Pages:
Author

Topic: The official BitcoinPaperWallet.com thread -- updates and news. - page 9. (Read 55974 times)

sr. member
Activity: 261
Merit: 285
I wonder if your method can be tweaked by just using tape instead of tamper resistant stickers. Obviously it's less secure but might be good enough for lower BTC amounts.

Definitely still works with regular tape, especially if you're mostly concerned about casual tampering (wallet on the table) as opposed to dedicated fooling around with liquid solvents and heat guns. Smiley

To this end:

#1: Today I soft-launched https://bitcoinpaperwallet.com which not only provides the wallet generator (in-browser two-sided printing) but also features security tips, and allows you to purchase custom holograms using bitcoin. Wallet generator is open-source and can run entirely offline as it's based on bitaddress.org.

#2: Somewhat unrelated, but I entered a variation of my design for a *non-folding* project organized on bitcointalk.org. These paper wallets will be professionally printed (any you'll only home-print the keys/QR codes.) Have a look and vote for whichever design appeals most to you: https://tricider.com/en/brainstorming/poxx
sr. member
Activity: 437
Merit: 415
1ninja
I love this idea and what you've done with it. It's nice to have the private key hidden when carrying it in your wallet and being reasonably sure it hasn't been tampered with when you put your wallet on a table. They can be carried with you so not all your BTC is on your mobile phone (online). And you can use them to transfer BTC to other trusted parties who will know they should sweep the funds within a short time span.

Here is a link to a similar concept I proposed:
https://bitcointalksearch.org/topic/rough-idea-pocket-paper-wallet-feedback-please-51978

I wonder if your method can be tweaked by just using tape instead of tamper resistant stickers. Obviously it's less secure but might be good enough for lower BTC amounts.

member
Activity: 80
Merit: 10
IDK if it was still a question, but I would like to confirm that all of your QR codes worked for me. Secondly I think this is really cool, keep up the good work man.
full member
Activity: 224
Merit: 100
One bitcoin to rule them all!
Time to send another one to Karl Marx for testing?
sr. member
Activity: 261
Merit: 285
New design looks great!

Thanks, and again thanks for your extremely useful feedback.

For anyone who doesn't quite see how the new design addresses yellowcoin's "pull out the fold with stickytape" hack, here's how the new design folds up In Real Life



Now the two strips of tamper-evident tape stick to all 3 panels of the fold, preventing it from being snuck out.
newbie
Activity: 43
Merit: 0
What is preventing me from taking a stripe of paper with some expose tape in the end, slip it in the flap and pulling out the folded part? The security tape can be finger held down by the opening to prevent it from tearing.  I just tried it on a test paper and it worked as the whole flap came out.

I worked on about 5 or 6 variations last night before I hit on this one which isn't significantly more difficult to cut out with scissors. In my own tests, this new shape overcomes this exploit while still using the original design that calls for two strips of 2" x .625" tamper-evident tape. (When you fold this new design up, the tape now sticks to all three "panels" in the folded area so the innermost panel can't be snuck out.)

Thanks again yellowcoin for the excellent experiment.

http://i.imgur.com/Cx4Tg8V.jpg

PS: Yes, those are live keys, but there's nothing stored in them this time. Yet. Smiley

New design looks great!
I tend to think outside of the box and that was like the first thing that pop up on my head.  I'll poke around the new format when I get the chance to see if I can break it.
newbie
Activity: 23
Merit: 0
I wonder what QR code generator you use, because I didn't think it was possible to get QR codes to misread

Hmm, I hope this is just a blurring/resolution issue from taking a screenshot and then shrinking the size and applying JPG. I'm using the same code and QR generator as bitaddress.org -- the only fundamental difference is the web interface, CSS/HTML and the background art.

For what it's worth, I was able to instantly scan all of the codes from this page without issue.

I wonder if the lower resolution coupled with a lower quality scanner was the problem...? I used a Galaxy S3, but I have no idea how that camera compares to anything else.
newbie
Activity: 13
Merit: 0
I wonder what QR code generator you use, because I didn't think it was possible to get QR codes to misread

Hmm, I hope this is just a blurring/resolution issue from taking a screenshot and then shrinking the size and applying JPG. I'm using the same code and QR generator as bitaddress.org -- the only fundamental difference is the web interface, CSS/HTML and the background art.

Here's a non-downscaled sample. Would you see if the sample below reads correctly 10/10 for you? The QR codes when printed are quite sharp. Significantly sharper than this JPG.

http://i.imgur.com/03MhJNI.jpg

Couldn't get that one to read garbled even when I tried vile things with it ( rotating the camera, off-axis, etc... ) so was probably the blurriness.
sr. member
Activity: 261
Merit: 285
I wonder what QR code generator you use, because I didn't think it was possible to get QR codes to misread

Hmm, I hope this is just a blurring/resolution issue from taking a screenshot and then shrinking the size and applying JPG. I'm using the same code and QR generator as bitaddress.org -- the only fundamental difference is the web interface, CSS/HTML and the background art.

Here's a non-downscaled sample. Would you see if the sample below reads correctly 10/10 for you? The QR codes when printed are quite sharp. Significantly sharper than this JPG.

newbie
Activity: 13
Merit: 0
I worked on about 5 or 6 variations last night before I hit on this one which isn't significantly more difficult to cut out with scissors. In my own tests, this new shape overcomes this exploit while still using the original design that calls for two strips of 2" x .625" tamper-evident tape. (When you fold this new design up, the tape now sticks to all three "panels" in the folded area so the innermost panel can't be snuck out.)

Thanks again yellowcoin for the excellent experiment.

http://i.imgur.com/Cx4Tg8V.jpg

PS: Yes, those are live keys, but there's nothing stored in them this time. Yet. Smiley

I wonder what QR code generator you use, because I didn't think it was possible to get QR codes to misread [ either they'll scan, or it'll fail ]. Because, out of like 8 tries, I've read "1264FsZE5Fkc7TcsP1qg4PTcVi3^VYMgrA" off that QR code twice.

I do think that new design is a good compromise between cutting difficulty and the issue with sneaking the panel out, though.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
I've been busy on other fronts, but here is a preview of a simple attempt:

Clearly, some letters of the private key can be read, through all the folds and the safety sticker.
While I wasn't able to extract the complete key yet, this is a warning to anyone creating paper wallets. Canton takes this seriously, and from our private communication it seems that he has already implemented further improvements to the tamper-proofness (sic!) of his design.

While public information about techniques of non-destructive readout of hidden print is limited, everyone should bear in mind that we can see oil paintings that have been painted over, the insides of living creatures, insides of bags and people's pockets and underwear at the airports, obliterated serial numbers from hand guns, etc.

I'll try to find time to keep having fun with the paper wallet canton has sent me. Besides through-illumination and image processing, other simple methods involve volatile liquids that make paper temporarily translucent.

Finally, I'll share what I've been doing for many months: print a paper wallet, and place a piece of aluminum fold (folded in V-shape) around the fold with private key. I then laminate the whole thing. It would be extremely hard to read what's on the paper between two layers of Al foil. Added benefit - private key survives baking in the oven that completely destroys the exposed public key.
Án example, before laminating:


legendary
Activity: 1310
Merit: 1000
I mean so the folded parts aren't touching each other kinda like () instead of ||

Oh I totally get it now. Thanks for the ASCII art. Smiley

You're the second person to comment on this possible weakness. (The other person was on reddit.) So I just now [did a test], squishing the bill and then shining an extremely bright laser through the now 2 instead of 3 folds. Result? The QR code is still totally obfuscated because of the security pattern printed on the opposite panel. However I could easily read *some* of the characters in the alphanumeric private key. Probably not enough to be a risk but I'll redesign to make sure there's a good security stripe that gets folded over the alphanumeric private key as well.

Thanks for the advice!



Whats wrong with using a third sticker? Or a foil sticker on the inside?
sr. member
Activity: 261
Merit: 285
What is preventing me from taking a stripe of paper with some expose tape in the end, slip it in the flap and pulling out the folded part? The security tape can be finger held down by the opening to prevent it from tearing.  I just tried it on a test paper and it worked as the whole flap came out.

I worked on about 5 or 6 variations last night before I hit on this one which isn't significantly more difficult to cut out with scissors. In my own tests, this new shape overcomes this exploit while still using the original design that calls for two strips of 2" x .625" tamper-evident tape. (When you fold this new design up, the tape now sticks to all three "panels" in the folded area so the innermost panel can't be snuck out.)

Thanks again yellowcoin for the excellent experiment.



PS: Yes, those are live keys, but there's nothing stored in them this time. Yet. Smiley
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
May I suggest that while you have this nice dollar bill size paper wallet, you can also make a nice A4 or Letter size full page paper wallet. Easier for people to use a printer, as they just put the whole page in.

Also, you can put more newbie type instructions on the full page paper wallet, the QR codes can be larger, and you have more design artwork space, and maybe more space for additional fund deposit information.

I personally have tried two cheap paper wallets:
1. one page that contains 50+ private keys / public keys / pairs. No QR code.
2. one page that contains only 1 public / private key pair. Giant text. Giant QR code.

Your size = fits in a real wallet like any other fiat money.
My full size = fits in an envelope, looks like a stock certificate or bearer bond or something really valuable.
sr. member
Activity: 261
Merit: 285
You should put the clear instruction on the wallet that it is for ONE TIME USE ONLY

How's this for an updated reverse?

full member
Activity: 196
Merit: 116
Entrepreneur, coder, hacker, pundit, humanist.
Very nice work cantor!

I can't wait till you launch the site.
sr. member
Activity: 261
Merit: 285
You should put the clear instruction on the wallet that it is for ONE TIME USE ONLY

A million percent agreed. Here's the current back of the wallet, though I wonder if the point should be amplified...




And here's the related bit of instructions as they'll appear on the web. Note the tip in the middle. Especially that typo. Oops. Smiley



The link to "lose your balance forever" goes to this excellent thread:
http://www.reddit.com/r/Bitcoin/comments/1c9xr7/psa_using_paper_wallets_understanding_change/

I welcome any edits/ideas/additions to making this hugely important point as clear as possible.
full member
Activity: 140
Merit: 100
Mining FTW
The one concern I still have about paper wallets, which a lot of people seem to forget. (seeing this here too on the instructions on the front)

You should put the clear instruction on the wallet that it is for ONE TIME USE ONLY the moment you used the private key to transfer (some) of the BTC, the paper wallet is technically no longer safe. Best is to transfer them all to a normal wallet, take what you need and create a new paper wallet for the remaining funds.

Hence also why its better to have 50 paper wallets with 20 BTC each, than 1 with 1000 BTC.
sr. member
Activity: 261
Merit: 285
1) What is preventing me from taking a stripe of paper with some expose tape in the end, slip it in the flap and pulling out the folded part?

THAT IS FRIGGING AWESOME. I didn't think it was possible reading your post, but then I tried it myself on a test wallet and was able to reveal the inner flap without disturbing the tape. That's a superb low-tech work-around, nice job.

I could add a third sticker requirement to cover the open fold - could even be a nice circular hologram of a BTC or something. Or, I could change the design so it includes an extra cut in the middle like so:



This way the tape holds down the innermost flap as well.

I can't quite decide whether it's better to have more stickers plastered on the thing, or require that users make an additional (farily deft) set of cuts. Opinions?

2) The worse enemy of all stickers ... good old heat gun / blow dryer

Good idea. I'll have to experiment with dry heat (if Niko hasn't already) to see if these tamper-evident stickers are susceptible.

Thanks for the excellent feedback. Just sent you a beers-worth of BTC to your address.
https://blockchain.info/address/15kFAbgWsSM28N7x5ZbWAehABkGnp9dPPT
sr. member
Activity: 261
Merit: 285
When you do find out how the keys were compromised please let us know so similar risks can be avoided.

Well I found out a couple hours after Niko first noticed the balance was missing. I've just been too embarrassed to fess up to what happened. Here's the skinny:

Back when I generated Niko's test wallet I was still using a photoshop template to make these wallets. (Now I'm using a fork of bitaddress.org / javascript.) The same day that I printed out his wallet, I also did some work in photoshop on a different (non-folding) bitcoin template for another project on bitcointalk.org. I used my photoshop template as a starting point (which still had Niko's codes on it) and I accidentally included the QR code from Niko's test wallet in a couple of design templates over here:

https://bitcointalk.org/index.php?topic=155847.100

Someone apparently tried out the codes, realized there was a balance, and swiped the wallet. That person was kind enough to contact me anonymously and let me know that s/he had swiped the bounty. If Niko wins the bet I'll just have to send him his BTC the "old fashioned" way.

tl/dr: I screwed up and posted an image containing the private key QR code to bitcointalk.org.
Pages:
Jump to: