Topic: Time to bust a myth. Paper wallets are less secure than normal encrypted wallets - page 4. (Read 12337 times)

Mostly agreed, and there is a whole "social" layer of security that must be considered as well. The fact that I am discussing this with you, the fact that I am in IT, the fact that I have certain political opinions, the fact that I have a bitcointalk account, ect... all make me a much larger target than someone without those traits. I am cognizant of these weaknesses and this is why I took paranoid steps to secure my cold storage... short of doing a 100% audit on every line of code.

Good security is very complicated and even the best security experts occasionally make some mistakes(and thus why you should never have a single point of failure) for securing all your wealth.

 One great thing about Bitcoin is its forcing the users and society to adapt and develop better security and auditing. Most traditional fiat banks have abysmal security but its losses are ignored and amortized.


 

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.


Sounds good, I look forward to adding your guide to my list of recommendations. I haven't listed my security arrangement yet because it is too complicated for the average user and I don't feel like writing it all out.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

I completely agree, and what you just explained is one security method I originally did for myself before I created a more elaborate method with paper wallets.

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

A centralized repository to secure multiple accounts is insecure by design and why I typically tell users to avoid bitcoin banks or exchanges for storing their savings.


They cannot retroactively insert malware into existing and audited linux images. Yes, there could have been a unknown vulnerability that was missed initially (I.E..heartbleed) but this doesn't necessarily mean you are compromised and that your bitcoins will be stolen when you import part of your savings.


You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.



Yes , there are some extra security steps that must be checked and followed that most users will never do. This is why there are hardware wallets and devices like entropy... because they allow easy and good enough security for the average person.

For me they are both as secure as their end-user

I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one set of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated and a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.


Yes, only if I used multisig or Shamir's Secret Sharing splits between multiple sets of hardware. You know how many laptops and raspberry pis I would need to buy?
 
This is where paper wallets are useful.

GREAT! the airgap provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

And thats not even the only way to steal from a live CD. Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

You are suggesting that one should secure their life savings on the same PC they browse porn on ?


Sounds good , I am always open to new ideas and criticisms... look forward to your guide.

No its not. How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

You keep mentioning the risks from printers and I have already addressed those concerns. If you use a dumb/simple printer with minimal cache and temporarily disabled your LAN and WIFi functionality of your printer printed off the paper wallets from an entropy/clean and verified linux install, and than printed a few more documents after the fact to clear the cache their is almost no risk for those bitcoins to be stolen if they are properly secured. Of course we both can discuss many possible attack vectors under such a circumstance and if you thought you werre actively being targeted or spied upon you may want to use a open source laptop that a trusted friend bought for you , that you than checked and reviewed all the firmware and verified your version of linux , and printed off the paper wallets in grounded Faraday cage, ect... all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.


You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, thats not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aformentioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

Your system is only safe as it's weakest point. I don't use obscurity or rely on the difficulty of writing a piece of malware to protect my coins. Put it this way: I am not very smart but there is no attack I have mentioned here that I couldn't pull off on my own with moderate funds. Preventing or mitigating most of the attacks I have mentioned so far is possible, I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created a insecure paperwallet with this suggestion.

What we really need is a comprehensive guide which details a best course of action based upon the threat level of each individual.

Thus the threat level may look something like this:

1) minimal risk- Someone without a lot a bitcoins and generally good overall security behaviors
2) moderate risk - Someone nontechnical or poor security behaviors or with large amounts of bitcoin
3) High Risk - Journalists, political activists, IT administrators, Extremely wealthy or famous people
4) Paranoid risk level - high value criminals, large banks and exchanges, presidents and other political targets like snowden, applebaum, ect..

With each of these risk levels one would have different recommendations.

The great thing about this thread is that it discusses many of the security problems we have been concerned about and discussing for years.

The problem with this thread is it gives no context with the relative probabilities of each attack vector and exaggerates certain fears and than suggests one may as well simply use an encrypted wallet(which may or may not be true depending upon how the paper wallet was generated)

Ultimately, you can read the source code of entropy and even add your own salt to it if you believe it was tampered with but we must trust the hardware. This is why there is a growing movement of engineers supporting the open source hardware movement:

http://www.oshwa.org/
http://www.ohwr.org/

Good physical security and digital security is difficult to accomplish and you can never be 100% sure that your bitcoins are completely secure (or any of your physical items are 100% secure). What you can do is be extremely confident your bitcoins are secure. Additionally, the amount of effort you must place into security is highly relative depending upon if you are a political or legal target and how many bitcoins you need to secure. These aren't unique problems with bitcoin, but problems with securing any valuable assets.

The great thing about paper wallets is you have the ability to combine physical security with digital security when they are in mutisig form or split with Shamir's Secret Sharing. The largest bitcoin exchanges and banks aren't doing this simply as a PR stunt because physical cold storage is a fad and to insinuating this is misleading at least.

Yes sorry I misunderstood you. Of course, you should encrypt all copies of your wallet except for the backup seed, especially the copy in the cloud. I'd personally recommend uploading a copy of the actual wallet file (which is what file>save copy does), since it's already encrypted (as long as you chose to encrypt the wallet in electrum) and you'll also backup your labels and any settings for electrum plugins that you use, plus you can import it straight into electrum without fumbling with PGP, which makes it easy to test your backup.

And you can see what the balance is without knowing the password, so if in 10 years time you find this wallet backup you'll be able to see it's empty and won't waste your time trying to crack it in hopes that you might have left 0.01BTC in there which could be worth a lot more then. I once found a really old truecrypt encrypted litecoin wallet on an old drive, I used to mine 50LTC a day back when it was like $0.05/LTC and LTC was now $20 so I was really stoked, took me ages to crack it as I didn't know what password I used and I didn't write down a hint or anything, but eventually I figured it out and it was empty

Yes. For your paper version you should leave it in plaintext form as it would allow you to access your btc in the event you forget even a weak password.

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (With the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break (to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.