Bitcoin Forum
Author Topic: Time to bust a myth. Paper wallets are less secure than normal encrypted wallets  (Read 12322 times)
CIYAM
Ian Knowles - CIYAM Lead Developer
April 06, 2015, 07:14:03 PM
 #61

I created the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an "old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that they have made all modern hardware now suspect).

Like it or not we are in the middle of a "war" against privacy (which the major governments of this world hope we will lose).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
Blazr (OP)
April 06, 2015, 07:17:22 PM
 #62

I create the CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) for the purpose of making safe offline "cold storage".

To be really secure I would advise buying an "old computer" that predates any of the NSA attacks upon hard-drive firmware, etc. (yes it is a pity that the US has made all modern hardware now suspect).

The NSA hard drive firmware malware used browser exploits and other techniques to gain access to the device and then reflash the hard drive firmware in order to hide its existence from the operating system and survive a reformat. Also their malware is at least 6 years old, so you'll need some REALLY old hardware.

I would recommend just walking into a computer shop and picking up a sealed computer off the shelf from a manufacturer you trust. You need to trust the manufacturer hasn't inserted any backdoors, which can be difficult. Picking up one at random from a store prevents against targeted attacks, for example the NSA are known to intercept computer hardware in the mail and insert backdoors into it (the infamous Cisco router).

CIYAM
April 06, 2015, 07:18:35 PM
 #63

Also their malware is at least 6 years old, so you'll need some REALLY old hardware.

My cold storage laptop is around 10 years old (which actually made it very cheap to buy). :)

And it *cannot* connect to the internet (apart from getting its WiFi card removed I ruined its plugs to prevent anyone plugging in anything to connect it).

Blazr (OP)
April 06, 2015, 07:23:10 PM
 #64

My cold storage laptop is over 10 years old (which actually made it very cheap to buy). :)

And it *cannot* connect to the internet (apart from getting its WiFi card removed I ruined its plugs to prevent anyone plugging in anything to connect it).

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good.

One issue is if there was malware on both cold PC and online PC then the QR code could simply be replaced by the malware with the actual private key and when you scan the QR the online PC sweeps it into the hacker's wallet. Also I don't think your solution can prevent against the R value issue, can it?

CIYAM
April 06, 2015, 07:25:07 PM
 #65

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good, but I don't think your solution can prevent against the R value issue, can it?

I'd need to change the signature system to use deterministic values to be certain against that (if vanitygen would add that then it would be relatively easy to incorporate).

Blazr (OP)
April 06, 2015, 07:27:28 PM
 #66

Yep a good step, however as you know there is the whole R value issue, and the method used to transmit the transaction data. I believe your system uses QR codes to transmit the transaction data, which is good, but I don't think your solution can prevent against the R value issue, can it?

I'd need to change the signature system to use deterministic values to be certain against that (if vanitygen would add that then it would be relatively easy to incorporate).


I have been reading about this, I don't know enough about deterministic values, they aren't widely used yet, I believe Armory is only testing them right now, hopefully they can improve the situation.
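
The "deterministic values" mentioned in the two posts above are taken here to mean deterministic ECDSA nonces in the style of RFC 6979 (an assumption; the thread does not name a scheme). The sketch below is an added example, not part of either post and not CIYAM Safe or Armory code: it derives the nonce k from the private key and message with HMAC-SHA256, so signing needs no random number and the same inputs always give the same k. The demo key and messages are constructed; the P-256 values are the published RFC 6979 A.2.5 test vector.

```python
import hashlib
import hmac

# Group orders. secp256k1 is the curve Bitcoin signs with; P-256 is here only
# because RFC 6979 appendix A.2.5 publishes a test vector for it.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# RFC 6979 A.2.5 vector: private key, and expected k for SHA-256 / "sample".
RFC_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60

# Constructed demo key (never use a key like this for real funds).
DEMO_PRIV = 0x1111111111111111111111111111111111111111111111111111111111111111


def _bits2int(data, qlen):
    """Interpret bytes as an integer, keeping only the leftmost qlen bits."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _bits2octets(data, q, qlen, rlen):
    """Reduce a hash modulo q and encode it on rlen bytes."""
    return (_bits2int(data, qlen) % q).to_bytes(rlen, "big")


def rfc6979_nonce(priv, message, q, hashfunc=hashlib.sha256):
    """Return the deterministic nonce k for (priv, message), RFC 6979 sec. 3.2."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfunc(message).digest()
    hlen = len(h1)
    seed = priv.to_bytes(rlen, "big") + _bits2octets(h1, q, qlen, rlen)

    def mac(key, data):
        return hmac.new(key, data, hashfunc).digest()

    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(k, v)
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # Out of range: update K and V and try again, as the RFC specifies.
        k = mac(k, v + b"\x00")
        v = mac(k, v)


def self_check():
    """True if this implementation reproduces the RFC's published nonce."""
    return rfc6979_nonce(RFC_PRIV, b"sample", P256_N) == RFC_K_SAMPLE


if __name__ == "__main__":
    print("matches RFC 6979 A.2.5 vector:", self_check())
    for msg in (b"constructed tx A", b"constructed tx A", b"constructed tx B"):
        print(msg.decode(), hex(rfc6979_nonce(DEMO_PRIV, msg, SECP256K1_N)))
```
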

Pietjebel
April 06, 2015, 07:29:41 PM
 #67


Quote
He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen.

How is this even possible, the funds belonging to a private key need to be spent all at once right?

No. You need to "spend" all the funds in each input that you are sending however it is possible to make the change go back to the address that originally had the funds as is encouraged by the use of paper wallets.

It would be possible to have multiple inputs to an address and only spend one or some of them.

Thanks for explaining, didn't know.
CIYAM
April 06, 2015, 07:30:16 PM
 #68

I believe Armory is only testing them right now, hopefully they can improve the situation.

My problem with Armory has always been that they don't do QR codes (instead rely upon USB devices that could be hacked) simply because they try to be a "wallet" rather than just a "cold storage" solution (so CIYAM Safe is actually *safer* than Armory).

bitebits
April 06, 2015, 07:30:25 PM
 #69

However I had a friend who had his paper wallet hacked recently, which is why I decided to make this thread. He typed the private key into his computer to send some bitcoins out of it and a few hours later the rest of the funds on the paper wallet were stolen. We're still looking into exactly what happened [...]

You are aware that the remaining bitcoins go to a new change address?

You should always sweep the complete balance, as it's not safe to try to partially spend directly from the paper wallet itself.

- You can figure out what will happen, not when /Warren Buffett
- Pay any Bitcoin address privately with a little help of Monero.
Blazr (OP)
April 06, 2015, 07:32:56 PM
 #70

You are aware that the remaining bitcoins go to a new change address?

You should always sweep the complete balance, as it's not safe to try to partially spend directly from the paper wallet itself.

It doesn't really matter because the hacker still could've just had the malware send all the funds to his wallet the second the private key was typed in. In this case the hacker was lazy and just did it manually a few hours later, but the next hacker won't be so lazy.

Using change addresses with paper wallets requires using a new paper wallet each time you make a transaction, which you obviously should do, but very few people actually do that as it's not very convenient.

Blazr (OP)
April 06, 2015, 07:38:26 PM
 #71

My problem with Armory has always been that they don't do QR codes (instead rely upon USB devices that could be hacked) simply because they try to be a "wallet" rather than just a "cold storage" solution (so CIYAM Safe is actually *safer* than Armory).

Yes of course. There are a WHOLE lotta problems with USB sticks. QR codes are much much better. I personally like using an audiomodem to transmit the transaction data via sound card over a 3.5mm audio cable. QR codes have an advantage over an audiomodem in that an audiomodem can transmit data both ways which is a security risk, but the audiomodem is much more convenient, I always had trouble scanning the QR codes with the camera as my laptop only has a front-facing camera. I think an audiomodem is the best way to transmit the transaction data at the end of the day.

CIYAM
April 06, 2015, 07:45:51 PM
 #72

I think an audiomodem is the best way to transmit the transaction data in the end of the day.

I think it probably depends upon the software being used - but assuming it doesn't allow for "executable code" (or scripts) then either QR or audio should be okay.

ACCTseller
April 06, 2015, 07:52:36 PM
 #73

I didn't say it is hard to backup. It is just that people don't care to do so. I don't like the idea of storing your seed in plaintext though, I would encrypt it with a weak PGP password (instead of a private PGP key) that way someone that hacks your cloud storage with social engineering cannot have immediate access to your private keys and you should have time to move your funds once you discover your cloud storage service is hacked. Plus if your computer is hacked then there is a good chance your cloud storage service account would get hacked as well.

You can do a very similar procedure with electrum as well.

When you do file>save copy in Electrum, the copy will be encrypted if the original was. Of course any wallet you put in the cloud should be encrypted, a few years ago dropbox had a security issue that allowed anyone to log in to anyone else's account without a password. The issue remained for a few hours.

Only the hand-written seed should be unencrypted, I would not recommend encrypting it as if you forget your password you'll have no way of accessing your funds, you should always have the means to access your wallet in the event you've forgotten your password.
You could tell it to display the seed and then save the text of the seed in a PGP encrypted file.

This would be essentially the same thing you would do with armory, except that armory is much more encouraging for you to back it up this way.
Blazr (OP)
April 06, 2015, 07:58:55 PM
Last edit: April 06, 2015, 08:10:35 PM by Blazr
 #74

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you shouldn't use a really high iteration count so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

Armory also tries to force you to make at least one unencrypted backup for this reason. Without a way of getting into your wallet without a password your wallet essentially becomes a brain wallet.

ACCTseller
April 06, 2015, 08:11:27 PM
 #75

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you should probably turn down the iteration count a bit so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

Armory also tries to force you to make at least one unencrypted backup for this reason.
Yes. For your paper version you should leave it in plaintext form as it would allow you to access your btc in the event you forget even a weak password.

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (with the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break, to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.
Blazr (OP)
April 06, 2015, 08:14:30 PM
Last edit: April 06, 2015, 08:35:12 PM by Blazr
 #76

When storing your seed in the cloud however you should keep it somewhat encrypted. I suggested using PGP with a weak password/pass phrase to decrypt (an attacker won't know that your password is weak and probably won't go in order starting with "a" up to "000..." (with the last "try" being something very long) but would rather either use a dictionary attack or try to brute force attack, both of which would take a long time to theoretically break, to the point that it is not possible without *very* good luck so it probably won't even be tried). But using a weak password means it is more difficult to forget.

Yes sorry I misunderstood you. Of course, you should encrypt all copies of your wallet except for the backup seed, especially the copy in the cloud. I'd personally recommend uploading a copy of the actual wallet file (which is what file>save copy does), since it's already encrypted (as long as you chose to encrypt the wallet in electrum) and you'll also backup your labels and any settings for electrum plugins that you use, plus you can import it straight into electrum without fumbling with PGP, which makes it easy to test your backup.

And you can see what the balance is without knowing the password, so if in 10 years time you find this wallet backup you'll be able to see it's empty and won't waste your time trying to crack it in hopes that you might have left 0.01BTC in there which could be worth a lot more then. I once found a really old truecrypt encrypted litecoin wallet on an old drive, I used to mine 50LTC a day back when it was like $0.05/LTC and LTC was now $20 so I was really stoked, took me ages to crack it as I didn't know what password I used and I didn't write down a hint or anything, but eventually I figured it out and it was empty :(

inBitweTrust
April 06, 2015, 11:01:17 PM
 #77

The great thing about this thread is that it discusses many of the security problems we have been concerned about and discussing for years.

The problem with this thread is it gives no context with the relative probabilities of each attack vector and exaggerates certain fears and then suggests one may as well simply use an encrypted wallet (which may or may not be true depending upon how the paper wallet was generated).

Ultimately, you can read the source code of entropy and even add your own salt to it if you believe it was tampered with but we must trust the hardware. This is why there is a growing movement of engineers supporting the open source hardware movement:

http://www.oshwa.org/
http://www.ohwr.org/

Good physical security and digital security is difficult to accomplish and you can never be 100% sure that your bitcoins are completely secure (or any of your physical items are 100% secure). What you can do is be extremely confident your bitcoins are secure. Additionally, the amount of effort you must place into security is highly relative depending upon if you are a political or legal target and how many bitcoins you need to secure. These aren't unique problems with bitcoin, but problems with securing any valuable assets.

The great thing about paper wallets is you have the ability to combine physical security with digital security when they are in multisig form or split with Shamir's Secret Sharing. The largest bitcoin exchanges and banks aren't doing this simply as a PR stunt because physical cold storage is a fad and insinuating this is misleading at least.

inBitweTrust
April 06, 2015, 11:09:49 PM
 #78

The problem is though, if you happen to get diagnosed with amnesia, you won't be able to access your Bitcoins to pay for treatment as you'll have forgotten all your passwords, so you should always have a way in to your wallet without a password in case you forget your passwords, which is why I recommend an unencrypted handwritten seed. If you absolutely must encrypt the seed, then you should at least store a password hint with it and you shouldn't use a really high iteration count so if you forget a character or two you'll be able to bruteforce your way in. Obviously such a seed should be kept in a very safe location if physical theft is an issue.

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created an insecure paper wallet with this suggestion.

What we really need is a comprehensive guide which details a best course of action based upon the threat level of each individual.

Thus the threat level may look something like this:

1) Minimal risk - Someone without a lot of bitcoins and generally good overall security behaviors
2) Moderate risk - Someone nontechnical or with poor security behaviors or with large amounts of bitcoin
3) High risk - Journalists, political activists, IT administrators, extremely wealthy or famous people
4) Paranoid risk level - High value criminals, large banks and exchanges, presidents and other political targets like Snowden, Appelbaum, etc.

With each of these risk levels one would have different recommendations.

Blazr (OP)
April 06, 2015, 11:14:07 PM
Last edit: April 06, 2015, 11:28:00 PM by Blazr
 #79

I like the way you are thinking when you are considering the insecurities of the user themselves here but you just negated the whole point you initially were making because essentially you just created an insecure paper wallet with this suggestion.

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, that's not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aforementioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

Your system is only as safe as its weakest point. I don't use obscurity or rely on the difficulty of writing a piece of malware to protect my coins. Put it this way: I am not very smart but there is no attack I have mentioned here that I couldn't pull off on my own with moderate funds. Preventing or mitigating most of the attacks I have mentioned so far is possible, I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

inBitweTrust
April 06, 2015, 11:29:14 PM
 #80

The point of this whole thread is that paper wallets are not more secure than encrypted ones. People always tell me their paper wallets are more secure than normal ones, that's not true. If you leave out the risks due to printers etc they are essentially the same level of security as a normal encrypted wallet, so using a paper wallet does not improve your security at all, if anything it slightly lessens it due to aforementioned risks of printers etc.

Paper wallets are very useful, just not as a security tool.

You keep mentioning the risks from printers and I have already addressed those concerns. If you use a dumb/simple printer with minimal cache and temporarily disabled your LAN and WiFi functionality of your printer, printed off the paper wallets from an entropy/clean and verified linux install, and then printed a few more documents after the fact to clear the cache, there is almost no risk for those bitcoins to be stolen if they are properly secured. Of course we both can discuss many possible attack vectors under such a circumstance and if you thought you were actively being targeted or spied upon you may want to use an open source laptop that a trusted friend bought for you, that you then checked and reviewed all the firmware and verified your version of linux, and printed off the paper wallets in a grounded Faraday cage, etc... all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

Your system is only as safe as its weakest point.

You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, then most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.
