Bitcoin Forum
September 14, 2024, 07:40:28 AM *
News: Latest Bitcoin Core release: 27.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Bitcoin Hardware Wallet [Last Updated: August 31st, 2013]  (Read 10367 times)
fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
February 14, 2013, 10:48:23 AM
Last edit: August 31, 2013, 09:44:09 AM by fpgaminer
 #1

Bitcoin Hardware Wallet
Codename: Bitcoin Titan
by: FPGAMiner


Protects Your Bitcoins From Hackers and Thieves

This thread documents the progress on my Hardware Wallet project, code-named the Bitcoin Titan.  The Bitcoin Titan is a USB accessory which connects to a desktop/phone/tablet and safely stores a user's private keys (optionally encrypted).  Even when a hacker compromises your computer, or steals your Titan, the Bitcoins it secures will remain safe.

I have been working on this project off-and-on since May 2012.  As of May 2013, the firmware and software has entered the alpha testing stage; fully functional, but requiring further polish and testing.  The hardware design is undergoing its first revision.




June 25th, 2013: First Board Spin Working


The first board spin for this project has been assembled and tested, and is working beautifully.  Previously I was prototyping the Bitcoin Titan using existing development kits and other components.  This moves it to a custom PCB; no more wires sprawling everywhere!


The board itself



With the screen attached and running



In case you're wondering, those pins poking out the top and bottom are only for development and aren't normally attached.

The above picture also shows off part of the UI redesign.  Once the UI redesign is finished I'll release another demo video.



May 16th, 2013: Video Demonstration of Alpha Software


Today I am releasing a demonstration video of the Bitcoin Titan, now that the software/firmware is in alpha testing.  I demonstrate how to set up the Titan for the first time, receiving bitcoins, and securely send bitcoins.  Click below to watch!

Click to Watch the Video Demonstration







Original Post:

Submitted for your entertainment, one of my old projects back in May '12:

http://www.youtube.com/watch?v=bhWVv7_ecMY

The project is long since dead, since I got too busy to finish it.  Luckily it looks like slush and stick announced a similar project a few months ago (Trezor), so at least the community can finally move past storing private keys on their PCs.

For the curious folks out there, this was built on an STM32F4 Discovery Kit.



EDIT: Project ever so slightly revived:

whitenight639
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
February 15, 2013, 08:07:27 AM
 #2

Why did you not finish this it looks like you got so close to finishing it.


Were the electronics custom, because it looks kinda like an arduino?


I take it the device is useless without a PC, its not like you can take it you a friend and pay him, (if he had one too)?

125uWc197UW5kM659m4uwEakxoNHzMKzwz
someone42
Member
**
Offline Offline

Activity: 78
Merit: 11

Chris Chua


View Profile
February 16, 2013, 12:58:19 AM
 #3

Submitted for your entertainment, one of my old projects back in May '12:

http://www.youtube.com/watch?v=bhWVv7_ecMY

The project is long since dead, since I got too busy to finish it.  Luckily it looks slush and stick announced a similar project a few months ago (Trezor), so at least the community can finally move past storing private keys on their PCs.

For the curious folks out there, this was built on an STM32F4 Discovery Kit.
Is there any chance you could open-source some of your contributions? For example, it looks like you did some significant work interfacing bitcoind with your wallet; as far as I know, no-one else has done that.

I understand that there may be licensing issues with some of the microcontroller code/libraries, but I think there's value in seeing your approach.
fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
February 16, 2013, 11:04:19 AM
 #4

Quote
Were the electronics custom, because it looks kinda like an arduino?
Nope, it's just an STM32F4DISCOVERY plus an LCD module I wired up.  Anyone could built it up with the code and some soldering (or run it without an LCD; less secure though).

Quote
I take it the device is useless without a PC, its not like you can take it you a friend and pay him, (if he had one too)?
That functionality is possible, but wasn't planned for the first revision.  I more envisioned stores accepting it like a credit card; you go to the local dinner, eat their delicious food, and then plug your Physical Bitcoin Wallet into their cash register to pay.  100% secure, 100% easy.

Friend-to-friend would probably be easier handled by interfacing the PBW with your friend's phone over bluetooth or something (if bluetooth were added).  That way your friend can immediately broadcast the transaction that your PBW signed to the Bitcoin network, and not have to worry about you double spending your coins.

