From: Bryan Bishop <kanzure@gmail•com>
To: Peter Todd <pete@petertodd•org>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
Bryan Bishop <kanzure@gmail•com>
Subject: Re: [bitcoin-dev] Hardware Wallet Standard
Date: Wed, 17 Aug 2016 13:36:38 -0500 [thread overview]
Message-ID: <CABaSBawL29aRF5aJ9jbshBU+FSzOPGYj0EaETawi7ttXewTAsg@mail.gmail.com> (raw)
In-Reply-To: <20160817001407.GA6571@fedora-21-dvm>
[-- Attachment #1: Type: text/plain, Size: 3782 bytes --]
On Tue, Aug 16, 2016 at 7:14 PM, Peter Todd via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:
> The other serious problem - and this is a problem with smartcards in
> general
> anyway - is that without Bitcoin-specific logic you're just signing
> blindly; we
> recently saw the problems with that with the Bitfinex/BitGo hack. And even
> then, without a screen most of the hardware wallets in are still just
> signing
> blindly, with at best hard-to-use limits on maximum funds moved
> per-transaction. Also note how even hardware wallets with a screen, like
> Trezor, aren't yet able to authenticate who you are paying.
>
"Welcome to my threat model."
In multisig scenarios, there must be a different "trust root" for each key.
For example, storing two private keys next to each other on the same web
server is broken because if one key is compromised it is infinitely trivial
to compromise the second key. Using multiple web servers is also broken if
the two servers are controlled by the same AWS keys or same "help me get my
servers back" support email request to whatever single sign-on service is
used. In some cases, it can be better to write software such that
transaction data is served at a particular location, and another
security-critical step is responsible for downloading that data from the
first machine, rather than the first computer directly pushing (with
authentication credentials in place for the attacker to compromise) the
data to the second computer.
I recommend using hardware security modules (HSMs). It's important to have
a public, reviewed bitcoin standard for hardware wallets, especially HSMs.
I expect this is something that the entire industry has a tremendous
interest in following and contributing to, which could even lead to
additional resources contributed (or at the very least, more detailed
requirements) towards libconsensus work.
Instead of signing any bitcoin transaction that the hardware wallet is
given, the hardware should be responsible for running bitcoin validation
rules and business logic, which I recommend for everyone, not only
businesses. Without running business logic and bitcoin validation rules,
the actual bitcoin history on the blockchain could be a very different
reality from what the hardware thinks is happening. Using a different
out-of-band communication channel, the hardware could query for information
from another database in another trust root, which would be useful for
business logic to validate against.
As for a screen, I consider that somewhat limited because you only get text
output (and I don't know if I can reasonably suggest QR codes here). With a
screen, you are limited to text output, which can compromise privacy of the
device's operations and info about the wallet owner. An alternative would
be to have a dedicated port that is responsibly only for sending out data
encrypted to the key of the wallet owner, to report information such as
whatever the hardware's transaction planner has decided, or to report about
the state of the device, state of the bitcoin validation rules, or any
accounting details, etc. Additionally, even a signed transaction should be
encrypted to the key of the device owner because a signed transaction can
be harmless as long as the owner still has the ability to control whether
the signed transaction is broadcasted to the network. It's "separation of
concerns" for transaction signing and decrypting a signed transaction
should be unrelated and uncoupled.
Also I am eager to see what the community proposes regarding signed and
authenticated payment requests.
((insert here general promotional statement regarding the value of reusable
checklists used during every signing ritual ceremony))
- Bryan
http://heybryan.org/
1 512 203 0507
[-- Attachment #2: Type: text/html, Size: 4641 bytes --]
next prev parent reply other threads:[~2016-08-17 18:36 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-16 14:10 Jonas Schnelli
2016-08-16 14:48 ` Pavol Rusnak
2016-08-16 15:13 ` Jonas Schnelli
2016-08-16 15:21 ` Pavol Rusnak
2016-08-16 17:48 ` Jochen Hoenicke
2016-08-17 0:25 ` Thomas Kerin
2016-08-17 7:24 ` Jonas Schnelli
2016-08-17 7:40 ` Nicolas Bacca
2016-08-17 10:13 ` Dana L. Coe
2016-08-17 11:34 ` Jonas Schnelli
2016-08-17 17:06 ` Marek Palatinus
2016-08-18 6:54 ` Jonas Schnelli
2016-08-18 9:15 ` Marek Palatinus
2016-08-18 9:35 ` Jonas Schnelli
2016-08-18 9:43 ` Marek Palatinus
2016-08-18 9:49 ` Jonas Schnelli
2016-08-18 10:23 ` Nicolas Bacca
2016-08-24 10:31 ` Thomas Kerin
2016-08-16 19:22 ` Luke Dashjr
2016-08-17 0:03 ` Thomas Daede
2016-08-16 23:36 ` Aiqin Li
2016-08-17 0:14 ` Peter Todd
2016-08-17 7:27 ` Nicolas Bacca
2016-08-17 18:36 ` Bryan Bishop [this message]
2016-08-22 16:50 ` Moral Agent
2016-08-28 23:14 ` Corey Haddad
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABaSBawL29aRF5aJ9jbshBU+FSzOPGYj0EaETawi7ttXewTAsg@mail.gmail.com \
--to=kanzure@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=pete@petertodd$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox