In this post,
https://bitcointalksearch.org/topic/avoiding-theft-using-trusted-computing-67508, Mike Hearn gives a good introduction to trusted computing technology and how it could help secure Bitcoin wallets. I've been working on these ideas, using the Flicker software that Mike linked to, and it's about ready for testing, if anyone is interested.
Basically it's a patched version of bitcoin-qt/bitcoind (for Linux only) that enforces limits on your daily spending. You could get infected with malware and the most it could do would be to drain your wallet a little bit at a time. All this with a single machine, although only certain models of Intel and AMD processors support the secure mode.
Mike gives a good summary of the principles of trusted computing. Suffice it to say that the technology allows you to create a piece of code that can run unmolested by the rest of the computer. The TPM chip is used to cryptographically protect its data. The data is sealed to the hash of the secure code, so that only that piece of code has access to its secrets.
I'm using Jon McCune's Flicker technology. Flicker switches you into the secure mode for just an instant, and then switches you back out again. In this way, the secure mode doesn't have to coexist with the operating system, which would require hypervisor technology. Flicker is only about 3000 lines of code, small as these things go.
I've made a Flicker module (they call it a PAL) called bcflick. And I've patched bitcoind to make calls into bcflick to generate new keys and to sign transactions. The Flicker module knows the wallet encryption key, while bitcoind (normally) doesn't. So the only way to sign transactions, for you or for malware, is to go through bcflick. Bcflick knows the time from the TPM and keeps track of the amount spent today, and will refuse to sign a transaction if the daily amount were to exceed the pre-set limit.
Because Flicker is so minimal, it has limitations. The total size of the PAL has to be less than 1 Meg. And the size of the input to and output from the PAL is a couple hundred K. More importantly, the PAL can't do any device I/O, because that would interfere with OS management of devices. Basically, the PAL starts up, reads input buffer, does work, and writes its output buffer, all in the blink of an eye. Actually, that is a little exaggerated about the speed. Because the TPM is so slow, and because of the firmware overhead in switching into the secure mode, a Flicker call takes a substantial fraction of a second.
These Flicker limitations restrict what we can do to strengthen a Bitcoin wallet. We can't ask the user to approve spends, because of no I/O. So the policy enforcement has to be self-contained. The daily spending limit seemed useful and not too complex. More complicated policies could be supported, such as adjusted daily limits based on the average of recent days. More ambitious would be to take into consideration infow of funds; this would require parsing the block chain, including dealing with reorgs.
It's best to start with a new wallet. If you have some funds, transfer them elsewhere temporarily and delete wallet.dat. After you finish initialization, transfer your funds back to new, bcflick-protected addresses.
In more detail, bcflick must be initialized when running cleanly, i.e. malware-free. This is unfortunately impossible. An approximation can be achieved by booting from a live CD or USB. Doing this will eliminate all but the most sophisticated threats.
In this mode, start bitcoind with the -flickerlimit switch. This will allow you to set the daily spending limit that bcflick will enforce. Then encrypt the new wallet with a long passphrase. This will pass the wallet encryption key to bcflick, along with the daily spending limit.
If you don't want to transfer your funds away and you are certain that you are not currently infected with malware, there is a shortcut. Boot into a clean mode and start bitcoind with the -flickerlimit switch. Then change your passphrase. You can change it to something longer, or even have the old and new passphrases be the same. Executing a passphrase change (re)initializes bcflick with the wallet encryption key and spending limit. This procedure is also useful when things go wrong and bcflick stops working. Boot into a clean state, run bitcoind with -flickerlimit, and change the passphrase from itself to itself.
Then you can boot into a regular mode, and bcflick will sign transactions, using the wallet encryption key to decrypt the signing keys. Bcflick will also create (encrypted) keys. This is so malware can't observe any decrypted keys. Any other operations requiring the wallet passphrase, such as spending in excess of the daily limit, should be done by booting into a clean mode and entering the passphrase. Under no circumstances should you enter your passphrase without booting into a clean mode. Otherwise, malware could learn it, and steal all your funds.
Because the passphrase is not needed for daily use, you can use a longer and more complex one. That, coupled with the infrequent use, means you should probably write it down and store it in a secure place.
I need to write more about the security model, both Flicker related and Bitcoin related. But in the mean time, here is a quick-start guide:
Experimental integration of Flicker with Bitcoin
Get a computer that supports Flicker
Set up the TPM:
Get TPM/J from
http://projects.csail.mit.edu/tc/tpmj/Enable the TPM in BIOS
Take ownership of the TPM with sudo java edu.mit.csail.tpmj.tools.TPMTakeOwnership
Create a counter with sudo java edu.mit.csail.tpmj.tools.TPMCreateCounter BITC
Get the master branch of flicker working, git clone git://git.code.sf.net/p/flickertcb/code
Get the master branch of bitcoin working, git clone git://github.com/bitcoin/bitcoin.git
Download the bitcoin block chain
If you have bitcoins, transfer them elsewhere and delete wallet.dat
Get the flicker branch, git clone http://github.com/halfinney/bitcoin/
Get the mytxtck branch, git clone git://git.code.sf.net/u/hal/flickertcb
Make a symbolic link called flicker in the bitcoin directory pointing to the flicker/examples/app directory
Run make in flicker/examples/{app,pal/libtommath,pal}
Copy flicker/examples/pal/bcflick.bin to ~/.bitcoin
Run make bitcoind in bitcoin/src
Run chmod 666 /sys/devices/system/cpu/cpu*/online /sys/kernel/flicker/* (you'll probably have to do this after every reboot)
Boot into a secure mode (eg. boot from a live CD)
Run bitcoind -flickerlimit= & where limit is the maximum daily limit of bitcoins spent
Run bitcoind encryptwallet
Boot into a regular mode and flicker will limit the amount spent per day to the limit you have set, without requiring a passphrase
Now you can transfer your funds back, to new addresses in your wallet
If you want to spend more, boot into the secure mode and unlock the wallet with the passphrase