easy offline transactions - 1 BTC bounty

[xDan]

Hello, I'd like to propose a project idea for the simplest possible way to perform offline transactions from a single cold storage WIF private key (such as is gotten from bitaddress.org). The idea is to securely redeem a small part of some larger BTC balance, while leaving the majority where it is in cold storage.

I'll put a bounty of 1 BTC, valid for the rest of April. If you think this is a good idea, please chip in too.

I'm not really sure the exact work involved, but since there are open source projects already that do large parts of this, it hopefully wouldn't be too much. e.g.:

- brainwallet.org ( https://github.com/brainwallet/brainwallet.github.com )
- offlineTransaction.html ( https://bitcointalk.org/index.php?topic=50797.0 )

What I envisiage is the follows: Two HTML/Javascript pages, one for creating the transaction online in an insecure environment, and one for signing the transaction offline in a highly secure environment.


** Part 1. The online, insecure, part. ("createtransaction.html")

On this page are fields for the source cold storage bitcoin address, the destination payment address, amount to be sent, and transaction fee. After filling in these fields you select "Create transaction" and some resulting transaction data appears as text that can be copied and pasted. As part of this process a cross domain query is required (see brainwallet.org code for reference) to get whatever outputs data is necessary from blockexplorer.com. This should happen automatically and transparently to the user when they click "create transaction".


** Part 2. The offline, secure part. ("signtransaction.html")

On this page, you paste the generated transaction data from part 1 into a text box. After doing this, the source and destination bitcoin addresses and the BTC amount and transaction fee are shown to the user for verification (in case anything malicious happened at part 1). It should be assumed that part (1) is malicious, so the verification details shown to the user must be based on calculating what will actually occur from the given transaction data. The user can then enter their cold storage private key into a text field and click "Sign transaction" and the signed raw transaction data is created, suitable for then transferring to an online system and submitting via https://blockchain.info/pushtx


Other notes:

- change should be returned to the original cold storage address.
- the emphasis here is to create something foolproof and extremely simple - hence not even requiring the user to copy/paste data from blockexplorer.
- no fancy CSS necessary.

[1715011847]

1715011847

[1715011847]

1715011847

[jackjack]

There are already some ways to do this, I know that pywallet does and I assume Armory too

[xDan]

There are already some ways to do this, I know that pywallet does and I assume Armory too

Yeah. And they are all - to quote a certain Onion news video - ass backwards as f*ck.

(No offense, I'm joking just a little there. But there is nothing that hits my measure of being easy to use.)

Just as an example: I stumbled across some reddit article the other day about some guy who lost a ton of BTC by trying to redeem his private key in some Linux live CD with some client that sent change to a new address that was lost when he shut down the machine (he didn't know about change addresses and assumed all BTC would remain on his original private key).

People have lost big money because of how tricky this is! And they will continue to do so.

Something like the solution described here, if widely popularised, would have saved that guys neck.

I want a solution that:

- doesn't rely on the block chain being stored locally, even on the online machine (Armory out)
- doesn't rely on anything other than bare private keys (no wallet generation seeds or anything specific to one client. It should be able to redeem BTC from bitaddress.org printed private keys, a lot of people use that service)
- doesn't rely on any command line stuff
- uses tech that runs on any computer
- guides you through every step along the way in a logical manner (creating a transaction then signing it offline is logical to a noob. Grubbing around to find blockchain data to copy paste across is not logical to a noob.)

offlineTransaction.html comes very close, however still is a bit over complicated (relying on copy pasting blockchain output, which is very confusing unless you understand bitcoin and "inputs" and "outputs" deeply, as I still don't really). And also it relies on typing out the source/destination btc addresses on the offline machine; I think it's far more user friendly for this to be done on the online machine and then simply verified on the offline machine.) Aaaand it was giving me Javascript errors the last time I tried it.

I found this a great chore even being fairly technically literate, I can only imagine what someone less literate would feel.

Of course if there exists something precisely as I described do tell.

[jackjack]

Yeah I missed the noob-friendly part
Anyway, the next release of pywallet (which should comply with your 5 needs, if not, tell me) is planned on this week-end and will have transactions management. That would not be tough to make what you ask possible
I don't know if other software already does it though

[xDan]

> Anyway, the next release of pywallet (which should comply with your 5 needs, if not, tell me) is planned on this week-end and will have transactions management

That's really great if you are doing that.

(Though, for this particular bounty, I would like something precisely as I described using HTML/Javascript.)

[jackjack]

 I'll try to see what I can do with JavaScript but I'm already working on 3 projects so I'm not sure I'll find some time

[w1R903]

> Anyway, the next release of pywallet (which should comply with your 5 needs, if not, tell me) is planned on this week-end and will have transactions management

That's really great if you are doing that.

(Though, for this particular bounty, I would like something precisely as I described using HTML/Javascript.)

Out of curiosity, I started playing around with this to see how it would be done, and I've ended up finishing most of Part 1.  I'll see if I can finish up Part 1 and do Part 2 this weekend and release them both on Monday.  It's a good idea.

[btcven]

Electrum -> https://github.com/spesmilo/electrum/blob/master/docs/offline_wallets

Here is how to sign a transaction with an offline Electrum wallet.

1. With your online (seedless) wallet, create the transaction using mktx:

Code:

./electrum mktx 1Cpf9zb5Rm5Z5qmmGezn6ERxFWvwuZ6UCx 0.1
{
    "complete": false, 
    "hex": "010000000296f054a6eccd3051444aec20e9c5c9b58739e70c7d958e4eb03587acf99d02e70000000000ffffffffdf350752fe6e27534633bb59327d9feb347756fe8d6e5b0b56312aca57df0eb30000000000ffffffff02f4345c35000000001976a914aaf437e25805f288141bfcdc27887ee5492bd13188ac80969800000000001976a91481acc8b7f9ec7cbf45a02dd8b758c6ac6a1481ca88ac00000000", 
    "input_info": "[{'scriptPubKey':'76a91411bbdc6e3a27c44644d83f783ca7df3bdc2778e688ac','electrumKeyID':(15,False),'vout':0,'txid':u'e7029df9ac8735b04e8e957d0ce73987b5c9c5e920ec4a445130cdeca654f096'},{'scriptPubKey':'76a914aaf437e25805f288141bfcdc27887ee5492bd13188ac','electrumKeyID':(112,True),'vout':0,'txid':u'b30edf57ca2a31560b5b6e8dfe567734eb9f7d3259bb334653276efe520735df'}]"
}

Note that returned json contains the unsigned tx in "hex". The field
"complete" is false because the transaction is not signed, and
"input_info" contains parameters that need to be passed to the offline
wallet so that it knows which private keys to generate.

2. Sign the transaction with your offline wallet: pass "hex" and "input_info" to 'signrawtransaction':

Code:

./electrum signrawtransaction 010000000296f054a6eccd3051444aec20e9c5c9b58739e70c7d958e4eb03587acf99d02e70000000000ffffffffdf350752fe6e27534633bb59327d9feb347756fe8d6e5b0b56312aca57df0eb30000000000ffffffff0280969800000000001976a91481acc8b7f9ec7cbf45a02dd8b758c6ac6a1481ca88acf4345c35000000001976a914aaf437e25805f288141bfcdc27887ee5492bd13188ac00000000 "[{'scriptPubKey':'76a91411bbdc6e3a27c44644d83f783ca7df3bdc2778e688ac','electrumKeyID':(15,False),'vout':0,'txid':u'e7029df9ac8735b04e8e957d0ce73987b5c9c5e920ec4a445130cdeca654f096'},{'scriptPubKey':'76a914aaf437e25805f288141bfcdc27887ee5492bd13188ac','electrumKeyID':(112,True),'vout':0,'txid':u'b30edf57ca2a31560b5b6e8dfe567734eb9f7d3259bb334653276efe520735df'}]" 
Password:
{
    "complete": true, 
    "hex": "010000000296f054a6eccd3051444aec20e9c5c9b58739e70c7d958e4eb03587acf99d02e7000000008b483045022100893c91ffcf3886aeb9dd6b11e5063b501546924d888826c3a92e5c7f3cf5e43602207667a4bd014d7eda2d48a651f18540937f4aeaae629e2a8851826bcfdf0967cb01410483aab8cc5fb1497bf438fef22556d1d3ccda8e96c36d39c616ae56979f939057f1eee07212e7d02080d62e366a1d7eaaa25d0740d8f8f61c01b3405577204ad3ffffffffdf350752fe6e27534633bb59327d9feb347756fe8d6e5b0b56312aca57df0eb3000000008c493046022100d6086e63e3f0beac314cb71f29c52159ad2e6dccfb257b2378eeff1cbb0c2038022100eb1808698c2275565418731e16a6377c69c57209aba46c5fb65dc4240f1c06ba014104315efb3001e2452f7848c43329234f11e54a4e59df7bcadd8b32f4dd9c3ca384dac96820f39860011243586e30fe79be920378d3709ec71b504e59bb450f5066ffffffff0280969800000000001976a91481acc8b7f9ec7cbf45a02dd8b758c6ac6a1481ca88acf4345c35000000001976a914aaf437e25805f288141bfcdc27887ee5492bd13188ac00000000"
}

The command returns a fully signed transaction, as indicated by the "complete" field.
This transaction can be sent to the network with 'sendrawtransaction'

[xDan]

Out of curiosity, I started playing around with this to see how it would be done, and I've ended up finishing most of Part 1.  I'll see if I can finish up Part 1 and do Part 2 this weekend and release them both on Monday.  It's a good idea.

Great! I look forward to it

btcven, the idea here is for something far simpler and more newbie friendly than that.

[btcven]

Out of curiosity, I started playing around with this to see how it would be done, and I've ended up finishing most of Part 1.  I'll see if I can finish up Part 1 and do Part 2 this weekend and release them both on Monday.  It's a good idea.

Great! I look forward to it

btcven, the idea here is for something far simpler and more newbie friendly than that.

Easy peasy ->

Make a normal transaction in a online insecure seedless wallet.
Grab the tx file and use the buttons shown in the image above ^ to sign the tx in the offline wallet.
Done!



edit: sorry for the screenshot in Spanish, but I'm not gonna upload the image again, I'm using my 3G plan

[BkkCoins]

I would tackle this slightly differently.

The main html page should have a place to paste in addresses and these immediately are updated with current balances (outputs summed). ie. it acts like a wallet page. The user can select any of these (or none if they don't care to select inputs) and then enters in an amount, fee and destination address. The last thing is a "Create" button.

This button doesn't create a block of info - it creates a new web page that contains the JS signing code, transaction summary (tech details exposed by click maybe for those interested), an area to paste in keys (either normal or deterministic seed are possible) and instructions/choices. And a "Send" button. Maybe it has a list of input addresses that get checked off as you paste each key.

Those who want to complete online can paste their keys and click "Send". Those who want to complete offline can use File,Save As to save it to a usb stick or hard disk. They would then reboot on LiveCD, or xfer usb stick to secure computer.

They open the "Send" page and paste in their keys, and click "Send". Again this creates a new web page with the final signed transaction embedded and JS code for sending. They either go online and click "Send" or File, Save As to a usb again for transport back to online computer. They open and click "Send".

This approach is easier for users than copy/pasting raw data since they're going to have to paste into a file for saving anyway in order to get it to the offline system.

I could code this but I'm not sure 1 btc is enough to do it. Maybe if I put advertising into the page and hosted it I could recoup the development effort. Anyway, I put this out there to see if people like the methodology. I think it's more friendly for non-techies as each step is explained right on the pages as you go.

I even happen to own a domain that could work for this: paperwallet.info

[CIYAM]

Although far from easy to use http://ciyam.org/rawtx_helper.html may be of some help to those who are putting this together (welcome to any of the .js if it useful).

