Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: NotATether on October 23, 2020, 05:19:25 PM



Title: I need help understanding how card HW wallets work
Post by: NotATether on October 23, 2020, 05:19:25 PM
I'm talking about cards like Ballet Crypto and Coinfinity, which have a QR code on them, and possibly a public or private key. What is inside the QR code, and how do you load it with funds? If private keys are revealed then how is that possible without compromising security?

Is it true that cards are supposed to be for one-way sending, and when you extract the funds, the card becomes unusable? So it's effectively a piggy bank?

Sorry for these basic questions, I'm a complete noob to card wallets.


Title: Re: I need help understanding how card HW wallets work
Post by: HCP on October 23, 2020, 09:03:30 PM
I'm talking about cards like Ballet Crypto and Coinfinity, which have a QR code on them, and possibly a public or private key. What is inside the QR code, and how do you load it with funds? If private keys are revealed then how is that possible without compromising security?
Looking at the Ballet Crypto one... the visible QR Code is simply used for encoding the deposit address... the underneath side of QR sticker, has a second QR code that contains the "encoded private key" (it's a BIP38 encrypted private key).
4. In Ballet’s secure printing facility, a two-layer QR code sticker is printed with the EPK on the concealed bottom layer and the deposit address on the exposed top layer.

To load with funds, you simply scan the QR code (or type in the displayed address) and send funds to the address as a normal transaction.


The passphrase for this BIP38 encrypted private key is stored under the "scratch off panel" on the front of the card...
8. At Ballet’s secure facility in the United States, the wallet passphrase and serial number are laser-etched onto the physical product.
a. The physical products and QR code stickers are double checked to ensure that all three serial numbers match correctly.
b. A strip of tamper-evident scratch-off material is then applied over the wallet passphrase to conceal it.


Is it true that cards are supposed to be for one-way sending, and when you extract the funds, the card becomes unusable? So it's effectively a piggy bank?
Yes, it is effectively a piggy bank... once you peel the sticker and scratch off the panel, the private key is essentially "compromised"... the key should be "swept" ASAP and funds transferred to another secure wallet. Re-use should be avoided if possible.


Essentially, it's just a fancy "paper wallet" (or "physical bitcoin"), just in a plastic credit card format instead of being printed on paper or on a "coin" shaped object. You can also get tamper evident stickers/seals for paper wallets and most physical bitcoins use them as well.
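
An added example, not part of the thread and not Ballet's code: a BIP38 encrypted private key carries a 4-byte hash of its address, so once the sticker is peeled you can check that the hidden key belongs to the visible deposit address before scratching off the passphrase. Function names are hypothetical, the sample key is constructed with filler ciphertext, and nothing is decrypted.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_encode(payload: bytes) -> str:
    n = int.from_bytes(payload + sha256d(payload)[:4], "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out  # BIP38 payloads start with 0x01, so no leading-zero padding

def b58check_decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    if n >= 1 << (43 * 8):
        raise ValueError("too long for a BIP38 key")
    raw = n.to_bytes(43, "big")     # 39-byte payload + 4-byte checksum
    if sha256d(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch (misread QR code?)")
    return raw[:-4]

def inspect_epk(epk: str, deposit_address: str) -> dict:
    """Parse the cleartext header of a BIP38 key; no passphrase needed."""
    p = b58check_decode(epk)
    if p[:2] not in (b"\x01\x42", b"\x01\x43"):
        raise ValueError("not a BIP38 encrypted private key")
    ec, flags = p[1] == 0x43, p[2]
    want = sha256d(deposit_address.encode("ascii"))[:4]
    return {
        "ec_multiplied": ec,            # 0x0143: key material from two parties
        "compressed": bool(flags & 0x20),
        "has_lot_sequence": ec and bool(flags & 0x04),
        "address_matches": p[3:7] == want,
    }

def constructed_sample():
    addr = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # used only as a sample string
    filler = bytes(range(32))  # constructed stand-in for entropy + ciphertext
    payload = b"\x01\x43\x20" + sha256d(addr.encode("ascii"))[:4] + filler
    return b58check_encode(payload), addr

if __name__ == "__main__":
    epk, addr = constructed_sample()
    print(epk, inspect_epk(epk, addr))
```

A mismatch between the address hash and the printed deposit address means the two stickers or layers do not belong together, so funds sent to the visible address would not be spendable with the hidden key.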


Title: Re: I need help understanding how card HW wallets work
Post by: NotATether on October 23, 2020, 10:45:45 PM
I'm talking about cards like Ballet Crypto and Coinfinity, which have a QR code on them, and possibly a public or private key. What is inside the QR code, and how do you load it with funds? If private keys are revealed then how is that possible without compromising security?
Looking at the Ballet Crypto one... the visible QR Code is simply used for encoding the deposit address... the underneath side of QR sticker, has a second QR code that contains the "encoded private key" (it's a BIP38 encrypted private key).

This QR sticker also has to be peeled off to access the BIP38 private key QR code at the bottom layer, just like the passphrase has to be scratched off too to spend the money?


Title: Re: I need help understanding how card HW wallets work
Post by: HCP on October 24, 2020, 02:27:34 AM
Yes, it's a tamper-evident sticker... so when it has been peeled off to reveal the encrypted private key, the sticker has the tell-tale markings on it, so you can't peel it off, get the private key and then stick it back on again and it looks "normal".

Then you have to scratch the panel to get the decryption key for the encrypted private key... then you can decrypt the key and access the coins.


Title: Re: I need help understanding how card HW wallets work
Post by: Stalker22 on November 07, 2020, 12:19:47 PM
Yes, it's a tamper-evident sticker... so when it has been peeled off to reveal the encrypted private key, the sticker has the tell-tale markings on it, so you can't peel it off, get the private key and then stick it back on again and it looks "normal".

Then you have to scratch the panel to get the decryption key for the encrypted private key... then you can decrypt the key and access the coins.

Did I get it right, card wallets are predefined (manufactured) with a private/public key combination?
So, essentially, we have to trust the manufacturer that the keys are not stored anywhere in the production process and will never be leaked or hacked from some database?


Title: Re: I need help understanding how card HW wallets work
Post by: HCP on November 07, 2020, 12:50:26 PM
Yep, like a lot of premanufactured "physical" coins... you're relying on the manufacturer to not keep records on the private keys... with the Ballet Crypto one, they were claiming in the docs that the private key and encryption key are actually generated by 2 different parties and that nothing is stored anywhere etc

refer: https://www.balletcrypto.com/en/2FKG/#three


Title: Re: I need help understanding how card HW wallets work
Post by: Lucius on November 08, 2020, 11:10:48 AM
Did I get it right, card wallets are predefined (manufactured) with a private/public key combination?

It all really comes down to trust, only in the specific case of these crypto wallets that trust should really be great. When you buy a hardware wallet such as Nano S/X or Trezor, the process of generating the seed should ensure that only the owner is in possession of key information (seed words), and that this information was created at random. Ledger is using Random Number Generator (https://support.ledger.com/hc/en-us/articles/360010073520-Quality-of-randomness) which is part of their Secure Element.

While no HW is perfect, the fact is that those who pre-generate private keys should not be considered secure - because key information is not only known to the owner, but also to whoever generated that private key.


Title: Re: I need help understanding how card HW wallets work
Post by: Coin-Keeper on November 08, 2020, 06:35:30 PM
Did I get it right, card wallets are predefined (manufactured) with a private/public key combination?

It all really comes down to trust, only in the specific case of these crypto wallets that trust should really be great. When you buy a hardware wallet such as Nano S/X or Trezor, the process of generating the seed should ensure that only the owner is in possession of key information (seed words), and that this information was created at random. Ledger is using Random Number Generator (https://support.ledger.com/hc/en-us/articles/360010073520-Quality-of-randomness) which is part of their Secure Element.

While no HW is perfect, the fact is that those who pre-generate private keys should not be considered secure - because key information is not only known to the owner, but also to whoever generated that private key.

The other obvious option would be to use a fully/truly air-gapped Live Disk computer to generate your SEED.  Then use that when you load your hardware wallet.  This would seem to eliminate the possibility that the hardware wallet mfg did employ setup keys that could be broken by THEM.  Since this method is a Live Disk there would be NO digital possibility of SEED exposure.  Simply write the SEED words on a piece of paper and proceed from there with loading the hardware wallet.


Title: Re: I need help understanding how card HW wallets work
Post by: Stalker22 on November 08, 2020, 09:10:02 PM
Simply write the SEED words on a piece of paper and proceed from there with loading the hardware wallet.

Thanks for the advice but I think you were mistaken. This topic is about card HW wallets that are already pre-generated with private keys like Ballet Crypto card and the like.
Read a few posts above this or at least the title of the thread and the original post by NotATether.


Title: Re: I need help understanding how card HW wallets work
Post by: The Sceptical Chymist on November 22, 2020, 07:38:45 PM
So, essentially, we have to trust the manufacturer that the keys are not stored anywhere in the production process and will never be leaked or hacked from some database?
Yeah, that's the lousy part of it--and me being impulsive, I ordered a Ballet wallet and am expecting it to arrive today.  I don't own much bitcoin, so I don't really need it, but it just looks like a really cool thing and I'd like to experiment with it.  I know I could have generated a paper wallet for the price of a piece of printer paper, but I had some credit to blow on Amazon and bought one.

with the Ballet Crypto one, they were claiming in the docs that the private key and encryption key are actually generated by 2 different parties and that nothing is stored anywhere etc
Well that's something positive at least.  I don't expect I'll ever store much on the Ballet, but we'll see what happens. 

Does anyone here have a Ballet wallet?  I don't recall reading any posts in which anyone said they'd tried it out.


Title: Re: I need help understanding how card HW wallets work
Post by: HCP on November 23, 2020, 07:14:35 PM
So, essentially, we have to trust the manufacturer that the keys are not stored anywhere in the production process and will never be leaked or hacked from some database?
Yeah, that's the lousy part of it--and me being impulsive, I ordered a Ballet wallet and am expecting it to arrive today.  I don't own much bitcoin, so I don't really need it, but it just looks like a really cool thing and I'd like to experiment with it.  I know I could have generated a paper wallet for the price of a piece of printer paper, but I had some credit to blow on Amazon and bought one.
And you won't ever own much BTC if you keep impulse buying hardware wallets! hahaha :D ;D :P

Still, I'd be keen on a review once you receive the wallet... To me, it's basically just a physical "coin" in plastic card format... huh, I only just realised they're made from stainless steel!!?! :o :o :o


Title: Re: I need help understanding how card HW wallets work
Post by: Pmalek on November 23, 2020, 11:47:04 PM
@The Pharmacist
I wouldn't be interested in trying one to be honest. Pre-generated keys that are physically written and saved on the same device only to be revealed with a scratch-off. Seems like you have to trust everyone involved in the development process not to act in a malicious way.

I have already been let down by Ledger and their team. It's not really a good time to experiment further with my bitcoins. I am still interested in how you like it once it's in your hands.

Edit: Just saw your other thread with your feedback!


Title: Re: I need help understanding how card HW wallets work
Post by: The Sceptical Chymist on December 15, 2020, 09:12:30 PM
Edit: Just saw your other thread with your feedback!
Ehhhh.....not for nothing, but where did that thread go to?  I wanted to read some of the comments there that I remember, because some members had recommended a certain version of the Ballet, but for the life of me I can't find the thread that I created specifically about the Ballet.

Mods: any idea where that went to?  Did I break any rules with that?

I'm thinking of buying a late-minute Christmas present for a family member who I think would appreciate it, and it's probably going to be one of the Ballet wallets. 


Title: Re: I need help understanding how card HW wallets work
Post by: HCP on December 15, 2020, 10:31:56 PM
Ehhhh.....not for nothing, but where did that thread go to?  I wanted to read some of the comments there that I remember, because some members had recommended a certain version of the Ballet, but for the life of me I can't find the thread that I created specifically about the Ballet.

Mods: any idea where that went to?  Did I break any rules with that?

I'm thinking of buying a late-minute Christmas present for a family member who I think would appreciate it, and it's probably going to be one of the Ballet wallets. 
Do you mean this one: https://bitcointalk.org/index.php?topic=5292310.msg55658855#msg55658855 ???

It seems it got moved to the "Marketplace - Goods" section...

Also, PROTIP: check your "My profile -> Show the last topics started by this person" link to find threads you've created ;)