Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 3337693D for ; Wed, 17 Aug 2016 18:36:42 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f43.google.com (mail-oi0-f43.google.com [209.85.218.43]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id BAEED170 for ; Wed, 17 Aug 2016 18:36:40 +0000 (UTC) Received: by mail-oi0-f43.google.com with SMTP id l203so148840753oib.1 for ; Wed, 17 Aug 2016 11:36:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=mWFRH++qxYmgvR5j9L2zmTKCaJzz91ReBG1Ymi9e+c4=; b=y+mT3lYkSJohc4tUOZ+nPeynrR5MizyoaFzGoDNkJXtrSjXw+1zQnml+JHDLSH0PLq OCKffbY7Nxjo8K9TES+mgOCQ3J8OgWA4um0ERM9JNVYW6j+AcDFxRYgX306HvlgO7g/K uh6Y6M00QSRpZMF+oegz6nFTpH3tLUZ0fsbsuXTOr/bu1jmh1mg8bok2YIeCai/830PH FhKGG49twrHID6CzcLNTg5V8qoDrzfOl9GamrIeneUc5E38vFrttgp9+xVXUFd3JMy5C 2iMlxI8RoWwhOqIJuetFsV8CbiVEslfEk/EnKfR+UsSA8o247HIlCrjn08+npwlpPHJk DuJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=mWFRH++qxYmgvR5j9L2zmTKCaJzz91ReBG1Ymi9e+c4=; b=aoB2yPU4DUGZBQ+4HhuL3xIiJnKBfdcACl0OnERf0qw8cSiG/WyuiTSV3+Sw1wcSKM ZPIc5bdbYeZMjDJgYJS+Keea8sRr+p9/9UCezZmlX3ZxYtX3fde4NwNrscFLt39cUswY VVlImPNAkPEpyDtYSEVs1wMg8Ox1J9shNPc/vzaR4smOMcBzQb+eCpoD5cTHw5rSWkkb l+rLvnj5GvkM09Gva3TusgcCCXIUhfGb9QBregvrye4Xm+UMmeMD9brdjGKOuGcyzVov lfI7aEQ9wvVFO/CBTGQ9iwvo1OOaOTDCVcl6XApVYvx3HjO2ai4+XyNgVFY1a52bOQrR HSNg== X-Gm-Message-State: AEkoouvrmF07GKebs0x3j9u2VFItRoZTLm6JAT8Q1j9og7SmgN+6Nb1+HxUIMc6cG+s1Uo8V1iY+nlcSI415WA== X-Received: by 10.202.196.151 with SMTP id u145mr25160452oif.141.1471458999993; Wed, 17 Aug 2016 11:36:39 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.43.113 with HTTP; Wed, 17 Aug 2016 11:36:38 -0700 (PDT) In-Reply-To: <20160817001407.GA6571@fedora-21-dvm> References: <57B31EBC.1030806@jonasschnelli.ch> <0501f5c2-611c-53c1-5fd1-d4da5ba5137b@gmail.com> <20160817001407.GA6571@fedora-21-dvm> From: Bryan Bishop Date: Wed, 17 Aug 2016 13:36:38 -0500 Message-ID: To: Peter Todd , Bitcoin Protocol Discussion , Bryan Bishop Content-Type: multipart/alternative; boundary=001a113e4c12ff0f00053a48be57 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Hardware Wallet Standard X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Aug 2016 18:36:42 -0000 --001a113e4c12ff0f00053a48be57 Content-Type: text/plain; charset=UTF-8 On Tue, Aug 16, 2016 at 7:14 PM, Peter Todd via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > The other serious problem - and this is a problem with smartcards in > general > anyway - is that without Bitcoin-specific logic you're just signing > blindly; we > recently saw the problems with that with the Bitfinex/BitGo hack. And even > then, without a screen most of the hardware wallets in are still just > signing > blindly, with at best hard-to-use limits on maximum funds moved > per-transaction. Also note how even hardware wallets with a screen, like > Trezor, aren't yet able to authenticate who you are paying. > "Welcome to my threat model." In multisig scenarios, there must be a different "trust root" for each key. For example, storing two private keys next to each other on the same web server is broken because if one key is compromised it is infinitely trivial to compromise the second key. Using multiple web servers is also broken if the two servers are controlled by the same AWS keys or same "help me get my servers back" support email request to whatever single sign-on service is used. In some cases, it can be better to write software such that transaction data is served at a particular location, and another security-critical step is responsible for downloading that data from the first machine, rather than the first computer directly pushing (with authentication credentials in place for the attacker to compromise) the data to the second computer. I recommend using hardware security modules (HSMs). It's important to have a public, reviewed bitcoin standard for hardware wallets, especially HSMs. I expect this is something that the entire industry has a tremendous interest in following and contributing to, which could even lead to additional resources contributed (or at the very least, more detailed requirements) towards libconsensus work. Instead of signing any bitcoin transaction that the hardware wallet is given, the hardware should be responsible for running bitcoin validation rules and business logic, which I recommend for everyone, not only businesses. Without running business logic and bitcoin validation rules, the actual bitcoin history on the blockchain could be a very different reality from what the hardware thinks is happening. Using a different out-of-band communication channel, the hardware could query for information from another database in another trust root, which would be useful for business logic to validate against. As for a screen, I consider that somewhat limited because you only get text output (and I don't know if I can reasonably suggest QR codes here). With a screen, you are limited to text output, which can compromise privacy of the device's operations and info about the wallet owner. An alternative would be to have a dedicated port that is responsibly only for sending out data encrypted to the key of the wallet owner, to report information such as whatever the hardware's transaction planner has decided, or to report about the state of the device, state of the bitcoin validation rules, or any accounting details, etc. Additionally, even a signed transaction should be encrypted to the key of the device owner because a signed transaction can be harmless as long as the owner still has the ability to control whether the signed transaction is broadcasted to the network. It's "separation of concerns" for transaction signing and decrypting a signed transaction should be unrelated and uncoupled. Also I am eager to see what the community proposes regarding signed and authenticated payment requests. ((insert here general promotional statement regarding the value of reusable checklists used during every signing ritual ceremony)) - Bryan http://heybryan.org/ 1 512 203 0507 --001a113e4c12ff0f00053a48be57 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On T= ue, Aug 16, 2016 at 7:14 PM, Peter Todd via bitcoin-dev &= lt;bitcoin-dev@lists.linuxfoundation.org> wrote:
The other serious problem - and this is= a problem with smartcards in general
anyway - is that without Bitcoin-specific logic you're just signing bli= ndly; we
recently saw the problems with that with the Bitfinex/BitGo hack. And even<= br> then, without a screen most of the hardware wallets in are still just signi= ng
blindly, with at best hard-to-use limits on maximum funds moved
per-transaction. Also note how even hardware wallets with a screen, like Trezor, aren't yet able to authenticate who you are paying.

"Welcome to my threat = model."

In multisig scenarios,= there must be a different "trust root" for each key. For example= , storing two private keys next to each other on the same web server is bro= ken because if one key is compromised it is infinitely trivial to compromis= e the second key. Using multiple web servers is also broken if the two serv= ers are controlled by the same AWS keys or same "help me get my server= s back" support email request to whatever single sign-on service is us= ed. In some cases, it can be better to write software such that transaction= data is served at a particular location, and another security-critical ste= p is responsible for downloading that data from the first machine, rather t= han the first computer directly pushing (with authentication credentials in= place for the attacker to compromise) the data to the second computer.
=

I recommend using hardware security modules (HSMs). It's important to = have a public, reviewed bitcoin standard for hardware wallets, especially H= SMs. I expect this is something that the entire industry has a tremendous i= nterest in following and contributing to, which could even lead to addition= al resources contributed (or at the very least, more detailed requirements)= towards libconsensus work.

Instead of signing any bitcoin transacti= on that the hardware wallet is given, the hardware should be responsible fo= r running bitcoin validation rules and business logic, which I recommend fo= r everyone, not only businesses. Without running business logic and bitcoin= validation rules, the actual bitcoin history on the blockchain could be a = very different reality from what the hardware thinks is happening. Using a = different out-of-band communication channel, the hardware could query for i= nformation from another database in another trust root, which would be usef= ul for business logic to validate against.
=
As for a screen, I consider that somew= hat limited because you only get text output (and I don't know if I can= reasonably suggest QR codes here). With a screen, you are limited to text = output, which can compromise privacy of the device's operations and inf= o about the wallet owner. An alternative would be to have a dedicated port = that is responsibly only for sending out data encrypted to the key of the w= allet owner, to report information such as whatever the hardware's tran= saction planner has decided, or to report about the state of the device, st= ate of the bitcoin validation rules, or any accounting details, etc. Additi= onally, even a signed transaction should be encrypted to the key of the dev= ice owner because a signed transaction can be harmless as long as the owner= still has the ability to control whether the signed transaction is broadca= sted to the network. It's "separation of concerns" for transa= ction signing and decrypting a signed transaction should be unrelated and u= ncoupled.

Also I am eager to see what the community proposes regardi= ng signed and authenticated payment requests.

((insert here general = promotional statement regarding the value of reusable checklists used durin= g every signing ritual ceremony))

<= div class=3D"gmail_signature" data-smartmail=3D"gmail_signature">- Bryanhttp://heybryan.org/
1 512 203 0507
--001a113e4c12ff0f00053a48be57--