[xDan]

BkkCoins,

creating a new web page implies you must trust the online machine, no? Otherwise it could inject something malicious? e.g. send the btc to an attacker's address.

(I know that scenario is unlikely, but I'd still like to see something both user friendly and highly secure. The people who need this - people who are using offline wallets created on air gapped machines - obviously are very paranoid about security.)

with my method, the offline page would verify the transaction data. (We assume here the offline page can then be tested well by the community, perhaps even analysed and signed by some experienced and trusted member, and so trusted to correctly verify transactions.)

I guess the create a new web page approach can be trusted, but still you have to continue trusting it not to be corrupted at a later date (every time you create a transaction you may have some fear that it will have been compromised and behave differently this time). Whereas with the entirely offline approach you only have to apply trust once.

(I agree your approach might be more user friendly though)

...

hmm, now I'm wondering if some bug/flaw could be found in the offline web browser, triggered by something injected into the transaction data... I wonder if there exists a truly 100% perfectly secure approach? If only the block chain data wasn't required. (You see how paranoid I am )

...

There is also already an excellent and fairly easy to use page for anyone who is happy to do this online: http://brainwallet.org/#tx

[BkkCoins]

creating a new web page implies you must trust the online machine, no? Otherwise it could inject something malicious? e.g. send the btc to an attacker's address.

My intention was that the html would be fully self-contained and downloadable to your local machine. So you could verify it with sha like bitaddress.org. It would still need info while online to build the transaction. Since the web page is verified the page it creates for moving offline should be trustworthy to the same level as one that you already have offline that you would paste data into.

I'm not sure you give anything up because copy/pasting data has it's vulnerabilities too. I can imagine an infection that monitors clipboard data and when it sees transaction info it alters the destination address to it's own before the paste operation.

I suppose it could create a new page with just data which you then Save As to your offline disk. Even then the user has to be knowledgeable enough to visually inspect the data for changes since an infected system could alter data through almost any method.

A thought I had about doing it this way is that it allows using a LiveCD where absolutely nothing has been changed on the offline system. Otherwise you either need to build the offline image containing the special signing page, or copy it on after booting.

[xDan]

> Since the web page is verified the page it creates for moving offline should be trustworthy to the same level as one that you already have offline that you would paste data into.

You would have to re-verify it each time you use it though, if you think your online machine might be compromised in the future... if you keep it saved locally there is a running possibility of being compromised at a later date. I can imagine with the other approach this verification only needs doing once, so you only need care about being compromised the time at which you download + copy the "signtransaction.html" across to the offline machine. So the window of attack is smaller. (But still sadly present of course.)

>  I can imagine an infection that monitors clipboard data and when it sees transaction info it alters the destination address to it's own before the paste operation.

Well, you must visually confirm the destination address and other details on the offline system (as displayed by the "signtransaction.html"). This is an important part.

I assume after signing the transaction offline it is tied permanently to a particular amount and destination address and cannot be modified. (I hope that's correct, I'm no expert)

> A thought I had about doing it this way is that it allows using a LiveCD where absolutely nothing has been changed on the offline system. Otherwise you either need to build the offline image containing the special signing page, or copy it on after booting.

That is a very good point. Personally, I have a full (clean) linux system I use with hard drive, which I will use for signing.

[crazy_rabbit]

I will add .3BTC to this bounty (valid till the end of april) myself. This is crazy hard to do currently and frustrating to no end. Indeed, not spending BTC is simply the safest way to handle btc.

EDIT: Should have a look at Slush's TREZOR project. It's a hardware bitcoin wallet that might be useful for something like this.

[BitDreams]

What you do is heroic. Load it up with plenty of 'idiot lights' as displayed across my automobile dashboard. Road signs too: 'this computer is not offline!' 'you are about to access the big piggy!' Allow users to import 'skins' for all languages including all sorts of useful tips. 'usb detected' 'bluetooth request' detected... etc. So much work needs to be done, thanks for all you do.

[w1R903]

hmm, now I'm wondering if some bug/flaw could be found in the offline web browser, triggered by something injected into the transaction data... I wonder if there exists a truly 100% perfectly secure approach? If only the block chain data wasn't required. (You see how paranoid I am )

I'm using JSON as the format of the paste generated by the online page.  As such, the JSON.parse() function provides significant protection against what you are describing.  JSON.parse() was created specifically as a way to prevent execution of arbitrary code embedded in JSON and is available on all modern browsers.  Plus, as you specified, I have a confirmation modal popup on the offline app displaying the values as they will be inserted into the raw tx.

Nonetheless, after creating an initial working prototype, I'm feeling more and more that the appropriate place to enter the destination address and transaction amount may be in the offline component.  Is convenience the main reason you want to enter the address and amount in the online component?

I've gone ahead and pushed my initial version as a way to kind of pre-claim the bounty, but I'm not finished yet.  In fact, please don't use the app yet for any transactions, even though I've already used it to send btc on the blockchain [1].  It's not been fully tested.

I plan on doing a lot of work on the UI tomorrow, doing some testing, and also producing a GPG-signed release of the MD5 hashes.  In fact, I may throw significant energy into this project, including hosting the online portion with SSL, hosting my own full Bitcoin node for querying the blockchain and broadcasting tx's, instead of farming it out to blockchain.info (which as done now requires a third-party intermediary since it's a cross-domain request), and perhaps some other fun stuff, all while keeping it extremely simple to use.  I'll probably put up some tasteful ads on the hosted online app to try to recoup the development and hosting costs, but the all the code needed to conduct these transactions will be open source so no one will have to use my hosted version if they don't want to.

I'm open sourcing the code under MIT, and will continue to open source the offline secure signing app and online component as described in xDan's spec above.  If I do code up some of the stuff I mention above, I may keep some of the server-side code closed.  We'll see.  But all the security-critical code will be open-source.

I've used significant code from both Brainwallet and BitcoinJS, which are Public Domain and MIT-licensed respectively.  So a big thanks to those guys, it's incredibly cool that all this stuff is being done with JS.  I've also used AngularJS and a few other standard liberally-licensed JS libraries.

Anyway, once xDan and crazy_rabbit are satisfied, the bounty can go to: 1KpN5iePG1czLnBvJLzSQWXz9cerBWuBo2  As a said, it's not ready yet, I still need to pretty-up the UI and build these apps into single-page HTML files, and issue GPG-signed hashes of the code.

GitHub repo: https://github.com/esbullington/bitcoin-secured
Transaction on blockchain created using this app: https://blockchain.info/tx/6549d360e1493865bebe5b90649de8f0d068e109655a2b618fa6d1f7648d8892  As you can see, the change goes back to the sending address, as requested.  Do note that you give up some anonymity in exchange for this convenience, since all your transactions will be tied to a single address.

One final note: if you're interested in offline transactions and don't mind maintaining a full node with bitcoind or bitcoin-qt, I'd strongly recommend taking a look at Bitcoin Armory.  Etotheipi has done a really great job.  That said, I think there's room for a real lightweight implementation of this that doesn't require the blockchain, thus my interest in xDan's proposal.

[w1R903]

What you do is heroic. Load it up with plenty of 'idiot lights' as displayed across my automobile dashboard. Road signs too: 'this computer is not offline!' 'you are about to access the big piggy!' Allow users to import 'skins' for all languages including all sorts of useful tips. 'usb detected' 'bluetooth request' detected... etc. So much work needs to be done, thanks for all you do.

Thanks for the tips.  Those types of UI additions are exactly what I'll be working on tomorrow.  However, this being a web-based project, there are limits to what kind of I/O monitoring I'll be able to do.  In any case, if you're dealing with large sums of btc, I'd really recommend disabling bluetooth and wifi altogether on your offline computer you use for signing, and keeping them off.  I physically removed the wifi receiver from my laptop that I turned into an offline transaction signer.

[CIYAM]

I physically removed the wifi receiver from my laptop that I turned into an offline transaction signer.

As well as removing the wifi card I plugged both the LAN and modem sockets on an old notebook with "sawn off" mangled plugs.