Time to bust a myth. Paper wallets are less secure than normal encrypted wallets

[Blazr]

This seems to be a pretty common myth among Bitcoiners now. Often what I hear people say is that paper is not hackable, therefore your Bitcoins are safe from hackers. However given actual realworld scenarios I am going to show you that a paper wallet provides no extra security than a properly made encrypted wallet stored on the PC.

For my examples, here are how the two types of wallets are created.




Paper wallet:
The user downloads software to generate a paper wallet, a common one is https://bitaddress.org.
Often times the user will disconnect their internet when generating the wallet, or if they are extra paranoid they will also use a live operating system, like a Ubuntu live CD, to run the paper wallet software.
The user generates a number of paper wallets, paranoid users will encrypt them with a password. The user will either print these out or handwrite them


Encrypted wallet:
The user downloads wallet software such as electrum
The user then creates a new wallet and encrypts it with a strong unique password, the user should never enter this password anywhere else other than the wallet software, and the password should be at least 80bits strong. In my example the user will use a randomly generated 16 character password made up of upper and lower letters, numbers and special symbols, which is 106bits.




The creation process:

We are going to pretend that the OS you use everyday on your computer is infected with malware during the creation process and see how the two types of wallets are vulnerable.

Paper wallet:
When you are creating the paper wallet, any malware on your PC can read the private keys. What most people will tell you to do is disconnect from the internet, that this will prevent the malware from sending back the private key, but it won't, the malware will simply wait until you reconnect to the internet and send the private key then.

But it doesn't even need internet to steal your bitcoins. The malware can interfere with the generation process itself, and give you a private key and Bitcoin address that is already known to the hacker. This is called
 backdooring the random number generator.

Now one will be quick to point out that if we are using a live OS like ubuntu that the malware won't be running and cannot do anything. That might be the case for many types of dumb malware, however there does exist malware that can hide in the BIOS and firmware of your computer and can infect your live operating system. Here are some examples of this type of malware in the wild:

http://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/
https://en.wikipedia.org/wiki/BadBIOS

If you print out your wallet, the printer provides a whole other avenue for attack. If it is a networked printer, when you hit print your computer will send your wallet out over the network unencrypted to the printer, allowing anyone to listen in and steal it. Some printers also have a built-in memory that stores what is printed out, even if you clear this memory it is possible to recover it in some cases with proper forensics tools.

Encrypted wallet:
An encrypted wallet is just as vulnerable as a paper wallet during the creation process. It too can have it's private keys transmitted by malware, or it's random number generator backdoored.

Summary:
Both wallets are just as vulnerable to theft. Paper wallets are slightly more vulnerable if you use a printer.

Disconnecting from the internet is entirely pointless and provides no extra security whatsoever. Running a live OS will somewhat protect you from dumb malware, however this is basically security through obscurity.




While your bitcoin is in storage:

Now we are going to pretend you've been infected with malware while your Bitcoins are in your wallet.

Paper wallet:
There is a small chance that whatever software you used to generate the paper wallet has left a trace behind on your computer during the creation process. The private key may have accidentally entered your swap and ended up written to disk. If this has happened then the malware can steal your Bitcoins.

If this has not happened then you are safe, because malware can't "jump" from your PC onto your paper wallet.
However you are not safe from physical theft unless you encrypted your paper wallet.

Encrypted wallet:
The malware can steal your wallet file, however, the wallet file is encrypted. Because the password is 16 characters long, the hacker cannot access your wallet. If the hacker had the computing power of all Bitcoin miners combined it would take 45964.97 years to crack just your wallet - and thats under a best case scenario. So even though the malware can read the wallet, it cannot do anything with it. Now some of you are going to say "keylogger" - we'll get to that in the next part.

Summary:
While the Bitcoins are being stored in the wallet, both wallets are very safe. Bitcoins can be physcially stolen from paper wallets if they are not encrypted, and if you use a weak password on your normal encrypted wallet then they can also be stolen.




While Sending Bitcoins:
Now we are going to pretend you've been infected with malware while you attempt to send Bitcoins from your wallet:

Paper wallet:
Once you enter in the private key into your computer the malware can immediately steal it and it's game over. Much like the creation process disconnecting from the internet or using a live OS won't help much as Bitcoin transaction has a random number called a K value, which the malware can backdoor to steal your Bitcoins even if you are offline. Also you need to go online to broadcast the transaction anyway.

Encrypted wallet:
Once you enter in the password into your computer the malware can immediately steal it (keylogger) and it's game over.

Summary:
Both wallets are completely vulnerable to theft.




Conclusion:
Paper wallets are hackable, despite claims that some people make, and are just as vulnerable as properly created encrypted wallets.
Paper wallets also have extra security concerns such as physical theft or if you use a printer.
Paper wallets may be cool, and they may be useful for some situations, but if you want to secure your Bitcoins, ignore all of the half-informed sheeple telling you to create a paper wallet and create a normal encrypted wallet, encrypt it with a strong randomly generated password and never enter this password anywhere other than the wallet software. This is safer than a paper wallet and MUCH more convenient. Also paper wallets encourage address reuse which is bad, if you use paper wallets you need to make a new wallet everytime you make a transaction if you want any kind of privacy at all.

[Blazr]

Any feedback would be much appreciated, I am still updating this. I had to explain to someone today how their paper wallet was hacked when they went to send Bitcoins from it, they were shocked when I told them paper wallets could be hacked just as easy if not easier than encrypted wallets. There is too much FUD and half-truths out there when it comes to information on Bitcoin, lots of people are completely misinformed.

[Blazr]

If I haven't created a M of N wallet on a permanently air gapped machine, and then stored the pieces in multiple different physical locations, I don't feel secure.

Yep. That is cold storage. If you are not creating your wallet and only using it on a permanently airgapped machine, then it is not cold storage. Paper wallets are not cold storage unless they are created and exclusively used on an airgapped machine.

[Jakesy]

As a sort of counter argument for some of the paper wallet drawbacks (i.e. printer, hacked computer)... you can create your own machine AND printer as an all-in-one device that never touches the internet: https://github.com/piperwallet/Piper

You can inspect the code for these backdooor random number generator.  And you can order your own raspberry pi and printer accessories online to assemble yourself.  Bonus: it doubles as a digital backup AND you can backup to as many USBs as you would like.  

The ONLY drawback to this method is that you have to keep the machine as safe as your paper wallets (safe from theft).

[Blazr]

As a sort of counter argument for some of the paper wallet drawbacks (i.e. printer, hacked computer)... you can create your own machine AND printer as an all-in-one device that never touches the internet: https://github.com/piperwallet/Piper

You can inspect the code for these backdooor random number generator.  And you can order your own raspberry pi and printer accessories online to assemble yourself.  Bonus: it doubles as a digital backup AND you can backup to as many USBs as you would like.  

The ONLY drawback to this method is that you have to keep the machine as safe as your paper wallets (safe from theft).

Storing an encrypted wallet on the separate machine is just as safe, if not safer (physical theft), and  it's much more convenient than scanning QR codes/typing in private keys and printing a new paper wallet each time you make a transaction.

By the way, the software you chose there, Piper, uses a weak random number generator:
https://github.com/piperwallet/Piper/blob/master/randomPass.py

it is using random.randint to generate the seed, this is not a cryptographically secure way of generating random numbers:
https://blog.spideroak.com/20121205114003-exploit-information-leaks-in-random-numbers-from-python-ruby-and-php

It may be possible for a hacker to predict the private keys of everyone who uses that software. I would stay far away from this project.

[Light]

Paper wallets also have extra security concerns such as physical theft or if you use a printer.

Paper wallets may be cool, and they may be useful for some situations, but if you want to secure your Bitcoins, ignore all of the half-informed sheeple telling you to create a paper wallet and create a normal encrypted wallet, encrypt it with a strong randomly generated password and never enter this password anywhere other than the wallet software.

This is safer than a paper wallet and MUCH more convenient. Also paper wallets encourage address reuse which is bad, if you use paper wallets you need to make a new wallet everytime you make a transaction if you want any kind of privacy at all.

Agree with most of it.

Since we're going into the scenarios where you have malware residing in your BIOS specifically aimed at adjusting the RNG of your address generator (which is highly unlikely), you've ignored the fact that someone could break into your house and steal you're air gapped device. It is just as prone to physical theft.

TBH, paper wallets are pretty much just as secure as an air gapped machine (assuming you use BIP38 to secure it) - but yes they are less convenient if you need to move coins regularly. For people like myself you don't intend to move coins for an eternity, I don't necessarily need an airgapped machine to sign transactions I'm not going to make.

Mathematically, reuse makes the address marginally less secure - but yes, it hurts your privacy.

[Blazr]

Since we're going into the scenarios where you have malware residing in your BIOS specifically aimed at adjusting the RNG of your address generator (which is highly unlikely),

Thats actually not as difficult to do as you might imagine, all the malware needs to do is mess with the RNG in the Linux kernel, which is stored in a known place and is stored unencrypted even in most types of full disk encrypted machines. So it's just "run this patch against the kernel". The hard part is that there are many different kinds of BIOS's, and the malware needs to be tailored against each type. This can be overcome by not using the BIOS but using the hard drive firmware like the NSA did in the article I linked, almost all hard drives come from 12 manufacturers and each manufacturers firmware is almost identical across all their products so you only need 12 variants to be able to infect almost any hard drive.

you've ignored the fact that someone could break into your house and steal you're air gapped device. It is just as prone to physical theft.

No use, its an encrypted wallet.

TBH, paper wallets are pretty much just as secure as an air gapped machine

No.

[Light]

Thats actually not as difficult to do as you might imagine, all the malware needs to do is mess with the RNG in the Linux kernel, which is stored in a known place and is stored unencrypted even in most types of full disk encrypted machines. So it's just "run this patch against the kernel". The hard part is that there are many different kinds of BIOS's, and you would need to write one for each kind. This can be overcome by not using the malware but using the hard drive firmware like the NSA did in the article I linked, almost all hard drives come from 1 of 12 manufacturers and each manufacturers firmware is almost identical across all their products.

If you do it properly and buy a new machine (ie. Rasp Pi) and run a live version of Linux which you've checked against the SHA and MD5 sums it is incredibly unlikely. If we're going down the NSA route - the reality is there is nothing you can do about it. Good luck not using a computer which hasn't been tampered with if the NSA wants it tampered with. For all you know, the NSA could have broken all forms of encryption or inserted backdoors rendering it all useless.

No use, its an encrypted wallet.

I'm not saying it's gonna get your coins stolen - in comparison to paper wallets I'm saying BOTH can be physically stolen.

No.

How is it less secure than a cold storage device? Both are open to the same vulnerabilities - and unless your an actuary who can quanitfy the likelihood of risk associated with each vulnerability then I'll take them as being the same.

[Blazr]

If you do it properly and buy a new machine (ie. Rasp Pi) and run a live version of Linux which you've checked against the SHA and MD5 sums it is incredibly unlikely. If we're going down the NSA route - the reality is there is nothing you can do about it. Good luck not using a computer which hasn't been tampered with if the NSA wants it tampered with. For all you know, the NSA could have broken all forms of encryption or inserted backdoors rendering it all useless.

I mentioned the NSA as we know the most about their attacks on BIOS and firmware due to the leaks and Kaspersky's report, but these attacks are not THAT difficult to pull off. Some eastern european crybercriminal gangs have used similar techniques to steal from banks, and it's only a matter of time before they turn to Bitcoin.

If your going to buy a fresh PC use it for cold storage with an encrypted wallet, using a paper wallet provides no extra security and extra hassle.

I'm not saying it's gonna get your coins stolen - in comparison to paper wallets I'm saying BOTH can be stolen.

encrypted wallets have the benefit here, because they are encrypted with a strong password you can back them up remotely so even if your cold storage PC is stolen you can still get at your funds. Paper wallets can also be backed up of course, but storing them in remote locations can be difficult, and you have to physically go there to check if its still intact.

How is it less secure than a cold storage device? Both are open to the same vulnerabilities - and unless your an actuary who can quanitfy the likelihood of risk associated with each vulnerability then I'll take them as being the same.

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

[Light]

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

That's the thing I'm not planning on spending from those address for a very long time - meaning they're just there as storage. But if needs be I could easily set up a cold storage and sign txs offline.

For people in my case, you don't need a secondary device till you actually want to spend. The only vulnerability is the initial creation - which we have discussed.

Basically if done correctly - both are just as safe.

[Blazr]

What device do you use to spend from your paper wallet?

If you are using the paper wallet with a cold storage device then it is just as safe as the device itself. If you are using the paper wallet with your everyday PC, it is obviously less secure.

tl;dr; paper wallets are only as secure as the device you use them with, in the best case scenario.

That's the thing I'm not planning on spending from those address for a very long time - meaning they're just there as storage. But if needs be I could easily set up a cold storage and sign txs offline.

For people in my case, you don't need a secondary device till you actually want to spend. The only vulnerability is the initial creation - which we have discussed.

Basically if done correctly - both are just as safe.

You need a secure device to create it and a secure device to spend it. Sure you could keep it on a paper wallet instead of keeping it on the device itself, but seeing as you have to actually have the device to create the paper wallet I don't see the usefulness of this much.

In your case you had a secure device when creating the paper wallet, I don't know why you can't use this same secure device to store and spend them.

[Light]

You need a secure device to create it and a secure device to spend it. Sure you could keep it on a paper wallet instead of keeping it on the device itself, but seeing as you have to actually have the device to create the paper wallet I don't see the usefulness of this much.

In your case you had a secure device when creating the paper wallet, I don't know why you can't use this same secure device to store and spend them.

You're right, I could. But I had other plans to use that device aside from just initially generating and storing a wallet.

But for me, where I'm located, fires and floods are a greater risk - so being able to store keys in different locations rather than on a single device in my home is a better solution. Theoretically I could purchase multiple Pi's or whatever but it kinda becomes inefficient and unfeasible - especially if you're storing it in hard to get places.

[gmaxwell]

Thanks. You might want to change the ":" to a "." since its easy to misread the title, I loaded this thread all ready to chew you out and disagree with you; only to realize that you were saying the opposite of what I expected from the title.

"Paper wallets" have been the subject of a bunch of marketing push from a couple different angles. They're fun, some people have a commercial interest in them, they make for good security theater. But seldom do they make for good security.  Ignoring malware the number one risk to people's bitcoins is loss/destruction, and often the paper does particular poor there without special care. (I've now dealt with two people that lost substantial amounts of bitcoins due to paper wallets and water damage!).

An extra data point is that the web services you see are cryptographic crapshoots.

They have random unreviewed crypto code, written by someone who's never done anything like it before or copy-pasta from someplace else that had no review. I've seen a fair amount of stuff that was so broken that you had to have at least four kinds of cluelessness before you would think that the approach taken had any chance of being correct. It's bad enough that you can't ever find intentional backdoors because the honest mistakes are so crazy and so common that an actual backdoor would just hide in the noise.

Not that this problem is unique to the paper wallet space, but it seems to be especially bad there...

The web and JS is already a very hostile environment for writing secure cryptographic code-- JS has a lot of subtle, browser specific, implicit behavior and "action at a distance" that makes it hard to review, review is just not a cultural norm for most web software, the browser execution environment fundamentally cannot provide constant time operation or data leak free operation. ... and basic "key generator" and "signing" code is fairly easy to do (at least if you don't care to do it very well) and a fun little project.  Then these pages are loaded without HTTPS across an untrusted network, through an untrusted CDN from an untrusted server, hosting files for an anonymous and untrusted author.

A bunch of things that would be better described as "Jonny learns to code" are finding themselves in production use with hundreds of thousands of dollars flowing through them, because the end user has no means to judge the integrity of the work or the process that produced it. (And often the authors themselves have no idea how risky things are, or worse-- developer confidence can be inverse related to competence due to the Dunning-Kruger effect).  I'm not sure what to do about this in the ecosystem; it's pretty clear to _me_ when some piece of code or its process has no evidence of meeting even the most basic standards, because I live them every day, but I have almost zero desire to go play gmaxwell-the-destroyer-crusher-of-dreams crapping on other people's project with unsolicited and often unappreciated reviews (it's amazing how hostile some developers are when you point out their stuff is actually broken, not just theoretically ugly), nor do I have the time to do it all myself.

[futureofbitcoin]

I guess now's a good time to ask...


Is there a good way that won't take hours to manually calculate a private-public key pair?

[Blazr]

Thanks for the reply gmaxwell. Yep you are right about the badly coded paper wallet generators, take a look a few posts above, someone linked me a "secure" paper wallet generater that uses python's random.randint to pick a seed - you couldn't even make this shit up.

Is there a good way that won't take hours to manually calculate a private-public key pair?

Use any normal wallet, Bitcoin Core, electrum, Armory. Don't mess around with private keys, only developers need to know what those are, just look after your wallet file (back it up) and your password (strong unique password that you ONLY type into the software) and your good to go.

[fox19891989]

I think so too, if thieves know bitcoin, they would easily steal the wallet, but he hardly know how to decrypt a wallet, that only hackers know.

So paper wallet is preventing hackers, but not thieves.

[Blazr]

I think so too, if thieves know bitcoin, they would easily steal the wallet, but he hardly know how to decrypt a wallet, that only hackers know.

So paper wallet is preventing hackers, but not thieves.

Please read the OP fully whenever your spamming your sig. TY.

[johnyj]

1. 99 dice cast gives you a perfect private key, base 6

2. The difficulty lies in how to review the code that transform this key into WIF format and address

3. If the above can be ensured, signing offline tx will do the spending part

[odolvlobo]

...
Paper wallet:

Plug Mycelium Entropy into printer USB port.
Print paper wallet.

FTFY

Creating a paper wallet can be completely immune to hacking.

[Blazr]

...
Paper wallet:

Plug Mycelium Entropy into printer USB port.
Print paper wallet.

FTFY

Creating a paper wallet can be completely immune to hacking.

Some printers have a built-in memory.

How do you spend the wallet? you need to enter the private key into a device to spend it putting it at risk of hacking. So it has the same risk of being hacked as a normal encrypted wallet, plus the risk of physical theft (if it is unencrypted or not properly backed up) and the risk of the printer memory potentially saving a copy of it.