Concerns over Hardware wallets

[Inside_and_UP]

from recent posts https://bitcoin.stackexchange.com/questions/88237/is-there-a-reason-to-why-bitcoin-core-does-not-implement-bip39/88244#88244
and older posts - https://bitcointalk.org/index.php?topic=812894.msg10907427#msg10907427  (Gregg Maxwell comment "Effectively BIP39 is a thinly veiled brainwallet scheme with a woefully weak KDF. It's prone to misuse, and when misused it picks up all the bad properties you might expect it to pick up.)

I am concerned about using Trezor, Ledger, Cold Card etc, regarding issues of PBKDF2. I believe that the seed is not adequate if I understand Greg Maxwell's comment..

 I would love direction from Greg Maxwell or other Core devs what method of cold storage is reasonable for security but not prone to significant error. Further one that provides reasonable redundancy for multiple locations.

Copying Private keys by hand for dozens of addresses seems a less than ideal way of securing value with out making substantial mistakes.
Someone suggested ZFEC for encrypton by Zooko, however that project seems to not be well maintained or still alive.

I have looked at the glacier protocol and Armory however, Bitcoin Armory is not well maintained and Glacier appears quite difficult.
But maybe that is the route one ought to take.

I am not a dev, as must be pretty obvious by now.
I would love some advice on is "best practices."And where might I find documentation for complete directions.

Thank you very much for your help.

[bob123]

Well, the problem with PBKDF2 is that it can be implemented with a small circuit.
This means it can be bruteforced at a fast rate using an ASCI (or even a GPU).

However, given that the keysize is way too big to even bruteforce a small portion of available keys, there are no practical security implications whatsoever.
If the number used to create the mnemonic is random (and not generated by a shitty/faulty PRNG) there is no negative effect from the key derivation function.

Gregg Maxwell comment "Effectively BIP39 is a thinly veiled brainwallet scheme with a woefully weak KDF. It's prone to misuse, and when misused it picks up all the bad properties you might expect it to pick up.)

This is completely quoted out of context.

BIP39 has nothing to do with a brain wallet. Maxwell was referring to the use of a password to additionally protect the seed.
If the original mnemonic code is known, it basically just is 'guessing' the correct password (which basically means that this layer of security is similar to a brain wallet).
If an attacker has the mnemonic code, he can simply bruteforce the passwords very efficiently (because of PBKDF2).

He was explicitly talking about the deniability in this context.



Practically, BIP39 is secure. It all depends on the RNG used.
If your seed is generated randomly (which then is being encoded into the mnemonic), you are fine.

Further, the 'plausible deniability' is not as strong as people think it is.


You can safely use BIP39 for cold storage, or you simply create a wallet using core (completely air-gapped of course), generate a few 100s or 1000s of addresses and use them to receive funds.

There are multiple approaches for cold storage.

[Inside_and_UP]

Thank you,
Can you point me to anything discussing  good methods for cold storage? Ideally there would be complete directions.
As I said I know of the glacier protocol.

[bob123]

You'll find a lot of articles and threads with google.


For as much security as possible, you need 1 thing:
An completely airgapped computer. Not connected to any network, no wifi/bluetooth, etc..

How exactly you store your private keys, is up to you.
You could use a core wallet.dat file, electrum, a hardware wallet which you only connect to that computer, an encrypted text file with private keys, multisig spread across multiple airgapped computers, etc...

[magdaniewczas]

You'll find a lot of articles and threads with google.


For as much security as possible, you need 1 thing:
An completely airgapped computer. Not connected to any network, no wifi/bluetooth, etc..

How exactly you store your private keys, is up to you.
You could use a core wallet.dat file, electrum, a hardware wallet which you only connect to that computer, an encrypted text file with private keys, multisig spread across multiple airgapped computers, etc...

Doesnt matter if the computer is airgapped if the passphrase is weak

[NeuroticFish]

Doesnt matter if the computer is airgapped if the passphrase is weak

If the cold storage is properly set, meaning it will never reach the internet, ever, the passphrase can even be empty!

OP will have watch-only wallet online which will be used to create the transactions and broadcast them and the intermediary step of signing them will be done by transporting the tx file with an USB stick to the offline cold storage.

The only security risk is the USB stick, but it's easy to configure to never actually run anything off it and it's OK.


Edit: I've set recently, for a test, a cold storage on Tails live OS with Electrum and it worked wonderfully.

[bob123]

Doesnt matter if the computer is airgapped if the passphrase is weak

What?

This doesn't make sense.


You could have the weakest passwords of all.. if no one gains access to the file, no one can actually even try a password.
On an airgapped computer, no one is supposed to gain access to the files except for you.
So no password is necessary.

Even on a standard desktop computer you don't need any password if you can guarantee (which you can't btw, but speaking theoretically here) that no one will access it.


What you rather should say is:
"Doesn't matter whether the passphrase is weak if the computer is airgapped"

That statement would be correct.. but would be absolutely unnecessary because no one claimed anything contradictory here.

[o_e_l_e_o]

The only security risk is the USB stick, but it's easy to configure to never actually run anything off it and it's OK.

A better option, rather than relying on any sort of live media to transfer transactions back and forth, is to use QR codes. Generate a transaction, turn it in to a QR code, scan it on the airgapped device, sign the transaction, turn it back in to a QR code, scan it on to the live device, and broadcast. That way you complete remove the risk of accidentally transferring malware to your airgapped device.

[bitmover]

Can you point me to anything discussing  good methods for cold storage? Ideally there would be complete directions.

For as much security as possible, you need 1 thing:
An completely airgapped computer. Not connected to any network, no wifi/bluetooth, etc..

As discussed already in other topics, this is certainly the best solution, however this is not viable for most of users.

Using a computer solely for that (as a wallet) is more expensive and requires additional work and knowledge than most of people are able to do.

I think ledger/trezor are still the best solutions for most users. Those wallets are easy to use, and as long you are not a completely newbie (such as putting your seed in your google drive or email draft) you are safe. Evil maid attack, or any other of those attacks are realistic almost impossible to happen, and a mistake while using an airgapped computer is much more likely to happen.