Pages:
Author

Topic: OVERVIEW: BITCOIN HARDWARE WALLETS █████████████████ Secure your Coins - page 27. (Read 122423 times)

hero member
Activity: 623
Merit: 500
CTO, Ledger
FPGAs are used today in many markets instead of ASICs, such as 10-100 GbEthernet, wireless communication, high throughput encryption, even in smartphones (project ARA). As mentioned, their ability to implement any logic function is a great asset. But after the FPGA is configured at power-on, it is not possible to change it's function over the input-output pins.

How do you load the bitstream ? Then how do you lock it ? Also how do you avoid getting back to square one (properly locking down the device) if you depend on a non corrupted bitstream in the first place ? Which FPGA do you plan to use ?

However, microcontroller is prone to attacks from it's input-output pins and dedicated interfaces (uart, usb, etc.). If a remote attacker was able to change the code on the microcontroller flash, only a single successful attack is needed. Afterwards the infected microcontroller can leak private keys, attack any device it is connected to (see recent usb vulnerability) and more without the user knowing it. (example: http://www.bunniestudios.com/blog/?p=3554)

it's exactly the same problem if someone manages to change the bitstream. where is it loaded from ?

With FPGA a developer controls every single bit and logic gate inside the chip as a routine.

except you can't verify the generated bitstream on many (all ?) typical commercial FPGAs, so you blindly trust the generator.

With microcontroller you have to trust the compiler and effectively can not check the resulting binary code, because it is very different from the high-level C code written by developer.

you can still check the generated assembly code, at least, while you can't read the generated bitstream.

FPGA configuration can be done only over dedicated pins of the chip, which are not accessible from external interface.

ok, so how do you reprogram it and avoid getting a "bad" firewall uploaded then ?

newbie
Activity: 22
Merit: 0
So how much will eliptibox be, and when is the 1st batch scheduled for ?

We are working hard on the product and making good progress. It's a complex project and we prefer not to set over-optimistic expectations.
You are welcome to subscribe at our site to receive proof-of-work updates.
We didn't set the price yet, however our intention is to distribute EliptiBox as a community platform with low margins.


www.eliptibox.com


Do you have a range idea yet? 50-100? 100-150? >50?

The final price depends strongly on the quantity, thus on the community interest in our solution. During the following month we are advertising in order to determine the mass production volume and unit price. The price could be anywhere between 50 to 250$.


www.eliptibox.com
newbie
Activity: 22
Merit: 0
So how much will eliptibox be, and when is the 1st batch scheduled for ?

We are working hard on the product and making good progress. It's a complex project and we prefer not to set over-optimistic expectations.
You are welcome to subscribe at our site to receive proof-of-work updates.
We didn't set the price yet, however our intention is to distribute EliptiBox as a community platform with low margins.


www.eliptibox.com

newbie
Activity: 22
Merit: 0
FPGAs are actually harder to secure than any other kind of hardware - they're designed for flexible & fast hardware emulation, not security (and add proprietary bitstreams on top of that, which make it harder to understand what the chip is actually doing - f.e. see https://eprint.iacr.org/2014/649.pdf).

I fail to see what kind of added security an FPGA would bring, compared to another microcontroller performing the same checks using a totally different code base than the wallet code.


FPGAs are used today in many markets instead of ASICs, such as 10-100 GbEthernet, wireless communication, high throughput encryption, even in smartphones (project ARA). As mentioned, their ability to implement any logic function is a great asset. But after the FPGA is configured at power-on, it is not possible to change it's function over the input-output pins.

However, microcontroller is prone to attacks from it's input-output pins and dedicated interfaces (uart, usb, etc.). If a remote attacker was able to change the code on the microcontroller flash, only a single successful attack is needed. Afterwards the infected microcontroller can leak private keys, attack any device it is connected to (see recent usb vulnerability) and more without the user knowing it. (example: http://www.bunniestudios.com/blog/?p=3554)

With FPGA a developer controls every single bit and logic gate inside the chip as a routine.
With microcontroller you have to trust the compiler and effectively can not check the resulting binary code, because it is very different from the high-level C code written by developer.

FPGA configuration can be done only over dedicated pins of the chip, which are not accessible from external interface.

Moreover, we will publish the source code of the firewall, so that anyone can compile it on our development kit and validate the functionality.

You are welcome to subscribe at our site to receive in-depth design documentation to be published gradually.

www.eliptibox.com



hero member
Activity: 623
Merit: 500
CTO, Ledger
FPGAs are actually harder to secure than any other kind of hardware - they're designed for flexible & fast hardware emulation, not security (and add proprietary bitstreams on top of that, which make it harder to understand what the chip is actually doing - f.e. see https://eprint.iacr.org/2014/649.pdf).

I fail to see what kind of added security an FPGA would bring, compared to another microcontroller performing the same checks using a totally different code base than the wallet code.
hero member
Activity: 692
Merit: 500
So how much will eliptibox be, and when is the 1st batch scheduled for ?
newbie
Activity: 22
Merit: 0
There is a new wallet concept - http://www.eliptibox.com/. First to talk about firewall on hardware and packed with features.
Can be interesting platform for developers.


Interesting concept, thanks for sharing. What does "fpga hardware firewall" means? Why do you need this if you do only offline signing? I don't assume that this wallet downloads the blockchain to let you view your transactions.

I also was wondering why a field programable gate array would be used as a firewall. Apparently it does download block headers and stores tx info on the device, so says their site.

FPGA enables complete decoupling between the communication messages wallet-external app and the wallet crypto code.

With regular microcontoller (that all HW wallets use) the code you write in editor is not the code that runs on the device. Compiler optimizes (=rewrites) it and linker adds large blocks of 3rd party code automatically. Furthermore, usually the messages data is at the same physical memory as the code, so it is possible to change the code of the microcontroller by malicious message injection that exploits bugs in the chip design or the code. (buffer overflow as a common example).

If the same microcontroller is connected directly to the external interface, like USB, Cellular or BT, remote attacker can gain control over the interface and base his attacks from inside the wallet. We often read about new interface breach, like in USB or GSM or weak BT.

However, in FPGA you run exactly the code you've written and can verify it by looking at the final silicon configuration. There is no software or ability to change the FPGA code when running. So the code for the internal MCU can be upgraded and multiple external non-secure interfaces can be used without breaching the security.
FPGA chip sits in-between and makes sure only "legal" data goes through.


www.eliptibox.com

full member
Activity: 140
Merit: 100
They are all looks cool.
I like  CryptoLabs Case.
I read article about it
https://www.cryptocoinsnews.com/cryptolabs-case-bitcoin-hardware-wallet-melds-biometrics-multi-sig-ease-use/

Nice features.
If I ever get amount worth of buying it, that will be my choice.
Why?
It's simple: "Without having possession of the device, there is no way to get that key."
sr. member
Activity: 475
Merit: 250
There is a new wallet concept - http://www.eliptibox.com/. First to talk about firewall on hardware and packed with features.
Can be interesting platform for developers.


Interesting concept, thanks for sharing. What does "fpga hardware firewall" means? Why do you need this if you do only offline signing? I don't assume that this wallet downloads the blockchain to let you view your transactions.

I also was wondering why a field programable gate array would be used as a firewall. Apparently it does download block headers and stores tx info on the device, so says their site.
legendary
Activity: 924
Merit: 1000
There is a new wallet concept - http://www.eliptibox.com/. First to talk about firewall on hardware and packed with features.
Can be interesting platform for developers.


Interesting concept, thanks for sharing. What does "fpga hardware firewall" means? Why do you need this if you do only offline signing? I don't assume that this wallet downloads the blockchain to let you view your transactions.

I've found more info here:

https://bitcointalksearch.org/topic/m.10601510
hero member
Activity: 644
Merit: 500
My goal is becaming a billionaire.
Oh I see , do you mind linking me to their thread ? their thread is here on Bitcointalk ? Shocked
~ Madness

Thread : https://bitcointalksearch.org/topic/coolwallet-launched-resellers-are-wanted-915649. Good luck! Smiley

   -MZ

Thanks mate , really appreciate it Grin hopefully they accept different payment methods

~ Madness
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
hero member
Activity: 644
Merit: 500
My goal is becaming a billionaire.
Oh , It's not available as far as I know , when I click "Purchase" , it redirect me to an Article on Indiegogo instead of doing the Payment process.

~ Madness

You will have to purchase through Indiegogo. It's crowdfunding article. If you want to buy with BTC, post in their thread.

   -MZ

Oh I see , do you mind linking me to their thread ? their thread is here on Bitcointalk ? Shocked
~ Madness
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Oh , It's not available as far as I know , when I click "Purchase" , it redirect me to an Article on Indiegogo instead of doing the Payment process.

~ Madness

You will have to purchase through Indiegogo. It's crowdfunding article. If you want to buy with BTC, post in their thread.

   -MZ
hero member
Activity: 644
Merit: 500
My goal is becaming a billionaire.
Never understood what is a Cool wallet Shocked is Cool wallet = Cold storage ? if yes what is Cold storaeg ? xD Shocked

~ Madness

Shocked Tongue See second wallet in OP. Yes, it can be used for cold storage as well as for trading.

   -MZ

Oh , It's not available as far as I know , when I click "Purchase" , it redirect me to an Article on Indiegogo instead of doing the Payment process.

~ Madness
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
Never understood what is a Cool wallet Shocked is Cool wallet = Cold storage ? if yes what is Cold storaeg ? xD Shocked

~ Madness

Shocked Tongue See second wallet in OP. Yes, it can be used for cold storage as well as for trading.

   -MZ
hero member
Activity: 644
Merit: 500
My goal is becaming a billionaire.
1. CryptoLabs "Case" looks pretty cool ... but seems like It didn't come out yet and I'am losing hope here . If nothing comes out very soon I guess I will go with Ledger wallet anyone here used it before ? thanks .

~ Madness

Ledger wallet is nice and clean. There are few videos in YouTube, search 'Ledger bitcoin wallet' there. It is easy to setup. But why don't you go for CoolWallet?

   -MZ

Never understood what is a Cool wallet Shocked is Cool wallet = Cold storage ? if yes what is Cold storaeg ? xD Shocked

~ Madness
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
1. CryptoLabs "Case" looks pretty cool ... but seems like It didn't come out yet and I'am losing hope here . If nothing comes out very soon I guess I will go with Ledger wallet anyone here used it before ? thanks .

~ Madness

Ledger wallet is nice and clean. There are few videos in YouTube, search 'Ledger bitcoin wallet' there. It is easy to setup. But why don't you go for CoolWallet?

   -MZ
hero member
Activity: 644
Merit: 500
My goal is becaming a billionaire.
1. CryptoLabs "Case" looks pretty cool ... but seems like It didn't come out yet and I'am losing hope here . If nothing comes out very soon I guess I will go with Ledger wallet anyone here used it before ? thanks .

~ Madness
legendary
Activity: 924
Merit: 1000
There is a new wallet concept - http://www.eliptibox.com/. First to talk about firewall on hardware and packed with features.
Can be interesting platform for developers.


Interesting concept, thanks for sharing. What does "fpga hardware firewall" means? Why do you need this if you do only offline signing? I don't assume that this wallet downloads the blockchain to let you view your transactions.
Pages:
Jump to: