Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YIRYJ-00058p-OI for bitcoin-development@lists.sourceforge.net; Tue, 03 Feb 2015 00:41:15 +0000 Received: from mail-pa0-f50.google.com ([209.85.220.50]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1YIRYI-0005my-HJ for bitcoin-development@lists.sourceforge.net; Tue, 03 Feb 2015 00:41:15 +0000 Received: by mail-pa0-f50.google.com with SMTP id rd3so88897045pab.9 for ; Mon, 02 Feb 2015 16:41:08 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=DmZ9Nmv+r2Rwtnkbr94fXHbq8xFPUYyHcNDGq+5vaBk=; b=Q7celWAgJuOCqWPEBhOFjtVIJdoD7Vf3WPRd88+re+jgD81jMNHfOevJVSDN6N8RP4 3Lo32wvNhB8b7wHU4ju5qDzzGfu0q9x5JjZB+1WeWDXCkOS2DHZdIPMerr6NL5YaEldu wls3C2MrvU5chPzdke99Li+RmPFlg96Prvc62l1VXqfDOZv6FwNLuzwuUW++o/MNnEHN jbxDzk4mx28g3UHsKjkQpKO0V8tR/hFE6pBOOCSsRfX3cwaSLCPeOpJ9DO9EoyQAfe5D +Dg3ZcHOg3XlydhIU+M9vWz9iCtVpjNBjZT90wpTWdfbKL7r60DNdQIcpTF7SuIp3o4K k3zw== X-Gm-Message-State: ALoCoQmGywxjNuTmL4jb6N+HvZuAl8HDfbY0+wSgQKd0zZaSvca5vMHtRIqYUkiXNyCLiXJO+C7c X-Received: by 10.66.141.42 with SMTP id rl10mr21489429pab.124.1422924068732; Mon, 02 Feb 2015 16:41:08 -0800 (PST) Received: from [10.0.1.3] (c-50-135-46-157.hsd1.wa.comcast.net. [50.135.46.157]) by mx.google.com with ESMTPSA id q1sm249236pdq.17.2015.02.02.16.41.07 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Feb 2015 16:41:08 -0800 (PST) Message-ID: <54D01930.10104@voskuil.org> Date: Mon, 02 Feb 2015 16:41:20 -0800 From: Eric Voskuil User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: Mike Hearn References: <27395C55-CF59-4E65-83CA-73F903272C5F@gmail.com> <54CE3816.6020505@bitwatch.co> <68C03646-02E7-43C6-9B73-E4697F3AA5FD@gmail.com> <05590A33-1802-4C15-91C0-8777ACD8440B@voskuil.org> <1F2B5D9D-BD1E-4EFB-AD48-4B3E376D9661@voskuil.org> In-Reply-To: <1F2B5D9D-BD1E-4EFB-AD48-4B3E376D9661@voskuil.org> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL" X-Spam-Score: 0.0 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. X-Headers-End: 1YIRYI-0005my-HJ Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Proposal to address Bitcoin malware X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2015 00:41:15 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable One clarification below. e On 02/02/2015 02:54 PM, Eric Voskuil wrote: > On Feb 2, 2015, at 11:53 AM, Mike Hearn wrote: >> >> In sending the first-signed transaction to another for second >> signature, how does the first signer authenticate to the second >> without compromising the independence of the two factors? >> >> Not sure what you mean. The idea is the second factor displays the >> transaction and the user confirms it matches what they input to the >> first factor. Ideally, using BIP70, but I don't know if BA actually >> uses that currently. >> >> It's the same model as the TREZOR, except with a desktop app instead >> of myTREZOR and a phone instead of a dedicated hardware device.=20 >=20 > Sorry for the slow reply, traveling. >=20 > My comments were made in reference to this proposal: >=20 >>> On Feb 2, 2015, at 10:40 AM, Brian Erdelyi >> > wrote: >>> >>> Another concept... >>> >>> It should be possible to use multisig wallets to protect against >>> malware. For example, a user could generate a wallet with 3 keys and= >>> require a transaction that has been signed by 2 of those keys. One >>> key is placed in cold storage and anther sent to a third-party. >>> >>> It is now possible to generate and sign transactions on the users >>> computer and send this signed transaction to the third-party for the >>> second signature. This now permits the use of out of band transactio= n >>> verification techniques before the third party signs the transaction >>> and sends to the blockchain. >>> >>> If the third-party is malicious or becomes compromised they would not= >>> have the ability to complete transactions as they only have one >>> private key. If the third-party disappeared, the user could use the >>> key in cold storage to sign transactions and send funds to a new wall= et. >>> >>> Thoughts? My comments below start out with the presumption of user platform compromise, but the same analysis holds for the case where the user platform is clean but a web wallet is compromised. Obviously the idea is that either or both may be compromised, but integrity is retained as long as both are not compromised and in collusion. > In the multisig scenario the presumption is of a user platform > compromised by malware. It envisions a user signing a 2 of 3 output wit= h > a first signature. The precondition that the platform is compromised > implies that this process results in a loss of integrity of the private= > key, and as such if it were not for the second signature requirement, > the malware would be able to spend the output. This may be extended to > all of the keys in the wallet. >=20 > The scenario envisions sending the signed transaction to an another > ("third") party. The objective is for the third party to provide the > second