be advisable
to now create backups of these files (including at least one "off-site" backup).
Generating and using a new Address
----------------------------------
First run the following script on your offline computer:
./genaddr
then in Firefox open up the [address].png file and scan this with your online computer's webcam:
(note use Ctrl-= to enlarge the image as much as possible and then F11 to view it "full screen")
./scan new_addr
(it would be recommended after scanning to rename "new_addr" to the bitcoin address or to some other relevant
name such as a task id or other reference)
Once again it would be advisable to immediately make backups of this new address file before sending bitcoins
to it.
Creating an unsigned transaction
--------------------------------
After bitcoins have been sent to the offline generated address to move the "unspent outputs" you will need to
construct one or more "raw transactions". To find the "unspent outputs" you can use an online service such as
(blockchain.info) and do a search for the address. From the list of transactions for that address you need to
then identify the Output Scripts that belong to the address and which of them are "unspent".
This will look something like:
OP_DUP OP_HASH160 039ff983382191b1b0e2baedd0d13467690dbcd0 OP_EQUALVERIFY OP_CHECKSIG
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Copy this information along with the txid and then issue the following command from within the Satoshi client
"Debug Window" (console tab).
createrawtransaction "[{\"txid\":\"xxxxxxxxxxReplaceThisWithYourTxIdxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"vout\
":1}]" "{\"1PutTheAddressToSendToInHerexxxxx\":0.0015}]"
(note that the escaping here is that suitable for the Windows version of the Satoshi client - for the offline
computer the escaping is instead suitable for Linux so use that formatting if your online computer is running
Linux also)
The output should be something similar to the following which you will need to copy:
010000000150c2f5d4508c1028b744db1b17df1239742fdacb562a059aefa766e18e4ff0640100000000ffffffff01e00f97000000000
01976a91407dd428c4c6f8752d5ded10edabab12d912de14e88ac00000000
Next you need to append the transaction and unspent output as well as 76a914[scriptPubKey]88ac (replacing the
[scriptPubKey] with the value 039ff983382191b1b0e2baedd0d13467690dbcd0 that was copied originally):
010000000150c2f5d4508c1028b744db1b17df1239742fdacb562a059aefa766e18e4ff0640100000000ffffffff01e00f97000000000
01976a91407dd428c4c6f8752d5ded10edabab12d912de14e88ac00000000 '[{"txid":"xxxxxxxxxxReplaceThisWithYourTxIdxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxx","vout":1,"scriptPubKey":"76a914xxxxxxxReplaceWithYourScriptPubKeyxxxxxx88ac"}]'
(for those wondering the 76a914 is "OP_DUP OP_HASH160 PUSH_20BYTES" and 88ac is "OP_EQUALVERIFY OP_CHECKSIG")
Now put the raw tx with txid and unspent output information into the clipboard and generate the QR code using
a free online service such as http://goqr.me/ (there are numerous available). You can use the "check" utility
to verify that the QR code contains the correct information before continuing.
Signing an unsigned transaction
-------------------------------
Firstly start up Bitcoin (the following script will create the necessary bitcoin.conf file if it has not been
already created):
./bitcoin
Then execute the "signtx" script with the address whose "unspent outputs" are to be spent:
./signtx 1PutTheAddressSendingFromHerexxxx
When prompted enter your 5-6 character password (which is used by scrypt to decrypt the GPG master passphrase
and place it on the clipboard) and when prompted by GPG for the password simply "paste" (i.e. Shift + Insert)
to continue. The raw transaction should now have been signed and the QR code "send_tx.png" should be opened
in Firefox and enlarged to fill the screen so it's ready for the online computer to scan.
Sending a signed transaction
----------------------------
./scan send_tx
(once the transaction has been successfully sent there is no need to keep this file)
The sendrawtransaction command and hex code should now be pasted into the "Debug Window" (console tab) of the
Satoshi client and then executed.
Restoring From Backup
---------------------
Assuming your LiveOS USB was lost or stolen start by installing the LiveOS again but this time when "init" is
called add the word "restore" as an argument to it (this will prevent it trying to create the master keys for
the "tux" user).
Most importantly you need your original User Key and your 5-6 password - without those you will simply not be
able to restore at all.
./install
./init restore
After the script has finished back on your online computer use http://goqr.me/ (or similar) to encode each of
the GPG public and private keys that had be originally created and then on the offline computer use "scan" to
save them (it would be recommended to break the private key into two parts to avoid using too large a QR code
for the webcam to be able to read and if the webcam on the offline computer is poor quality then maybe do the
same for the public keys also):
=============================================================================================================
NOTE: If your online computer is Windows then you may need to replace CRLF with LF after moving the QR codes.
=============================================================================================================
./scan tux.pub.gpg
./scan tux.sec.gpg
./scan old_local.pub.gpg
Each of these keys should then next be imported into GPG:
gpg --import tux.pub.gpg
gpg --import tux.sec.gpg
gpg --import old_local.pub.gpg
./hash_pwd
(now enter your User Key and short Password to rebuild the password hash required for GPG decoding)
If the LiveOS USB was lost or stolen then it would be advised to create raw tx's to "clean out" any remaining
"unspent outputs" and also to not use any of the old addresses again.
</pre>
</div>
</div>
<div id="login_footer"><p>© 2012-2018 CIYAM Developers</p></div>
</div>
</body>
</html>