Bitcoin Forum
October 17, 2018, 11:09:14 AM *
News: Make sure you are not using versions of Bitcoin Core other than 0.17.0 [Torrent], 0.16.3, 0.15.2, or 0.14.3. More info.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Request for comments: Developing guide for very high-security bitcoin storage  (Read 2326 times)
Cubic Earth
Legendary
*
Offline Offline

Activity: 1106
Merit: 1018



View Profile
December 10, 2016, 07:58:55 PM
 #21

The guide seems reasonable, and nice to see some work being put into this.

Here is my method for secure cold storage:

4) I modify the private key by hand! I make about 7 changes, including deletions, additions, and substitutions. I also add a short word to make visual confirmation easy. I just make sure the key ends up being the same length as it started out.

i especially like the part i bolded. word could be a hint as to what that key/addy is for, contains, whatever.

more work but more potential usefulness.

Also a potential side channel, its probably not much, but a key with a word in it is easier to guess than a key thats entirely random. If you dont trust the crappy java prng, just use the one the OS provides.

A short word of 4 - 6 characters does reduce the entropy over a truly random key, but there would still be so much entropy left that it wouldn't make a practical difference. Using the OS's RNG is a good idea, and I would still strongly suggest making some alterations by hand.

                 ▄███▄
                ███████░
               █████████▄
              ████████████
             ███████████▓▓▓░
            ███████████▓▓▓▓▓
          ░███████████▓▓▓▓▓░░░
         ░███████████▓▓▓▓▓░░░░░
        ░███████████▓▓▓▓▓░░░░░░░
       ░███████████▓▓▓▓▓░░░░░░░░░░
      ░███████████▓▓▓▓▓░░░░░░░░░░░░
    ░░███████████▓▓▓▓▓░░░░░░░░░░░░░░
    ░███████████▓▓▓▓▓░░░░░░░░░░░░░░░░
██
██
██
██
██
██
██
.............PayPal  of   Cryptocurrencies ...........
  Blockchain Protocol + 12 Working Modules - Use Crypto as Cash
██
██
██
██
██
██
██
...........Invest Now...........
     ▄████████████████████████▄
    ███████████████████████████▌
    ████████████████▀▀ ---¬█████
    ███████████████        █████
    ██████████████    ▄▄▄▄▄█████
    ██████████████    ▀█████████
    ██████████▌            █████
    ██████████▌            █████
    ██████████████    ██████████
    ██████████████    ██████████
    ██████████████    ██████████
    ▐█████████████    █████████
      ▀▀▀▀▀▀▀▀▀▀▀▀    ▀▀▀▀▀▀▀
▄▓█████████████████████▓▓▄
▓██████████████████████████▌
███████████████████▓▓▀  ▓██▌
██████████████▓▀▀       ▓██▌
████████▓▀▀      ▄█    ▐███▌
███▓▀        ▄▄▓▀      ▓███▌
███▓▄▄▄   ▄▓█▓         ████▌
████████▓ ▓▌          ▓████▌
█████████▓    ▄       █████▌
██████████▌ ▄▓██▓▄   ▐█████▌
███████████████████▓▓██████▌
▐██████████████████████████
  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
▄███████████████████▄
██████████████████████▌
██████████████████████▌
████████████     █▀███▌
███   █████        ▐██▌
███               ▐███▌
███               ████▌
████             █████▌
█████▄▄         ██████▌
████         ▄████████▌
██████████████████████▌
██████████████████████▌

    ██▄▄             ▄███▄
    ███████▄        ▄████████▄▄
    ██████████     ████████████▌
    ███████████▄ ▄████████████░░
    ████████████████████████░░░░
    ███████████████████████░░░░░
    █████████████████████░░░░░░░
    █████████   ▀▀███████░░░░░░░
    █████████        ▀░░░░░░░░░░
       ▀▀████             ░░░░░░
           ▀▀                 ░░
1539774554
Hero Member
*
Offline Offline

