Time to bust a myth. Paper wallets are less secure than normal encrypted wallets

[Blazr]

all of this isn't necessary for the average user and what I have a few steps creating a standard paper wallet is far more secure than electrum on a windows PC.

No its not. How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

[1715632756]

1715632756

[1715632756]

1715632756

[1715632756]

1715632756

[1715632756]

1715632756

[1715632756]

1715632756

[1715632756]

1715632756

[inBitweTrust]

How do you spend your paper wallet? on the same PC, putting it in exactly the same risk as the electrum one, which is also safe until you enter you password to send from it (assuming the creation process was done safely much like the paper wallet). And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

You are suggesting that one should secure their life savings on the same PC they browse porn on ?

I'm currently writing up a guide. Keep an eye out for it, it's easier than fumbling with paper wallets and provides tangible security. There is no need to have different levels of security when the highly paranoid option is easy and cheap.

Sounds good , I am always open to new ideas and criticisms... look forward to your guide.

[Blazr]

You are completely ignoring the relative costs and difficulties of each attack vector. You are also ignoring the fact that users do not need to choose between options but can employ multiple types of security, where if any of them fail due to a mistake, security flaw or backdoor, than most of the savings is still secure because it was secured with other methods or at a different time and with different hardware.

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

And thats not even the only way to steal from a live CD. Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

[Blazr]

Nope.... you are making assumptions which I already refuted. I keep multiple devices that are air gaped (sneakerware tech(TM )) that allows me to import small amounts of cold storage into hardware that hasn't touched the network and cannot touch the network until needed.

GREAT! the airgap provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

[inBitweTrust]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one set of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated and a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.

GREAT! cold storage provides actual tangible security. That is what is giving you the security, not the paper wallets. You could store electrum on that and it would be just as secure as the paper wallets.

Yes, only if I used multisig or Shamir's Secret Sharing splits between multiple sets of hardware. You know how many laptops and raspberry pis I would need to buy?
 
This is where paper wallets are useful.

[Blazr]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user only needs to unplug their router, plug in an entropy, click a button a few times to create multiple SSS paper wallets, print a few more documents to clear cache, input one of their shards into their encrypted password manager and destroy the paper associated. For remaining 2 shards of all the sets laminate them place one set in a safe, and the 2nd set secure at their parents or relatives safe or time capsule, and send their BTC to the public addresses.

This isn't that complicated a one time task and way more secure than what you are suggesting.

Personally , I have gone way beyond this but only because it was a fun process in security.

I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

[Cruxer]

For me they are both as secure as their end-user

[inBitweTrust]

Which attack do you think is out of range for the actual hackers who are making millions off of ripping off banks?

A centralized repository to secure multiple accounts is insecure by design and why I typically tell users to avoid bitcoin banks or exchanges for storing their savings.

I think the main thing putting you off was me mentioning the NSA firmware thing as a way to infect a live CD. While that attack is rare and expensive, you only need to write the malware once and you can infect millions of people with it. The NSA had the unit cost of their malware listed as $0, meaning an infection cost them nothing, they only had to pay the few million to make it, and I think that price is in range of criminals. So all the bad guys gotta do is write the malware once and then spread it to as many people as they can, so it doesn't matter if you have 1BTC or 1,000BTC, you could still be infected by multi-million dollar malware just as easily.

They cannot retroactively insert malware into existing and audited linux images. Yes, there could have been a unknown vulnerability that was missed initially (I.E..heartbleed) but this doesn't necessarily mean you are compromised and that your bitcoins will be stolen when you import part of your savings.

Like I said before, the RNG on a live CD is predictable, with some analysis with common computer hardware it may be possible to crack it. The RNG used on the website http://brainwallet.org was broken in a similar fashion and everyone who used it had all their bitcoins stolen. The LRNG would be harder to break than the brainwallet.org one of course, and it won't get everyone, some people may not have their funds stolen.

You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.

And when you burn the CD, how do you know the ISO you wanted was burnt? It is trivial to write up a piece of malware that could switch the ISO the burning software uses. You can protect against this by checking the CD again on another machine however.

And if you are burning it to a USB, if you happen to plug that USB in anytime in the future when your running your main OS then the malware can modify the kernel and backdoor the RNG, I have a patch file right here that will backdoor the LRNG, it's insanely easy to do.

Yes , there are some extra security steps that must be checked and followed that most users will never do. This is why there are hardware wallets and devices like entropy... because they allow easy and good enough security for the average person.

[Blazr]

You are making an assumption that the Live CD is what should be used to create the paper wallets and not merely spend them. I agree that  online generators are more vulnerable.

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

[inBitweTrust]

I haven't suggested anything yet, but to setup a pretty secure cold storage, all you need to do is type this into a linux terminal:

git clone https://github.com/spesmilo/electrum
gpg --recv-keys 0x2BD5824B7F9470E6
git tag -v 2.0.4 (check it says good signature, if so, your download has not been tampered with)
git checkout 2.0.4
chmod +x electrum
./electrum

This will download electrum from source, verify its signature to prevent tampering.
If it runs copy the folder onto your cold PC and run git tag -v 2.0.4 and git checkout 2.0.4 again in case it was tampered by your main PC.

select standard wallet
write down seed on paper
set strong password
wallet > MPK and scan QR code with online PC.
Connect audio cable between online PC and cold PC.

Done. Like your example this could be a lot better, but its pretty good.

I completely agree, and what you just explained is one security method I originally did for myself before I created a more elaborate method with paper wallets.

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

[Blazr]

We may simply be talking past each other.... If what you are suggesting is that you can take separate computer with a clean linux install and only use it to secure your bitcoins and than disable the networking on it (possibly temporarily enabling for periodic updates and patches that are audited)... and while it might be slightly weaker security than what I suggested it still is good enough security for most.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

[inBitweTrust]

When you make a transaction your client needs to insert a random number in it, called an R value. If this number isn't random the attacker can compute your private key by scanning the blockchain. This is what happened to blockchain.info when they almost lost >1000BTC recently.

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

Pretty much, except for the connecting to the internet part. I'm still working on the guide along with some handy python tools. You don't need security patches, very few security issues in the OS will affect you, you may need to update your bitcoin client however but that can be done relatively safely now that you have the dev's PGP key on your cold PC. You can actually do a git pull over the audio cable (I have a python scripts that can do this in a safe manner) and verify the sigs and check a diff of the code if you wish. it's awesome.

Sounds good, I look forward to adding your guide to my list of recommendations. I haven't listed my security arrangement yet because it is too complicated for the average user and I don't feel like writing it all out.

[Blazr]

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

[inBitweTrust]

This is very difficult to pull off , and creating enough entropy if you are aware of this attack is fairly easy to do. blockchain.info was an easy target because it was a central point of failure as well.

I don't like "very difficult". Very difficult depends on the attackers capabilities, and who knows whos attacking you, money is money attackers will attack anyone who has money. It's possible the attacker may think you have more money than you do, or the attack may be entirely automated so they are just going after anyone they can infect.

Mostly agreed, and there is a whole "social" layer of security that must be considered as well. The fact that I am discussing this with you, the fact that I am in IT, the fact that I have certain political opinions, the fact that I have a bitcointalk account, ect... all make me a much larger target than someone without those traits. I am cognizant of these weaknesses and this is why I took paranoid steps to secure my cold storage... short of doing a 100% audit on every line of code.

Good security is very complicated and even the best security experts occasionally make some mistakes(and thus why you should never have a single point of failure) for securing all your wealth.

 One great thing about Bitcoin is its forcing the users and society to adapt and develop better security and auditing. Most traditional fiat banks have abysmal security but its losses are ignored and amortized.


 

[colinistheman]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

[Blazr]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

You are exposing yourself to all kinds of risks by using blockchain.info. Yes, I know they are trustworthy, but they CAN access your funds despite what people say as they can modify the code at anytime, or a hacker whos broken in can modify the code, or they could mess up again and introduce another bug like last time where they almost lost 1,000's of BTC. It's an unnecessary risk. In the past, lots of people were hacked when they accessed blockchain.info over Tor. This is due to man-in-the-middle attacks, which happen all over the internet, not just on the Tor network although they are more common there due to the way the Tor network is designed.

Malware CAN jump from your main OS onto your live CD, I explained a few ways this can happen in this thread. This is not something the happens a lot, but it is trivial for a hacker to do some of the techniques I described, and I'm sure eventually hackers will start looking into these kinds of techniques if people are using live CD's to protect their coins.

Not reusing the paper wallet is a good idea. You should definitely do that.

[colinistheman]

Isn't this a safe way to spend bitcoins from a paper wallet:

1.) Boot from a Linux Live DVD
2.) Visit blockchain.info
3.) perform a sweep of the entire contents of the private key to your destination.

Using the Live DVD prevents any malware or key loggers.

And sweeping the key, removes the funds fully from your private key and puts them where you want without re-using the original private key.

You are exposing yourself to all kinds of risks by using blockchain.info. Yes, I know they are trustworthy, but they CAN access your funds despite what people say as they can modify the code at anytime, or a hacker whos broken in can modify the code, or they could mess up again and introduce another bug like last time where they almost lost 1,000's of BTC. It's an unnecessary risk. In the past, lots of people were hacked when they accessed blockchain.info over Tor. This is due to man-in-the-middle attacks, which happen all over the internet, not just on the Tor network although they are more common there due to the way the Tor network is designed.

Malware CAN jump from your main OS onto your live CD, I explained a few ways this can happen in this thread. This is not something the happens a lot, but it is trivial for a hacker to do some of the techniques I described, and I'm sure eventually hackers will start looking into these kinds of techniques if people are using live CD's to protect their coins.

Not reusing the paper wallet is a good idea. You should definitely do that.

What's the best way to spend the bitcoin on my paper wallets then? Since the bitcoins are already stored there.

[Blazr]

What's the best way to spend the bitcoin on my paper wallets then? Since the bitcoins are already stored there.

What you can do is you can create a custom version of Ubuntu that contains an SPV client like multibit or electrum and burn that to a CD and use that. Though creating a custom version of Ubuntu is annoying to do. You could also install a copy of electrum on the live cd, to do that simply type "sudo apt-get install electrum" into a terminal when running the live CD, though you'll have to do this each time you boot the live CD.

After you do that make a throwaway wallet and import the private key into that and sweep the funds off to a new address.

That is somewhat better.  The ideal solution would be to use a separate cold storage PC, and if you are doing that you may as well just use a normal encrypted wallet.

[Kprawn]

And the method you described for creating a paper wallet is a lot of steps for the average user IMO.

The average user ...............

Some average users also make use of "office" equipment / printers / Photo copiers at their place of work with built in hard drives. This is also a point of failure for some people.

This has been demonstrated in one of the episodes in the TV Series "Hacking the system"   

Blazr - Your solution is a bit complicated for the "average" user. If I tell the general public to do that, they will not accept Bitcoin as a payment method.

How about a "Idiot's guide to create secure Cold storage" ?

I will use your more advanced guide ... thanks. 

[inBitweTrust]

Some average users also make use of "office" equipment / printers / Photo copiers at their place of work with built in hard drives. This is also a point of failure for some people.

On printers-
https://www.reddit.com/r/Bitcoin/comments/2aodta/on_printer_memory_for_the_security_of_printed/

PRINTERS WITH HARD-DRIVE:

Pretty much any home/personal printer will not have a hard drive, but most will have some kind of memory installed. Depending on the type of printer, as well as the model, will determine how much, if any, memory is installed.

Most memory that is in home/personal printers only hold the data for the current print job from anywhere from a few lines to a few pages, as the job is being printed. Once the job is complete or the printer is turned off, any data that was in memory is erased & unrecoverable. Printers commonly use basic RAM memory, which is commonly referred to as volatile memory since it cannot store data once power is removed.

NOTES ON PRINTERS WITH HARD-DRIVES:

    If the printer allows you to bypass its internal hard drive and print directly from RAM, select this setting for better security, and ensure that print jobs are not stored on the printer hard-drive.

    If you do choose to store print jobs on the drive, ensure that it is encrypted with a strong encryption method, such as AES.

    If the printer allows you to overwrite the data immediately after printing (or scanning or faxing, if it’s an all-in-one device), select that option.

    Almost all new models include a wipe disk function for decommissioning the printer, and most include disk encryption, so if you take the disk out of the printer you won't be able to read the information stored on it.

NOTE: Even old printers (laser, dot matrix, inkjet, etc....) had some kind of memory that they used for some data storage for printing.

NOTES ON PRINTER MEMORY:

    Most current printers have a couple megabytes of memory

    In some cases the printer may be using volatile memory with a battery backup, If it is, this should be mentioned in the user guide. In that case, leave it unplugged for however long the user guide says is too long.

MISC. NOTES FOR CREATING COLD STORAGE WALLETS:

    ALWAYS ASSUME YOUR DEVICES HAVE BEEN COMPROMISED BY BAD ACTORS (Criminals)
    Use a dedicated computer & printer for purposes of creating Cold-storage wallets.
    Keep both dedicated computer and printer off the internet, keep wireless options deactivated or physically removed if possible.

MOST POPULAR PRINTERS: Most Popular Printers with examples of on-board memory

Amazon top 13 Printers (Best Sellers)
#    Brand    Model    Memory Capacity    Notes
1    Canon    PIXMA MX922    Approx. 250 Pages12    FAX
2    Epson    XP-310 Wireless    NL    Not Listed
3    Brother    HL-2270DW Compact Laser    32MB    Standard
4    Epson    XP-410 Small-inkjet    NL    Not Listed
5    Canon    PIXMA PRO-100 Color    250 Pages    
6    HP    Envy 4500 Wireless    NL    Not Listed
7    Brother    MFCJ450DW    170 Page Fax Memory    
8    Epson    WF-3520 Wireless    NL    Not Listed
9    Epson    WF-2540 Wireless    NL    Not Listed
10    Epson    WF-3620 Wireless    Up to 180 pages    Fax Memory
12    Canon    LBP6000    2MB    buffer memory
13    Hewlett Packard    1102W Wireless    8 MB    Standard