Pages:
Author

Topic: Feedback on P2SH web wallets (Read 3823 times)

newbie
Activity: 36
Merit: 0
November 08, 2013, 10:32:50 AM
#21
Fair points.  Note that all wallets have this exact problem too :-)

Which is another way to say that p2sh web wallets have the same problem as anything else Smiley (barring offline ones).

Wait - that is definitely not true. :-)

Granted, you did identify that for one type attack, P2SH doesn't fully protect you.   But you're leaving off the far more common cases where P2SH doesn't have the same problems as standard addresses:

For active attacks, like you described, you're right, P2SH has the same vulnerability as standard addresses.  But as I mentioned, the second machine in the 2-signature process can audit, enforce spending limits, introduce delays, do additional confirmations, etc.  Although this is not a panacea, its something you can't do with standard addresses.

For idle attacks, which is what we mostly read about these days, P2SH is much stronger than standard addresses.  With standard addresses, hacking a single key system and stealing a single key gives you full access to the entire address, and you can steal the money at any time.  With a multi-signature address, you get nothing from doing this.

Mike
legendary
Activity: 1974
Merit: 1029
November 08, 2013, 03:46:00 AM
#20
Fair points.  Note that all wallets have this exact problem too :-)

Which is another way to say that p2sh web wallets have the same problem as anything else Smiley (barring offline ones).
newbie
Activity: 36
Merit: 0
November 08, 2013, 01:20:01 AM
#19
Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I'm totally with you on multisig for wallet security.  That said, I'm unconvinced these privacy measures are worth the inconvenience they incur vs the benefits of having a stable address.  It will be painfully obvious which TX output is change because it's overwhelming likely to be the only P2SH output ... there are other signals one could incorporate as well but this one alone would likely be sufficient 99% of the time.

Cool.  Good to know.  You're right that for now the P2SH keys kinda stand out :-)

Right now I'm working on a scheme which uses deterministic wallets to auto-rotate your address in a way that you never have to worry about.  A 2-of-3 P2SH address is simply a set of 3 keys; we can independently rotate them on the client & server predictably such that your addresses change with every transaction in an uncorrelated way without revealing the private keys to the other machine.  It turns out that I need this more for maintaining sane key management than for privacy.  Users do need multiple addresses - and if you've got 2 keys to manage for each address, it's just too much work.

Hopefully P2SH will not be so standout 6 months from now!

If you want to try it out, this is live on bitgo.com now and has been in use for some time.  Send me (or tiffney if you prefer!) an email for an invite.  [email protected].

mike
newbie
Activity: 36
Merit: 0
November 08, 2013, 01:09:10 AM
#18
Phinneas -

That's Tiffney, and she works with me at bitgo!  I'll have to talk with her about your request.

Bitgo.com is the one true BitGo, I think.  But it does appear to be a popular name, with similar sounding names popping up in canada and israel that are unrelated.
newbie
Activity: 16
Merit: 0
November 08, 2013, 12:10:12 AM
#17
Maintaining Privacy
To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.
The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server's key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user's funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

I'm totally with you on multisig for wallet security.  That said, I'm unconvinced these privacy measures are worth the inconvenience they incur vs the benefits of having a stable address.  It will be painfully obvious which TX output is change because it's overwhelming likely to be the only P2SH output ... there are other signals one could incorporate as well but this one alone would likely be sufficient 99% of the time.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
November 07, 2013, 10:01:55 PM
#16
Maybe full disclosure is overrated.

Which alternative unicode BitCoin symbol do you like the best?

Ƀ


B⃦



฿



Someone needs to create the unicode symbol for the typical BTC… with the two vertical lines penetrating the center of the B.

I like option b.
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
November 07, 2013, 09:54:04 PM
#15
We have one girl here at BitGo... actually it's me, the author of our bitcointalk posts - and I use BTC  Smiley

What's BitGo?

BitGo is a startup that hasn't launched yet: http://www.bitgo.com/

I must say that is the funnest coming soon web page I've ever visited.

It also sparked my interest as to what exactly the start up's services are, so I will stay tuned.

PS: I'm not just saying that because you're a girl. About half of my previous post in this thread was just me joking around.. I am not looking for an online girlfriend rofl.  Grin

Thanks, yeah the landing page is fun Smiley

Haha, well, I am single and looking Wink this is me:



We have one girl here at BitGo... actually it's me, the author of our bitcointalk posts - and I use BTC  Smiley

Hey, Mike. Who's Tiffney and are you affiliated with bitgo.co/bitgo.ca/bitgo.x (x = other TLD)?

