Bryan Bishop Wallet Security, Key Management & Hardware Security Modules (HSMs) Dev++ / BC2 - October 4th-5th 2018 - Keio University, Tokyo, Japan schedule: video: Alright, I’m now going to talk about bitcoin wallet security. And I was asked to talk about key management and hardware security modules and a bunch of other topics all in one talk. This will be a bit broader than some of the other talks because this is an important subject about how do you actually store bitcoin and then some of the developments around the actual storage of bitcoin in a secure way. Some have been integrated into bitcoin core, some that have not. Who am I? We have already went over this. If you don’t remember me, tough. I was previously working at LedgerX, I was their bitcoin developer. LedgerX is a CFTC regulated bitcoin options exchange and clearinghouse so they have to actually take possession of the bitcoin that are used for the option trades and store them long term and the bitcoin must absolutely be there for the settlements and withdrawals that eventually occur. If they are not, what is the point, that is the whole point of a clearinghouse. So, just some really brief lessons learned here. So when you have a security situation that really has to be done right automation is really useful to make sure everything works and everything is right, get it tested. It is great to have automation, then you do not have to do it anymore, but there is actually a high cost to doing automation and sometimes for high security situations maybe automation isn’t the right option, so that was one of the lessons that I came away with. Also, there is no end to end off the shelf storage custody solution for institutions really, it is not just use bitcoin core and you are good to go, you have to have people in your organization that need to be trained, if they do not know how to use bitcoin, just downloading bitcoin core isn’t good enough instructions for normies. Also, if you are working with regulators to get a license exchange for example be careful what you tell regulators because some of those will be interpreted as promises or design specifications and then that puts further constraints on the actual shape or structure of what you can actually build. So as an example, one of the consequences of certain representations made to regulators, they were not wrong representations, but as a consequence of them though I had to write a lot of custom wallet software that did not previously exist. And honestly, the hardware integration for bitcoin core is still in development and forth coming, so it is not like there is ready made solutions anyway. So, when we talk about storing bitcoin, some of this is going to be a little obvious to the old timers here, but in case you are not aware, you can have things such as hot wallet versus cold wallet, then you can also have different ways of storing the keys for your wallets, most notably online or offline. Some companies that store bitcoin on behalf of users have chosen to use hot wallets which is basically press a button and you can steal the bitcoin and then others have chosen to do offline storage. So offinline storage can work in a number of different ways. One is that you can have something as trivial as writing down your key onto a piece of paper and only uploading it to a computer that is air gapped, never connected to the internet, to other things where you maybe have it stored on a computer hardware device that is never connected to the internet, but it is not on paper. Some of the people find it ironic that one of the major suggestions for bitcoin users that if you are storing bitcoin store it on a paper wallet and put it in a vault and this is contrasted to the point that bitcoin is very software intensive so the fact that paper was a major recommendation was a bit ironic. And then there are specialty purpose specific devices such as hardware wallets and hardware security modules, which I will talk about more later. And then there are also certain groups of people that have decided to build bunkers underground and hire security forces to protect bitcoin for long term storage. And you know in some cases it is really interesting because software can sometimes provide a lot of the advantages that hardware could provide or that armed security forces could provide if you are just smarter about how you do it in software. So there are a bunch of different areas to explore here. I was actually giving a custody talk at Baltic Honeybadger recently in Latvia and one of the important things to ask though is what is the appropriate level of security for different use cases. Not everyone needs that armed security forces. Not everyone needs to use Shamir security sharing to backup multiple keys and pass them onto your heirs and whoever owns your estate when you die. And then other people do feel that is appropriate, so it is good to be aware of the spectrum and options available for storing your bitcoin. And in particular, the reason why I mention heirs, is in the event of your death, if you want people in your family to be able to access your bitcoin or in the event of a company that has business continuity interruptions the instructions need to be extremely clear and very well tested. Speaking of testing, many people do not realize this, but anytime you are doing anything in bitcoin, including transactions or long term cold storage or whatever it is you want to do, you can always test on regtest first. Anytime I spend bitcoin, I try to test the transaction on Regtest first in an environment I control to verify that my steps are actually correct. I think everyone should be doing that. If you are advising a company on how are they using and accessing their bitcoin, there needs to be actual steps documented. So for certain scenarios in companies or even individually the way I like to think about it, is something called the signing ritual or signing ceremonies and this is usually where you have a dedicated room or different rooms in different buildings around the world that are specifically constructed for signing bitcoin transactions. I’m about to give an example, on the next slide is the DNSSEC signing ceremony, it is probably the most public and the most transparent one. It is definitely inspirational and probably the most entertaining video on the internet, it is 4 hours of people reading off checklists. It is a great example, I think that it is kind of interesting that there is not one for anyone doing their bitcoin rituals. Like no one has done a transparency video about how they actually store their coins or withdraw them, I think that is really interesting. Another idea that was mentioned to me just today was the idea that the signing ritual, it would be interesting to try, consider a situation where instead of having software sign your transactions, consider doing it by hand. I think the computational confusing step in there is manually hashing everything, I think that if you use a computer for that step you might be able to get away with manually signing transactions, in which case you might not need computers to touch it and then you can get away with not having to check for malware in any of your devices. So if you were to actually design a signing ritual, what would actually go into that? How would that actually look. So hardware wallets are something on the market. There are a few available, something nice to have is that if you have a hardware wallet which is a speciality device designed to store bitcoin, a screen on the device would be really useful because then whenever you are about to perform some action the device can actually tell you what it thinks you are about to do. The idea of unlocking a hardware wallet is actually kind of terrifies me. This idea of a locked mode and an unlocked mode just seems kind of wrong because the idea of security is that you want the security to always be on, not just enable security and disable security while you are doing stuff. Have lots of backups, that is a good idea. One of the nice to haves that everyone has been talking about for a long time, but it hasn’t been made yet- maybe one of you can do it- is the idea of running a bitcoin core node on one of the hardware wallets of some kind, so that the consensus rules can be verified in the hardware wallet. There is an upcoming slide where I discuss this as useful for the lightning network. For example, where you can have a node, a lightning node, running such that transactions are only signed in the event that they positively increase your balance or something and then the hardware device would be able to verify those rules and monitor blockchain data to confirm that. So there is another sector of the market that has been called hardware security modules and this has existed long before bitcoin hardware wallets and bitcoin itself and I actually think that the idea of separately hardware wallets and hardware modules is actually a bit antiquated and we shouldn’t do them anymore we should just call them all hardware wallets or call them all hardware security modules but they are generally seen as having more computational power, but again though from the perspective of selling equipment to people or providing equipment and security does it really make sense to have some customer demographic better security or more features than others? Like we all have the same requirements for the most part for securing our bitcoin so I’m not really sure that fragmenting the market makes sense. So I have already talked about this use case for lightning. For hardware wallets that only sign transactions that positively increase the balance of the user. This would be useful for hot wallets that are still online but still use hardware security features. Another idea, is that you can have a hardware wallet that is itself protected by several other hardware devices, not necessarily hardware wallets but in particular you can imagine a scenario where you use multisig on a cryptography level not on a bitcoin level to gate access to a hardware device, so you have to have a quorum available in order to activate the HSM. One of the advantages of this actually if you have a number of people that you have entrusted to participate in this process and perhaps they become irresponsible or unavailable you could replace them without having to actually rotate your keys on the blockchain. Key rotation, I haven’t even talked about key rotation, in theory everyone should be rotating their keys quite regularly because you never know when someone has stolen your private key. And key rotation on the bitcoin blockchain side has a cost, it has a fee associated with it, but if you have this multisig quorum stuff going on to access your bitcoin or control it, this is one way of minimizing costs while also improving your security situation. Ok, now let’s actually get down to bitcoin specific stuff. I think there is a talk right after mine about partially signed bitcoin transactions, so anyway the idea of this is that you can have a standardized serialization format to communicate with hardware wallets. I do not want to steal anyone’s thunder so I’m just going to skip the rest of that. Another thing to consider for hardware wallets is pre-signed transactions. If you consider that there is a high cost to actually accessing a hardware wallet or using it regularly, then one interesting thing you can do is you can pre-sign transactions, that are valid that you perhaps store somewhere else or encrypt them somewhere else and you keep the encryption keys wherever. In the event of an emergency or some other situation, perhaps you lose your keys or access to your keys or your hardware wallet, you can broadcast these pre-signed transactions. There was also a proposal a while back, if you wanted to have something like a vault, one idea that has been proposed of using a covenant, but bitcoin doesn’t have convenance yet, or at least we certainly hope it doesn’t and I do not think anyone really knows if it really does right now. But, anyway what you can do is with time-lock transactions you always have this concern that perhaps someone could steal the key that signed a time-locked transaction and instead sign a transaction that does not have a time-lock. So what you can do instead is send it to a pubkey, well before you do that you can sign a transaction that spends from this pubkey that you have invented and then you can delete the private key that once a transaction spends to it and this is a way to make it a permanent time lock that must be exhausted before the bitcoin can be spent. So this is an interesting thing you can add to a way of storing bitcoin to improve security. Also, I am assisting with a custody workshop that will be occuring in San Francisco sometime in November. It’s smartcustody.com ran by Christopher Allen and a few others. It is just a one day workshop for family offices. So what would be really nice if there was some toolkit for how to store bitcoin in a really rigorous fashion where you can also share documentation, video documentation with other people about how to actually participate and use this and actually have training and so on. One of the interesting things about bip32 that was briefly mentioned in the last talk was that when you have the public keys you can derive more public keys and more addresses without actually having to go back to your private key, you don’t have to do any computation with the private key after you get your public key. And this is really useful and this actually minimizes the amount of times you have to interact with your secure hardware elements. So using bip32 and many of these hardware solutions can be really useful. Speaking of keys, we have been talking about keys for hours today, something that you should consider if you have never done it before, or even if you have, perhaps participate in some key signing, just ask around, particularly in slack, if you have a PGP key that has or has not been signed before I’m sure there are many people here including myself that would be happy to sign it, and there is some documentation at the link for how this usually goes. But this is useful for a web of trust and that is all that I have, thank you.