Quote
Is there any chance you could open-source some of your contributions? For example, it looks like you did some significant work interfacing bitcoind with your wallet; as far as I know, no-one else has done that.
If I get the chance, sure.  About the bitcoind interface:  I forked bitcoind off github, and made a set of patches that removed all private key functionality (as well as a few other features that bogged down the code).  Then I added a patch to the transaction signing code that calls out to a separate piece of code that talks to the PBW.  The modifications to the transaction signing code work, but aren't fully tested and aren't thread-safe so they aren't ready for production.

Quote
I understand that there may be licensing issues with some of the microcontroller code/libraries, but I think there's value in seeing your approach.
If I recall correctly, I did not use any, or very little of STM's libraries.  The MCU side of the project was split into three pieces: a hand-written crypto library (code named strong-arm), a USB library, and all the rest of the MCU code.  The crypto library is ARM optimized, and implements all of the crypto algorithms (ECDSA, SHA-256, CSRNG, Entropy Source, etc).  I wrote it by hand to ensure that it was performant, didn't use a heap, and didn't have any security bugs (unit tests, too!).  Ensuring that remote-code exploits aren't possible is paramount.

I'll see if any of the code is in a state where it can be slapped on github.  It's forked off a now older version of bitcoind, so I don't know how easy it would be to bring it back up.

whitenight639
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
February 16, 2013, 11:26:48 AM
 #5

Were the electronics custom, because it looks kinda like an arduino?
Nope, it's just an STM32F4DISCOVERY plus an LCD module I wired up.  Anyone could built it up with the code and some soldering (or run it without an LCD; less secure though).

I understand that there may be licensing issues with some of the microcontroller code/libraries, but I think there's value in seeing your approach.[/quote]
If I recall correctly, I did not use any, or very little of STM's libraries.  The MCU side of the project was split into three pieces: a hand-written crypto library (code named strong-arm), a USB library, and all the rest of the MCU code.  The crypto library is ARM optimized, and implements all of the crypto algorithms (ECDSA, SHA-256, CSRNG, Entropy Source, etc).  I wrote it by hand to ensure that it was performant, didn't use a heap, and didn't have any security bugs (unit tests, too!).  Ensuring that remote-code exploits aren't possible is paramount.

I'll see if any of the code is in a state where it can be slapped on github.  It's forked off a now older version of bitcoind, so I don't know how easy it would be to bring it back up.
[/quote]


This is really good of you it will really help the bitcoin community make that step from virtual world to real world, It would be nice to see this as an Arduino project I know they have ARM processors but do not know if they would be capable of the cryptography, Anyway it's a fair bit above my abilities but cudos for sharing it.

125uWc197UW5kM659m4uwEakxoNHzMKzwz
fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
March 09, 2013, 05:28:21 AM
 #6

Starting this thread got me dreaming about this project again. I scraped together a little free time over the past few weekends to make the progress I had wanted to make almost a year ago now! Last year I ordered a 2.4" color TFT touchscreen to replace the dinky little screen I had before, so I wired that up. The whole thing looks a lot cooler now. Check out that shiny Bitcoin logo!





I also ripped up some of the code to replace the original key generation scheme. It's now using a variation of the Chain Code systems. With that modification, my modified Bitcoin Client can generate keys on its own, without having to ask for permission all the time. Though the system is also flexible enough that I don't have to authorize the Client, and can still force it to ask for public keys. Plus, when not used in deterministic mode, it becomes a two-factor authentication scheme requiring not only the information stored on the device, but also the information stored in the Bitcoin Client to spend any money. A bit overkill I think, but the option is there.

And I also put in the framework for encrypting the data stored on the Physical Wallet (now codenamed the Bitcoin Titan).  That way, even if someone physically steals the device it's still completely useless to them without the password.  I designed in AES-256 with HMAC-SHA256-PBKDF2.  Thanks to the touch screen I'll be able to enter the password on the device itself, negating the possibility of digital interception.

Finally, I moved away from coding everything in IAR studio.  I now have a pretty nice dev environment using GCC, GDB, custom Makefiles, and Eclipse CDT when I want to do some visual debugging. If/when I release the code, that should make it easy for anyone to pick up and dig in.

*sigh* Still a lot to do though.

fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
March 09, 2013, 06:58:52 AM
 #7

For my own clarity of thought, here are descriptions of the cryptographic systems currently in use by the Bitcoin Titan.  Obviously they may change, and some are missing (like all the schemes for firmware upgrades and such).