~TMIBTCITW
sr. member
Activity: 469
Merit: 253
November 07, 2013, 03:44:38 PM
#14
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

dserrano is right - there are some types of attacks you can't catch.  He suggests a real-time attack, where you wait for the user to transact, and then change the contents of the transaction (depending on the API this could be a client-side or server-side attack).  For example, you may be able to change the destination address without the user noticing.  Of course, all wallets, even local ones, are susceptible to this attack today.  But with the client/server hybrid, the server can act as your co-signer and make sure it at least fits the right parameters.  In the future, I believe you could use this same mechanism to send to a human co-signer (like a business partner) for a human verification.

But, I think the P2SH address, used either web-based or locally is fundamentally stronger than a single-key address.

Mike

But if the malware changes the payee address under the hood, the partially signed transaction can be pinged off the server and feedback the contents via another route - an email address, or other, so that the user can verify what it is they're sending over the wire, no? If the malware allows this step, and only changes the tx contents on the "real" send, then the test and the real won't match, and the server will reject. This kind of confirmation mechanism is used a lot today, e.g. my online brokerage sends me an email with a pin number to confirm a withdrawal.

The attacker can compromise the way the server's response appears, in principle, but it gets incredibly difficult to compromise if there is this kind of alternative messaging route (email, SMS).
newbie
Activity: 36
Merit: 0
November 07, 2013, 03:30:59 PM
#13
The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?
It's a hard problem because even experts can't guarantee security, and as their services become more popular the incentives for thieves to spend a lot of resources breaking their systems only increases.

I agree with you on that!!!

In this system, even if the server is hacked, the attacker can't get your coins.  The server only has one key, but you need two to access the funds.  So although you lost one key, you've still got the same level of protection as you would have had with a client-side single key address.

Mike
newbie
Activity: 36
Merit: 0
November 07, 2013, 03:26:41 PM
#12
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.

dserrano is right - there are some types of attacks you can't catch.  He suggests a real-time attack, where you wait for the user to transact, and then change the contents of the transaction (depending on the API this could be a client-side or server-side attack).  For example, you may be able to change the destination address without the user noticing.  Of course, all wallets, even local ones, are susceptible to this attack today.  But with the client/server hybrid, the server can act as your co-signer and make sure it at least fits the right parameters.  In the future, I believe you could use this same mechanism to send to a human co-signer (like a business partner) for a human verification.

But, I think the P2SH address, used either web-based or locally is fundamentally stronger than a single-key address.

Mike
legendary
Activity: 1400
Merit: 1013
November 07, 2013, 03:23:06 PM
#11
The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?
It's a hard problem because even experts can't guarantee security, and as their services become more popular the incentives for thieves to spend a lot of resources breaking their systems only increases.
newbie
Activity: 36
Merit: 0
November 07, 2013, 03:18:26 PM
#10
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Fair points.  Note that all wallets have this exact problem too :-)

But the p2sh wallet offers some real hope.  The user can specify on the server spending limits or authorized accounts that he/she is willing to transact to.  After the client coins the transaction, the server can validate that everything looks okay, before applying its signature.

Nothing is perfect, but you can't do this at all with a standard bitcoin address.

The payment protocol (with authenticated recipients) would help with users not noticing that funds are being siphoned to an attacker's address.

Mike
sr. member
Activity: 469
Merit: 253
November 07, 2013, 03:12:47 PM
#9
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Only the scenario where both the server and the user are compromised does the attack succeed. This is why mbelshe is proposing the P2SH approach, because two signatures are needed, and they must of course be signing the exact same transaction.
newbie
Activity: 36
Merit: 0
November 07, 2013, 03:10:43 PM
#8
Safe and web wallet don't go together! STOP WITH WEB WALLETS, they are not safe, they don't help the community. Local wallets help the community.

You might be over-reacting to the word "web wallet", which does have some very insecure forms.  But I'm not referring to the same-old thing here.  I suspect you didn't read what I wrote :-)

I think we absolutely do need to figure out how to build a secure web wallet.  The fact is that most people can't keep malware off their machines today.  This has nothing to do with bitcoin.  If you can't securely administer a machine, how could you possibly securely manage a local wallet?  Further, you need to backup your keys, but most people can't administer proper backups either.  Is it really a requirement that you need to be both a security and IT expert before you can use bitcoin?  If so, you're making Bitcoin much smaller than it could be.

The proposal uses a combination of keys, one local and one server side to secure your keys, with a 3rd available to help as a backup.

You're right, it doesn't "help the community" (I assume you're referring to joining as a peer in the network); I'd love to figure out better ways to solve that part of the problem.

Mike
legendary
Activity: 1974
Merit: 1029
November 07, 2013, 03:06:58 PM
#7
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists in replacing the transaction (generated client-side) into one that sends all funds to the attacker. User doesn't know this, she enters 2FA and encryption key believing everything's ok.

Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.
sr. member
Activity: 469
Merit: 253
November 07, 2013, 03:03:49 PM
#6
Sort of; it all depends on how you create and store the keys.  The idea is that you need 3 keys.  Put one straight into cold storage as a backup, keep one on your client, and keep the 3rd on a server.  Now, hacking a single machine won't steal the keys.  The problem for the user is in how to cleanly create those 3 keys without ever having 2 keys on the same computer at the same time.

I've helped a number of people with cold storage.  I am very certain that a lot of people using user-side only solutions will be losing their passwords or keys either due to forgetfulness, accidental deletion, hardware failure, or other user error.  So this solution emerged as much to help with the "lost key" problem as the security/malware problem.

I wonder if there is any data on whether people lose more coins to losing their own keys or theft?  Most people probably won't admit! :-)
Mike

Not disagreeing at all. That's why I was saying "the real advantage is in the backup". I'd still argue that in terms of defending against attacks, it's the 2FA that matters.

Quote from: gweedo
Safe and web wallet don't go together! STOP WITH WEB WALLETS, they are not safe, they don't help the community. Local wallets help the community.
I think that's too simplistic a criticism. This kind of model does not delegate spending power to the server, so that takes one huge risk out of the equation.
Another interesting attack vector is where the malware on the machine changes the payee BTC address under the hood. In this case, a "web wallet" which has to interact with a server is actually an advantage over a local client wallet, because the server can confirm the payee address to the user before spend confirmation, defending against that attack.
newbie
Activity: 36
Merit: 0
November 07, 2013, 02:54:01 PM
#5
Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine. 
It's true that your model is secure against server compromise, but any model where a single key is kept user-side has that feature too. You don't need to break two machines in your architecture, you only have to take control user side.

Sort of; it all depends on how you create and store the keys.  The idea is that you need 3 keys.  Put one straight into cold storage as a backup, keep one on your client, and keep the 3rd on a server.  Now, hacking a single machine won't steal the keys.  The problem for the user is in how to cleanly create those 3 keys without ever having 2 keys on the same computer at the same time.

I've helped a number of people with cold storage.  I am very certain that a lot of people using user-side only solutions will be losing their passwords or keys either due to forgetfulness, accidental deletion, hardware failure, or other user error.  So this solution emerged as much to help with the "lost key" problem as the security/malware problem.

I wonder if there is any data on whether people lose more coins to losing their own keys or theft?  Most people probably won't admit! :-)

Mike



sr. member
Activity: 469
Merit: 253
November 07, 2013, 02:45:12 PM
#4
Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine.
It's true that your model is secure against server compromise, but any model where a single key is kept user-side has that feature too. You don't need to break two machines in your architecture, you (edit: without 2FA) only have to take control user side. Edit: that's why I say properly implemented 2FA is what counts.
newbie
Activity: 36
Merit: 0
November 07, 2013, 02:35:00 PM
#3
Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?

Thanks for reading!

Regarding 2FA: I think the biggest security measure here is that there are two machines involved in signing.  2FA is a nice add on to anything, but if you only need one signature, then you just have to break one machine.  This can be mitigated with strong passwords, but users seem to just love terrible passwords.  And then, if you ask them to create a strong password, they forget it!  Forgetting your passwords is probably a source of lost bitcoin as theft...  So, that's why this proposal uses the 2-of-3 instead of just 2-of-2.  You get the extra backup key.

Regarding creation of keys:  You're absolutely right - it is not necessary to create the keys in the browser.  Importing just the public key (you need the full public key, not the address hash) would be more secure for sure.  The only trouble is making that super easy to use....

Mike
sr. member
Activity: 469
Merit: 253
November 07, 2013, 02:27:04 PM
#2
Nicely thought out. The gains over a traditional approach using 2FA are only incremental, but then 2FA properly implemented ought already to be highly fraud resistant, even under malware conditions.
The real gains are in the nature of the backup, I guess.

Wrt to the address creation vulnerability: why is it necessary to have the user and the backup privkey on the machine concurrently? What about creating the backup privkey on an airgapped machine and then transferring the pubkey for address creation?
Pages:
Jump to: