Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Armory
Author

Topic: Feature Request to Combat USB Vulnerability (Read 1198 times)

Razick
legendary
Activity: 1330
Merit: 1003
Feature Request to Combat USB Vulnerability
August 18, 2014, 09:17:37 AM
#5
Quote from: jl2012 on August 17, 2014, 10:37:13 AM
Quote from: Razick on August 16, 2014, 10:24:41 PM
In light of the recently discovered vulnerability in USB and SD devices, I was trying to determine a good way to relay transactions from my offline wallet without exposing it to the internet or potentially infected devices. I would like to request two features:

1) The ability to create transactions from an offline wallet. This way I don't have to get the unsigned transaction from my online, watch-only wallet. I can verify that I have sufficient balance myself, and of course you could add a warning and require the user to check a box before this is allowed.

2) The ability to create a QR code from a signed transaction. This would allow me to scan the transaction with my phone and broadcast it while maintaining the security of my offline system.

I hope you will consider these features, I think they would be helpful for paranoid users.

There is no such thing called "balance" in bitcoin protocol. Bitcoin doesn't work as you think. You are misled by blockchain.info

Haha, I meant the sum of all available inputs, but that is a good point. Unless I could somehow let the offline client know what inputs are available, which involves more than just the amount of bitcoin on each address, there would be no way to create a valid transaction. So I guess it's pretty much not possible.
TimS
sr. member
Activity: 250
Merit: 253
Re: Feature Request to Combat USB Vulnerability
August 17, 2014, 07:03:18 PM
#4
Quote from: Razick on August 16, 2014, 10:24:41 PM
1) The ability to create transactions from an offline wallet. This way I don't have to get the unsigned transaction from my online, watch-only wallet. I can verify that I have sufficient balance myself, and of course you could add a warning and require the user to check a box before this is allowed.
To add some details to what the others have said about the difficulties of doing this, see https://en.bitcoin.it/wiki/Transactions
In order to create a transaction offline, you'd need to not just tell the offline wallet that you have sufficient balance, but you'd need to tell it one or more (enough to equal or be greater than your desired output, less transaction fee) transaction outputs to spend. For your typical transaction, this means:
One (or more) 256-bit txid to spend (if it's a from another transaction the offline wallet already knows about, e.g. because it was a change output, you could simply choose it from the list)
One (or more) address from your wallet (could be chosen from the list of addresses in your wallets), being the address to spend corresponding to each txid you're spending
The address(es) you wish to spend to

Transmitting all of this data manually would be tedious, to say the least.
doug_armory
sr. member
Activity: 255
Merit: 250
Senior Developer - Armory
Re: Feature Request to Combat USB Vulnerability
August 17, 2014, 06:48:33 PM
#3
Quote from: Razick on August 16, 2014, 10:24:41 PM
1) The ability to create transactions from an offline wallet. This way I don't have to get the unsigned transaction from my online, watch-only wallet. I can verify that I have sufficient balance myself, and of course you could add a warning and require the user to check a box before this is allowed.

I'm pretty sure this isn't possible. For technical reasons, you really need an up-to-date blockchain before creating a transaction. I'm not even sure an offline computer could create a Tx without somehow getting data to it that lets it know what you control. Without that info, you really can't create a Tx at the nuts-and-bolts level. At best, you might be able to pop the blockchain onto the offline computer and have Armory process it. Once again, there's the pesky matter of getting the data onto the offline computer....

Quote
2) The ability to create a QR code from a signed transaction. This would allow me to scan the transaction with my phone and broadcast it while maintaining the security of my offline system.

I think this would be technically possible, at least in some instances. (QR codes can only contain so much data.) That said, keep in mind that you'd have to start with an online computer, as Armory currently does. The data would also have to be in a format readable by the phone's app. At the moment, I'm not aware of any phone apps with such a capability. If this changes, we'll keep it in mind.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: Feature Request to Combat USB Vulnerability
August 17, 2014, 10:37:13 AM
#2
Quote from: Razick on August 16, 2014, 10:24:41 PM
In light of the recently discovered vulnerability in USB and SD devices, I was trying to determine a good way to relay transactions from my offline wallet without exposing it to the internet or potentially infected devices. I would like to request two features:

1) The ability to create transactions from an offline wallet. This way I don't have to get the unsigned transaction from my online, watch-only wallet. I can verify that I have sufficient balance myself, and of course you could add a warning and require the user to check a box before this is allowed.

2) The ability to create a QR code from a signed transaction. This would allow me to scan the transaction with my phone and broadcast it while maintaining the security of my offline system.

I hope you will consider these features, I think they would be helpful for paranoid users.

There is no such thing called "balance" in bitcoin protocol. Bitcoin doesn't work as you think. You are misled by blockchain.info
Razick
legendary
Activity: 1330
Merit: 1003
Re: Feature Request to Combat USB Vulnerability
August 16, 2014, 10:24:41 PM
#1
In light of the recently discovered vulnerability in USB and SD devices, I was trying to determine a good way to relay transactions from my offline wallet without exposing it to the internet or potentially infected devices. I would like to request two features:

1) The ability to create transactions from an offline wallet. This way I don't have to get the unsigned transaction from my online, watch-only wallet. I can verify that I have sufficient balance myself, and of course you could add a warning and require the user to check a box before this is allowed.

2) The ability to create a QR code from a signed transaction. This would allow me to scan the transaction with my phone and broadcast it while maintaining the security of my offline system.

I hope you will consider these features, I think they would be helpful for paranoid users.
Bitcoin Forum>Bitcoin>Development & Technical Discussion>Wallet software>Armory
Jump to: