Idea for Highly Secure Paper Wallet - Using Split Keys

[BkkCoins]

When reading the forum today about this reported 8000 btc theft I had this idea that is a bit of a twist on usual usage patterns.

I believe a paper wallet is the closest thing to highly secure cold storage. But the problem is that you need to print the keys on a guaranteed secure computer. That's hard to be sure about.

So how about using the third-party key addition technique to print two partial keys on paper in two different places?

So you generate some keys on bitaddress.org and print them out. But you don't use these keys for your wallet. You take them to another system, somewhere else totally independent of the first one and you scan in the public key.

With the publickey you can use vanitygen (with the -P option) to generate addresses and partial keys, and print them out on that system.

Now you have addresses and two separately produced pieces of paper that only can be used for spends when both keys are scanned in and combined.

Either system could be compromised in any way and as long as the same person/group didn't compromise both then they would never be able to use the partial keys alone.

If this sounds like a good idea I may make up a simple web page that any joe-average can use in two easy steps to create split key paper wallets.

[1713880085]

1713880085

[1713880085]

1713880085

[1713880085]

1713880085

[1713880085]

1713880085

[CIYAM]

I think this is a pretty good idea - you might also want to take a look at: https://ubtcbank.com/

(it is using the same sort of approach technically)

[Jutarul]

I believe a paper wallet is the closest thing to highly secure cold storage. But the problem is that you need to print the keys on a guaranteed secure computer. That's hard to be sure about.

Well actually it's easy. Use a Linux live CD and install a trusted copy of Armory. If you want to connect to the internet, make sure you're fire walled and do not allow remote access.

[franky1]

best bet is to not use third party services that offer you private keys..

although i have not heard anything bad about bitaddress.org or the other suggestions above. safest bet is to clean wipe /recover your computer to factory settings. use ur own client EG bitcoin D to give u a fresh address and privkey.. then write it down on a piece of paper laminate it and put it in a safety deposit box.

making websites that ask you to type in their priv keys, will make a few people think.. hmmm why would they ask.

if anyone truly wanted to split their priv key up.. think of the easy way...

1 x paper 1 x scissors = 2x paper

store each piece in separate places

[BkkCoins]

I believe a paper wallet is the closest thing to highly secure cold storage. But the problem is that you need to print the keys on a guaranteed secure computer. That's hard to be sure about.

Well actually it's easy. Use a Linux live CD and install a trusted copy of Armory. If you want to connect to the internet, make sure you're fire walled and do not allow remote access.

Wow. I can't believe you just said that. Unless you were kidding.

Can we please talk about the viability of this method rather than whatever your pet method is? There are already a hundred threads discussing the many other ways to do it.

And many users will agree that none of them are very easy for a new user, and often not even for experienced users. I'm talking about a method than can be used anywhere, even on a compromised system, and still result in a highly secure paper wallet.

I don't need you to tell me about other ways as I have already been thru many and read about dozens of others but no one so far that I have read has shown a simple as pie way to do it on a compromised system.

[hamdi]

simply store the key without a note what it is.

[BkkCoins]

if anyone truly wanted to split their priv key up.. think of the easy way...

1 x paper 1 x scissors = 2x paper

store each piece in separate places

This is idiotic. Why cut it up on paper if you already had the key on your compromised system. It would already have been captured and sent to someone. At that point you don't even need to bother printing it.

I guess people just aren't getting the whole point of what I wrote.  

[Jutarul]

I believe a paper wallet is the closest thing to highly secure cold storage. But the problem is that you need to print the keys on a guaranteed secure computer. That's hard to be sure about.

Well actually it's easy. Use a Linux live CD ...

Can we please talk about the viability of this method rather than whatever your pet method is? There are already a hundred threads discussing the many other ways to do it.

So you'd like to have a secure paper wallet for dummies? But you want to avoid the trouble of making sure you have access to an uncompromised system? Why doesn't that make sense to me?

[BkkCoins]

I think this is a pretty good idea - you might also want to take a look at: https://ubtcbank.com/

(it is using the same sort of approach technically)

Had a look but didn't immediately see what they were doing. They indicate you need to push tx the final transaction so I guess it isn't for someone who doesn't know how to do that anyway.

[CIYAM]

Had a look but didn't immediately see what they were doing. They indicate you need to push tx the final transaction so I guess it isn't for someone who doesn't know how to do that anyway.

True - the technical stuff would need to be hidden "under the hood" with your idea but what they are doing is creating "two signature" keys (which I believe is the main thing necessary for security).

[BkkCoins]

I believe a paper wallet is the closest thing to highly secure cold storage. But the problem is that you need to print the keys on a guaranteed secure computer. That's hard to be sure about.

Well actually it's easy. Use a Linux live CD ...

Can we please talk about the viability of this method rather than whatever your pet method is? There are already a hundred threads discussing the many other ways to do it.

