Bitcoin Forum
November 11, 2024, 02:58:39 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Extracting the Private Key from a TREZOR ... with a 70 $ Oscilloscope  (Read 5171 times)
unamis76
Legendary
*
Offline Offline

Activity: 1512
Merit: 1012


View Profile
April 25, 2015, 06:13:37 PM
 #21

I always feel uneasy to connect a device with private key directly to an untrusted online computer

I hope something like a audio modem could be implemented but seems it's too slow to be practically used?

https://bitcointalk.org/index.php?topic=135423.0

It is already implemented in Electrum, just not easy to setup and use...

Be it slow or fast it seems a nice and secure idea, I think...
EliptiBox
Newbie
*
Offline Offline

Activity: 22
Merit: 0


View Profile WWW
May 02, 2015, 05:16:02 PM
 #22

I always feel uneasy to connect a device with private key directly to an untrusted online computer

I hope something like a audio modem could be implemented but seems it's too slow to be practically used?

https://bitcointalk.org/index.php?topic=135423.0

It is already implemented in Electrum, just not easy to setup and use...

Be it slow or fast it seems a nice and secure idea, I think...

We have just the solution for this problem - firewall between the crypto controller and the interface, implemented directly in silicon:
http://www.eliptibox.com/#!Hardware-Firewall-for-Hardware-Wallet/cw4e/54ecb8670cf27a657a44c314

EliptiBox Team
www.eliptibox.com

gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4270
Merit: 8805



View Profile WWW
May 02, 2015, 07:50:44 PM
 #23

We have just the solution for this problem - firewall between the crypto controller and the interface, implemented directly in silicon:
http://www.eliptibox.com/#!Hardware-Firewall-for-Hardware-Wallet/cw4e/54ecb8670cf27a657a44c314
EliptiBox Team
www.eliptibox.com
You are spamming;  advertising your product is off-topic for this thread, doubly so since its already been spamvertised once here;  but since you've been so bold--  I inquired and found out that your product is based off the same weak, barely tested/reviewed, and slow as heck naive cryptographic code used in the product being discussed here.  The information leak here is so severe that I am very doubtful that your (quite laudable) improved hardware isolation can prevent-- e.g. the code in question leaks several bits of information about the key from just the time it takes.

Furthermore, Your "directly in silicon" is an FPGA with a loading procedure 'under the seal', this is potentially yet another back door vector, it sinks a lot of power, and really seems to be of dubious value. I would have preferably seen all the external interfaces over simple low-ish-speed serial interfaces with good electrical isolation, rather than a huge power sucking FPGA under the secure-area can.  Use of a BGA probably also means you need a 4 layer board for signals routing and thus probably can't use an extra layer as a separate ground to complete the shield can. The FPGA just seems like a costly gimmick to me, and that you're misrepresenting this as a solution to bad cryptographic code (which you have made a similar failure by selecting to use it) doesn't bode well for the security of your product.
virtualx
Hero Member
*****
Offline Offline

Activity: 672
Merit: 508


LOTEO


View Profile
May 03, 2015, 11:17:20 AM
 #24

I always feel uneasy to connect a device with private key directly to an untrusted online computer

I hope something like a audio modem could be implemented but seems it's too slow to be practically used?

https://bitcointalk.org/index.php?topic=135423.0

It is already implemented in Electrum, just not easy to setup and use...

Be it slow or fast it seems a nice and secure idea, I think...

It should be pretty easy to use because Electrum supports plugins, does it come as a patch for the source code  Huh

...loteo...
DIGITAL ERA LOTTERY


r

▄▄███████████▄▄
▄███████████████████▄
▄███████████████████████▄
▄██████████████████████████▄
▄██  ███████▌ ▐██████████████▄
▐██▌ ▐█▀  ▀█    ▐█▀   ▀██▀  ▀██▌
▐██  █▌ █▌ ██  ██▌ ██▌ █▌ █▌ ██▌
▐█▌ ▐█ ▐█ ▐█▌ ▐██  ▄▄▄██ ▐█ ▐██▌
▐█  ██▄  ▄██    █▄    ██▄  ▄███▌
▀████████████████████████████▀
▀██████████████████████████▀
▀███████████████████████▀
▀███████████████████▀
▀▀███████████▀▀
r

RPLAY NOWR
BE A MOON VISITOR!
[/center]
EliptiBox
Newbie
*
Offline Offline

Activity: 22
Merit: 0


View Profile WWW
May 05, 2015, 09:13:27 PM
 #25

We have just the solution for this problem - firewall between the crypto controller and the interface, implemented directly in silicon:
http://www.eliptibox.com/#!Hardware-Firewall-for-Hardware-Wallet/cw4e/54ecb8670cf27a657a44c314
EliptiBox Team
www.eliptibox.com
You are spamming;  advertising your product is off-topic for this thread, doubly so since its already been spamvertised once here;  but since you've been so bold--  I inquired and found out that your product is based off the same weak, barely tested/reviewed, and slow as heck naive cryptographic code used in the product being discussed here.  The information leak here is so severe that I am very doubtful that your (quite laudable) improved hardware isolation can prevent-- e.g. the code in question leaks several bits of information about the key from just the time it takes.

Furthermore, Your "directly in silicon" is an FPGA with a loading procedure 'under the seal', this is potentially yet another back door vector, it sinks a lot of power, and really seems to be of dubious value. I would have preferably seen all the external interfaces over simple low-ish-speed serial interfaces with good electrical isolation, rather than a huge power sucking FPGA under the secure-area can.  Use of a BGA probably also means you need a 4 layer board for signals routing and thus probably can't use an extra layer as a separate ground to complete the shield can. The FPGA just seems like a costly gimmick to me, and that you're misrepresenting this as a solution to bad cryptographic code (which you have made a similar failure by selecting to use it) doesn't bode well for the security of your product.


