Bitcoin Forum
Topic: Ledger Nano: is it secure?
Lionel
September 09, 2017, 01:05:58 AM
 #1


Suppose i am using Electrum with Ledger Nano S.
When i send a payment, i must manually enter the PIN on the USB device (source: https://ledger.groovehq.com/knowledge_base/topics/how-to-setup-electrum-nano-slash-nano-s )

But i wonder if the Nano shows me the transaction details as well ( destination address(es), amount(s) ).
If not, i don't consider this solution very safe.

Suppose a virus on my PC acts as a man-in-the-middle when the payment command is sent from Electrum to the USB device.
The virus may change the payment destination address on-the-fly after the command goes out of Electrum wallet but before it enters the USB bus to reach the device.

Anyone of you that has a Nano and can confirm that it displays transaction info upon PIN request ?
GreenBits
September 09, 2017, 01:27:42 AM
 #2


> Suppose i am using Electrum with Ledger Nano S.
> When i send a payment, i must manually enter the PIN on the USB device (source: https://ledger.groovehq.com/knowledge_base/topics/how-to-setup-electrum-nano-slash-nano-s )
>
> But i wonder if the Nano shows me the transaction details as well ( destination address(es), amount(s) ).
> If not, i don't consider this solution very safe.
>
> Suppose a virus on my PC acts as a man-in-the-middle when the payment command is sent from Electrum to the USB device.
> The virus may change the payment destination address on-the-fly after the command goes out of Electrum wallet but before it enters the USB bus to reach the device.
>
> Anyone of you that has a Nano and can confirm that it displays transaction info upon PIN request ?

the generation of the transaction is handled onboard the wallet. the only information exposed to memory, to the best of my knowledge, is the transaction itself, which is encrypted. the virus would have to hijack the device itself to compromise the transaction. this is why the transaction details are confirmed via interface. if those details are correct, then the transaction broadcasted to the network would be composed of those details.

the best a mitm attack could do is change a copy/paste address by hijacking the ram and subverting things sent to the clipboard. if you simply confirm the details, you should be able to detect the change in address, and move the device to a stable/secure environment ;)

hardware wallets ftw.

HCP
September 09, 2017, 11:55:29 AM
 #3


> ... the generation of the transaction is handled onboard the wallet. the only information exposed to memory, to the best of my knowledge,

No, the transaction is created in your software wallet (Ledger app or Electrum etc). It is the SIGNING of the transaction with the appropriate private keys that happens on the hardware wallet.

> Anyone of you that has a Nano and can confirm that it displays transaction info upon PIN request ?

And to answer the OP's question... yes, it displays the address and amount and you have to confirm it before the transaction is signed and returned to the software wallet for broadcasting.
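
The check described in reply #3, sketched as an added example (not code from any poster, Ledger or Electrum): the host builds the unsigned transaction, and the signer parses those same bytes and shows each output, so a destination altered in transit appears on the display before anything is signed. It assumes legacy P2PKH outputs and non-segwit serialization; the hash160 values and helper names are constructed for illustration.

```python
import hashlib, struct
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
def b58check(payload: bytes) -> str:
    """Base58Check-encode version byte + hash160 into a legacy address."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def varint(buf: bytes, i: int):
    """Read a CompactSize integer at offset i; return (value, next offset)."""
    if buf[i] < 0xfd:
        return buf[i], i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[buf[i]]
    return int.from_bytes(buf[i + 1:i + 1 + size], "little"), i + 1 + size

def outputs(raw: bytes):
    """Parse a legacy (non-segwit) transaction into [(address or script hex, satoshis)]."""
    n_in, i = varint(raw, 4)                  # skip 4-byte version
    for _ in range(n_in):
        slen, i = varint(raw, i + 36)         # skip previous txid + output index
        i += slen + 4                         # skip scriptSig + sequence
    n_out, i = varint(raw, i)
    shown = []
    for _ in range(n_out):
        sats = int.from_bytes(raw[i:i + 8], "little")
        slen, i = varint(raw, i + 8)
        script, i = raw[i:i + slen], i + slen
        # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
        if slen == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
            shown.append((b58check(b"\x00" + script[3:23]), sats))
        else:
            shown.append((script.hex(), sats))  # unknown script: show it raw
    return shown

def p2pkh_out(h160: bytes, sats: int) -> bytes:
    return struct.pack("<Q", sats) + b"\x19\x76\xa9\x14" + h160 + b"\x88\xac"
def unsigned_tx(outs) -> bytes:
    """Constructed one-input transaction with an empty scriptSig (not a real spend)."""
    txin = bytes(32) + bytes(4) + b"\x00" + b"\xff" * 4
    return struct.pack("<I", 1) + b"\x01" + txin + bytes([len(outs)]) + b"".join(outs) + bytes(4)

# Constructed sample data: made-up hash160 values, not addresses anyone uses.
PAYEE, CHANGE, OTHER = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20
host_tx = unsigned_tx([p2pkh_out(PAYEE, 150_000), p2pkh_out(CHANGE, 40_000)])
altered_tx = host_tx.replace(PAYEE, OTHER)    # same bytes with the payee hash swapped
print("device shows:", outputs(altered_tx), "matches intent:", outputs(altered_tx) == outputs(host_tx))
```

The amounts and the change output are identical in both versions; only the first displayed address differs, which is the field the user has to compare against the intended payee.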

Lionel
September 09, 2017, 01:39:54 PM
 #4


> > Anyone of you that has a Nano and can confirm that it displays transaction info upon PIN request ?
>
> And to answer the OPs question... yes, it displays the address and amount and you have to confirm it before the transaction is signed and returned to the software wallet for broadcasting.

Sounds good then :)
Lionel
September 09, 2017, 07:26:32 PM
 #5

What happens if my Nano burns or i lose it?

Does it support BIP 38 seeds so that i can restore my private key ?
xSkyer
September 09, 2017, 07:28:25 PM
 #6

> What happens if my Nano burns or i lose it?
>
> Does it support BIP 38 seeds so that i can restore my private key ?

Yes. On the first boot you are given 24 words which you can write down on the recovery sheet included in the box. Most of the things like seed, pin, transactions show up on ledger's screen and require usage of buttons on the device.

TryNinja
September 09, 2017, 07:30:31 PM
 #7

> What happens if my Nano burns or i lose it?
>
> Does it support BIP 38 seeds so that i can restore my private key ?

That's why you need to backup your seed when creating your wallet. Then, if you lose your device, you can:

1. Buy a new Nano and restore your wallet.
2. Restore your wallet in any wallet supporting 24-word passphrases, compatible with:
  • BIP39 wordlist,
  • BIP32 (Hierarchical Deterministic wallets specifying a generic key derivation method),
  • BIP44 (specifying how the keys are derived) standards.

Every known wallet compatible with the Ledger Nano backup phrase can be found here[1].

[1] http://support.ledgerwallet.com/knowledge_base/topics/how-to-restore-my-backup-without-a-ledger-wallet

Lionel
September 09, 2017, 11:33:41 PM
 #8

Very good.

And if someone steals your Nano they cannot read the Seed because they haven't the PIN.
But they may disassemble the Nano and directly read the flash memory in it, and copy directly your private key.

So you better not lose your Nano and if so, immediately restore the wallet with the seed with another Electrum instance and transfer the coins elsewhere
HCP
September 10, 2017, 06:03:59 AM
 #9

> And if someone steals your Nano they cannot read the Seed because they haven't the PIN.
> But they may disassemble the Nano and directly read the flash memory in it, and copy directly your private key.

You make it sound like they just need to crack open the case and read some data from the "flash memory" to be able to get the private key...

The Ledger Nano S Hardware Wallets use a "secure element" (aka smartcard) that makes it extremely difficult for anyone but very well resourced attackers with very high levels of technical expertise and specialised equipment to be able to perform the private key extraction attack.

Ref: https://www.ledger.fr/2015/01/17/bitcoin-security-why-smart-cards-matter/

Granted, this is an article written by the manufacturer, but the theory is sound...

XXX_BTC1@
November 03, 2017, 06:54:55 AM
 #10


> Suppose i am using Electrum with Ledger Nano S.
> When i send a payment, i must manually enter the PIN on the USB device (source: https://ledger.groovehq.com/knowledge_base/topics/how-to-setup-electrum-nano-slash-nano-s )
>
> But i wonder if the Nano shows me the transaction details as well ( destination address(es), amount(s) ).
> If not, i don't consider this solution very safe.
>
> Suppose a virus on my PC acts as a man-in-the-middle when the payment command is sent from Electrum to the USB device.
> The virus may change the payment destination address on-the-fly after the command goes out of Electrum wallet but before it enters the USB bus to reach the device.
>
> Anyone of you that has a Nano and can confirm that it displays transaction info upon PIN request ?

ledger nano s is the hardware wallet we have to save our bitcoins and litecoins, zcash coins, dash coins, ethereum coins and ripple coins. so you have to buy and keep your bitcoin in this wallet and hold a long time. ledger nano s is the best and secure wallet. it can be carried easily and is good for security.