[ESHOP launched] Trezor: Bitcoin hardware wallet - page 97.

qawzsx

sr. member

Activity: 280

Merit: 250

NOT FUD! FACTS!

Just received my TREZORS

Anybody knows any tool which can encrypt text using a password?

I don't feel comfortable using a passphrase (the 25th word function) since it's asked every time when I use my trezor, yet I'd like to be able to print the 24 word seed in an encrypted format on paper and store it in multiple locations.

Any idea if this http://aesencryption.net/ is strong enough?

Also, is this a proper tool https://dcpos.github.io/bip39/, to use on an offline localhost webserver for private keys restoration from trezor if urgently needed?

slush

legendary

Activity: 1386

Merit: 1097

Thanks guys :-)

Anon136

legendary

Activity: 1722

Merit: 1217

Quote from: 600watt on December 03, 2014, 02:55:24 PM

Quote from: Famguyb on December 03, 2014, 12:48:58 PM

WOW! Good luck with this project. It looks amazing.

using my trezors almost daily i can say it IS amazing.

I do escrow for people here on the forums and trezor helps so much. Before i had to chose security or ease of use and since i was holding other peoples money i had to chose security so everything was a big pain. Back and forth to my air gaped computer all the time, copying bitcoin addresses over by hand sometimes. Now its secure and easy. So yea, seconded.

600watt

legendary

Activity: 2338

Merit: 2106

Quote from: Famguyb on December 03, 2014, 12:48:58 PM

WOW! Good luck with this project. It looks amazing.

using my trezors almost daily i can say it IS amazing.

Famguyb

newbie

Activity: 6

Merit: 0

WOW! Good luck with this project. It looks amazing.

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: cor on December 03, 2014, 12:02:26 PM

new link to our AMA: http://bit.ly/1FMZYO2

That's great. Will ask my questions there Wink

cor

full member

Activity: 121

Merit: 100

new link to our AMA: http://bit.ly/1FMZYO2

JorgeStolfi

hero member

Activity: 910

Merit: 1003

Quote from: kkurtmann on December 03, 2014, 12:37:06 AM

Quote from: JorgeStolfi on December 02, 2014, 03:14:16 PM

Quote from: kkurtmann on December 02, 2014, 02:02:28 PM

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you but at Radio Shack, though.

Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

I suppose you are right, for the readout. I was thinking of the first step, exposing the chip.

Erdogan

legendary

Activity: 1512

Merit: 1005

Quote from: Mickeyb on December 03, 2014, 02:46:42 AM

Quote from: Erdogan on December 02, 2014, 04:17:21 PM

Quote from: LOBSTER on December 02, 2014, 04:11:23 PM

Quote from: Erdogan on December 02, 2014, 04:05:07 PM

Quote from: qawzsx on December 02, 2014, 01:32:41 PM

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."

Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

Ha ha a good one!!

Yep, the Trezor is that good.

It was not a joke anyway, ask Snowden about it.

Mickeyb

hero member

Activity: 798

Merit: 1000

Move On !!!!!!

Quote from: AussieHash on December 02, 2014, 04:54:21 PM

Quote from: LOBSTER on December 02, 2014, 04:28:36 PM

Just chillin in my dark cellar Cheesy

Maybe it's too excessive...

I hope you remembered step 6
http://www.reddit.com/r/Bitcoin/comments/1e4b9s/the_only_truly_secure_way_to_use_bitcoin_from_a/

This is freaking awesome!! I will be sharing this!!

On a more serious note, you can do as suggested or simply use Trezor!!

Mickeyb

hero member

Activity: 798

Merit: 1000

Move On !!!!!!

Quote from: Erdogan on December 02, 2014, 04:17:21 PM

Quote from: LOBSTER on December 02, 2014, 04:11:23 PM

Quote from: Erdogan on December 02, 2014, 04:05:07 PM

Quote from: qawzsx on December 02, 2014, 01:32:41 PM

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."

Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

Ha ha a good one!!

kkurtmann

sr. member

Activity: 475

Merit: 250

Quote from: JorgeStolfi on December 02, 2014, 03:14:16 PM

Quote from: kkurtmann on December 02, 2014, 02:02:28 PM

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you but at Radio Shack, though.

Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

kkurtmann

sr. member

Activity: 475

Merit: 250

Quote from: Erdogan on December 02, 2014, 04:05:07 PM

Quote from: qawzsx on December 02, 2014, 01:32:41 PM

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."

Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's mouse, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

FTFY

AussieHash

hero member

Activity: 692

Merit: 500

The hardware attack has been discussed by stick and slush
http://www.reddit.com/r/Bitcoin/comments/2cj620/trezor_is_an_isolated_environment_for_offline/cjg04wz

As well as addressed in their FAQ
http://doc.satoshilabs.com/trezor-faq/threats.html

Btchip references in the "physical security" popup a 30c3 presentation on extracting private data from FPGAs
https://hardwarewallet.com

Your attacker needs to have the skill of chipworks
http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/inside-the-a7/

There were others who tried to deroof Apple CPUs which looked more like Apple Maps satellite imagery (blurry)
Edit : I can't find the old links now, but there were far less skillful CPU dissections than these at the time.
http://www.eetimes.com/document.asp?doc_id=1256680

JorgeStolfi

hero member

Activity: 910

Merit: 1003

Quote from: Mr. Spock on December 02, 2014, 04:14:06 PM

Quote from: kkurtmann on December 02, 2014, 02:02:28 PM

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

If the thief were to buy the necessary equipment, I would guess that it would cost at least tens of thousands of dollars, perhaps hundreds of thousands. (For starters, he would have to drill open the processor chip's enclosure without damaging the chip itself. That would require a good microscope, a super-steady drill, micromanipulators...) Therefore, that attack would be profitable only if the expected payoff was in the thousands of BTC.

However, the thief may be able to "borrow" the equipment from some physics or microelectronics research lab. In that case, the thief may be willing to attack smaller targets.

AussieHash

hero member

Activity: 692

Merit: 500

Quote from: LOBSTER on December 02, 2014, 04:28:36 PM

Just chillin in my dark cellar Cheesy

Maybe it's too excessive...

I hope you remembered step 6
http://www.reddit.com/r/Bitcoin/comments/1e4b9s/the_only_truly_secure_way_to_use_bitcoin_from_a/

LOBSTER

hero member

Activity: 560

Merit: 500

Quote from: Erdogan on December 02, 2014, 04:17:21 PM

Quote from: LOBSTER on December 02, 2014, 04:11:23 PM

Quote from: Erdogan on December 02, 2014, 04:05:07 PM

Quote from: qawzsx on December 02, 2014, 01:32:41 PM

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."

Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

Just chillin in my dark cellar Cheesy

Maybe it's too excessive...

Erdogan

legendary

Activity: 1512

Merit: 1005

Quote from: LOBSTER on December 02, 2014, 04:11:23 PM

Quote from: Erdogan on December 02, 2014, 04:05:07 PM

Quote from: qawzsx on December 02, 2014, 01:32:41 PM

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."

Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

chrisrico

hero member

Activity: 496

Merit: 500

Quote from: Mr. Spock on December 02, 2014, 04:14:06 PM

Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

Yes, if the person has access to the Trezor, they can see the extended public keys and calculate the value held by the device. I'm not sure if this is true if a passphrase is used, since it is concatenated with the seed.

chrisrico

hero member

Activity: 496

Merit: 500

Quote from: LOBSTER on December 02, 2014, 04:11:23 PM

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Note that the Trezor asks for the seed words in random order. There are 24! different combinations of the seed words, only one of which is valid. An attacker would still have to try on average half of the 620,448,401,733,239,439,360,000 possible combinations, which would take quite some time (by design). Using an offline computer for recovery is only necessary when you want to keep using the same seed. If you lost your Trezor, you should switch seeds anyway, and using an offline computer to move the funds is perfectly safe.

Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 97. (Read 966173 times)