Pages:
Author

Topic: Sigsafe: A NFC key tag for signing bitcoin transactions - page 2. (Read 23240 times)

legendary
Activity: 1162
Merit: 1007
I was thinking more about the "lack of a screen" concern when using the sigsafe as a second signer, as I was paddle boarding on the ocean this afternoon.  The more I think about this, the more confident I am that it's an edge concern and that sigsafe reduces the attack surface significantly.

Let's brainstorm the ways that coins could be stolen remotely:

1. Key logger
2. Wallet.dat stealer
3. Bad k-value used during signing
4. Low-entropy seed / supply-chain mole
5. Man-in-the-middle attack
6. ?

Sigsafe as a second signer solves #1 and #2 by design.  All wallets can eliminate #3 by using deterministic signatures.  #4 is addressed with sigsafe so long as the wallet you pair it with is independently controlled.  That leaves #5 and #6.  

We can resist #5 with "per tap" spend limits, locking the spend address, PIN access, authenticating the wallet, etc.

But how exactly could malware perform a MITM attack in the first place?  It would need to insert itself between the wallet app and the NFC API (which seems very difficult), fool the wallet app into thinking that it opened a handle to the NFC device normally, and, decrypt the wallet app's private keys, and steal any sigsafe authentication credentials.  When the user requests a transfer from the multisig address, the super-malware would have to manipulate the partially-signed transaction, re-sign it with the private key that it stole from the wallet app, modify the pubkey hash in the output script, use the stolen sigsafe authentication credentials to fool the sigsafe into thinking that it's the wallet so that sigsafe signs, and then connect to the internet to push the modified TX to the network.  

This seems far fetched to me.  I think most people lose the coins under their personal control because their wallet.dat file was stolen and cracked (e.g., from a wallet backup stored in a compromised email account).  Sigsafe solves this problem nicely.  
legendary
Activity: 1162
Merit: 1007
... for the less tech savvy of us, I think a button of some sort still provides the best protection. I do understand that the button can add a cost, but then it may be cheaper to just make it some sort of a small switch or even lever.

The idea is that this device is for the less tech savvy (I'm imagining my dad).  The button isn't required because the "tapping" motion is the button press.  

A valid argument for a screen can be made (and if a screen was included a button would make sense too), but I worry that something with a tiny screen would be too hard to read and confusing for someone like my dad.  He would know to keep his sigsafe secure and he would be able to tap it against his phone to authorize larger transfers too.    
  
legendary
Activity: 1630
Merit: 1000
legendary
Activity: 1162
Merit: 1007
Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

Lack of a screen/button is the most common criticism on the sigsafe thread at r/bitcoin, but of course that also increases cost and complicates the user experience (it's now more complex than "tap to sign").  

This is the response I posted there:

Quote from: Peter__R
It's immune to key-loggers (e.g., when used with your computer).

It's immune to wallet.dat stealers (since your important private keys are offline).

It's resistant to attacks on the sigsafe supply chain or poor random seed selection (since the other seed is generated by an independent party).

It's resistant to man-in-the-middle attacks (see below).

Regarding signing rogue TXs, I avoided too many details in the video (it's described in the white paper), but the device will only sign transactions authorized by its "signing rules." For example, the device can set "per tap" spend limits (or daily spend limits with the optional battery), verify an ECDSA signature (to reduce the threat of a MITM attack), check a PIN, etc.

Consider this scenario: My tag is configured to only sign up to 1 BTC "per tap." In the (IMO very) unlikely event that my wallet app "goes rogue" and remains undetected through several "day-to-day" transactions (even though it could just steal the online funds) until the moment that I'm about to transfer from my sigsafe, then modifies the TX in an undetected way, authenticates successfully with the sigSafe, and then I sign the rogue TX by tapping, the damage is sill limited to the per-tap spend limit. The attack must occur in the brief moment when your tag is in contact with the NFC reader and would be very difficult to execute.

There's no perfect security and there's certainly benefits to having a screen, buttons, etc. But we should also weigh probability of loss versus the cost and complexity of the security solution. I think a device like this is simple to use, low cost, and reduces the attack surface significantly.

That being said, I'd still like to make a more expensive version with a screen and capacitive touch sensor Smiley
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

My reasoning for this is that someone who knows you have a sigsafe and dont have a password can just approach you and by accident hit your sigsafe. Having a button or something that needs to be pressed makes it alot safer.
While I do agree having a password is the safest way to make your coins secure I think just a small discreet button to approve transactions would be easier. Something like once a signing request is made you have 3 seconds to press the bottom to approve the transaction signing request.


If somebody knows you have a SigSafe, they will probably also know that it has a button that needs pressing. Are we talking 5$ wrench attack here?
legendary
Activity: 1630
Merit: 1000
Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

My reasoning for this is that someone who knows you have a sigsafe and dont have a password can just approach you and by accident hit your sigsafe. Having a button or something that needs to be pressed makes it alot safer.
While I do agree having a password is the safest way to make your coins secure I think just a small discreet button to approve transactions would be easier. Something like once a signing request is made you have 3 seconds to press the bottom to approve the transaction signing request.
donator
Activity: 2772
Merit: 1019
Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Cool video, your excitement spills over to the viewer. Well done. (I assume it's you in the video?)
legendary
Activity: 1162
Merit: 1007
Nice! When can we buy them?

Nice! When can I buy one? Wink

I would be happy to buy one as well please

Thanks for the support guys!

My plan, assuming there's demand for such a device, is to be in "open-beta" selling to the bitcoin community this winter and I believe I'm still on schedule.  This device needs significantly more testing, a security audit, accelerated "lifespan" testing at high temperatures, a spec published regarding the NFC communication protocol, etc., etc.  There's also the issue that presently it takes about 2 seconds to sign a transaction [two weeks ago it was over a minute so I've made progress Smiley].  I'd like to reduce this to under 0.5 seconds so it feels more like a "tap."

The critical path now is getting app developers to enable sigSafe connectivity in the popular bitcoin wallets.  I think somehow I need to sweeten the pot. One idea I recently had is that perhaps the sigSafe tags could come "keyed" to particular wallets1 to enable a profit-sharing model:

  - 25% of profits go to the wallet developer for which the sold sigSafe is "keyed" to.  
  - 25% of the profits go to entity through which the sale was made (for example, if the user purchased the tag through WalletApp-X's site, WalletApp-X would get 25% + 25%  = 50% of the profits).
  - 50% of the profits go the sigSafe manufacturer.  

For developers who are interested, and who could credibly integrate sigSafe connectivity in an Android app (or perhaps with a browser extension, or--if the iPhone 6 has 2-way NFC--in an iOS app), please email or PM me your qualifications and I can probably get you a sigsafe device to play with as soon as I have the USB bootloader working (so that I can send you firmware updates without you requiring a JTAG programmer).  

1But advanced users could just re-flash their device to "unkey" it.
legendary
Activity: 1162
Merit: 1007
Cool stuf, a simple way to get your coins out of cold storage, or is it not?

Yes.  This nice thing is that you can also very easily prove to yourself that your cold storage "works" by sending some coins to an online wallet without ever revealing your private keys to an internet-connected device.  

Quote
The sound on the video could be better though.

A lot of things could be better.  Creating this video gave me new respect for talented video producers.  For example, it was a big challenge to even get the lighting decent.  And lol, the "desk" in the video is actually the top of my coffee table balanced across two tower speaker; it was the only way I could get something at the right height that still looked OK.
legendary
Activity: 1092
Merit: 1000
Cool stuf, a simple way to get your coins out of cold storage, or is it not? The sound on the video could be better though.
legendary
Activity: 1162
Merit: 1007
In a phone usage case could 2 of 2 multisig be used where the phone is one key and the NFC tag the other?

Yes, this is my proposal for the first "product" for the sigSafe technology (refer to the pitch in the video).  The phone signs with its private key, and then requests that the user taps his tag against his phone to produce the second signature (which is signed internally within the sigSafe tag and then relayed over NFC back to the phone).  


I need to give credit to DeathAndTaxes who actually suggested something like this to me when he reviewed the sigSafe white paper back in May.  But the simplicity of this solution didn't hit me until recently.  


Quote
The tag gives hardware security where the phone key allows me to see the transaction I'm signing?

Yes, this solution provides low-cost/simple hardware security by allowing the tag to piggyback off of the phone's screen.  

Quote
A bonus side effect is I don't have to trust the hardware as much.

That was exactly the intent: since the sigSafe only has one of the two required keys, you don't need to trust the hardware as much.  

A multisig solution like this permits something quite interesting: in production, these sigSafe keys could be sold with a random seed already stored in EEPROM and a back-up of that seed printed on archival-quality paper (folded in some tamper-evident packaging).  Although advanced users could upload their own keys, new users could actually just use the one that came with the device (even if the sigSafe manufacturer was malicious, the chances that they are also in cahoots with a malicious wallet provider is slim).  I really don't want to rely on new users actually making a properly-verified backup of their seed, so I'd rather the default behaviour be something like:

 - tap the tag to the phone to initially create your multisig wallet

 - enter the last 6 digits on the front of your paper back-up

I'm assuming here ^^ that the pubkey is printed on the front of the tamper-evident package and the private key is inside.  This would allow the phone to ensure that the sigSafe corresponds with the paper back-up.

- store the paper back-up some place private and secure.  THIS IS THE ONLY WAY TO RECOVER YOUR FUNDS SHOULD YOU LOSE YOUR SIGSAFE.  

As long as the user puts the paper backup somewhere safe, I think this solution should be pretty foolproof even if the user loses or destroys his sigSafe.

 
newbie
Activity: 24
Merit: 0
I would be happy to buy one as well please
hero member
Activity: 994
Merit: 507
In a phone usage case could 2 of 2 multisig be used where the phone is one key and the NFC tag the other? The tag gives hardware security where the phone key allows me to see the transaction I'm signing? A bonus side effect is I don't have to trust the hardware as much.
sr. member
Activity: 427
Merit: 251
- electronics design|embedded software|verilog -
Any update on this?

Yes, the alpha-models work!  

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Nice! When can I buy one? Wink
hero member
Activity: 665
Merit: 500
Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Nice! When can we buy them?
legendary
Activity: 1162
Merit: 1007
Any update on this?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967
hero member
Activity: 665
Merit: 500
Any update on this?
hero member
Activity: 665
Merit: 500
Very interesting. The NFC standard seems to be available for most android phones. What about iphones and laptops?

The fact that NFC is not yet ubiquitous beyond Android phones is obviously an obstacle.  However, several laptops and tablets now come equipped with NFC (a lot of people don't realize that their laptop already supports it), and of course it's possible to add a USB NFC reader as well (although that sort of defeats the "low cost" value proposition of Sigsafe).  Regarding Apple, let's hope they finally add NFC to the iPhone 6. 

Beyond bitcoin, NFC is a great technology because it is very short range allowing you to authenticate or "pair" devices by touch (think simplified Bluetooth pairing with no codes to enter) and because it is possible to transmit significant power magnetically (think wireless charging of a device via the NFC antenna). 

Agree with all this. I use NFC to pair my bluetooth headphones with my phone and it works great. Think you are definitely on the right track here.
legendary
Activity: 1162
Merit: 1007
Very interesting. The NFC standard seems to be available for most android phones. What about iphones and laptops?

The fact that NFC is not yet ubiquitous beyond Android phones is obviously an obstacle.  However, several laptops and tablets now come equipped with NFC (a lot of people don't realize that their laptop already supports it), and of course it's possible to add a USB NFC reader as well (although that sort of defeats the "low cost" value proposition of Sigsafe).  Regarding Apple, let's hope they finally add NFC to the iPhone 6. 

Beyond bitcoin, NFC is a great technology because it is very short range allowing you to authenticate or "pair" devices by touch (think simplified Bluetooth pairing with no codes to enter) and because it is possible to transmit significant power magnetically (think wireless charging of a device via the NFC antenna). 
sr. member
Activity: 672
Merit: 250
Most Advanced Crypto Exchange on the Blockchain
This is pretty cool.
PM me if there is some Indiegogo type funding project here and I might be in depending on price.
Pages:
Jump to: