Message-ID: <54EA7864.6000404@voskuil.org>
Date: Sun, 22 Feb 2015 16:46:28 -0800
From: Eric Voskuil <eric@voskuil.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Andy Schroder <info@AndySchroder.com>, Jan Vornberger <jan@uos.de>, 
	bitcoin-development@lists.sourceforge.net
References: <20150222190839.GA18527@odo.localdomain>	<54EA5AAE.3040306@voskuil.org>
	<54EA5CB4.5030302@voskuil.org> <54EA67AB.6040002@AndySchroder.com>
In-Reply-To: <54EA67AB.6040002@AndySchroder.com>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="rI8h2EfmqMoEcgLtVI51fR0OWEctsoQwp"
Subject: Re: [Bitcoin-development] Bitcoin at POS using BIP70,
 NFC and offline payments - implementer feedback
Precedence: list

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--rI8h2EfmqMoEcgLtVI51fR0OWEctsoQwp
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 02/22/2015 03:35 PM, Andy Schroder wrote:
>> On 02/22/2015 02:39 PM, Eric Voskuil wrote:
>>> Hi Jan,
>>>
>>> This is really nice work.
>>>
>>> WRT the Schroder and Schildbach proposal, the generalization of the "=
r"
>>> and "payment_url" parameters makes sense, with only the potential
>>> backward compat issue on payment_url.
>>>
>>>> TBIP75 furthermore proposes to include an additional 'h' parameter
>>>> which would be a hash of the BIP70 payment request, preventing a MIT=
M
>>>> attack on the Bluetooth channel even if the BIP70 payment request
>>>> isn't signed. This would have also been my suggestion, although I
>>>> know that Mike Hearn has raised concerns about this approach. One
>>>> being, that one needs to finalize the BIP70 payment request at the
>>>> time the QR code and NFC URI is generated.
>>>> ...
>>>> 3) Are there other comments regarding 'h' parameter as per TBIP75?
>>> Yes, this design is problematic from a privacy standpoint. Anyone wit=
hin
>>> the rather significant range of the Bluetooth terminal is able to
>>> capture payment requests and correlate them to people. In other words=
 it
>>> can be used to automate tainting.
>>>
>>> The problem is easily resolved by recognizing that, in the envisioned=

>>> face-to-face trade, proximity is the source of trust. Even in the abo=
ve
>>> proposal the "h" parameter is trusted because it was obtained by
>>> proximity to the NFC terminal. The presumption is that this proximity=

>>> produces a private channel.
>>>
>>> As such the "tap" should transfer a session key used for symmetric bl=
ock
>>> cipher over the Bluetooth channel. This also resolves the issue of
>>> needing to formulate the payment request before the NFC.
>>>
>>> As an aside, in other scenarios, such as an automated dispenser, this=

>>> presumption does not hold. The merchant is not present to guard again=
st
>>> device tampering. Those scenarios can be secured using BIP70, but can=
not
>>> guarantee privacy.
>>>
>>> The other differences I have with the proposal pertain to efficiency,=

>>> not privacy or integrity of the transaction:
>>>
>>> The proposed resource name is redundant with any unique identifier fo=
r
>>> the session. For example, the "h" parameter is sufficient. But with t=
he
>>> establishment of a session key both as I propose above, the parties c=
an
>>> derive a sufficiently unique public resource name from a hash of the
>>> key. An additional advantage is that the resource name can be
>>> fixed-length, simplifying the encoding/decoding.
>>>
>>> The MAC address (and resource name) should be encoded using base58. T=
his
>> The MAC address (and session key) should be encoded using base58. This=

>=20
>=20
> As I mentioned in my other e-mail, I don't know that we can consider
> this NFC a private channel, so I don't think a session key should be
> transmitted over it.

I don't think there is another option. The point of the NFC terminal is
to establish trust based on proximity.

I don't agree that it's insufficiently private. It's no less private
than if the customer pulled out an R2-D2 interface arm and plugged into
the merchant's terminal. The terminal connection can still be compromised=
=2E

IOW the merchant trusts that the person who just tapped on the NFC
terminal is the one who he/she is going to hand the product to, and both
parties trust that because of this handshake, no non-proximate
interlopers can monitor the content of the transaction. In the absence
of BIP70 (quite real in some scenarios) the payer also relies on
proximity to establish the identity of the receiver.

Otherwise, without proximity establishment, an *independent* secure
channel is required (see the Airbitz/RedPhone discussion). You end up
with an infinite regression problem. RedPhone terminates this regression
by relying on each party's ability to recognize the other's voice, and
in the difficulty of spoofing a voice. PKI deals with it by trusting
root CAs on presumed-trusted platforms (and a troublesome revocation
process). WoT establishes this by unspecified means (e.g. Peter Todd has
produced a nice video of him reading out his PGP key fingerprint).

If interlopers are so close to the NFC terminal that they can join the
session, they have effectively compromised an endpoint, so the privacy
problem becomes moot. Both endpoints must secure their devices to
achieve privacy in any design.

>>> is shorter than base16, is often shorter than base64, better
>>> standardized and does not require URI encoding, and is generally
>>> available to implementers.
>>>
>>> There is no need for the establishment of two Bluetooth services.
>>>
>>> I would change the payment_url recommendation so that the list order
>>> represents a recommended ordering provided by the terminal for the wa=
llet.
>>>
>>> I wrote up my thoughts on these considerations last year and recently=

>>> revised it by adding a section at the end to incorporate the "r" and
>>> "payment_url" generalizations from Andreas and Andy.
>=20
>=20
> The order is set so that it maintains backwards compatibility by
> providing the https request first.

Understood, it just isn't entirely clear to me that the backward compat
in this case doesn't depend on implementation choices of existing
systems. In any case it may be worth the small potential risk to achieve
the more elegant design.

> As mentioned in the proposal, the
> order of the r parameters has the recommended (but not required)
> priority. The wallet is encouraged to use the same protocol (but not
> required).

Understood, but it is more flexible to provide the recommendation that
the payment_url set be priority-ordered as well. This allows the seller
to deviate from the protocol (URL scheme) coupling, while also allowing
it to be established, as desired. Presumably it's the merchant's
priority that we want the wallet to honor where possible.

>>> https://github.com/evoskuil/bips/tree/master/docs
>>>
>>> e
>>>
>>>
>>> On 02/22/2015 11:08 AM, Jan Vornberger wrote:
>>>> Hi everyone,
>>>>
>>>> I am working on a Bitcoin point of sale terminal based on a Raspberr=
y Pi, which
>>>> displays QR codes, but also provides payment requests via NFC. It ca=
n optionally
>>>> receive the sender's transaction via Bluetooth, so if the sender wal=
let
>>>> supports it, the sender can be completely offline. Only the terminal=
 needs an
>>>> internet connection.
>>>>
>>>> Typical scenario envisioned: Customer taps their smartphone (or mayb=
e smartwatch
>>>> in the future) on the NFC pad, confirms the transaction on their pho=
ne
>>>> (or smartwatch) and the transaction completes via Bluetooth and/or t=
he phone's
>>>> internet connection.
>>>>
>>>> You can see a prototype in action here:
>>>>
>>>>   https://www.youtube.com/watch?v=3DP7vKHMoapr8
>>>>
>>>> The above demo uses a release version of Schildbach's Bitcoin Wallet=
, so it
>>>> works as shown today. However, some parts - especially the Bluetooth=
 stuff - are
>>>> custom extensions of Schildbach's wallet which are not yet standard.=

>>>>
>>>> I'm writing this post to document my experience implementing NFC and=
 offline
>>>> payments and hope to move the discussion forward around standardizin=
g some of
>>>> this stuff. Andy Schroder's work around his Bitcoin Fluid Dispenser =
[1,2]
>>>> follows along the same lines, so his proposed TBIP74 [3] and TBIP75 =
[4] are
>>>> relevant here as well.
>>>>
>>>>
>>>> ## NFC vs Bluetooth vs NFC+Bluetooth ##
>>>>
>>>> Before I get into the implementation details, a few words for why I =
decided to
>>>> go with the combination of NFC and Bluetooth:
>>>>
>>>> Doing everything via NFC is an interesting option to keep things sim=
ple, but the
>>>> issue is, that one usually can't maintain the connection while the u=
ser confirms
>>>> the transaction (as they take the device back to press a button or m=
aybe enter a
>>>> PIN). So there are three options:
>>>>
>>>> 1. Do a "double tap": User taps, takes the device back, confirms, th=
en taps
>>>> again to transmit the transaction. (I think Google Wallet does somet=
hing like
>>>> this.)
>>>>
>>>> 2. Confirm beforehand: User confirms, then taps and everything can h=
appen in one
>>>> go. The disadvantage is, that you confirm the transaction before you=
 have seen
>>>> the details. (I believe Google Wallet can also work this way.)
>>>>
>>>> 3. Tap the phone, then establish a Bluetooth connection which allows=
 you to do
>>>> all necessary communication even if the user takes the device back.
>>>>
>>>> I feel that option 3 is the nicest UX, so that is what I am focusing=
 on right
>>>> now, but there are pros and cons to all options. One disadvantage of=
 option 3 in
>>>> practice is, that many users - in my experience - have Bluetooth tur=
ned off, so
>>>> it can result in additional UI dialogs popping up, asking the user t=
o turn on
>>>> Bluetooth.
>>>>
>>>> Regarding doing everything via Bluetooth or maybe BLE: I have been f=
ollowing the
>>>> work that Airbitz has done around that, but personally I prefer the =
NFC
>>>> interaction of "I touch what I want to pay" rather than "a payment r=
equest comes
>>>> to me through the air and I figure out whether it is meant for me/is=
 legitimate".
>>>>
>>>>
>>>> ## NFC data formats ##
>>>>
>>>> A bit of background for those who are not that familiar with NFC: Mo=
st Bitcoin
>>>> wallets with NFC support make use of NDEF (NFC Data Exchange Format)=
 as far as I
>>>> am aware (with CoinBlesk being an exception, which uses host-based c=
ard
>>>> emulation, if I understand it correctly). NDEF defines a number of r=
ecord types,
>>>> among them 'URI' and 'Mime Type'.
>>>>
>>>> A common way of using NFC with Bitcoin is to create a URI record tha=
t contains a
>>>> Bitcoin URI. Beyond that Schildbach's wallet (and maybe others?) als=
o support
>>>> the mime type record, which is then set to 'application/bitcoin-paym=
entrequest'
>>>> and the rest of the NFC data is a complete BIP70 payment request.
>>>>
>>>>
>>>> ## Implementation ##
>>>>
>>>> To structure the discussion a little bit, I have listed a number of =
scenarios to
>>>> consider below. Not every possible combination is listed, but it sho=
uld cover a
>>>> bit of everything.
>>>>
>>>> Scenarios:
>>>>
>>>> 1) Scan QR code, transmit transaction via Bitcoin network
>>>>    Example QR code: bitcoin:1asdf...?amount=3D42
>>>>
>>>> 2) Touch NFC pad, transmit transaction via Bitcoin network
>>>>    Example NFC URI: bitcoin:1asdf...?amount=3D42
>>>>
>>>> 3) Scan QR code, fetch BIP70 details via HTTP, post transaction via =
HTTP
>>>>    Example QR code: bitcoin:1asdf...?amount=3D42&r=3Dhttps://example=
=2Eorg/bip70paymentrequest
>>>>
>>>> 4) Touch NFC pad, fetch BIP70 details via HTTP, post transaction via=
 HTTP
>>>>    Example NFC URI: bitcoin:1asdf...?amount=3D42&r=3Dhttps://example=
=2Eorg/bip70paymentrequest
>>>>
>>>> 5) Touch NFC pad, receive BIP70 details directly, post transaction v=
ia HTTP
>>>>    Example NFC MIME record: application/bitcoin-paymentrequest + BIP=
70 payment request
>>>>
>>>> 6) Scan QR code, fetch BIP70 details via Bluetooth, post transaction=
 via Bluetooth
>>>>    Example QR code: bitcoin:1asdf...?amount=3D42&bt=3D1234567890AB
>>>>    Payment request has 'payment_url' set to 'bt:1234567890AB'
>>>>
>>>> 7) Touch NFC pad, fetch BIP70 details via Bluetooth, post transactio=
n via Bluetooth
>>>>    Example NFC URI: bitcoin:1asdf...?amount=3D42&bt=3D1234567890AB
>>>>    Payment request has 'payment_url' set to 'bt:1234567890AB'
>>>>
>>>> Scenarios 1 and 2 are basically the 'legacy'/pre-BIP70 approach and =
I am just
>>>> listing them here for comparison. Scenario 3 is what is often in use=
 now, for
>>>> example when using a checkout screen by BitPay or Coinbase.
>>>>
>>>> I played around with both scenarios 4 and 5, trying to decide whethe=
r I should
>>>> use an NFC URI record or already provide the complete BIP70 payment =
request via
>>>> NFC.
>>>>
>>>> My experience here has been, that the latter was fairly fragile in m=
y setup
>>>> (Raspberry Pi, NFC dongle from a company called Sensor ID, using nfc=
py). I tried
>>>> with signed payment requests that were around 4k to 5k and the trans=
fer would
>>>> often not complete if I didn't hold the phone perfectly in place. So=
 I quickly
>>>> switched to using the NFC URI record instead and have the phone fetc=
h the BIP70
>>>> payment request via Bluetooth afterwards. Using this approach the am=
ount of data
>>>> is small enough that it's usually 'all or nothing' and that seems mo=
re robust to
>>>> me.
>>>>
>>>> That said, I continue to have problems with the NFC stack that I'm u=
sing, so it
>>>> might just be my NFC setup that is causing these problems. I will pr=
obably give
>>>> the NXP NFC library a try next (which I believe is also the stack th=
at is used
>>>> by Android). Maybe I have more luck with that approach and could the=
n switch to
>>>> scenario 5.
>>>>
>>>> Scenarios 6 and 7 is what the terminal is doing right now. The 'bt' =
parameter is
>>>> the non-standard extension of Andreas' wallet that I was mentioning.=
 TBIP75
>>>> proposes to change 'bt' into 'r1' as part of a more generic approach=
 of
>>>> numbering different sources for the BIP70 payment request. I think t=
hat is a
>>>> good idea and would express my vote for this proposal. So the QR cod=
e or NFC URI
>>>> would then look something like this:
>>>>
>>>>   bitcoin:1asdf...?amount=3D42&r=3Dhttps://example.org/bip70&r1=3Dbt=
:1234567890AB/resource
>>>>
>>>> In addition the payment request would need to list additional 'payme=
nt_url's. My
>>>> proposal would be to do something like this:
>>>>
>>>>     message PaymentDetails {
>>>>         ...
>>>>         optional string payment_url =3D 6;
>>>>         optional bytes merchant_data =3D 7;
>>>>         repeated string additional_payment_urls =3D 8;
>>>>           // ^-- new; to hold things like 'bt:1234567890AB'
>>>>     }
>>>>
>>>> TBIP75 proposes to just change 'optional string payment_url' into 'r=
epeated
>>>> string payment_url'. If this isn't causing any problems (and hopeful=
ly not too
>>>> much confusion?) I guess that would be fine too.
>>>>
>>>> In my opinion a wallet should then actually attempt all or multiple =
of the
>>>> provided mechanisms in parallel (e.g. try to fetch the BIP70 payment=
 request via
>>>> both HTTP and Bluetooth) and go with whatever completes first. But t=
hat is of
>>>> course up to each wallet to decide how to handle.
>>>>
>>>> TBIP75 furthermore proposes to include an additional 'h' parameter w=
hich would
>>>> be a hash of the BIP70 payment request, preventing a MITM attack on =
the
>>>> Bluetooth channel even if the BIP70 payment request isn't signed. Th=
is would
>>>> have also been my suggestion, although I know that Mike Hearn has ra=
ised
>>>> concerns about this approach. One being, that one needs to finalize =
the BIP70
>>>> payment request at the time the QR code and NFC URI is generated.
>>>>
>>>>
>>>> ## Questions ##
>>>>
>>>> My questions to the list:
>>>>
>>>> 1) Do you prefer changing 'optional string payment_url' into 'repeat=
ed string
>>>> payment_url' or would you rather introduce a new field 'additional_p=
ayment_urls'?
>>>>
>>>> 2) @Andreas: Is the r, r1, r2 mechanism already implemented in Bitco=
in Wallet?
>>>>
>>>> 3) Are there other comments regarding 'h' parameter as per TBIP75?
>>>>
>>>> 4) General comments, advice, feedback?
>>>>
>>>> I appreciate your input! :-)
>>>>
>>>> Cheers,
>>>> Jan
>>>>
>>>> [1] http://andyschroder.com/BitcoinFluidDispenser/
>>>> [2] https://www.mail-archive.com/bitcoin-development%40lists.sourcef=
orge.net/msg06354.html
>>>> [3] https://github.com/AndySchroder/bips/blob/master/tbip-0074.media=
wiki
>>>> [4] https://github.com/AndySchroder/bips/blob/master/tbip-0075.media=
wiki
>>>>
>>>> --------------------------------------------------------------------=
----------
>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>>> from Actuate! Instantly Supercharge Your Business Reports and Dashbo=
ards
>>>> with Interactivity, Sharing, Native Excel Exports, App Integration &=
 more
>>>> Get technology previously reserved for billion-dollar corporations, =
FREE
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=3D190641631&iu=3D/4140=
/ostg.clktrk
>>>> _______________________________________________
>>>> Bitcoin-development mailing list
>>>> Bitcoin-development@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>>>>
>>
>>
>> ----------------------------------------------------------------------=
--------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboar=
ds
>> with Interactivity, Sharing, Native Excel Exports, App Integration & m=
ore
>> Get technology previously reserved for billion-dollar corporations, FR=
EE
>> http://pubads.g.doubleclick.net/gampad/clk?id=3D190641631&iu=3D/4140/o=
stg.clktrk
>>
>>
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>=20


--rI8h2EfmqMoEcgLtVI51fR0OWEctsoQwp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU6nhkAAoJEDzYwH8LXOFOtpsH/A8RxNpTh91YLozVLhNxigiZ
WdL9eeMmnZUIE+uf5yn/9rWx7YovgII8fSgD0bcQuh56sq/uNHPc4S5IwnYcCSmw
06DUPHPmrrdk/zUUR7aHPx2hx1cScqdxsWu5rV/h0WDghGOukdmf+rZydlJxbKz6
Jakx8VyYk2fXYvMYJQqLYbctBKcWgcD0RHlV3ZpUNF0zsdhnjV9mrI/Z+S6n/NCl
ji98bYmRzcLOVfjMh4Oenf8W/0pG1dZr6Mn3r35BInOWNT8Mk5h4oU7+Zn3P8x6R
k8kE+abTnsv0u9AgDsIJD1z4gyWggv6mNEj5k/rNDlH1TYlfIOL5KkK3OfMGEt4=
=QeA6
-----END PGP SIGNATURE-----

--rI8h2EfmqMoEcgLtVI51fR0OWEctsoQwp--