1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
helo=mx.sourceforge.net)
by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <eric@voskuil.org>) id 1YIRYJ-00058p-OI
for bitcoin-development@lists.sourceforge.net;
Tue, 03 Feb 2015 00:41:15 +0000
Received: from mail-pa0-f50.google.com ([209.85.220.50])
by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1YIRYI-0005my-HJ
for bitcoin-development@lists.sourceforge.net;
Tue, 03 Feb 2015 00:41:15 +0000
Received: by mail-pa0-f50.google.com with SMTP id rd3so88897045pab.9
for <bitcoin-development@lists.sourceforge.net>;
Mon, 02 Feb 2015 16:41:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to
:cc:subject:references:in-reply-to:content-type;
bh=DmZ9Nmv+r2Rwtnkbr94fXHbq8xFPUYyHcNDGq+5vaBk=;
b=Q7celWAgJuOCqWPEBhOFjtVIJdoD7Vf3WPRd88+re+jgD81jMNHfOevJVSDN6N8RP4
3Lo32wvNhB8b7wHU4ju5qDzzGfu0q9x5JjZB+1WeWDXCkOS2DHZdIPMerr6NL5YaEldu
wls3C2MrvU5chPzdke99Li+RmPFlg96Prvc62l1VXqfDOZv6FwNLuzwuUW++o/MNnEHN
jbxDzk4mx28g3UHsKjkQpKO0V8tR/hFE6pBOOCSsRfX3cwaSLCPeOpJ9DO9EoyQAfe5D
+Dg3ZcHOg3XlydhIU+M9vWz9iCtVpjNBjZT90wpTWdfbKL7r60DNdQIcpTF7SuIp3o4K
k3zw==
X-Gm-Message-State: ALoCoQmGywxjNuTmL4jb6N+HvZuAl8HDfbY0+wSgQKd0zZaSvca5vMHtRIqYUkiXNyCLiXJO+C7c
X-Received: by 10.66.141.42 with SMTP id rl10mr21489429pab.124.1422924068732;
Mon, 02 Feb 2015 16:41:08 -0800 (PST)
Received: from [10.0.1.3] (c-50-135-46-157.hsd1.wa.comcast.net.
[50.135.46.157])
by mx.google.com with ESMTPSA id q1sm249236pdq.17.2015.02.02.16.41.07
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Mon, 02 Feb 2015 16:41:08 -0800 (PST)
Message-ID: <54D01930.10104@voskuil.org>
Date: Mon, 02 Feb 2015 16:41:20 -0800
From: Eric Voskuil <eric@voskuil.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Mike Hearn <mike@plan99.net>
References: <27395C55-CF59-4E65-83CA-73F903272C5F@gmail.com>
<54CE3816.6020505@bitwatch.co>
<68C03646-02E7-43C6-9B73-E4697F3AA5FD@gmail.com>
<05590A33-1802-4C15-91C0-8777ACD8440B@voskuil.org>
<CANEZrP1QgtJ2urNTVqbscrXaJ=wefUO16GQ=THaSBnLq9QBmeQ@mail.gmail.com>
<1F2B5D9D-BD1E-4EFB-AD48-4B3E376D9661@voskuil.org>
In-Reply-To: <1F2B5D9D-BD1E-4EFB-AD48-4B3E376D9661@voskuil.org>
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL"
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
X-Headers-End: 1YIRYI-0005my-HJ
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Proposal to address Bitcoin malware
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 00:41:15 -0000
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
One clarification below.
e
On 02/02/2015 02:54 PM, Eric Voskuil wrote:
> On Feb 2, 2015, at 11:53 AM, Mike Hearn wrote:
>>
>> In sending the first-signed transaction to another for second
>> signature, how does the first signer authenticate to the second
>> without compromising the independence of the two factors?
>>
>> Not sure what you mean. The idea is the second factor displays the
>> transaction and the user confirms it matches what they input to the
>> first factor. Ideally, using BIP70, but I don't know if BA actually
>> uses that currently.
>>
>> It's the same model as the TREZOR, except with a desktop app instead
>> of myTREZOR and a phone instead of a dedicated hardware device.=20
>=20
> Sorry for the slow reply, traveling.
>=20
> My comments were made in reference to this proposal:
>=20
>>> On Feb 2, 2015, at 10:40 AM, Brian Erdelyi <brian.erdelyi@gmail.com
>>> <mailto:brian.erdelyi@gmail.com>> wrote:
>>>
>>> Another concept...
>>>
>>> It should be possible to use multisig wallets to protect against
>>> malware. For example, a user could generate a wallet with 3 keys and=
>>> require a transaction that has been signed by 2 of those keys. One
>>> key is placed in cold storage and anther sent to a third-party.
>>>
>>> It is now possible to generate and sign transactions on the users
>>> computer and send this signed transaction to the third-party for the
>>> second signature. This now permits the use of out of band transactio=
n
>>> verification techniques before the third party signs the transaction
>>> and sends to the blockchain.
>>>
>>> If the third-party is malicious or becomes compromised they would not=
>>> have the ability to complete transactions as they only have one
>>> private key. If the third-party disappeared, the user could use the
>>> key in cold storage to sign transactions and send funds to a new wall=
et.
>>>
>>> Thoughts?
