Topic: Sigsafe: A NFC key tag for signing bitcoin transactions - page 2. (Read 23172 times)

I was thinking more about the "lack of a screen" concern when using the sigsafe as a second signer, as I was paddle boarding on the ocean this afternoon.  The more I think about this, the more confident I am that it's an edge concern and that sigsafe reduces the attack surface significantly.

Let's brainstorm the ways that coins could be stolen remotely:

1. Key logger
2. Wallet.dat stealer
3. Bad k-value used during signing
4. Low-entropy seed / supply-chain mole
5. Man-in-the-middle attack
6. ?

Sigsafe as a second signer solves #1 and #2 by design.  All wallets can eliminate #3 by using deterministic signatures.  #4 is addressed with sigsafe so long as the wallet you pair it with is independently controlled.  That leaves #5 and #6.  

We can resist #5 with "per tap" spend limits, locking the spend address, PIN access, authenticating the wallet, etc.

But how exactly could malware perform a MITM attack in the first place?  It would need to insert itself between the wallet app and the NFC API (which seems very difficult), fool the wallet app into thinking that it opened a handle to the NFC device normally, and, decrypt the wallet app's private keys, and steal any sigsafe authentication credentials.  When the user requests a transfer from the multisig address, the super-malware would have to manipulate the partially-signed transaction, re-sign it with the private key that it stole from the wallet app, modify the pubkey hash in the output script, use the stolen sigsafe authentication credentials to fool the sigsafe into thinking that it's the wallet so that sigsafe signs, and then connect to the internet to push the modified TX to the network.  

This seems far fetched to me.  I think most people lose the coins under their personal control because their wallet.dat file was stolen and cracked (e.g., from a wallet backup stored in a compromised email account).  Sigsafe solves this problem nicely.  

The idea is that this device is for the less tech savvy (I'm imagining my dad).  The button isn't required because the "tapping" motion is the button press.  

A valid argument for a screen can be made (and if a screen was included a button would make sense too), but I worry that something with a tiny screen would be too hard to read and confusing for someone like my dad.  He would know to keep his sigsafe secure and he would be able to tap it against his phone to authorize larger transfers too.    
  

Lack of a screen/button is the most common criticism on the sigsafe thread at r/bitcoin, but of course that also increases cost and complicates the user experience (it's now more complex than "tap to sign").  

This is the response I posted there:

If somebody knows you have a SigSafe, they will probably also know that it has a button that needs pressing. Are we talking 5$ wrench attack here?

Neat idea, personally I think just adding to the device a small button or way for the user to just approve signings before they happen would be great.

My reasoning for this is that someone who knows you have a sigsafe and dont have a password can just approach you and by accident hit your sigsafe. Having a button or something that needs to be pressed makes it alot safer.
While I do agree having a password is the safest way to make your coins secure I think just a small discreet button to approve transactions would be easier. Something like once a signing request is made you have 3 seconds to press the bottom to approve the transaction signing request.

Cool video, your excitement spills over to the viewer. Well done. (I assume it's you in the video?)

Thanks for the support guys!

My plan, assuming there's demand for such a device, is to be in "open-beta" selling to the bitcoin community this winter and I believe I'm still on schedule.  This device needs significantly more testing, a security audit, accelerated "lifespan" testing at high temperatures, a spec published regarding the NFC communication protocol, etc., etc.  There's also the issue that presently it takes about 2 seconds to sign a transaction [two weeks ago it was over a minute so I've made progress ].  I'd like to reduce this to under 0.5 seconds so it feels more like a "tap."

The critical path now is getting app developers to enable sigSafe connectivity in the popular bitcoin wallets.  I think somehow I need to sweeten the pot. One idea I recently had is that perhaps the sigSafe tags could come "keyed" to particular wallets¹ to enable a profit-sharing model:

  - 25% of profits go to the wallet developer for which the sold sigSafe is "keyed" to.  
  - 25% of the profits go to entity through which the sale was made (for example, if the user purchased the tag through WalletApp-X's site, WalletApp-X would get 25% + 25%  = 50% of the profits).
  - 50% of the profits go the sigSafe manufacturer.  