signature, thereby spending the output as intended by the user, > who is not necessarily the first signer. The send must be authenticated= > to the user. Otherwise the third party would have to sign anything it > received, obviously rendering the second signature pointless. This > implies that the compromised platform must transmit a secret, or proof > of a secret, to the third party. >=20 > The problem is that the two secrets are not independent if the first > platform is compromised. So of course the malware has the ability to > sign, impersonate the user and send to the third party. So the third > party *must* send the transaction to an *independent* platform for > verification by the user, and obtain consent before adding the second > signature. The user, upon receiving the transaction details, must be > able to verify, on the independent platform, that the details match > those of the transaction that user presumably signed. Even for simple > transactions this must include amount, address and fees. >=20 > The central assumptions are that, while the second user platform may be= > compromised, the attack against the second platform is not coordinated > with that of the first, nor is the third party in collusion with the > first platform. >=20 > Upon these assumptions rests the actual security benefit (increased > difficulty of the coordinated attack). The strength of these assumption= s > is an interesting question, since it is hard to quantify. But without > independence the entire security model is destroyed and there is thus n= o > protection whatsoever against malware. >=20 > So for example a web-based or other third-party-provisioned > implementation of the first platform breaks the anti-collusion > assumption. Also, weak comsec allows an attack against the second > platform to be carried out against its network. So for example a simple= > SMS-based confirmation could be executed by the first platform alone an= d > thereby also break the the anti-collusion assumption. This is why I > asked how independence is maintained. >=20 > The assumption of a hardware wallet scenario is that the device itself > is not compromised. So the scenario is not the same. If the user signs > with a hardware wallet, nothing can collude with that process, with one= > caveat. >=20 > While a hardware wallet is not subject to onboard malware, it is not > inconceivable that its keys could be extracted through probing or other= > direct attack against the hardware. It's nevertheless an assumption of > hardware wallets that these attacks require loss of the hardware. > Physical possession constitutes compromise. So the collusion model with= > a hardware wallet does exist, it just requires device possession. > Depending on the implementation the extraction may require a non-trivia= l > amount of time and money. >=20 > In a scenario where the user signs with HW, then sends the transaction > to a third party for a second of three signatures, and finally to a > second platform for user verification, a HW thief needs to collude with= > the third party or the second platform before the owner becomes aware o= f > the theft (notifying the third party). This of course implies that > keeping both the fist and second platforms in close proximity > constitutes collusion from a physical security standpoint. This is > probably sufficient justification for not implementing such a model, > especially given the cost and complexity of stealing and cracking a > well-designed device. A device backup would provide comparable time to > recover with far less complexity (and loss of privacy). >=20 > Incidentally the hardware wallet idea breaks down once any aspect of th= e > platform or network to which it connects must be trusted, so for these > purposes I do not consider certain hybrid models as hardware wallets at= > all. For example one such device trusts that the compromised computer > does not carry out a MITM attack between the signing device and a share= d > secret entered in parts over time by the user. This reduces to a single= > factor with no protection against a compromised platform. >=20 > Of course these questions address integrity, not privacy. Use of a thir= d > party implies loss of privacy to that party, and with weak comsec to th= e > network. Similarly, use of hardware signing devices implies loss of > privacy to the compromised platforms with which they exchange transacti= ons. >=20 > e --uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJU0BkwAAoJEDzYwH8LXOFO8qsH/jMXsGUvthRCzafM0XIVB5Mi 1t0KfjzmjWhR7/dmz3NY2JqmDFVKxQFCd/HhHHspyhT7jNc6T0EwTSbizRZbY9DA 79ii7gdZAx5B6Sv+pmzf9wakdXP+ho7NIR0uvFz6PXDxlM7fFNO6PJJmJFlY0PMi QF0spQ0y4R5sbaN+5odioQPbNidDT4/AN+b7m+/wcXj4Fh0G/RwLbQ6DVQf31zKv 83tqUk8EDW4JdXLJ7jBw6JftgmfrtSHbLv/0m3usPNmOEhRps4wY+lH2ig9FFoMm YfG36ov8+tX9lOsfgWvq3v9vFoiVfC+5CgetHBGU8VMVpJHKCcsIhzGYVrLk9Ko= =uKb1 -----END PGP SIGNATURE----- --uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL--