Jazkal
June 28, 2011, 12:52:32 PM |
> Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

Well, I'm not suggesting that you be forced to use any method. If you want to continue to use the current wallet.dat as is, then go ahead, I could care less what happens to your wallet or anyone else's for that matter. All I'm saying/asking is give us some options, so if I'm okay with having more points of failure (loss of the wallet, loss of the password, and loss of the second factor), then I have those options to choose from. Because as is right now, I don't have ANY other options.
grue
Legendary
Offline
Activity: 2058
Merit: 1452
June 28, 2011, 01:10:12 PM |
> Well, I'm not suggesting that you be forced to use any method. If you want to continue to use the current wallet.dat as is, then go ahead, I could care less what happens to your wallet or anyone else's for that matter. All I'm saying/asking, is give us some options, so if I'm okay with having more points of failure (loss of the wallet, loss of the password, and loss of the second factor), then I have those options to choose from. Because as is right now, I don't have ANY other options.

1. mount truecrypt volume
2. start bitcoind with datadir=T:\bitcoin\ (truecrypt mounted volume)
3. unmount when you're done
kloinko1n
June 28, 2011, 01:15:26 PM |
> Propose a scheme. I don't know how to do it so that the upside exceeds the downside. If you do, please share.

If I use GPG for my e-mails in Evolution, it asks for the password for every encrypted e-mail. Why not implement this in a bitcoin client as well: the password is required for every transaction, and the wallet is decrypted but not saved to the HD, only held in RAM while it is needed for the transaction. This way the wallet is never decrypted into a file on the HD and is difficult to steal.
Gabi (OP)
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
June 28, 2011, 01:19:17 PM |
Grue's method is nice, but adding an option to set the T:\bitcoin\ (truecrypt mounted volume) thing in the client would really help, instead of having to type datadir etc.
BubbleBoy
June 28, 2011, 01:21:26 PM |
> Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

I don't think you fully understand the problem two-factor authentication solves. It's impossible to create a client that uses two-factor authentication: once you are "authenticated" to the local client and it proceeds to decrypt your wallet, your bitcoins are available to the attacker. What I am proposing is NOT two-factor, but an embedded wallet that handles the private key operations and minimal user input using secure hardware. Using a PIN to unlock the device is purely optional, to protect against physical theft. Two-factor is usable for authenticating against PayPal/MtGox online wallets, assuming you trust them to handle security better than your own computer.
The embedded wallet makes an encrypted backup each time you connect it to your computer. You can easily arrange online backup. The backup is encrypted with a key that you can read off the wallet's display, write on a piece of paper, and store in a safe place. Sure, you can lose that too, but it's a practical solution that actually works. Your solution, "just keep your computer safe and make plenty of (safe) backups", is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper, on the other hand, is something people do pretty well; see paper money.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
June 28, 2011, 01:39:51 PM |
> Sure, you can lose that too, but it's a practical solution that actually works. Your solution "just keep your computer safe and make plenty of (safe) backups" is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper on the other hand is something people do pretty well, see paper money.

Most people don't keep long-term savings in the form of paper money precisely because paper can be easily lost, stolen, or damaged. That said, I do think appropriate hardware is probably the best solution for most people. (Assuming trusting someone else with your key is out of the question.)
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
bcearl
June 28, 2011, 01:58:21 PM |
As soon as Bitcoin is accepted more broadly, the industry will produce smartcards for Bitcoin. Then you will have the keys generated on the smartcard, and they will never leave it. And the smartcard asks for a long PIN, which is typed into a trusted reader rather than a PC, and you have only a limited number of chances to enter the correct PIN.
This will be very secure, but it will include the danger of loss, like almost every secure solution.
From what I have read in the last few days, I think when I start buying large amounts of bitcoins, I will have an offline machine generate secure wallet keys and print them on paper for backups.
EDIT: At the moment, I watch my offline address with block explorer, but that's not perfectly secure; they could fool me into believing that something happened.
Misspelling protects against dictionary attacks NOT
BubbleBoy
June 28, 2011, 04:30:10 PM |
I don't believe smartcards will be any more secure than a password-protected wallet.dat. Once you enter your PIN, the trojanized client takes over the communication with the smart card and instructs it to sign a transaction that empties your wallet to the hacker's address. Since you have no control over the amount that the smart card is signing away, there's no way you can prevent or detect it, and it's equivalent to a trojan stealing your wallet.dat and password.
The hacker does not care about your private key; what he needs is the ability to impersonate you. That's why it is essential that a dedicated hardware wallet has its own secure display and keyboard, with which you can verify the paid amount and a user-friendly representation of the payee address.
Generating keys on an offline machine is probably the best solution at this point, but you will eventually need to connect to the network and spend, right? Maybe you could split them into small amounts and have a paper version that you can scan and spend. Overall, not very user friendly.
aral
Newbie
Offline
Activity: 42
Merit: 0
June 28, 2011, 05:39:06 PM |
> > Sure, you can lose that too, but it's a practical solution that actually works. Your solution "just keep your computer safe and make plenty of (safe) backups" is simply not practical for 90% of the people out there, because securing your computer has a tremendous learning curve. Securing a piece of paper on the other hand is something people do pretty well, see paper money.
>
> Most people don't keep long-term savings in the form of paper money precisely because paper can be easily lost, stolen, or damaged.