So you'd like to have a secure paper wallet for dummies? But you want to avoid the trouble of making sure you have access to an uncompromised system? Why doesn't that make sense to me?

The point is you can print a secure paper wallet without being sure if you have a secure system. The security of the wallet will not depend on the security of the system using this method. That is the point.

Most people cannot be sure they have a secure system. And it takes a fair amount of effort to try a best effort at making sure a system is secure. So a method that doesn't require a secure system can be used by anyone. And that makes it highly attractive especially to newbie users.

Right now this is a bit fudgy as you need to know what to do. But a web page designed for this purpose could be dead simple for even newbie users with 1.2.3. steps

Step 1 - print these two QR codes #1 and #2 (and text).
Step 2 - go to another system in another location and photo/scan QR code #2.
Step 3 - print this new QR code #3(and text)

Save QR code #1 and #3. They are each half of your key.
When you scan them back in they get combined and can used.

---
How to Generate Keys and Stop Worrying...

You could do the same thing with two USB sticks as well and skip paper. The first one you save your private keys on. The second one you save your public keys on. You go to the secondary system and insert the public key one. You generate partial keys and addresses from the public keys and save them to that usb stick. Now each stick has half-keys and the keys in each stick have only ever been in one system, and hence could never have possibly been together on a compromised system.

[Jutarul]

So you'd like to have a secure paper wallet for dummies? But you want to avoid the trouble of making sure you have access to an uncompromised system? Why doesn't that make sense to me?

The point is you can print a secure paper wallet without being sure if you have a secure system. The security of the wallet will not depend on the security of the system using this method. That is the point.

I appreciate the effort to establish a protocol for creating a secure paper wallet which even works if the used systems are compromised. Know that the user needs to use two uncorrelated systems though, because if both systems are compromised, chances are they are compromised by the same entity. I propose using a home computer and then maybe go to an apple retail store or best buys and create another component there...

[BkkCoins]

So you'd like to have a secure paper wallet for dummies? But you want to avoid the trouble of making sure you have access to an uncompromised system? Why doesn't that make sense to me?

The point is you can print a secure paper wallet without being sure if you have a secure system. The security of the wallet will not depend on the security of the system using this method. That is the point.

I appreciate the effort to establish a protocol for creating a secure paper wallet which even works if the used systems are compromised. Know that the user needs to use two uncorrelated systems though, because if both systems are compromised, chances are they are compromised by the same entity. I propose using a home computer and then maybe go to an apple retail store or best buys and create another component there...

Agree 100%. They should be as randomly unrelated as feasible. Different OS even is good. They should not be ones on the same network or one that you sync from another, eg. your phone and your desktop.

[TTBit]

If I understand correctly, you will have 2 private keys (5J... and 5H... for example) combined to make a 3rd private key (5K...).

Could you send 0.10 BTC to the first address (5J...) and 0.10 to the 2nd (5H...) but send 100 btc to the 3rd (5K...)

Set up to be notified when one of the first 2 addresses are drained, this lets you know you have been compromised on 1 system.

[BkkCoins]

If I understand correctly, you will have 2 private keys (5J... and 5H... for example) combined to make a 3rd private key (5K...).

Could you send 0.10 BTC to the first address (5J...) and 0.10 to the 2nd (5H...) but send 100 btc to the 3rd (5K...)

Set up to be notified when one of the first 2 addresses are drained, this lets you know you have been compromised on 1 system.

Not exactly. The second key is not valid alone (it would be rejected) and the address created with it does not work on either key alone. But the address does work when you combine (using suitable EC math) the first key and the second key to make a final "real key". But you would only do that at the time you want to spend your balance.

I guess you could put a balance on the first key if you chose and it would be theoretically less secure since it's on your possibly compromised system. My intention wasn't to monitor the systems using honeypot keys. You could do that entirely independently with other keys if you wanted. But of course it may tell you nothing as a hacker may just wait until he sees a significant balance on the address.

---
If you wanted to test this out for yourself you would do the following, using the vanitygen programs (because at this time they are the only ones I know that do the partial key math, although there is a patched bitaddress.org around now that does key combining).

Sys #1 Run,
keyconv -G
Save the private key on usb #1. Save the public key on usb #2

Sys #2 Insert usb #2 and run,
vanitygen 1 -P <paste public key>

The private key and address would be saved on usb#2 now.
But if you want to test it then run,

keyconv -c <paste key#1> <paste key#2>

And it will output your "real key" and address should be same as above.

In real life I think I would lean towards using paper since moving usb keys between systems has the potential to carry an infection also.

[franky1]

if anyone truly wanted to split their priv key up.. think of the easy way...

1 x paper 1 x scissors = 2x paper

store each piece in separate places

This is idiotic. Why cut it up on paper if you already had the key on your compromised system. It would already have been captured and sent to someone. At that point you don't even need to bother printing it.

I guess people just aren't getting the whole point of what I wrote.  

compromised system??

lol maybe next time u should include the first part of my quote.. restore/recover system to factory settings.

but if u easily get a compromised system then ofcourse ur also gonna be deluded to trust typing your private key into some script kiddies website so they can do magical things to your private key.

simple fact about paper wallet is.. keep it on paper dont give it out to third party websites. and dont obtain it from third party websites either.

a paper wallet is just that. a paper wallet. anyone saying they are solving paper security by designing a website. has no idea what paper wallets are all about.

make it from ur own CLEAN system print it out and the only thing u have to worry about is someone in your real world life reading it. so cutting it in half and putting it in 2 locations will reduce that from happening.

[BkkCoins]

if anyone truly wanted to split their priv key up.. think of the easy way...

1 x paper 1 x scissors = 2x paper

store each piece in separate places

This is idiotic. Why cut it up on paper if you already had the key on your compromised system. It would already have been captured and sent to someone. At that point you don't even need to bother printing it.

I guess people just aren't getting the whole point of what I wrote.  

compromised system??

lol maybe next time u should include the first part of my quote.. restore/recover system to factory settings.

but if u easily get a compromised system then ofcourse ur also gonna be deluded to trust typing your private key into some script kiddies website so they can do magical things to your private key.

simple fact about paper wallet is.. keep it on paper dont give it out to third party websites. and dont obtain it from third party websites either.

a paper wallet is just that. a paper wallet. anyone saying they are solving paper security by designing a website. has no idea what paper wallets are all about.

make it from ur own CLEAN system print it out and the only thing u have to worry about is someone in your real world life reading it. so cutting it in half and putting it in 2 locations will reduce that from happening.

Sorry, you still have no clue what I'm even talking about.

[etotheipi]

Sorry, you still have no clue what I'm even talking about.

I don't understand what you are asking:  if your system holding your wallet is compromised already, your wallet is toast.  Get a system that will never touch the internet again, wipe it and put a clean version of whatever OS you want on it.  Install Bitcoin software (insert Armory plug here), and manually copy down the private keys and addresses (in Armory, it is "Backup Individual Keys").  There's your paper wallet.  If you want to "watch" it, produce a watching-only wallet.

In the absence of any good multi-sig solutions, you can do "manual" multi-sig using Armory's built-in ECDSA calculator.  It requires some mathematical prowess, but everything you need to know is on the forums.  The gist is:  create two private keys on two separate computers that have never touched the internet.  Copy/print the private keys on separate pieces of paper and store them away safely.  Copy/print the public keys and exchange them.  Now one computer has PrivA & PubB, and the other one has PubA & PrivB.   Both systems can use this to create a public key that is associated with a private key that is only recoverable when both original private keys are on the same computer. 

You can use this address for collecting money.  Use it for savings.  But it will be a bitch to move:  you'll have to transfer the private key from one computer to another.  Then plug them into the ECDSA calculator to get the master private key.  Create a new wallet and import that private key.  Then sign the transaction and take to an online computer to broadcast.

I don't actually recommend this because it's not simple by any means, but if you are that hardcore it can be done.  That's actually why I made the ECDSA calculator, for devs, and hardcore users like (and for myself to check ECDSA math when debugging stuff).  But it sounds like you're looking for something like this.

[franky1]

your talking about making a website that takes some ones private key and then gives them some split up version of it.

why need a website.. just give people the sourcecode to do it themselves if you think its a great idea. its not complicated script and does not need web hosting to allow people to use your idea of extra security.

i think those that want the caution of needing a paper wallet wont put their private keys into someone elses website.

its much easier for a website to be compromised then some ones own PC would be, especially if they recovered it back to factory settings to avoid trojans etc first.

but the low tech method of printing out or even....
hand writing the code is even easier. saves ink and any 'print queue' trojans.(if u aint already restored PC)

the simple as pie method is trust no one but urself. if ur computer is compromised.. restore it.. no need for third party services websites.

the other idea about using the ECDSA calculator.. is other the top of noobs heads. and still requiring third party stuff..

PAPER WALLET .. again PAPER WALLET.. has no need to store on 2 computers.. thats a digital wallet your talking about.

just keep it on paper. laminate it cut it in half so the long code is in 2 pieces and useless on its own. and store in a separate location, in PAPER form

[BkkCoins]

your talking about making a website that takes some ones private key and then gives them some split up version of it.

No, you don't understand. If I did anything at all it would be exactly like bitaddress,org where the html file can be saved and used offline any time, and completely open source and verifiable by anyone.

The point is that each private key generated would only exist and be printed from one system.

But one key is not enough to actually spend coins.

So a hacker would have to compromise two distinct and preferably unrelated systems in order to obtain a working spendable key.

The only thing someone uploads to the second system is the public key from the first system. The public also does not allow spending coins in any way.

The only reason to have it as a web site is to make it easy to distribute and use (it can have help text saying what to do) but it need not be online and connected when generating a key, in the same way that bitaddress.org doesn't need to be.