My comments below start out with the presumption of user platform
compromise, but the same analysis holds for the case where the user
platform is clean but a web wallet is compromised. Obviously the idea is
that either or both may be compromised, but integrity is retained as
long as both are not compromised and in collusion.
> In the multisig scenario the presumption is of a user platform
> compromised by malware. It envisions a user signing a 2 of 3 output wit=
h
> a first signature. The precondition that the platform is compromised
> implies that this process results in a loss of integrity of the private=
> key, and as such if it were not for the second signature requirement,
> the malware would be able to spend the output. This may be extended to
> all of the keys in the wallet.
>=20
> The scenario envisions sending the signed transaction to an another
> ("third") party. The objective is for the third party to provide the
> second signature, thereby spending the output as intended by the user,
> who is not necessarily the first signer. The send must be authenticated=
> to the user. Otherwise the third party would have to sign anything it
> received, obviously rendering the second signature pointless. This
> implies that the compromised platform must transmit a secret, or proof
> of a secret, to the third party.
>=20
> The problem is that the two secrets are not independent if the first
> platform is compromised. So of course the malware has the ability to
> sign, impersonate the user and send to the third party. So the third
> party *must* send the transaction to an *independent* platform for
> verification by the user, and obtain consent before adding the second
> signature. The user, upon receiving the transaction details, must be
> able to verify, on the independent platform, that the details match
> those of the transaction that user presumably signed. Even for simple
> transactions this must include amount, address and fees.
>=20
> The central assumptions are that, while the second user platform may be=
> compromised, the attack against the second platform is not coordinated
> with that of the first, nor is the third party in collusion with the
> first platform.
>=20
> Upon these assumptions rests the actual security benefit (increased
> difficulty of the coordinated attack). The strength of these assumption=
s
> is an interesting question, since it is hard to quantify. But without
> independence the entire security model is destroyed and there is thus n=
o
> protection whatsoever against malware.
>=20
> So for example a web-based or other third-party-provisioned
> implementation of the first platform breaks the anti-collusion
> assumption. Also, weak comsec allows an attack against the second
> platform to be carried out against its network. So for example a simple=
> SMS-based confirmation could be executed by the first platform alone an=
d
> thereby also break the the anti-collusion assumption. This is why I
> asked how independence is maintained.
>=20
> The assumption of a hardware wallet scenario is that the device itself
> is not compromised. So the scenario is not the same. If the user signs
> with a hardware wallet, nothing can collude with that process, with one=
> caveat.
>=20
> While a hardware wallet is not subject to onboard malware, it is not
> inconceivable that its keys could be extracted through probing or other=
> direct attack against the hardware. It's nevertheless an assumption of
> hardware wallets that these attacks require loss of the hardware.
> Physical possession constitutes compromise. So the collusion model with=
> a hardware wallet does exist, it just requires device possession.
> Depending on the implementation the extraction may require a non-trivia=
l
> amount of time and money.
>=20
> In a scenario where the user signs with HW, then sends the transaction
> to a third party for a second of three signatures, and finally to a
> second platform for user verification, a HW thief needs to collude with=
> the third party or the second platform before the owner becomes aware o=
f
> the theft (notifying the third party). This of course implies that
> keeping both the fist and second platforms in close proximity
> constitutes collusion from a physical security standpoint. This is
> probably sufficient justification for not implementing such a model,
> especially given the cost and complexity of stealing and cracking a
> well-designed device. A device backup would provide comparable time to
> recover with far less complexity (and loss of privacy).
>=20
> Incidentally the hardware wallet idea breaks down once any aspect of th=
e
> platform or network to which it connects must be trusted, so for these
> purposes I do not consider certain hybrid models as hardware wallets at=
> all. For example one such device trusts that the compromised computer
> does not carry out a MITM attack between the signing device and a share=
d
> secret entered in parts over time by the user. This reduces to a single=
> factor with no protection against a compromised platform.
>=20
> Of course these questions address integrity, not privacy. Use of a thir=
d
> party implies loss of privacy to that party, and with weak comsec to th=
e
> network. Similarly, use of hardware signing devices implies loss of
> privacy to the compromised platforms with which they exchange transacti=
ons.
>=20
> e
--uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU0BkwAAoJEDzYwH8LXOFO8qsH/jMXsGUvthRCzafM0XIVB5Mi
1t0KfjzmjWhR7/dmz3NY2JqmDFVKxQFCd/HhHHspyhT7jNc6T0EwTSbizRZbY9DA
79ii7gdZAx5B6Sv+pmzf9wakdXP+ho7NIR0uvFz6PXDxlM7fFNO6PJJmJFlY0PMi
QF0spQ0y4R5sbaN+5odioQPbNidDT4/AN+b7m+/wcXj4Fh0G/RwLbQ6DVQf31zKv
83tqUk8EDW4JdXLJ7jBw6JftgmfrtSHbLv/0m3usPNmOEhRps4wY+lH2ig9FFoMm
YfG36ov8+tX9lOsfgWvq3v9vFoiVfC+5CgetHBGU8VMVpJHKCcsIhzGYVrLk9Ko=
=uKb1
-----END PGP SIGNATURE-----
--uTb2NBheAWRWCFahxfJP01PjuEUMw6UwL--
|