Posts: 1539774554

View Profile Personal Message (Offline)

Ignore
1539774554
Reply with quote  #2

1539774554
Report to moderator
1539774554
Hero Member
*
Offline Offline

Posts: 1539774554

View Profile Personal Message (Offline)

Ignore
1539774554
Reply with quote  #2

1539774554
Report to moderator
1539774554
Hero Member
*
Offline Offline

Posts: 1539774554

View Profile Personal Message (Offline)

Ignore
1539774554
Reply with quote  #2

1539774554
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
bitsec731
Newbie
*
Offline Offline

Activity: 32
Merit: 0


View Profile
December 10, 2016, 10:46:30 PM
 #22

The guide seems reasonable, and nice to see some work being put into this.

Here is my method for secure cold storage:

1) Start with clean, offline computer, with wireless capability disabled

There is no clean pc if the BIOS and CPU firmware is closed source.

The wireless should be detached physically, disabling it in the BIOS is not good enough, a sophisticated malware that is embedded in the CPU can easily send out keys through the wireless port covertly, wtihout the host OS noticing it. It would be totally passive, no way to detect it.


Can't comment on the crypto & key generation part, that is not my area, but it seems flawed to manually mess around with the key.



6) I archive private keys as appropriate, via encrypted thumb drives and paper backups which I cut (with scissors) into fragments and distributed.

7) The addresses I isolate and make available to online machines.


The nice part about this method is, between modifying the private keys by hand, and cross referencing address generation among different pieces of software, the opportunity for malicious software to compromise funds is severely limited.

A thumb drive can easily have a malware in the MBR sector that can just save your secret key there and wait for the PC to connect to the internet and send it out covertly.

There were actual cases of this happening at some corporation, some corporate secrets leaked this way from a secure offline computer, look it up in the news.
Cubic Earth
Legendary
*
Offline Offline

Activity: 1106
Merit: 1018



View Profile
December 11, 2016, 12:39:46 AM
 #23

The guide seems reasonable, and nice to see some work being put into this.

Here is my method for secure cold storage:

1) Start with clean, offline computer, with wireless capability disabled

There is no clean pc if the BIOS and CPU firmware is closed source.

The wireless should be detached physically, disabling it in the BIOS is not good enough, a sophisticated malware that is embedded in the CPU can easily send out keys through the wireless port covertly, wtihout the host OS noticing it. It would be totally passive, no way to detect it.


Can't comment on the crypto & key generation part, that is not my area, but it seems flawed to manually mess around with the key.

Yes, absolutely better to physically remove wireless capabilities.  Older computers are better for this purpose, with Pentium-era laptops being a more than sufficient. As far as open BIOS and CPU... you have to ask yourself on an isolated machine, what is the 'sophisticated malware' embedded in the BIOS or CPU capable of doing? Exhilarating keys... perhaps, but being aware of the higher level software to the extent of being able to compromise different applications (which most likely didn't even exist at the time the supposed malware was written) in an identical fashion, which in this example would have to mean making the multiples instances give the same incorrect address derivation, I don't think is a plausible vector.

But yes, a modern machine where the wireless capabilities cannot be disabled, that is certainly riskier. One solution is to go somewhere with no surrounding wireless signals, like a cabin in the woods.



6) I archive private keys as appropriate, via encrypted thumb drives and paper backups which I cut (with scissors) into fragments and distributed.

7) The addresses I isolate and make available to online machines.


The nice part about this method is, between modifying the private keys by hand, and cross referencing address generation among different pieces of software, the opportunity for malicious software to compromise funds is severely limited.

A thumb drive can easily have a malware in the MBR sector that can just save your secret key there and wait for the PC to connect to the internet and send it out covertly.

There were actual cases of this happening at some corporation, some corporate secrets leaked this way from a secure offline computer, look it up in the news.

Yeah, my post didn't address a procedure for spending from the secure private keys.  You are right that contaminated drives are a risk.

For big balances, I would manually type an archived key into a clean, offline computer that had wallet software capable of generating an offline-transaction. Compare the transaction to one generated by different software. Copy onto a fresh thumb drive, and bring over to an online computer to broadcast the transaction.

For the truly paranoid, use multiple clean intermediary computers, with different operating systems. Copy the transaction onto the intermediary computer, and then copy it onto a clean thumb drive. The more hops, the less likely the private key is secretly getting dragged along with the signed tx.

                 ▄███▄
                ███████░
               █████████▄
              ████████████
             ███████████▓▓▓░
            ███████████▓▓▓▓▓
          ░███████████▓▓▓▓▓░░░
         ░███████████▓▓▓▓▓░░░░░
        ░███████████▓▓▓▓▓░░░░░░░
       ░███████████▓▓▓▓▓░░░░░░░░░░
      ░███████████▓▓▓▓▓░░░░░░░░░░░░
    ░░███████████▓▓▓▓▓░░░░░░░░░░░░░░
    ░███████████▓▓▓▓▓░░░░░░░░░░░░░░░░
██
██
██
██
██
██
██
.............PayPal  of   Cryptocurrencies ...........
  Blockchain Protocol + 12 Working Modules - Use Crypto as Cash
██
██
██
██
██
██
██
...........Invest Now...........
     ▄████████████████████████▄
    ███████████████████████████▌
    ████████████████▀▀ ---¬█████
    ███████████████        █████
    ██████████████    ▄▄▄▄▄█████
    ██████████████    ▀█████████
    ██████████▌            █████
    ██████████▌            █████
    ██████████████    ██████████
    ██████████████    ██████████
    ██████████████    ██████████
    ▐█████████████    █████████
      ▀▀▀▀▀▀▀▀▀▀▀▀    ▀▀▀▀▀▀▀
▄▓█████████████████████▓▓▄
▓██████████████████████████▌
███████████████████▓▓▀  ▓██▌
██████████████▓▀▀       ▓██▌
████████▓▀▀      ▄█    ▐███▌
███▓▀        ▄▄▓▀      ▓███▌
███▓▄▄▄   ▄▓█▓         ████▌
████████▓ ▓▌          ▓████▌
█████████▓    ▄       █████▌
██████████▌ ▄▓██▓▄   ▐█████▌
███████████████████▓▓██████▌
▐██████████████████████████
  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
▄███████████████████▄
██████████████████████▌
██████████████████████▌
████████████     █▀███▌
███   █████        ▐██▌
███               ▐███▌
███               ████▌
████             █████▌
█████▄▄         ██████▌
████         ▄████████▌
██████████████████████▌
██████████████████████▌

    ██▄▄             ▄███▄
    ███████▄        ▄████████▄▄
    ██████████     ████████████▌
    ███████████▄ ▄████████████░░
    ████████████████████████░░░░
    ███████████████████████░░░░░
    █████████████████████░░░░░░░
    █████████   ▀▀███████░░░░░░░
    █████████        ▀░░░░░░░░░░
       ▀▀████             ░░░░░░
           ▀▀                 ░░
jhogan
Newbie
*
Offline Offline

Activity: 6
Merit: 1


View Profile
December 14, 2016, 08:25:50 PM
 #24

4) I modify the private key by hand! I make about 7 changes, including deletions, additions, and substitutions. I also add a short word to make visual confirmation easy. I just make sure the key ends up being the same length as it started out.

5) I import the modified private key into several other wallets, and confirm that every generated address is the same.

Thanks -- these suggestions seem particularly interesting -- will make note of them.
faithupgrade
Sr. Member
****
Offline Offline

Activity: 407
Merit: 250


TOGACOIN is LIVE


View Profile
August 14, 2017, 02:55:55 PM
 #25

Hmm, looks like a nice tip to create a clean and secure Bitcoin address. Can I apply this trick while creating a Bitcoin vanity address?

The guide seems reasonable, and nice to see some work being put into this.

Here is my method for secure cold storage:

1) Start with clean, offline computer, with wireless capability disabled

2) Load a few different wallets and pieces of address generating software onto the computer

3) I used Bitaddress.org as my key generator. Crappy java-script RNG? No problem. Did I check the sigs? Nope. I let it generate a key pair, and use that as the starting point.

4) I modify the private key by hand! I make about 7 changes, including deletions, additions, and substitutions. I also add a short word to make visual confirmation easy. I just make sure the key ends up being the same length as it started out.

5) I import the modified private key into several other wallets, and confirm that every generated address is the same.

6) I archive private keys as appropriate, via encrypted thumb drives and paper backups which I cut (with scissors) into fragments and distributed.

7) The addresses I isolate and make available to online machines.


The nice part about this method is, between modifying the private keys by hand, and cross referencing address generation among different pieces of software, the opportunity for malicious software to compromise funds is severely limited.


▄▄▄████████▄▄▄
▄████████████████▄
▄████  ▀▀▀▀▀▀▀▀  ████▄
██████▄▄███▌▐███▄▄██████
▐███  ▀▀▀▀██▌▐██▀▀▀▀  ███▌
████▄▄███ ██▌▐██ ███▄▄████
█████████ ██▌▐██ █████████
█████████ ██▌▐██ █████████
▐████████ ██▌▐██ ████████▌
████████ █▌  ▐█ ████████
▀█████▌ ▐████  ▐█████▀
▀████████████████▀
▀▀▀████████▀▀▀
TOGACOIN

   ▄▄
  ████
   ▀▀ ▀█▄
        ▀█▄ ▄▄
          ▀████
           ▐█▀
           █ █
          ▐▌ ▐▌
        ▄▄█   █
      ▄████▄  ▐▌
 ▄▄ ▄█▀ ▀▀ ▀█▄ █▄
████▀        ▀████
 ▀▀            ▀▀

 
 
 
     ▄▄
    ████
     █▀█▄
    █ █ ▀█▄
   ▐▌ ▐▌  ▀█▄
 ▄▄█   █    ▀█▄▄▄
████▄  ▐▌    ▄████
 ▀▀░▀█▄ █▄ ▄█▀░▀▀
      ▀████▀
        ▀▀

     ▄▄▄████████▄▄▄
   ▄██▀▀▄█▀  ▀█▄▀▀██▄
 ▄██▀ ▄█▀      ▀█▄ ▀██▄
████████████████████████
    ▀              ▀
 █▌   ▐█ █▌   ▐█ █▌   ▐█
 ▐█ █ █▌ ▐█ █ █▌ ▐█ █ █▌
  █▀ ▀█   █▀ ▀█   █▀ ▀█
    ▄              ▄
████████████████████████
 ▀██▄ ▀█▄      ▄█▀ ▄██▀
   ▀██▄▄▀█▄  ▄█▀▄▄██▀
     ▀▀▀████████▀▀▀

 
     ▄▄▄▄▄
   ▄██████
  ████████
  ████▀
▄▄████▄▄▄
█████████
▀▀████▀▀
  ████
  ████
  ████
  ████
  ████

 
                       ▄▄▄
                   ▄▄█████
               ▄▄████████▌
           ▄▄████████████
      ▄▄█████████████████
  ▄▄███████████▀░▄██████▌
███████████▀▀░░▄████████
  ▀▀▀▀▀██▌░░░░█████████▌
        █▌░▒▄██████████
        ▐▌▒▒▒█▀███████▌
         █▒█▀   ▀█████
         ▐▀      ▀███▌
                   ▀▀

 
 
                ▄█████▄▄
  ██▄          ████████████▀
  ████▄▄       ███████████▄
   ▀██████▄▄▄▄▄███████████
  ██▄████████████████████▌
   ▀████████████████████▌
    ▀███████████████████
   ▀███████████████████
      ▀▀██████████████
      ▄█████████████▀
   ▀████████████▀▀
.
  ▬ Presale
Available
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!