Author Topic: Smart card wallet, take 2  (Read 3560 times)
JustThinking (OP)
July 19, 2012, 01:33:14 PM
 #1

Hello,

Being a bitcoin lurker for a while, the main showstopper for me has been the complexity of required procedures for secure bitcoin handling.
As a hardware security/PKI guy, the obvious choice for anything handling private keys in a small scale is a smart card. Unfortunately there is no support for smart cards in bitcoin at the moment. There has been some initial work in the wiki: https://en.bitcoin.it/wiki/Smart_card_wallet but the work has stalled and it also seems that the expectations are not too realistic for the chosen solution (no card I know can do on-card programmable displays at the moment, for a reasonable price).

Building on the idea of storing the wallet securely in a smart card and requiring the smart card and a PIN code for any outgoing transactions, I made some tests with some hardware, based on information gathered from the web (https://en.bitcoin.it/wiki/Protocol_specification). AFAIU, the required primitives are plain ECDSA with secp256k1, ripemd160 and sha-256, where in fact only plain ECDSA is required to be implemented on the card.

I made a website, http://smartcardwallet.org, but I'm asking for feedback on feasibility here.

Do understand that this is vaporware at the moment, but the time to market is really short, unlike more fancy ideas. Suitable smart cards exist, required algorithms seem to be present, the set of tasks required for securing a wallet seems to be defined (at least in my head) and somebody on #bitcoin-dev even suggested integrating a C library implementing the hardware wallet into bitcoind, if time permits (I would assume that time can be bought with money).

Given prior experience with the field, I would suggest that this can be implemented in a month or two, and would give a real physical wallet, with comparable security to traditional chip cards (without the bad terminal<->card protocol in EMV ;) ).

Would somebody be interested in this? Would people pay for it (I wrote down some rough prices of hardware that would be required. For a successful business, the development cost should probably be financed through ready-made kits)?

Saying this, I must admit again that I'm a bitcoin lurker with less than 1BTC on one account, but a somewhat seasoned person in the smart card, applied cryptography and overall security field. Bitcoin usually crosses my information barrier when things break (like the links in the "why" section) so I decided to have a look at the *technical* feasibility of protecting a bitcoin wallet in the fastest (in terms of R&D) and most secure way (in terms of validated, established smart cards).

What do you think? If there is enough interest that would justify a few weeks of interesting hacking, I'd continue with an overall POC hack.



(and somebody dealing with the moderation of the forum, please shift this topic to the tech & dev board)

John (John K.)
July 19, 2012, 02:32:37 PM
 #2

Whitelisted, and moved to Project Development.
2112
July 19, 2012, 02:46:26 PM
 #3

Given prior experience with the field, I would suggest that this can be implemented in a month or two, and would give a real physical wallet, with comparable security to traditional chip cards (without the bad terminal<->card protocol in EMV ;) ).
Given your prior experience I have one question: is anyone storing irreplaceable data on the smartcards? Thus far in my limited experience all practical cryptosystems relied on the fact that in case of smartcard/device failure the custody chain can provide replacement of the key material at a cost of inconvenience.

Is there any practical application where lost/damaged keys have actual value lost together with them?

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
JustThinking (OP)
July 19, 2012, 03:31:14 PM
 #4

Given prior experience with the field, I would suggest that this can be implemented in a month or two, and would give a real physical wallet, with comparable security to traditional chip cards (without the bad terminal<->card protocol in EMV ;) ).
Given your prior experience I have one question: is anyone storing irreplaceable data on the smartcards? Thus far in my limited experience all practical cryptosystems relied on the fact that in case of smartcard/device failure the custody chain can provide replacement of the key material at a cost of inconvenience.

Is there any practical application where lost/damaged keys have actual value lost together with them?


Sure, if your system is built up like that. Usually keys matter if you have something irreversible associated to them. For example encryption keys or in the case of bitcoin, value associated with the ability to use a *specific* key.

In usual PKI deployments the association is done by a CA and underlying keys can change without a problem.

In the context of SmartCardWallet, the ability to make secure copies of your wallet to a smart card with the same capabilities is planned, but not in 0.1 version.
2112
July 19, 2012, 03:55:08 PM
Last edit: July 19, 2012, 04:06:25 PM by 2112
 #5

Sure, if your system is built up like that. Usually keys matter if you have something irreversible associated to them.

In usual PKI deployments the association is done by a CA and underlying keys can change without a problem.
I apologise for the awkward wording of my question.

Let's forget the Bitcoin for the moment, just look back into the past for the PKI systems that already exist, are deployed and in use.

1) Is/was there any system where the cryptographic keys carried any value higher than the cost of inconvenience to replace them?

2) Are/were there any smartcards/cryptodevices that provide internal error detection and correction and use it to signal impending failure instead of simply zeroizing the key material and self-destructing?

In case you wonder: those are real questions, not the rhetorical ones. I don't know the answer. Years ago I've seen brochures (in German) of some vendor offering the system consisting of a safe, a stripped-down laptop and an anti-personnel mine hooked up to the glass lockout plate inside the safe. The only communication with the laptop was through the serial port. But this was a really expensive product.


unclemantis
July 19, 2012, 09:24:12 PM
 #6

Hello,

Being a bitcoin lurker for a while, the main showstopper for me has been the complexity of required procedures for secure bitcoin handling.
As a hardware security/PKI guy, the obvious choice for anything handling private keys in a small scale is a smart card. Unfortunately there is no support for smart cards in bitcoin at the moment. There has been some initial work in the wiki: https://en.bitcoin.it/wiki/Smart_card_wallet but the work has stalled and it also seems that the expectations are not too realistic for the chosen solution (no card I know can do on-card programmable displays at the moment, for a reasonable price).

Building on the idea of storing the wallet securely in a smart card and requiring the smart card and a PIN code for any outgoing transactions, I made some tests with some hardware, based on information gathered from the web (https://en.bitcoin.it/wiki/Protocol_specification). AFAIU, the required primitives are plain ECDSA with secp256k1, ripemd160 and sha-256, where in fact only plain ECDSA is required to be implemented on the card.

I made a website, http://smartcardwallet.org, but I'm asking for feedback on feasibility here.

Do understand that this is vaporware at the moment, but the time to market is really short, unlike more fancy ideas. Suitable smart cards exist, required algorithms seem to be present, the set of tasks required for securing a wallet seems to be defined (at least in my head) and somebody on #bitcoin-dev even suggested integrating a C library implementing the hardware wallet into bitcoind, if time permits (I would assume that time can be bought with money).

Given prior experience with the field, I would suggest that this can be implemented in a month or two, and would give a real physical wallet, with comparable security to traditional chip cards (without the bad terminal<->card protocol in EMV ;) ).

Would somebody be interested in this? Would people pay for it (I wrote down some rough prices of hardware that would be required. For a successful business, the development cost should probably be financed through ready-made kits)?

Saying this, I must admit again that I'm a bitcoin lurker with less than 1BTC on one account, but a somewhat seasoned person in the smart card, applied cryptography and overall security field. Bitcoin usually crosses my information barrier when things break (like the links in the "why" section) so I decided to have a look at the *technical* feasibility of protecting a bitcoin wallet in the fastest (in terms of R&D) and most secure way (in terms of validated, established smart cards).

What do you think? If there is enough interest that would justify a few weeks of interesting hacking, I'd continue with an overall POC hack.



(and somebody dealing with the moderation of the forum, please shift this topic to the tech & dev board)



I need to argue with this line "Smart Card Wallet does the obvious: stores your bitcoins securely inside a smart card."

the bitcoins are stored on the NETWORK. The KEYS are stored anywhere you want to store them. Multiple copies at multiple locations.

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
JustThinking (OP)
July 20, 2012, 02:13:17 PM
 #7

Sure, if your system is built up like that. Usually keys matter if you have something irreversible associated to them.

In usual PKI deployments the association is done by a CA and underlying keys can change without a problem.
I apologise for the awkward wording of my question.

Let's forget the Bitcoin for the moment, just look back into the past for the PKI systems that already exist, are deployed and in use.

1) Is/was there any system where the cryptographic keys carried any value higher than the cost of inconvenience to replace them?
Assuming I understand your question, the answer is yes. This implies that the *key* has any value that cannot be replaced (like the ability to decrypt something valuable which is tied to the key or the ability to authorize transactions, like with bitcoin).

Quote

2) Are/were there any smartcards/cryptodevices that provide internal error detection and correction and use it to signal impending failure instead of simply zeroizing the key material and self-destructing?

None that I know of. The primary purpose of crypto devices is usually to protect the keys. If you worry about degradation or something similar, it is not in the scope of a single device. Your backup procedures must be sound. Though most intelligent devices and applications do make internal integrity checks.
JustThinking (OP)
July 20, 2012, 02:16:24 PM
 #8

I need to argue with this line "Smart Card Wallet does the obvious: stores your bitcoins securely inside a smart card."

the bitcoins are stored on the NETWORK. The KEYS are stored anywhere you want to store them. Multiple copies at multiple locations.

Certain adjustments in terminology must be made to make it understandable to "common people". Unless you have heard about common people talking about PKI, then you might not know that "people sign with certificates" (not private keys) or "sign with PIN codes" (not private keys).
flipperfish
July 22, 2012, 12:06:01 PM
 #9

I have been thinking about something like that, too. But I came up with some attacks that have to be prevented for a smart card to be useful (more than some kind of offline storage netbook).

In my opinion the system to which the reader is connected has to be considered as totally corrupted with trojans, rootkits, etc.

The reader or the smartcard has to ensure that the host system can't have arbitrary signature requests signed by the card.
The only solution that came to my mind was to display the to-be-signed transaction at the reader (which is secure, and therefore does not display a bogus transaction). Then the user has to enter the PIN/password at the reader (so it cannot get into the host system), which gives it to the smartcard, which in turn can use it to decrypt the private keys and sign the transaction.
ben-abuya
July 22, 2012, 05:40:51 PM
 #10

I have been thinking about something like that, too. But I came up with some attacks that have to be prevented for a smart card to be useful (more than some kind of offline storage netbook).

In my opinion the system to which the reader is connected has to be considered as totally corrupted with trojans, rootkits, etc.

The reader or the smartcard has to ensure that the host system can't have arbitrary signature requests signed by the card.
The only solution that came to my mind was to display the to-be-signed transaction at the reader (which is secure, and therefore does not display a bogus transaction). Then the user has to enter the PIN/password at the reader (so it cannot get into the host system), which gives it to the smartcard, which in turn can use it to decrypt the private keys and sign the transaction.

Beyond this, there has to be a more secure way of presenting the recipient bitcoin address. Imagine that the host computer is infected with a virus. The virus monitors all unsigned transactions sent for signing, and when a particularly big one shows up, it slightly modifies the recipient address to an address owned by the attacker. This address could be generated on the fly, or generated in the background based on past addresses the virus has seen in use by the user, or even related addresses it finds on the blockchain. It's very hard to visually diff bitcoin addresses on two separate screens.

One solution would be to convert the public recipient address into a phrase, similar to what Electrum does for private seeds. Perhaps the universe of words used for the conversion could be pruned so that there are no similar words. Of course, this phrase would have to be published by the recipient himself, and not by the potentially infected host software. However, even if the recipient didn't publish the phrase, this might still be pretty strong, since it could be very hard to find a bitcoin address that is both similar to the original recipient address and has a very similar phrase.

http://lamassubtc.com/
Lamassu Bitcoin Ventures
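
The address-to-phrase check described in post #10, as an added example that is not from the thread or from any wallet's code. It assumes proquint-style five-letter syllable words in place of an Electrum-like dictionary so the block stays self-contained; all function names are hypothetical and both sample addresses are built from constructed hash160 values.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CONS = "bdfghjklmnprstvz"  # 16 consonants, 4 bits each (proquint alphabet)
VOWS = "aiou"              # 4 vowels, 2 bits each


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58check_decode(addr: str) -> bytes:
    """Return version byte + hash160, or raise ValueError if corrupted."""
    n = 0
    for ch in addr:
        if ch not in B58:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad length or checksum")
    return raw[:-4]


def word(v: int) -> str:
    """Map 16 bits to one pronounceable 5-letter word (CVCVC)."""
    return (CONS[v >> 12] + VOWS[(v >> 10) & 3] + CONS[(v >> 6) & 15]
            + VOWS[(v >> 4) & 3] + CONS[v & 15])


def address_to_phrase(addr: str) -> str:
    """Phrase covering version, hash160 and one checksum byte (22 bytes)."""
    payload = b58check_decode(addr)
    data = payload + checksum(payload)[:1]
    return " ".join(word(int.from_bytes(data[i:i + 2], "big"))
                    for i in range(0, len(data), 2))


def phrase_matches(addr: str, published: str) -> bool:
    """True only if addr is valid and encodes to the published phrase."""
    try:
        mine = address_to_phrase(addr)
    except ValueError:
        return False
    return mine == " ".join(published.lower().split())


def differing_words(a: str, b: str) -> int:
    """Count positions at which two phrases carry different words."""
    return sum(x != y for x, y in zip(a.split(), b.split()))


# Constructed sample data: neither hash160 belongs to a real key.
MERCHANT = b58check_encode(b"\x00" + bytes(range(20)))
SWAPPED = b58check_encode(b"\x00" + bytes(range(1, 21)))

if __name__ == "__main__":
    phrase = address_to_phrase(MERCHANT)  # recipient publishes this out of band
    print(MERCHANT, "->", phrase)
    print("intended address ok:", phrase_matches(MERCHANT, phrase))
    print("swapped address ok: ", phrase_matches(SWAPPED, phrase))
    print("words that differ:  ",
          differing_words(phrase, address_to_phrase(SWAPPED)))
```

The comparison only helps if the phrase reaches the payer over a channel the infected host does not control, which is the condition the post itself states.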
apetersson
July 23, 2012, 03:13:22 PM
 #11

have you seen the bitcoincard
http://www.bitcoincard.org
JustThinking (OP)
August 03, 2012, 01:59:42 PM
Last edit: August 03, 2012, 07:34:39 PM by JustThinking
 #12

I have been thinking about something like that, too. But I came up with some attacks that have to be prevented for a smart card to be useful (more than some kind of offline storage netbook).

In my opinion the system to which the reader is connected has to be considered as totally corrupted with trojans, rootkits, etc.

The reader or the smartcard has to ensure that the host system can't have arbitrary signature requests signed by the card.
The only solution that came to my mind was to display the to-be-signed transaction at the reader (which is secure, and therefore does not display a bogus transaction). Then the user has to enter the PIN/password at the reader (so it cannot get into the host system), which gives it to the smartcard, which in turn can use it to decrypt the private keys and sign the transaction.

Yes and no.

Yes, there are always attacks and successful attacks.
Yes, the computer should be considered a probably contaminated area.
Yes, using a pinpad reader is the obvious way to protect from unauthorized signatures from trojans.

But. This (a reader with a secure display or a card controlling it) is not the target of this development. The target of the development is simple: protecting the keys from arbitrary copying (which is still possible with offline storage netbooks and such instances, and also way cheaper). The ability to interact with commodity hardware and software, securely with the reader, displaying card-controlled information, just doesn't exist at the moment.

With "software data" you never know if and where there are two copies.



JustThinking (OP)
August 03, 2012, 02:04:38 PM
 #13

have you seen the bitcoincard
http://www.bitcoincard.org

Yes I have, and that has no immediate relation to SmartCardWallet.

SmartCardWallet has a very simple yet powerful goal: protect in hardware the keys that authorize transactions. No fancy self-made hardware, no extra displays and pay buttons. Just a smart card much like your VISA or electronic identity card.

First, it builds upon "established standards and practices" (readily-available, certified hardware)
Second, it includes no self-made hardware components or hardware R&D, relying on commodity (CCID readers, plenty of them already installed in computers)
Third, it does not want to change everything or change the world or become the ubiquitous way of using bitcoins. It just wants to make "storing your coins"  safer than it would be with software keys. That's it.
ripper234
August 24, 2012, 05:26:17 AM
 #14

I want this card.

Related posts:
- On the Hardware Bitcoin Wallet thread
- Thinking of m-of-n tx with Yubikey.

Someone should just get up and do it.
I know zero about hardware and device drivers, and have relatively little time, so I can't be a lot of help at this point I'm afraid.

How much time are you dedicating to working on it?
Would you increase this time if sufficient donations came in? (Like the Donations for Armory)

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
JustThinking (OP)
August 24, 2012, 06:04:21 PM
 #15

I want this card.

Related posts:
- On the Hardware Bitcoin Wallet thread
- Thinking of m-of-n tx with Yubikey.

Someone should just get up and do it.
I know zero about hardware and device drivers, and have relatively little time, so I can't be a lot of help at this point I'm afraid.

How much time are you dedicating to working on it?
Would you increase this time if sufficient donations came in? (Like the Donations for Armory)

Thanks for the links, I'll be reading them (but I must admit that I have a very fixed concept already).

As said, the card itself is done, but I failed in linking it (sensibly) to Electrum (which has too much internal stuff related to deterministic key generation etc built into it that I felt like an elephant in a crystal store). Next target is BitcoinJ, as it seems easier to refactor it to use hardware keystores because of Java than other options. Unfortunately higher priority events postponed working on it (which is not a difficult task per se, but wrapping it up into a nice package, be it for end-users or other developers, is more time-consuming than just "make it work").


See also: https://groups.google.com/forum/#!topic/bitcoinj/ukA640Q9J9g


At the moment it is purely a hobby project, no time is directly dedicated to *this* project (but I'm quite involved in "all things smart card" thus it might not be a fair description).

Sufficient donations (?) would of course justify scheduling time, but I don't know if I would like to "wait until it materializes" and try to market/sell it or make it a "take it all" open source solution.

I wouldn't mind collaborating with someone more involved with Bitcoin related activities, as for me it is a purely technical challenge (and the main obstacle for owning more than 10BTC)

I could send you a card and a simple reader for testing purposes, if needed, for around 50€ I guess.
ripper234
August 24, 2012, 06:47:57 PM
 #16

Thanks for the link, interesting discussion in the bitcoinj group.

I share Mike Hearn's concerns about a virus showing bogus addresses - I think a successful "hardware Bitcoin security device" needs to be immune to such attacks, and assume the threat model is a computer infested with a sophisticated virus that targets this wallet, can fake address, etc...

I think I'll be content to watch this project and others for the time being. I would want to own one such device when a usability & security threshold is reached, but perhaps it's premature.

HeavyMetal
August 24, 2012, 06:59:42 PM
 #17

A smart card is of course one of the best possible compute platforms for a portable wallet. Correct me if I am wrong but the software on the card can create new private keys in secure memory which can be extremely difficult to access outside of the provided API (like some sort of tunneling microscope).

Do these cards support signed software to prevent malware from being installed? I know some POS systems allow something like that.
JustThinking (OP)
August 24, 2012, 07:08:16 PM
 #18

Thanks for the link, interesting discussion in the bitcoinj group.

I share Mike Hearn's concerns about a virus showing bogus addresses - I think a successful "hardware Bitcoin security device" needs to be immune to such attacks, and assume the threat model is a computer infested with a sophisticated virus that targets this wallet, can fake address, etc...

I think I'll be content to watch this project and others for the time being. I would want to own one such device when a usability & security threshold is reached, but perhaps it's premature.
Regarding idealistic hardware devices: the same problem has haunted PKI (think: secure signature creation devices). People should understand that there is no closed-world 100% secure modelled world available (read: not financially meaningful in civil sector). There have been reports of trojans that intercept smart card calls (Zeus IIRC) and thus have the theoretical capability of intercepting calls to smart cards and forging signatures etc. But in practical terms *stealing* keys in smart cards is really hard (requires a physical theft) and unauthorized use is made much more difficult. If you rely 100% on the unbreakability of the smart card, then yes, there is a chance to break it, probably.

But I think there's much more needed for a full solution (including in the overall protocol layer of bitcoin) to have such perfect end2end secure transaction device. And it will take more time than SmartCardWallet.

SmartCardWallet targets one weakness in the system and solves just a very traditional problem: secrecy of private keys. The same has probably been debated a long time ago by people smarter than me, that having your signature keys (like the keys in bitcoin are) in a smart card is way better than having them in an encrypted file somewhere.




HeavyMetal
August 24, 2012, 07:09:27 PM
 #19

Thanks for the link, interesting discussion in the bitcoinj group.

I share Mike Hearn's concerns about a virus showing bogus addresses - I think a successful "hardware Bitcoin security device" needs to be immune to such attacks, and assume the threat model is a computer infested with a sophisticated virus that targets this wallet, can fake address, etc...

I think I'll be content to watch this project and others for the time being. I would want to own one such device when a usability & security threshold is reached, but perhaps it's premature.

I disagree. The purpose of this device is to protect the key from being copied and to sign requests. Providing the correct address is a concern of the recipient of the funds, if the POS terminal is infected and the store does not get its money then it has nothing to do with the card.

I think this smartcard is solving a very specific problem and that other concerns must be addressed elsewhere.
JustThinking (OP)
August 24, 2012, 07:13:18 PM
 #20

A smart card is of course one of the best possible compute platforms for a portable wallet. Correct me if I am wrong but the software on the card can create new private keys in secure memory which can be extremely difficult to access outside of the provided API (like some sort of tunneling microscope).

Do these cards support signed software to prevent malware from being installed? I know some POS systems allow something like that.

Yes, of course the keys are generated on-card. But depending on cardholder wishes, keys can also be imported or exported or backed up to a similar smart card. This requires a specific card-application, so if you choose a no-export, no-import, no-backup card, you can be sure that the keys you have are the *only* copies on earth.

Software is integrity-checked, as one can't just load arbitrary software to the smart card. There's no point in having "signed software" in this context (the anchor of trust better be a person guarding the process of card manufacturing from source code)