Bitcoin Forum
December 12, 2024, 05:52:10 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 ... 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 [174] 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 ... 265 »
  Print  
Author Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet  (Read 966226 times)
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 16, 2014, 02:31:38 PM
 #3461

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
chrisrico
Hero Member
*****
Offline Offline

Activity: 496
Merit: 500


View Profile
December 16, 2014, 05:10:13 PM
 #3462

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 16, 2014, 06:12:14 PM
 #3463

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).

If I read that paper correctly, with that attack the attacker (the person who wrote the malicious tx-signing code) would be the only person able to recover the private key from the transaction signature (or even to notice that the signature is leaking the key).  Thus, that attack it is more subtle than the BCI fiasco -- where everybody had a copy of the faulty RNG, and thus could reproduce the k values, identify the compromised addresses, and sweep them.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 3920
Merit: 2349


Eadem mutata resurgo


View Profile
December 16, 2014, 09:07:01 PM
 #3464

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).

If I read that paper correctly, with that attack the attacker (the person who wrote the malicious tx-signing code) would be the only person able to recover the private key from the transaction signature (or even to notice that the signature is leaking the key).  Thus, that attack it is more subtle than the BCI fiasco -- where everybody had a copy of the faulty RNG, and thus could reproduce the k values, identify the compromised addresses, and sweep them.

If you read the paper correctly would you like to place a numerical estimate on how likely this attack is ...e.g. 50%, 10%, 1%, 0.001%?

Thanks in advance for reducing the FUD spreading.

sandpaper
Sr. Member
****
Offline Offline

Activity: 373
Merit: 250


View Profile
December 16, 2014, 09:54:59 PM
 #3465

Just following up letting it be known that I received mine yesterday 12-15-14. I ordered it on 11/17/14 and it was shipped 11/18/14. I am east coast usa. Not too bad shipping wise. Less than a month from EU with no DHL shipping.
klokan
Full Member
***
Offline Offline

Activity: 120
Merit: 100


View Profile
December 16, 2014, 11:33:50 PM
 #3466

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).

If I read that paper correctly, with that attack the attacker (the person who wrote the malicious tx-signing code) would be the only person able to recover the private key from the transaction signature (or even to notice that the signature is leaking the key).  Thus, that attack it is more subtle than the BCI fiasco -- where everybody had a copy of the faulty RNG, and thus could reproduce the k values, identify the compromised addresses, and sweep them.

If you read the paper correctly would you like to place a numerical estimate on how likely this attack is ...e.g. 50%, 10%, 1%, 0.001%?

Thanks in advance for reducing the FUD spreading.

Trezor is open source and running only the signed firmware. This attack is not feasible in such circumstances, because everybody would see the "malicious tx-signing code" on github.

Also, RFC6979 is the answer to this problem that Trezor implements. With it, there is not a choice of k, thus the attack is not possible.

With a piece of software writing skills, you can initialize Trezor, use it to sign a couple of transactions, then import master private key into bip32.org, generate all private keys and verify that RFC6979 was used. This can be used with real or fake inputs in "blackbox testing" OR it can be used after some coins go missing to prove the maliciousness of the firmware...
keithers
Legendary
*
Offline Offline

Activity: 1456
Merit: 1001


This is the land of wolves now & you're not a wolf


View Profile
December 17, 2014, 12:13:23 AM
 #3467

I am still using my trezor daily since I got it months ago.   I want to try out that new USB hardware wallet that came out recently too...
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 17, 2014, 12:21:46 AM
 #3468

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).

If I read that paper correctly, with that attack the attacker (the person who wrote the malicious tx-signing code) would be the only person able to recover the private key from the transaction signature (or even to notice that the signature is leaking the key).  Thus, that attack it is more subtle than the BCI fiasco -- where everybody had a copy of the faulty RNG, and thus could reproduce the k values, identify the compromised addresses, and sweep them.