Deterministic Key Generation
The Titan uses a variation of the up-and-coming Chain Code ECDSA key generation schemes.  Traditional ECDSA generates key pairs by picking a random integer in the relevant finite field (slightly less than 2^256 in the case of secp256k1 ECC) and using that as the private key.  The corresponding Public Key is generated as follows using Elliptic Curve Arithmetic:

Code:
Q_a = d_a * G

Where Q_a is the Public Key, d_a is the Private Key, and G is the Generator for the particular ECC field.  This scheme requires the generation and storage of every private key one wishes to use.  Such a scheme makes backups difficult, requiring the user to create frequent backups to ensure they do not lose any of their private keys as new ones are generated.

In the Titan, a random Base Private Key is generated (using a TRNG) in the usual field, along with a 256-bit Chain Key.  Generation of key pairs occurs like so:

Code:
Q_b = d_b * G
d_n = d_b + AES(k,n)
Q_n = (d_b + AES(k,n)) * G
    = d_b * G + AES(k,n) * G
    = Q_b + AES(k,n) * G

Where d_b is the Base Private Key, Q_b is the Base Public Key, k is the Chain Key, n is a 128-bit Chain Index, d_n is the n'th key pair's private key, and Q_n is the n'th key pair's public key.  The Base Private Key is kept secret and secure on the Titan and never leaves the device unencrypted (it may leave the device in an encrypted backup).  The Base Public Key and Chain Key are shared with any Authorized Clients.  This allows the Authorized Clients to generate up to 2^128 Spendable Public Keys (using the last equation above), allowing Authorized Clients to receive Bitcoins.  However, without access to the Base Private Key, Authorized Clients cannot send Bitcoins and must defer to the secure Titan to do so.

Typically, Authorized Clients will use Chain Indexes starting from 0 and incrementing by 1 for every new Spendable Public Key needed.  This allows the Authorized Clients to re-generate all Spendable Public Keys at a future date using only the data stored on the Titan, and the number of keys to re-generate.  In case of data-loss, a Titan user only needs their Titan device, or a backup of it, to completely recover all their Bitcoins.

The usage of AES in this scheme prevents outside observers who do not have access to the Chain Key from knowing which Public Keys in the blockchain belong to a Titan user.

The only information that needs to be backed up in the typical usage of this scheme is the Base Private Key, and Chain Key.  Everything else can be re-created on demand.  Both of those pieces of data are generated exactly once on the Titan, and so need only be backed up once.  This means that a Titan user does not need to keep making constant backups of their wallet(s).

This scheme, in its typical application, also allows Authorized Clients to generate their own keys on demand without access to the Titan.  This differs from traditional ECDSA key generation in that access to the private key store must be granted every time a new Public Key is needed.

The risk factor with this scheme of key generation is that a malicious party who gains access to the user's Authorized Client compromises that user's privacy/anonymity.  However, this is the case even for traditional key generation.  The benefit of using a secure Titan still applies, preventing the malicious party from spending any of the user's Bitcoins.

Atypical usage allows for this system to be used in numerous other creative ways for enhanced security.  For example, if the user encrypts their Authorized Client, they can help prevent compromise of their privacy/anonymity.  Or, for the ultra paranoid, the Chain Indexes can be generated randomly, instead of deterministicly.  This is equivalent to two-factor authentication, requiring that the user have access to both their Authorized Client and their Titan to spend any money.  The random Chain Indexes may be encrypted as well.  The downside of this atypical usage is that constant backups are again required.  Or, the user may choose to never authorize their Client, and instead depend on the Titan to always generate Spendable Public Keys.  Or any mixture of these methods, along with CSPRNG generation of Chain Indexes, combined with external multi-factor authentication schemes.  Or ... etc.

NOTE: This usage of AES is based on Counter Block Mode ciphering, and as such behaves like a CSPRNG.  This differs from other Chain Code schemes that use a simple hash or other not CS scheme.  It should not make a difference, though; all that truly matters is that an attacker cannot predict the scalars used.  Also note that an IV is not required, since we aren't technically ever reusing the ciphertext.


Transaction Signing
Transaction signing can be one of the biggest weaknesses of systems like the Bitcoin Titan.  It is important to remember that while the Titan itself, and the information stored on it, is secure, the Client talking to the Titan should not be considered secure.  For example, a naive implementation would have the Titan merely receive an arbitrary transaction and sign it.  However, this allows an attacker to intercept the transaction before it reaches the Titan, modify the destination address (or any number of other modifications), and then hand it off to the Titan to be signed.