Thank you for raising important issues. To refrain from spamming, the following prior link discusses the technical points raised here:
https://bitcointalk.org/index.php?topic=970998.msg11295854#msg11295854

EliptiBox Team


lay785
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


View Profile
May 07, 2015, 11:18:15 AM
 #26

Wow much respect for johoe.

He should be hired as a professional tester by BTC hardware wallet companies.

Just curious what Johoe himself uses to store his bitcoins? Hardware wallet? Air-gapped machine?  Multisig?
btchip
Hero Member
*****
Offline Offline

Activity: 623
Merit: 500

CTO, Ledger


View Profile WWW
May 07, 2015, 12:20:19 PM
 #27

Wow much respect for johoe.

He should be hired as a professional tester by BTC hardware wallet companies.

Hired could make him less independent,donating to pay for testing equipment upgrade makes more sense iMHO. At least that's what I plan to do.

Newar
Legendary
*
Offline Offline

Activity: 1358
Merit: 1001


https://gliph.me/hUF


View Profile
May 31, 2015, 02:02:55 AM
 #28

I always feel uneasy to connect a device with private key directly to an untrusted online computer

I hope something like a audio modem could be implemented but seems it's too slow to be practically used?

https://bitcointalk.org/index.php?topic=135423.0

It is already implemented in Electrum, just not easy to setup and use...

Be it slow or fast it seems a nice and secure idea, I think...

Any wallet software that has offline signing functionality will work using software like minimodem. An example using Armory:
https://bitcointalk.org/index.php?topic=735111.0

How fast it works depends on your tx size. I agree slow don't matter much in this case, as security should be our main concern.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
Newar
Legendary
*
Offline Offline

Activity: 1358
Merit: 1001


https://gliph.me/hUF


View Profile
May 31, 2015, 02:06:31 AM
 #29

Wow much respect for johoe.

He should be hired as a professional tester by BTC hardware wallet companies.

Just curious what Johoe himself uses to store his bitcoins? Hardware wallet? Air-gapped machine?  Multisig?

He mentions it at the bottom of his report:

Quote
I own two TREZORs my­self (one for stor­ing my sav­ings and one for hacks like this) and I am still think­ing hard­ware wal­lets are the best way to pro­tect against most at­tack vec­tors.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
dasource
Hero Member
*****
Offline Offline

Activity: 821
Merit: 1000


View Profile
June 02, 2015, 12:01:13 PM
 #30

<snip>

My next project is analysing the Ledger.  This has no filtering caps worth mentioning.  It is just the secure element with a USB connector.  The oscilloscope shows much more details.  However, some of it is noise the device is producing deliberately to make these kinds of analysis more difficulty.  It also randomizes the timing.  I will probably report more of this, once the analysis is finished.  Still, even with the secure elements, you can see a lot of details of the executed code on the power line.  The producers of the Ledger are aware of this and use constant time code to compute the public from the private key.  We will see, whether they did this right.

Keep up the great work and looking forward to seeing your analysis of Ledger Wallet once ready.

^ I am with STUPID!
ed_teech
Hero Member
*****
Offline Offline

Activity: 508
Merit: 500


Jahaha


View Profile
June 02, 2015, 01:41:10 PM
 #31

This was very cool, how do they make this immune to the side channel attack ?
dasource
Hero Member
*****
Offline Offline

Activity: 821
Merit: 1000


View Profile
June 02, 2015, 03:29:39 PM
Last edit: June 02, 2015, 05:19:08 PM by dasource
 #32

This was very cool, how do they make this immune to the side channel attack ?

Best option would be to use multi-sig across multiple devices ...
It could be a couple of years before you can trust a single device with your "stash"

^ I am with STUPID!
michinzx
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 02, 2015, 05:10:24 PM
 #33

great read, crazy what people can do with technology these days. even though a trezor might be considered incredibly safe, its clear there are always workarounds for anything.
Newar
Legendary
*
Offline Offline

Activity: 1358
Merit: 1001


https://gliph.me/hUF


View Profile
August 04, 2018, 12:48:26 PM
 #34

I get a malware warning from WOT on this website. Are there other (more established) sites who published this article also. Otherwise could someone summarize the main points?  Cheesy

The one in the first post?

https://web.archive.org/web/*/http://johoe.mooo.com/trezor-power-analysis/
http://archive.is/WhLkl

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
Kprawn
Legendary
*
Offline Offline

Activity: 1904
Merit: 1074


View Profile
August 08, 2018, 07:40:58 PM
 #35

You obviously have to be in possession of the physical device to use the Oscilloscope, so by the time the owner of the device

picked up that his Trezor was stolen, he or she could have used the seed to access the coins and to move it to another Bitcoin

address. This is not a massive threat, because this is very difficult to pull off and you need specialized tools. To protect you

from this, make sure you know where your device is and do not store your device with your seed.  Roll Eyes

THE FIRST DECENTRALIZED & PLAYER-OWNED CASINO
.EARNBET..EARN BITCOIN: DIVIDENDS
FOR-LIFETIME & MUCH MORE.
. BET WITH: BTCETHEOSLTCBCHWAXXRPBNB
.JOIN US: GITLABTWITTERTELEGRAM
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!