If you read the paper correctly would you like to place a numerical estimate on how likely this attack is ...e.g. 50%, 10%, 1%, 0.001%?

Thanks in advance for reducing the FUD spreading.

I would say 90% chance that someone will try that attack sometime in the next 10 years, either a blanket attack (sell hundreds of fake devices on eBay or on a local eletronics store, then scoop whatever falls into the net) or an attack directed against some specific fat target.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 17, 2014, 12:27:12 AM
 #3469

A simpler way by which a malicious fake hardware wallet could steal your coins:

https://bitcointalk.org/index.php?topic=581411.msg9856659#msg9856659


I would hope that RFC6979 deterministic signatures would be the standard for hardware wallets (that's what Trezor uses). Anyway, I doubt this would be used as an attack vector, since it's not guaranteed that the attacker would be the one claiming the funds (see: white hat returning lost BC.i funds).

If I read that paper correctly, with that attack the attacker (the person who wrote the malicious tx-signing code) would be the only person able to recover the private key from the transaction signature (or even to notice that the signature is leaking the key).  Thus, that attack it is more subtle than the BCI fiasco -- where everybody had a copy of the faulty RNG, and thus could reproduce the k values, identify the compromised addresses, and sweep them.

If you read the paper correctly would you like to place a numerical estimate on how likely this attack is ...e.g. 50%, 10%, 1%, 0.001%?

Thanks in advance for reducing the FUD spreading.

Trezor is open source and running only the signed firmware. This attack is not feasible in such circumstances, because everybody would see the "malicious tx-signing code" on github.

Also, RFC6979 is the answer to this problem that Trezor implements. With it, there is not a choice of k, thus the attack is not possible.

With a piece of software writing skills, you can initialize Trezor, use it to sign a couple of transactions, then import master private key into bip32.org, generate all private keys and verify that RFC6979 was used. This can be used with real or fake inputs in "blackbox testing" OR it can be used after some coins go missing to prove the maliciousness of the firmware...

Trezor is well designed and certainly better than using a PC, even an off-line PC with air gap.  But it is not 100% safe.  I already explained how a criminal can get around its safety features, by using social engineering or fake malicious hardware.  The fact that people keep denying those risks only makes those risks more significant.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
klokan
Full Member
***
Offline Offline

Activity: 120
Merit: 100


View Profile
December 17, 2014, 07:35:18 AM
 #3470


Trezor is open source and running only the signed firmware. This attack is not feasible in such circumstances, because everybody would see the "malicious tx-signing code" on github.

Also, RFC6979 is the answer to this problem that Trezor implements. With it, there is not a choice of k, thus the attack is not possible.

With a piece of software writing skills, you can initialize Trezor, use it to sign a couple of transactions, then import master private key into bip32.org, generate all private keys and verify that RFC6979 was used. This can be used with real or fake inputs in "blackbox testing" OR it can be used after some coins go missing to prove the maliciousness of the firmware...

Trezor is well designed and certainly better than using a PC, even an off-line PC with air gap.  But it is not 100% safe.  I already explained how a criminal can get around its safety features, by using social engineering or fake malicious hardware.  The fact that people keep denying those risks only makes those risks more significant.

JorgeStolfi: I was talking about a situation when you have TREZOR. Then this attack simply does not apply. I never said in my post that having a money in a fake bank is as safe as having them in a real bank. Please explain to me, how I'm denying this fact in my post.

However, I did say, that this is both blackbox testable before you start using the device and that maliciousness is backward provable after the device has been malicious. So the users who will be affected with this kind of attack have some tools to fight back.
mmortal03
Legendary
*
Offline Offline

Activity: 1762
Merit: 1011


View Profile
December 17, 2014, 07:59:16 AM
 #3471


BTW: I am old enough to remember the Year 2000 bug - millions of $$$ worldwide went into trying to fix it - but at the end... it was only a big IT FUD... Are you from that generation JorgeStolfi?