To prevent these kinds of attacks, it is necessary to display all of the necessary information about a transaction to the user.  To this end, the Titan has strict requirements on the types of transactions that it will sign.  This is to be extended in the future to support more complex and diverse types of transactions, but for the time being only one kind of transaction is supported.  Many input, single output with or without change output.

By restricting the transaction to only a single destination, and possibly a change destination, the Titan can easily display all of the relavant information about the transaction to the user.  The Titan needs only to display the amount of money being sent to the destination, and the address of the destination.  No other information can be manipulated by an attacker in such a way that the user would lose money.

Each input of the transaction is given to the Titan along with the relevant scriptPubKey (from the referenced Outpoint), and Chain Index.  The change output, if it exists, is not given to the Titan as a scriptPubKey, but is instead given as a Chain Index.  This prevents an attacker from specifying their own address as the change address.  By specifying a Chain Index, the Titan can be sure that the change address belongs to the user.

N.B.  Although the key generation scheme used by the Titan, described above, allows for Chain Indexes up to 2^128-1, this presents a risk factor to the user.  An attacker could specify a change Chain Index as some random 128-bit number.  Though the resulting change address would technically belong to the user, it would be impossible for the user to find the corresponding 128-bit chain index.  To prevent this type of attack, the Titan will typically restrict Chain Indexes to 32-bits.  2^32 chain indexes could easily be brute forced if need-be by the user.

The Titan returns a fully signed transaction, which any Bitcoin Client can broadcast to the network.


Backups
Since the data on the Titan may be encrypted, backups (which only need to occur once) can be made directly from the Titan's datastores.


Titan Encryption
The Titan must store on its internal flash the Base Private Key, and Chain Key.  Both are encrypted using either keys derived from the user's passphrase, or using default keys.  Encryption is performed using AES-256, and authenticated with HMAC-SHA256 (Encrypt-then-MAC).  The encryption and authentication keys are derived using PBKDF2-HMAC-SHA256.  It is important to note that generation of the derived keys is performed by first deriving a Master Key using a high iteration count PBKDF2.  The derived keys are then generated from the Master Key.  Creating the derived keys directly from the the user's passphrase reduces the effort required by attackers to crack the keys, and increases the effort required by the Titan to generate the keys.

Cracking the AES encrypted Base Private Key and Chain Key is estimated to be more difficult than usual, since the data being encrypted is completely random.  The only way to verify that an attempt is correct is for the attacker to also have a sample Spendable Public Key generated from that data.  Even then, the attacker must incorporate ECDSA calculations into his brute-forcing attempts, increasing the computational complexity and requiring specialized (and thus not likely optimized) software/hardware.  Attacking the HMAC is more straightforward, and is likely to be the primary target of brute forcing attacks.  Paranoid users who store backups of their encrypted Titan data may choose to discard the HMAC, making brute force attempts more difficult.

A user may choose to encrypt their backups with a second layer of encryption of their choosing, using a different key.

NOTE: The Titan stores TRNG generated salts for the relevant CS functions.


Emulation
If a user finds themselves in a position where all they have is a backup of their Titan, but no Titan to restore the backup to, it is possible to emulate all the behavior of the Titan in software.  Though this is obviously insecure, it could be performed on a cold, air-gaped machine in case of emergency.


Additional Risk Factors
The Titan system is designed to secure the spending of Bitcoins.  It is not designed to aggressively secure the receiving of Bitcoins.  What I mean is that an attacker can install malware on a user's computer that can do any one of a number of things to trick the user into giving out the attacker's receiving addresses instead of the user's own receiving addresses. (Fill the wallet with the attacker's public keys, manipulate the clipboard when copying addresses, etc).  The Titan allows the user to verify and confirm the sending of any Bitcoins, but it doesn't stop these types of receiving attacks.

In the future, the Titan could be enhanced to help fend off these types of attacks.  It could generate and/or display receiving addresses itself, preventing interference by a malicious party, for example.

fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
May 16, 2013, 09:52:52 AM
 #8

Update coming soon; who's ready for a new demonstration video of the latest software?

fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
May 17, 2013, 05:55:43 AM
 #9

May 16th, 2013: Video Demonstration of Alpha Software


Today I am releasing a demonstration video of the Bitcoin Titan, now that the software/firmware is in alpha testing.  I demonstrate how to set up the Titan for the first time, receiving bitcoins, and securely send bitcoins.  Click below to watch!

Click to Watch the Video Demonstration


zapeta
Full Member
***
Offline Offline

Activity: 180
Merit: 100


View Profile
May 17, 2013, 03:47:21 PM
 #10

This is awesome.  I didn't even know that this project was out there until I saw the video today.  It could be a real competitor for the Trezor if you started producing them.
icellan
Newbie
*
Offline Offline

Activity: 18
Merit: 0


View Profile
May 18, 2013, 07:20:24 AM
 #11

Awesome! This looks really great.

What are the estimated production costs? Isn't it going to be expensive with such a nice display?
Operatr
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000


www.DonateMedia.org


View Profile WWW
May 18, 2013, 11:01:25 AM
 #12

 Shocked Would totally buy one of these

dnaleor
Legendary
*
Offline Offline

Activity: 1470
Merit: 1000


Want privacy? Use Monero!


View Profile
May 20, 2013, 11:47:21 PM
 #13

saw your vid today, it seems a really nice wallet.

No frustration with another laptop or linux life CD or something like that. Just an easy hardware wallet !! Smiley

Really nice work. You should produce this , I think that it is very user friendly if

*there is a good application for it which communicates with the titan (seems you already have that done)
*there is an easy way of making backups from the hardware-wallet (You've said it's possible but don't really understand it)

I don't have much bitcoins, so I take the risk of storing them "cold" on an USB atm (not using armoury or elektrum).
But a friend of mine is looking for an offline wallet, but he REALLY knows nothing about encryption, linux, etc.

So this would be perfect for him (and he has a lot of BTC)

Do you have an idea of how much it would cost to produce? How much does the hardware cost? He really don't cares about money, so he would probably buy one. And if it's not too expensive, i will buy one too. (I'm planning on investing/using bitcoin more when more websites/local stores would accept it)
fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
May 23, 2013, 05:20:18 AM
 #14

Quote
saw your vid today, it seems a really nice wallet.
Thank you for your feedback!

Quote
*there is a good application for it which communicates with the titan (seems you already have that done)
The application I'm using in the demo is a modified Bitcoin-QT client; so it's the "stock" Bitcoin software modified to talk to the Titan.

Quote
*there is an easy way of making backups from the hardware-wallet (You've said it's possible but don't really understand it)
Right now, it's as simple as running a Python script.  The Titan will then ask for a Backup Password.  Once done, the encrypted backup will be saved on your computer as a small file.
Restoring is similar; another Python script.  Specify the backup file, enter Backup Password on the Titan, and it will be restored.

I plan to integrate the backup process into my modified Bitcoin-QT, to make it more user friendly than a Python script.

Also, the wallet is deterministic.  That means a user doesn't need to constantly update their backup.  So typically a user would create the backup when they first use the Titan, keep the backup in a safe place, and then rest assured they are safe from any failures or theft.

FlappySocks
Hero Member
*****
Offline Offline

Activity: 546
Merit: 500



View Profile
June 01, 2013, 01:06:43 AM
 #15

Cant wait to get my hands on one of these.

Adding NFC would be a nice touch. Hold the Titan to the back of a smartphone to make payments.
Having had bitcoins stolen from my Android, I'm waiting for something like this.
fpgaminer (OP)
Hero Member
*****
Offline Offline

Activity: 560
Merit: 517



View Profile WWW
June 25, 2013, 08:21:50 AM
 #16

June 25th, 2013: First Board Spin Working


The first board spin for this project has been assembled and tested, and is working beautifully.  Previously I was prototyping the Bitcoin Titan using existing development kits and other components.  This moves it to a custom PCB; no more wires sprawling everywhere!


The board itself



With the screen attached and running



In case you're wondering, those pins poking out the top and bottom are only for development and aren't normally attached.

The above picture also shows off part of the UI redesign.  Once the UI redesign is finished I'll release another demo video.

solex
Legendary
*
Offline Offline

Activity: 1078
Merit: 1006


100 satoshis -> ISO code


View Profile
June 25, 2013, 08:37:48 AM
 #17

Excellent project. An important development needed to take Bitcoin mainstream.

maz
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
June 25, 2013, 08:39:35 AM
 #18

Nice work, keep it up!
FlappySocks
Hero Member
*****
Offline Offline

Activity: 546
Merit: 500



View Profile
June 25, 2013, 10:58:39 AM
 #19

Drooool.  Grin
fizzisist
Hero Member
*****
Offline Offline

Activity: 720
Merit: 525



View Profile WWW
July 08, 2013, 01:26:56 PM
 #20

Sexy.

Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!