For developers who are interested, and who could credibly integrate sigSafe connectivity in an Android app (or perhaps with a browser extension, or--if the iPhone 6 has 2-way NFC--in an iOS app), please email or PM me your qualifications and I can probably get you a sigsafe device to play with as soon as I have the USB bootloader working (so that I can send you firmware updates without you requiring a JTAG programmer).  

¹But advanced users could just re-flash their device to "unkey" it.

Yes.  This nice thing is that you can also very easily prove to yourself that your cold storage "works" by sending some coins to an online wallet without ever revealing your private keys to an internet-connected device.  


A lot of things could be better.  Creating this video gave me new respect for talented video producers.  For example, it was a big challenge to even get the lighting decent.  And lol, the "desk" in the video is actually the top of my coffee table balanced across two tower speaker; it was the only way I could get something at the right height that still looked OK.

Cool stuf, a simple way to get your coins out of cold storage, or is it not? The sound on the video could be better though.

Yes, this is my proposal for the first "product" for the sigSafe technology (refer to the pitch in the video).  The phone signs with its private key, and then requests that the user taps his tag against his phone to produce the second signature (which is signed internally within the sigSafe tag and then relayed over NFC back to the phone).  


I need to give credit to DeathAndTaxes who actually suggested something like this to me when he reviewed the sigSafe white paper back in May.  But the simplicity of this solution didn't hit me until recently.  



Yes, this solution provides low-cost/simple hardware security by allowing the tag to piggyback off of the phone's screen.  


That was exactly the intent: since the sigSafe only has one of the two required keys, you don't need to trust the hardware as much.  

A multisig solution like this permits something quite interesting: in production, these sigSafe keys could be sold with a random seed already stored in EEPROM and a back-up of that seed printed on archival-quality paper (folded in some tamper-evident packaging).  Although advanced users could upload their own keys, new users could actually just use the one that came with the device (even if the sigSafe manufacturer was malicious, the chances that they are also in cahoots with a malicious wallet provider is slim).  I really don't want to rely on new users actually making a properly-verified backup of their seed, so I'd rather the default behaviour be something like:

 - tap the tag to the phone to initially create your multisig wallet

 - enter the last 6 digits on the front of your paper back-up

I'm assuming here ^^ that the pubkey is printed on the front of the tamper-evident package and the private key is inside.  This would allow the phone to ensure that the sigSafe corresponds with the paper back-up.

- store the paper back-up some place private and secure.  THIS IS THE ONLY WAY TO RECOVER YOUR FUNDS SHOULD YOU LOSE YOUR SIGSAFE.  

As long as the user puts the paper backup somewhere safe, I think this solution should be pretty foolproof even if the user loses or destroys his sigSafe.

 

I would be happy to buy one as well please

In a phone usage case could 2 of 2 multisig be used where the phone is one key and the NFC tag the other? The tag gives hardware security where the phone key allows me to see the transaction I'm signing? A bonus side effect is I don't have to trust the hardware as much.

Nice! When can I buy one?

Nice! When can we buy them?

Yes, the alpha-models work! 

Last week I believe I performed the first bitcoin multisig transaction signed offline by a passive NFC tag (no battery), transmitted over an air gap, and then broadcast to the bitcoin network in real time.

Here's a video demonstration:

https://vimeo.com/105458967

Any update on this?

Agree with all this. I use NFC to pair my bluetooth headphones with my phone and it works great. Think you are definitely on the right track here.

The fact that NFC is not yet ubiquitous beyond Android phones is obviously an obstacle.  However, several laptops and tablets now come equipped with NFC (a lot of people don't realize that their laptop already supports it), and of course it's possible to add a USB NFC reader as well (although that sort of defeats the "low cost" value proposition of Sigsafe).  Regarding Apple, let's hope they finally add NFC to the iPhone 6. 

Beyond bitcoin, NFC is a great technology because it is very short range allowing you to authenticate or "pair" devices by touch (think simplified Bluetooth pairing with no codes to enter) and because it is possible to transmit significant power magnetically (think wireless charging of a device via the NFC antenna). 

This is pretty cool.
PM me if there is some Indiegogo type funding project here and I might be in depending on price.