Topic: A Secure and Redundant Savings Wallet Concept, Hopefully - page 2. (Read 5081 times)

Thank you for that link, I couldn't find any implementations either! I didn't know whether it was practical with long strings at look. Seems to work!

http://point-at-infinity.org/ssss/

I'm not sure I'd go with the truecrypt for this. You can generate a random passphrase with enough bits to be more secure than the original private key. Then encrypt your wallet with that using gpg, then run ssss on the secret key. I'd do this all in memory and only write out the individual ssss parts to the usb keys, never write out more than one key to any media.

This distro looks like a good choice: https://www.privacy-cd.org/

It disables all network and hard drives so you don't have to worry about accidentally writing stuff to something persistent.


There are important tradeoffs here. You're putting almost all your trust into the safe deposit box. That might make sense, but if that's the case why not just put the full key in there without a passphrase? The passphrase is sitting right next to it so it doesn't really serve a purpose in this scenario. Each extra piece is also a risk because you could lock yourself out even without a thief. You could forget the passphrase, forget where you put the drives, something could happen to them. In my case, I've decided that I need either a pass phrase or 2 out of 2 usb drives to get in, but I'll never write the pass phrase down anywhere, and the usb drives don't require any pass phrases in case i forget it.

The important thing is you're putting a lot of thought into this, and posting your ideas and getting feedback is the best way to do security.

You can't get information about the sixth part, but you still may get information about the secret without it.


Yes, I think your idea is worth a try. But I think is not reviewed enough to advice people in a forum to do that, or only for experiments.

In my opinion everybody is free to do as he likes, but when people start to spread their unproven ideas to other users (who may be noobs who just follow the advice without having the capabilities to review it themselves) I get a little upset.

Your thread is very valuable for a discussion here, I just wanted to say that unexperienced users should prefer the better tested ideas.

I also appreciate the very fact that you share your ideas with us in the first place! I also appreciate that you take criticism seriously and review your work.


That's how we get closer to the solutions for our problems.

I recall a previous reply from you indicating that "splitting is stupid", guess I missunderstood that.

If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

The core concept here is that there are 6 volume parts and 6 encryption key parts.  All are required in order to access the wallet.  Each media only has 5 of the volume parts and 5 of the key parts.  Don't you think it's safe to say that there is pretty much no way to derive the missing part of either, if you only have 5 of the 6 parts?  And to compromise the wallet, you'd have to somehow come up with BOTH of the missing parts.  BTW I have decided I like the number 6, this could be done the same as long as there's 3 or more parts.

I realize this seems overly complex but so far I do feel confident that it provides a fairly high level of both security and redundancy and in many regards, this approach is me keeping it simple. 

I very much appreciate the feedback, information, and opportunity to discuss.  And I'm happy so far anyway, nothing has come up that suggests to me that this is a bad approach.  I think we (the community) should try to put together several guides for keeping bitcoin wallets safe and each one would have a different paranoia level associated with it

It is not stupid. But you should not trust it until you have a reason to assert that it is secure. If you don't know whether it is secure, assert that it isn't. That's the only proper way to do security.

Ok so any suggestions for how I go about implementing Shamir's scheme into my concept?  It would seem that there are no implementations that allow you turn a file (a TrueCrypt volume in this case) into a bunch of shares, just a password/string.  Granted, I could use this instead of my six seperate key files but still a goal is that the TrueCrypt volume also get split up and spread across the 6 storage locations such that no one location contains the entire volume file.

EDIT:  I am just trying to understand why simply splitting the file is "stupid".

It has similar properties, but you don't have a prove that your's is secure.

Shamir's is secure because it is based on polynomial functions. If you have a polynomial function of degree N, you need at least N+1 points on the curve to reconstruct it. If you have one point less, the secret could be everything.



EDIT: Btw, Shamir is the guy, who the S of RSA stands for. Not an unknown person in the world of cryptography.

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.

That's why I mentioned Shamir's Secret Sharing. That is designed for that purpose, and well known.



You shouldn't just create your own schemes, how do you know it is secure? Use publicly known schemes that are known to researchers worldwide for decades.


EDIT: Shamir's Sharing is proven to be information-theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

Yes. XKCD illustrates a variation of the rusty pipe gambit, in the form of a wrench:

Can you XOR  and end up with B, C, D, E, F & G and then just need any 2 of them to restore?

Did you notice, there's also 6 key files and only 5 of them are on each media.

Never make it more complicated, if you don't get a security advantage. It just makes flaws more likely.

How do you split the wallet for example? Splitting is stupid, I can tell you an absolutely secure (mathematically provable!!) way to do it:

1. Take your wallet.dat (call it file A)
2. Create a file with the same amount of bits, but totally random (each bit probability of 0.5, each bit independent of the other bits) (call it file B)
3. XOR files A and B (call the result file C)
4. Store files B and C at isolated locations


Now you can be absolutely certain that nobody reconstructs a single bit of your wallet without getting both files.
Further reading: http://en.wikipedia.org/wiki/One-time_pad




Another method is even more flexible, but not absolutely secure. [EDIT: Turns out to be absolutely secure also.] You can choose freely a number N of parts, and choose freely a number n of how many parts shall be needed to reconstruct the secret.

http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

Ah ok well doesn't the TrueCrypt Hidden Volume address this, potentially?  You could have 2 wallets, one in the outter (decoy) volume with a small amount of Bitcoin in it and then the real savings wallet in the hidden volume.

Sorry, I don't follow, could you elloborate?

Yes of course, in order to use the wallet sometime in the future it will then no longer be secure which is why you use it to send the saved Bitcoin somewhere else and then never use it again (last part of step 11).  The goal is to keep it secure and have redundancy so that the wallet and bitcoin are still there come the day when you need them.

While you may be safe from remote and brute-force attacks, your strategy is no match for the rusty pipe gambit. If you had enough bitcoins for anyone to care about, they'd probably do that first.

@bcearl:

So encryption is 100% perfect and can't possibly be hacked/cracked/etc?  I accept that this approach is probably overkill for many but it suites my tastes.  Even if it is unlikely that the encryption could be hacked, why not have the additional protection of each USB drive only having "part" of the wallet?

I am trying to understand your point..  Are you hinting that you think my concept for having the wallet split into multiple chunks where you need at least 2 of the chunks together in order to access the wallet is a bad idea?  

Is there a better way to achive the same "Security and Redundancy" that this approach provides?  Or does this approach maybe not provide the "Security and Redundancy" that I think it does?

Since when do you have to use the regular client software?

but when you want to actuall retrieve those coins you've got to remove all the security, and when bitcoin loads or reads a wallet file it loads the entire wallet.dat into memory, making it trivially easy to steal. It's like building a giant nuclear proof bunker to store all your priceless art in, but then to read it you take it out of that and walk to a bus stop at the dodgy end of town.