Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Is the security of the trusted root cert the weak link in BIP-70? (Read 964 times)

Gavin Andresen
legendary
Activity: 1652
Merit: 2301
Chief Scientist
Is the security of the trusted root cert the weak link in BIP-70?
January 16, 2015, 10:42:42 AM
#5
Quote from: stevenh512 on January 15, 2015, 08:00:01 PM
True, in that case root certificates aren't the weak link, but I can think of situations where it would be. Trusting a root certificate implies trusting a centralized certifying authority. The authority can be compromised to issue and sign fake certificates to facilitate MITM attacks. Governments have already coerced a few CAs into facilitating MITM attacks on SSL/TLS in the past.

Even in that case, the certificate is "a" weak link, not "the" weak link. Think through what would have to fail to pull off a steal-bitcoins attack in the multisig-wallet case:

1) User has to be directed to an attacker-controlled payment website. That means either DNS lookup is compromised or the user's connection to the Internet is compromised (weak link number 1).

2) Attacker serves up a signed PaymentRequest with a valid certificate signed by a compromised root certificate authority (weak link number 2).


If the attacker can accomplish (1), it is likely they would just serve up unsigned payment requests from a non-secure website and bet that the user doesn't notice the lack of a padlock in the web browser UI and agrees to pay to an unauthenticated bitcoin address.

(1) is mitigated if the payment website uses HSTS headers so any repeat visitors get a HTTPS connection-- that pushes the attack to "must compromise both the connection and be able to spoof the web server certificate".  Strike that, if their computer is compromised HSTS headers won't help.

In any case, I wouldn't say the root certificates are a single point of failure.
stevenh512
full member
Activity: 137
Merit: 100
Re: Is the security of the trusted root cert the weak link in BIP-70?
January 15, 2015, 08:00:01 PM
#4
Quote from: Gavin Andresen on January 14, 2015, 02:22:53 PM
If your system is compromised, and you are using a single-signature wallet, then the first time you unlock your wallet ALL your coins are gone.

this

Quote
root certificates are not the weak link in that case; the keys being on one device is the weak link.

True, in that case root certificates aren't the weak link, but I can think of situations where it would be. Trusting a root certificate implies trusting a centralized certifying authority. The authority can be compromised to issue and sign fake certificates to facilitate MITM attacks. Governments have already coerced a few CAs into facilitating MITM attacks on SSL/TLS in the past.

Not saying that there's a better way to secure the payment protocol because I don't know of one, just acknowledging the fact that in some cases trusting a root certificate can be a week link in the protocol the same way it can be a weak link in SSL/TLS.
Gavin Andresen
legendary
Activity: 1652
Merit: 2301
Chief Scientist
Re: Is the security of the trusted root cert the weak link in BIP-70?
January 14, 2015, 02:22:53 PM
#3
If your system is compromised, and you are using a single-signature wallet, then the first time you unlock your wallet ALL your coins are gone.

root certificates are not the weak link in that case; the keys being on one device is the weak link.
btchip
hero member
Activity: 623
Merit: 500
CTO, Ledger
Re: Is the security of the trusted root cert the weak link in BIP-70?
January 14, 2015, 12:56:02 PM
#2
I'd agree with that, and it's unfortunately a generic PKI validation issue, considering revocation doesn't work well either - also having the specification suggesting to 'display the "Common Name" in the first X.509 certificate' to identify the sender probably doesn't help Smiley

I'm currently testing such a scheme with our hardware wallet, which might be interesting as a reference when discussing this topic if it proves to be successful : https://ledgerhq.github.io/btchip-doc/bitcoin-technical-beta.html#_personal_bip_70_certificates_user_validation - external users can choose to trust specific Payment Requests coming from a known secure root, with their own definition of secure.


DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Is the security of the trusted root cert the weak link in BIP-70?
January 14, 2015, 11:58:22 AM
#1
Is the security of the trusted root cert the weak link in BIP-70?  While BIP-70 prevents a MITM attack or a substitution attack on the receiver's end it fails if the user's system is compromised.  If the user's system is compromised by malware (common way to steal bitcoins) then the attacker can feed the user misinformation by a number of ways including providing a false "trusted root cert".

It would seem to me that the trusted root cert would need to be inaccessible to the attacker to provide any real security from the most obvious attack vector. I assume the unstated assumption is that the user will be using some type of hardware device. Either a secure hardware bitcoin wallet, some general purpose PKI hardware device i.e. TPM (trusted platform module), or even HSM.  Am I missing anything?

Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: