Pages:
Author

Topic: Time to bust a myth. Paper wallets are less secure than normal encrypted wallets - page 4. (Read 12404 times)

hero member
Activity: 658
Merit: 501
This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

Mostly agreed, and there is a whole "social" layer of security that must be considered as well. The fact that I am discussing this with you, the fact that I am in IT, the fact that I have certain political opinions, the fact that I have a bitcointalk account, ect... all make me a much larger target than someone without those traits. I am cognizant of these weaknesses and this is why I took paranoid steps to secure my cold storage... short of doing a 100% audit on every line of code.

Good security is very complicated and even the best security experts occasionally make some mistakes(and thus why you should never have a single point of failure) for securing all your wealth.

 One great thing about Bitcoin is its forcing the users and society to adapt and develop better security and auditing. Most traditional fiat banks have abysmal security but its losses are ignored and amortized.


 
hero member
Activity: 882
Merit: 1006
This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.
hero member
Activity: 658
Merit: 501
When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

Sounds good, I look forward to adding your guide to my list of recommendations. I haven't listed my security arrangement yet because it is too complicated for the average user and I don't feel like writing it all out.
hero member
Activity: 882
Merit: 1006
We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.
hero member
Activity: 658
Merit: 501
I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

I completely agree, and what you just explained is one security method I originally did for myself before I created a more elaborate method with paper wallets.

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.
hero member
Activity: 882
Merit: 1006
You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.
hero member
Activity: 658
Merit: 501
Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

A centralized repository to secure multiple accounts is insecure by design and why I typically tell users to avoid bitcoin banks or exchanges for storing their savings.

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

They cannot retroactively insert malware into existing and audited linux images. Yes, there could have been a unknown vulnerability that was missed initially (I.E..heartbleed) but this doesn't necessarily mean you are compromised and that your bitcoins will be stolen when you import part of your savings.

Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.


And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

Yes , there are some extra security steps that must be checked and followed that most users will never do. This is why there are hardware wallets and devices like entropy... because they allow easy and good enough security for the average person.
full member
Activity: 184
Merit: 100
Bitcoin FTW!
For me they are both as secure as their end-user Smiley
hero member
Activity: 882
Merit: 1006
And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.


I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.
hero member
Activity: 658
Merit: 501
And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one set of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated and a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.

GREAT! cold storage provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

Yes, only if I used multisig or Shamir's Secret Sharing splits between multiple sets of hardware. You know how many laptops and raspberry pis I would need to buy?
 
This is where paper wallets are useful.
hero member
Activity: 882
Merit: 1006
Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM Tongue )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

GREAT! the airgap provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.
hero member
Activity: 882
Merit: 1006
You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

And thats not even the only way to steal from a live CD. Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.
hero member
Activity: 658
Merit: 501
How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM Tongue )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

You are suggesting that one should secure their life savings on the same PC they browse porn on ?

I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

Sounds good , I am always open to new ideas and criticisms... look forward to your guide. Smiley
hero member
Activity: 882
Merit: 1006
all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

No its not. How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.
hero member
Activity: 658
Merit: 501
The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, thats not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aformentioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

You keep mentioning the risks from printers and I have already addressed those concerns. If you use a dumb/simple printer with minimal cache and temporarily disabled your LAN and WIFi functionality of your printer printed off the paper wallets from an entropy/clean and verified linux install, and than printed a few more documents after the fact to clear the cache their is almost no risk for those bitcoins to be stolen if they are properly secured. Of course we both can discuss many possible attack vectors under such a circumstance and if you thought you werre actively being targeted or spied upon you may want to use a open source laptop that a trusted friend bought for you , that you than checked and reviewed all the firmware and verified your version of linux , and printed off the paper wallets in grounded Faraday cage, ect... all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

Your system is only safe as it's weakest point.

You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.
hero member
Activity: 882
Merit: 1006
I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created a insecure paperwallet with this suggestion.

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, thats not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aformentioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

Your system is only safe as it's weakest point. I don't use obscurity or rely on the difficulty of writing a piece of malware to protect my coins. Put it this way: I am not very smart but there is no attack I have mentioned here that I couldn't pull off on my own with moderate funds. Preventing or mitigating most of the attacks I have mentioned so far is possible, I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.
hero member
Activity: 658
Merit: 501
The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you shouldn't use a really high iteration count so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created a insecure paperwallet with this suggestion.

What we really need is a comprehensive guide which details a best course of action based upon the threat level of each individual.

Thus the threat level may look something like this:

1) minimal risk- Someone without a lot a bitcoins and generally good overall security behaviors
2) moderate risk - Someone nontechnical or poor security behaviors or with large amounts of bitcoin
3) High Risk - Journalists, political activists, IT administrators, Extremely wealthy or famous people
4) Paranoid risk level - high value criminals, large banks and exchanges, presidents and other political targets like snowden, applebaum, ect..

With each of these risk levels one would have different recommendations.
hero member
Activity: 658
Merit: 501
The great thing about this thread is that it discusses many of the security problems we have been concerned about and discussing for years.

The problem with this thread is it gives no context with the relative probabilities of each attack vector and exaggerates certain fears and than suggests one may as well simply use an encrypted wallet(which may or may not be true depending upon how the paper wallet was generated)

Ultimately, you can read the source code of entropy and even add your own salt to it if you believe it was tampered with but we must trust the hardware. This is why there is a growing movement of engineers supporting the open source hardware movement:

http://www.oshwa.org/
http://www.ohwr.org/

Good physical security and digital security is difficult to accomplish and you can never be 100% sure that your bitcoins are completely secure (or any of your physical items are 100% secure). What you can do is be extremely confident your bitcoins are secure. Additionally, the amount of effort you must place into security is highly relative depending upon if you are a political or legal target and how many bitcoins you need to secure. These aren't unique problems with bitcoin, but problems with securing any valuable assets.

The great thing about paper wallets is you have the ability to combine physical security with digital security when they are in mutisig form or split with Shamir's Secret Sharing. The largest bitcoin exchanges and banks aren't doing this simply as a PR stunt because physical cold storage is a fad and to insinuating this is misleading at least.
hero member
Activity: 882
Merit: 1006
When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (With the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break (to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.

Yes sorry I misunderstood you. Of course, you should encrypt all copies of your wallet except for the backup seed, especially the copy in the cloud. I'd personally recommend uploading a copy of the actual wallet file (which is what file>save copy does), since it's already encrypted (as long as you chose to encrypt the wallet in electrum) and you'll also backup your labels and any settings for electrum plugins that you use, plus you can import it straight into electrum without fumbling with PGP, which makes it easy to test your backup.

And you can see what the balance is without knowing the password, so if in 10 years time you find this wallet backup you'll be able to see it's empty and won't waste your time trying to crack it in hopes that you might have left 0.01BTC in there which could be worth a lot more then. I once found a really old truecrypt encrypted litecoin wallet on an old drive, I used to mine 50LTC a day back when it was like $0.05/LTC and LTC was now $20 so I was really stoked, took me ages to crack it as I didn't know what password I used and I didn't write down a hint or anything, but eventually I figured it out and it was empty Sad
hero member
Activity: 532
Merit: 500
no longer selling accounts
I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.
you could tell it to display the seed and then save the text of the seed in a PGP encrypted file.

This would be essentially the same thing you would do with armory, except that armory is much more encouraging for you to back it up this way.

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you should probably turn down the iteration count a bit so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

Armory also tries to force you to make at least one unencrypted backup for this reason.
Yes. For your paper version you should leave it in plaintext form as it would allow you to access your btc in the event you forget even a weak password.

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (With the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break (to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.
Pages:
Jump to: