Bitcoin Forum
May 26, 2024, 12:26:29 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Improving Offline Wallets (i.e. cold-storage)
Pages: « 1 2 3 4 5 6 7 8 [9]  All
« previous topic next topic »
  Print  
Author Topic: Improving Offline Wallets (i.e. cold-storage)  (Read 19607 times)
gokudev
Newbie
*
Offline Offline

Activity: 30
Merit: 0


View Profile
April 28, 2014, 02:27:02 AM
 #161
Quote from: Ente on April 13, 2014, 10:33:11 AM
Quote from: gokudev on April 11, 2014, 06:20:49 PM
Quote from: flipperfish on April 11, 2014, 09:12:08 AM
Quote from: gokudev on April 09, 2014, 02:52:15 PM
Are there any problems with using a vpn connection instead of a usb ? What are some possible security risks?

If the VPN connection is based on OpenVPN, which uses OpenSSL by default, there would be for example the heartbleed bug, if it is not yet fixed on the machine you use.

So windows servers are not affected by this bug. Microsoft uses something called sstp to secure vpn.



It totally depends on the software used.
But in genertal, the more complex and big a system is, the more points of failure there are. And here, we have two instead of one computer, they both are online, and you have a vpn in between. Enhanced physical security may be worth it, depending on the situation. Nice to know that noone can just break in, grab a computer, and has everything he needs.

Edit:
The important part is to distinguish two designs:
- "security measures in parallel", like a chain where you only have to break the weakest link (break one of the two computers or the VPN)
- "security measures in series", like layers where you have to break through all of them (like n-of-m, on paper wallets, encrypted)

Besides that, a "safe fallback" is good. "If anything irregular happens, it all shuts down and is fine" (like full hdd encryption for example). Also, consider every single component to be compromised. A million bonus points for designing a setup where every single component may be compromised at the same time, and you still don't lose :-)

Ente

Ente

The system I am building for a project, will be responsible for transferring unsigned transactions from hot storage to cold storage, signed them and bring them back online via some api and broadcast them. The setup I have come up with is using VPN over SSTP protocol which is not affected by the heartbleed bug and 2 form authentication on azure. So the idea is everytime a user wants to either withdraw funds from cold storage or send bitcoins/altcoins and if there isnt enough coins in the hot wallet, the user would have to vpn into the cold storage and provide 2fa. Then the cold storage server will sign the transaction and send back the signed transaction to the hot storage through vpn.

 
Ente
Legendary
*
Offline Offline

Activity: 2126
Merit: 1001



View Profile
April 28, 2014, 05:09:51 PM
 #162
So the online computer has all necessary info, passwords, certificates, to connect to the 'offline' computer and have the transaction signed? With no human interaction? This sounds like a completely online system for me.
Yes, you wrote about 2FA. It might be safe when you do all of this right, including having things in mind like MITM- and replay-attacks.
The point about "cold storage", "offline computer" and "airgap", is, well, the non-connectivity to any other system besides the operator sitting in front of it ;-)

Ente
huanghq
Member
**
Offline Offline

Activity: 74
Merit: 28


View Profile
March 06, 2015, 08:08:53 AM
 #163

I write a simple application to transfer data through air gap by QR code movies:

flipqr
https://bitcointalk.org/index.php?topic=978033.msg10676780
Pages: « 1 2 3 4 5 6 7 8 [9]  All
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Improving Offline Wallets (i.e. cold-storage)
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!