So, bitcoin client still use unencrypted wallet.dat

[Jazkal]

http://en.wikipedia.org/wiki/Two-factor_authentication

Someone give me a client that I can use two-factor authentication with. Until then, all other methods are insecure to some extent or other.

Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

Well, I'm not suggesting that you be forced to use any method. If you want to continue to use the current wallet.dat as is, then go ahead, I could care less what happens to your wallet or anyone else's for that matter. All I'm saying/asking, is give us some options, so if I'm okay with having more points of failure (loss of the wallet, loss of the password, and loss of the second factor), then I have those options to choose from. Because as is right now, I don't have ANY other options.

[1715328904]

1715328904

[1715328904]

1715328904

[1715328904]

1715328904

[grue]

Well, I'm not suggesting that you be forced to use any method. If you want to continue to use the current wallet.dat as is, then go ahead, I could care less what happens to your wallet or anyone else's for that matter. All I'm saying/asking, is give us some options, so if I'm okay with having more points of failure (loss of the wallet, loss of the password, and loss of the second factor), then I have those options to choose from. Because as is right now, I don't have ANY other options.

1. mount truecrypt volume
2. start bitcoind with datadir=T:\bitcoin\ (truecrypt mounted volume)
3. unmount when you're done

[kloinko1n]

Propose a scheme. I don't know how to do it so that the upside exceeds the downside. If you do, please share.

If I use GPG for my e-mails in Evolution, for every encrypted e-mail it asks for the password.
Why not implement this also in a bitcoin client: for every transaction the password is required, and the wallet is decrypted but not saved on HD, only in RAM when it is needed for the transaction.
This way the wallet is never decrypted in a file on the HD and is difficult to be stolen.

[Gabi]

Grue method is nice but adding an option to set the T:\bitcoin\ (truecrypt mounted volume) thing in the client would really help, instead of having to type datadir etc etc

[BubbleBoy]

http://en.wikipedia.org/wiki/Two-factor_authentication

Someone give me a client that I can use two-factor authentication with. Until then, all other methods are insecure to some extent or other.

I don't think you understand fully the problem two-factor authentication solves. It's impossible to create a client that uses two factor authentication, once you are "authenticated" to the local client and it proceeds to decript your wallet, your bitcoins are available to the attacker. What I am proposing is NOT two factor, but an embedded wallet that handles the private key operations and minimal user input using secure hardware. Using a pin to unlock the device is purely optional, to prevent from physical theft.

Two factor is usable for authenticating against PayPal/MtGox online wallets, assuming you trust them to handle security better than your own computer.

Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

The embedded wallet makes an encrypted backup each time you connect it to your computer. You can easily arrange online backup. The backup is encrypted with a key that you can read of the wallet's display, write on a piece of paper, and store it in a safe place.
Sure, you can loose that too, but it's a practical solution that actually works. Your solution "just keep your computer safe and make plenty of (safe) backups" is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper on the other hand is something people do pretty well, see paper money.

[JoelKatz]

Sure, you can loose that too, but it's a practical solution that actually works. Your solution "just keep your computer safe and make plenty of (safe) backups" is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper on the other hand is something people do pretty well, see paper money.

Most people don't keep long-term savings in the form of paper money precisely because paper can be easily lost, stolen, or damaged. That said, I do think appropriate hardware is probably the best solution for most people. (Assuming trusting someone else with your key is out of the question.)

[bcearl]

As soon as Bitcoin is accepted more broadly, the industry will produce smartcards for Bitcoin. Then you will have the keys generated on the smartcard, and they will never leave it. And the smartcard asks for a long PIN, which is typed into a trusted reader rather than a PC, and you have only a limited count of chances to enter the correct PIN.

This will be very secure, but it will include the danger of loss like almost every secure solution.

For what I read in the last few days, I think when I start buying large amounts of bitcoins, I will have an offline machine generating secure wallet keys and print them on paper for backups.


EDIT:
At the moment, I watch my offline address with block explorer, but that's not perfectly secure, they could fool me into believing that there happened something.

[BubbleBoy]

I don't believe smartcards will be any more secure than a password protected wallet.dat.
Once you enter your PIN, the trojanized client takes over the communication with the smart card, and instructs it to sign a transaction that empties your wallet to the hacker's address. Since you have no control on the amount that the smart card is signing away, there's no way you can prevent it or detect it, and it's equivalent to a trojan stealing your wallet.dat and password.

The hacker does not care about your private key, what he needs is the ability to impersonate you, that's why it is essential that a dedicated hardware wallet has it's own secure display and keyboard, with which you can verify the paid amount and a user friendly representation of the payee address.

Generating keys on an offline machine is probably the best solution at this point, but you will have to eventually need to connect to the network and spend, right ? Maybe you could split them in small amounts and have a paper version that you can scan and spend. Overall, not very user friendly.

[aral]

Sure, you can loose that too, but it's a practical solution that actually works. Your solution "just keep your computer safe and make plenty of (safe) backups" is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper on the other hand is something people do pretty well, see paper money.

Most people don't keep long-term savings in the form of paper money precisely because paper can be easily lost, stolen, or damaged.

People keep important paper documents in a fireproof safe.  They don't keep paper money there because paper money depreciates while governments inflate the money supply.

[bcearl]

I don't believe smartcards will be any more secure than a password protected wallet.dat.
Once you enter your PIN, the trojanized client takes over the communication with the smart card, and instructs it to sign a transaction that empties your wallet to the hacker's address. Since you have no control on the amount that the smart card is signing away, there's no way you can prevent it or detect it, and it's equivalent to a trojan stealing your wallet.dat and password.

The hacker does not care about your private key, what he needs is the ability to impersonate you, that's why it is essential that a dedicated hardware wallet has it's own secure display and keyboard, with which you can verify the paid amount and a user friendly representation of the payee address.

Generating keys on an offline machine is probably the best solution at this point, but you will have to eventually need to connect to the network and spend, right ? Maybe you could split them in small amounts and have a paper version that you can scan and spend. Overall, not very user friendly.

That's why I said: You need a smart card reader with a PIN pad, you should never enter the PIN into a PC. Especially for Bitcoin it would be very easy to display the transaction facts on the reader as well.

[JoelKatz]

People keep important paper documents in a fireproof safe.  They don't keep paper money there because paper money depreciates while governments inflate the money supply.

In other words, it's just on paper. But they put that paper in a super-secure location. Which is exactly what the client already supports.

[djproject]

This is the logic of all the hardcore anti-encryption people in this thread:

Durrr, public-private key encryption is useless because integer factorization is Turing computable!  Therefore all secure communication should be carried out via hand-passed notes!

Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")

[djproject]

Also, you should never bother washing your clothes because you might get hit by a planecrash tomorrow in which case the effort would be wasted  (this is RE: forgotten password paranoia)

[Horkabork]

http://en.wikipedia.org/wiki/Two-factor_authentication

Someone give me a client that I can use two-factor authentication with. Until then, all other methods are insecure to some extent or other.

Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

You're forgetting one thing, which is that you can have multiple copies of your wallet. Any risk in forgetting a password or losing your second factor can be mitigated by having an inaccessible wallet one a flash drive/CD in a safe. Also, although people forget passwords, they don't forget personal details. You can use a strong password for your day-to-day wallet encryption, but then on the backup flash drive, have your wallet also encrypted but with a slightly less-robust password that can be composed by you or only by someone who knows you very well. Put a text file on the flash drive with instructions on how to compose the password.

I'm not talking about vague preference questions that can change, such as "What is your favorite book?" but details such as the name of the bone that you broke when you were 15, the occupation of the person you were named after, the name of the house you lived in in college, whom your nickname is a reference to, etc.

No spaces, all lowercase, no grammatical articles.

I would only forget such things if I was shot in the head, but I'm certain that my family could put together the password if I died and they cooperated.

[memvola]

You're forgetting one thing, which is that you can have multiple copies of your wallet.

What about multiple keys (a la LUKS)? Granted, it will be slightly less secure, but you could burn an emergency recovery key under an obfuscated filename on a disc and hide it / give it to your wife. Or, cut the key in half and tell each half to two relatives who never talk to each other... Tattoo the last syllable on your private parts.

On the other hand, I agree that false sense of security is more dangerous than trojans for inexperienced users. They will eventually prefer online services, IMO. But since our primary concern seems to be losing of passwords, being able to define multiple keys could help, and it shouldn't be too hard to implement on top of currently proposed encryption scheme.

[bcearl]

This is the logic of all the hardcore anti-encryption people in this thread:

Durrr, public-private key encryption is useless because integer factorization is Turing computable!  Therefore all secure communication should be carried out via hand-passed notes!

Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")

No, my anti-crypto criticism goes like this:

Cryptography is useless if you have the unencrypted data lying next to it.

And by the way, I am glad that there is no RSA involved in Bitcoin.

[JoelKatz]

Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")

Actually, the business logic and web machine would not have been expected to protect the password. The authentication system, however, would have been a purpose-built fortress, and it would not have stored the password in cleartext.

My objection is to using encryption in applications where it creates more problems than it solves and doesn't solve the real problems anyway. I am a big advocate of secure encryption and authentication technologies when applied on appropriate hardware to the problems they actually solve.

[Pieter Wuille]

To give a small update about the encryption system currently implemented and being tested for the bitcoin client:

• Only private keys are encrypted, and you only need the private key to do transactions.
• The GUI currently only has one way for unlocking a wallet, namely by entering a passphrase. The disk format does support several independent passphrases, although adding a second one is currently not implemented. In the future, this may allow a "generate unlock code" wizard or something similar.
• There are almost no restrictions on what the passphrase can be, although the GUI will encourage you to choose a long one.
• Attempts are made to use mlock() and similar calls to prevent the memory pages containing passwords and encryption keys to leak to swap, but this is not in general possible (as it needs cooperation from openssl and graphic libraries).

[JoelKatz]

Great work. How computationally expensive is the algorithm that converts the passphrase to the key that decrypts the private keys? What I'm worried about is a trojan that captures the encrypted private keys and plaintext public keys (or hashes), and then knows how many BTC each wallet holds. He can then try to brute force the wallets with the most coins using compromised machines to do the brute forcing.

[Pieter Wuille]

Great work. How computationally expensive is the algorithm that converts the passphrase to the key that decrypts the private keys? What I'm worried about is a trojan that captures the encrypted private keys and plaintext public keys (or hashes), and then knows how many BTC each wallet holds. He can then try to brute force the wallets with the most coins using compromised machines to do the brute forcing.

You can find some technical details here: https://github.com/TheBlueMatt/bitcoin/commit/9914f01fac25ff3891c3af8ac76c3ad5d6c3e9c6