Post
Topic
Board Wallet software
Merits 1 from 1 user
Re: BtcIO - Open source, cold, BTC wallet
by
NotATether
on 02/03/2021, 09:21:13 UTC
⭐ Merited by avadhuta (1)
You might want to warn people that you are using a very weak RNG (System.Random) to generate their keys[1] and it is not safe to use this method to get a true random bitcoin private key to be used for real bitcoins.
Also, you are using your own defined word list to generate the "seed", of which you end up computing only the SHA256 as "secure" entropy[2].

[1] https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/Tech.cs#L75-L82
[2] https://github.com/avadhuta/BtcIO/blob/3f67b5657733370e99078c7345a1e46a27d993c5/BtcWalletTools/WalletTools.cs#L255

It is more secure, in that method, to use the System.Security.Cryptography.RNGCryptoServiceProvider class rather than Random, and then use its GetBytes method to get a byte value, of which OP then takes the modulus with words.Length. For example:

Code:
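using System;
using System.Security.Cryptography;

// ...

public static String RandomSeed() {
    // CSPRNG instead of System.Random; the using block disposes it on exit.
    using (RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider()) {
        // Four bytes rather than one, so indexes past 255 stay reachable
        // when words holds more than 256 entries.
        byte[] randomNumber = new byte[4];
        string res = "";
        for (int i = 0; i < 12; i++) {
            rngCsp.GetBytes(randomNumber);
            int r = (int)(BitConverter.ToUInt32(randomNumber, 0) % (uint)words.Length);
            res += words[r].ToLower() + (i < 11 ? " " : "");
        }
        return res;
    }
}
// ...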

Note: I did not test this code for syntax errors.
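
An added example, not part of the original post or of the BtcIO code: picking seed words with a CSPRNG and rejection sampling so that every word is equally likely, plus the entropy a phrase of a given length carries. The word list, class name and method names are placeholders made up for this example.

```csharp
using System;
using System.Security.Cryptography;

public static class SeedWords
{
    // Constructed sample list (placeholder); a real list would be far longer.
    static readonly string[] Words = { "alpha", "bravo", "cedar", "delta", "ember", "flint", "grove" };

    // Uniform index in [0, n) by rejection sampling: draws at or above the
    // largest multiple of n that fits in 32 bits are discarded, not wrapped.
    static int UniformIndex(RandomNumberGenerator rng, int n)
    {
        if (n <= 0) throw new ArgumentOutOfRangeException(nameof(n));
        ulong range = 1UL << 32;
        ulong limit = range - (range % (ulong)n);
        byte[] buf = new byte[4];
        while (true)
        {
            rng.GetBytes(buf);
            uint v = BitConverter.ToUInt32(buf, 0);
            if (v < limit) return (int)(v % (uint)n);
        }
    }

    public static string RandomSeed(string[] words, int count)
    {
        string[] picked = new string[count];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < count; i++)
                picked[i] = words[UniformIndex(rng, words.Length)].ToLower();
        }
        return string.Join(" ", picked);
    }

    // Entropy of the phrase: count * log2(list length) bits.
    public static double EntropyBits(int listLength, int count)
    {
        return count * Math.Log(listLength, 2);
    }

    public static void Main()
    {
        Console.WriteLine(RandomSeed(Words, 12));
        Console.WriteLine("bits with this list: {0:F1}", EntropyBits(Words.Length, 12));
        Console.WriteLine("bits with 2048 words: {0:F1}", EntropyBits(2048, 12));
    }
}
```

Hashing the phrase afterwards does not raise these figures; the entropy is fixed by the list length and the number of words drawn.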