Off topic, but since you brought it up -- Y2K was a real issue that the preparations worldwide actually fixed.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 17, 2014, 08:00:07 AM
 #3472

Trezor is well designed and certainly better than using a PC, even an off-line PC with air gap.  But it is not 100% safe.  I already explained how a criminal can get around its safety features, by using social engineering or fake malicious hardware.  The fact that people keep denying those risks only makes those risks more significant.

@JorgeStolfi:  doomsday again? Please give us a break, will you?

Your repeated and repeated and repeated comments only makes you more ... well... less significant.

BTW: I am old enough to remember the Year 2000 bug - millions of $$$ worldwide went into trying to fix it - but at the end... it was only a big IT FUD... Are you from that generation JorgeStolfi?

No, sorry, I was busy at Troy, desperately trying to warn my compatriots that that Greek horse could be a trojan horse.  But they just told me to stop spreading FUD and fuck off.

The Y2K bug was not a disaster because, thanks to the harping by the FUDsters, it was mostly fixed or hacked around in time.  How can you tell that it was pointless FUD and waste of money?

Unfortunately, 95% of people cannot believe that a real risk can happen until they see it happening.  The other 5% are dismissed as paranoids and FUDsters before it happens, and quickly forgotten afterwards.  One could fill volumes with cases where warnings by "FUDsters" were ignored, and then the disaster happened much worse than their worst case scenarios. See Fukushima.

The BCI debacle was caused by a bug accidentally introduced in the javascript that people downloaded to generate the keys and sign the transactions.  The bug was fixed after a few hours, but even so it affected hundreds of people and allowed the "theft" of more than 500 BTC -- fortunately, most of them by a "benevolent thief" who returned them to BCI.  In fact, the extent of the damage is still not known precisely, more compromised accounts are still being found.

The BCI javascript was open source, and the buggy version was duly posted on github.  It was not discovered by looking at the code, but because the "benevolent thief" was continuosly monitring the blockchain for certain type of weak signatures, and started seeing many of them.  The programmer who committed the bug acted irresponsably, but apparently within his normal privileges and habits.  Couldn't it have happened with the Trezor firmware instead of the BCI javascript?

Now imagine a criminal aiming his skill and resources to expliting that type of attack...

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
klokan
Full Member
***
Offline Offline

Activity: 120
Merit: 100


View Profile
December 17, 2014, 08:25:15 AM
Last edit: December 17, 2014, 12:47:07 PM by klokan
 #3473

The BCI javascript was open source, and the buggy version was duly posted on github.  It was not discovered by looking at the code, but because the "benevolent thief" was continuosly monitring the blockchain for certain type of weak signatures, and started seeing many of them.  The programmer who committed the bug acted irresponsably, but apparently within his normal privileges and habits.  Couldn't it have happened with the Trezor firmware instead of the BCI javascript?

This reveals the amateurism of BCI. C'mon, using javascript rng and even failing at it when people are FOR YEARS saying that the only way to go is a fully deterministic signatures with RFC6979? WTF BCI?

If you have a deterministic signatures and tests: https://github.com/trezor/trezor-crypto/blob/master/tests.c#L360 then the BCI type of issue cannot affect you.

Edit: And by the way: Having a Trezor firmware signed by multiple people means than no single irresponsible programmer can do this with Trezor on his own. This again shows how SL processes are superior to those of BCI.

Disclaimer for JorgeStolfi: I did not claim nor I think that any mentioned systems are 100% safe, nor I believe that fake devices cannot be manufactured or that coins cannot be stolen thru social engineering.
TwinWinNerD
Legendary
*
Offline Offline

Activity: 1680
Merit: 1001


CEO Bitpanda.com


View Profile WWW
December 17, 2014, 09:45:19 PM
 #3474

Is there a safe alternative to mytrezor? Because it is getting really unreliable. I can't use it for my business funds, if it isn't connecting to bits of proof 2 times a day....

klokan
Full Member
***
Offline Offline

Activity: 120
Merit: 100


View Profile
December 17, 2014, 10:01:18 PM
Last edit: December 17, 2014, 11:18:14 PM by klokan
 #3475

Is there a safe alternative to mytrezor? Because it is getting really unreliable. I can't use it for my business funds, if it isn't connecting to bits of proof 2 times a day....

Any alternative that works is as safe as myTrezor from the nature of the device. The only problem is that there is none released. There is Electrum 2.0 beta with this install tutorial:
http://www.reddit.com/r/TREZOR/comments/2jp9uk/tutorial_install_electrum_20_beta_with_trezor/
Mickeyb
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000

Move On !!!!!!


View Profile
December 18, 2014, 09:53:01 PM
 #3476

Is there a safe alternative to mytrezor? Because it is getting really unreliable. I can't use it for my business funds, if it isn't connecting to bits of proof 2 times a day....

Any alternative that works is as safe as myTrezor from the nature of the device. The only problem is that there is none released. There is Electrum 2.0 beta with this install tutorial:
http://www.reddit.com/r/TREZOR/comments/2jp9uk/tutorial_install_electrum_20_beta_with_trezor/

Is there a windows tutorial somewhere?

Thanks
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 18, 2014, 10:17:38 PM
 #3477

You may like to know that the display-less competition has a serious weakness.

The risk is a malicious software on the PC that plays the man-in-the-middle attack: it displays the merchant's address to the user, but uses the thief's address in the thansaction that is given to the device to sign.

The Trezor guards against that attack by displaying the address on its own window and asking the user to confirm through a Trezor button.  The malware on the PC cannot interfere with that step.

The competition's device instead asks the user to pick a few specific letters from the displayed address, look them up in a code card provided by the manufacturer, and enter the corresponding codes on the PC keyboard.  The malware on the PC does not know the code table, so it cannot convince the device to sign a different address...

... well, not right away, no.  However, while signing a transaction honestly, the malware on the PC can record the letters shows to the user, and the corresponding codes that he typed.  After honestly signing a certain number of transactions, it will know enough entries of the code table to pull the man-in-the-middle attack.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
btchip
Hero Member
*****
Offline Offline

Activity: 623
Merit: 500

CTO, Ledger


View Profile WWW
December 18, 2014, 11:53:00 PM
 #3478

You may like to know that the display-less competition has a serious weakness.

Which is why it'll be upgraded soon, but well, you need to bootstrap something at some point. Also, surprisingly, we still have a thread, which is, even more surprisingly, still not self administrated since the last few times I mentioned that to you => http://bitcointalk.org/index.php?topic=134999.0

JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 19, 2014, 01:00:14 AM
 #3479

You may like to know that the display-less competition has a serious weakness.

Which is why it'll be upgraded soon, but well, you need to bootstrap something at some point. Also, surprisingly, we still have a thread, which is, even more surprisingly, still not self administrated since the last few times I mentioned that to you => http://bitcointalk.org/index.php?topic=134999.0

Thanks for the reminder, but I suppose that you have already discussed that problem over there.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
btchip
Hero Member
*****
Offline Offline

Activity: 623
Merit: 500

CTO, Ledger


View Profile WWW
December 19, 2014, 07:42:19 AM
 #3480

Thanks for the reminder, but I suppose that you have already discussed that problem over there.

That's kind of easy to check by yourself, isn't it ? This is the Trezor thread, it'd be great if you could keep it Trezor related, otherwise 2015 is going to be fun when you'll feel the need to compare Trezor to Bitcoincard, Bitstash, Case, Coolbitx, our next devices and the few others similar things that'll be out next year and other people feel the need to do the same in each manufacturer thread.

Please feel free to open a hardware wallet comparison thread instead. End of derailing for me, sorry for the inconvenience.

Pages: « 1 ... 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 [174] 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 ... 265 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!