People keep important paper documents in a fireproof safe. They don't keep paper money there because paper money depreciates while governments inflate the money supply.
bcearl
June 28, 2011, 05:46:55 PM |
> I don't believe smartcards will be any more secure than a password-protected wallet.dat. Once you enter your PIN, the trojanized client takes over the communication with the smart card and instructs it to sign a transaction that empties your wallet to the hacker's address. Since you have no control over the amount that the smart card is signing away, there's no way you can prevent or detect it, and it's equivalent to a trojan stealing your wallet.dat and password.
> The hacker does not care about your private key; what he needs is the ability to impersonate you. That's why it is essential that a dedicated hardware wallet has its own secure display and keyboard, with which you can verify the paid amount and a user-friendly representation of the payee address.
> Generating keys on an offline machine is probably the best solution at this point, but you will eventually need to connect to the network and spend, right? Maybe you could split them into small amounts and have a paper version that you can scan and spend. Overall, not very user friendly.

That's why I said: you need a smart card reader with a PIN pad; you should never enter the PIN into a PC. Especially for Bitcoin, it would be very easy to display the transaction facts on the reader as well.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
June 28, 2011, 05:57:22 PM |
> People keep important paper documents in a fireproof safe. They don't keep paper money there because paper money depreciates while governments inflate the money supply.

In other words, it's just on paper. But they put that paper in a super-secure location. Which is exactly what the client already supports.
djproject
Newbie
Offline
Activity: 30
Merit: 0
June 28, 2011, 09:43:02 PM |
This is the logic of all the hardcore anti-encryption people in this thread: Durrr, public-private key encryption is useless because integer factorization is Turing computable! Therefore all secure communication should be carried out via hand-passed notes! Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")
djproject
Newbie
Offline
Activity: 30
Merit: 0
June 28, 2011, 09:45:24 PM |
Also, you should never bother washing your clothes because you might get hit by a plane crash tomorrow, in which case the effort would be wasted (this is RE: forgotten password paranoia).
Horkabork
June 28, 2011, 09:49:12 PM |
> Two-factor authentication exacerbates the problem. Now, instead of one thing that can go wrong causing you to lose your bitcoins (loss of the wallet), there are three things -- loss of the wallet, loss of the password, and loss of the second factor.

You're forgetting one thing, which is that you can have multiple copies of your wallet. Any risk in forgetting a password or losing your second factor can be mitigated by having an inaccessible wallet on a flash drive/CD in a safe. Also, although people forget passwords, they don't forget personal details. You can use a strong password for your day-to-day wallet encryption, but then on the backup flash drive, have your wallet also encrypted but with a slightly less robust password that can be composed by you or only by someone who knows you very well. Put a text file on the flash drive with instructions on how to compose the password. I'm not talking about vague preference questions that can change, such as "What is your favorite book?", but details such as the name of the bone that you broke when you were 15, the occupation of the person you were named after, the name of the house you lived in in college, whom your nickname is a reference to, etc. No spaces, all lowercase, no grammatical articles. I would only forget such things if I was shot in the head, but I'm certain that my family could put together the password if I died and they cooperated.
memvola
June 28, 2011, 10:33:05 PM |
> You're forgetting one thing, which is that you can have multiple copies of your wallet.

What about multiple keys (a la LUKS)? Granted, it will be slightly less secure, but you could burn an emergency recovery key under an obfuscated filename on a disc and hide it / give it to your wife. Or cut the key in half and tell each half to two relatives who never talk to each other... Tattoo the last syllable on your private parts. On the other hand, I agree that a false sense of security is more dangerous than trojans for inexperienced users. They will eventually prefer online services, IMO. But since our primary concern seems to be losing passwords, being able to define multiple keys could help, and it shouldn't be too hard to implement on top of the currently proposed encryption scheme.
bcearl
June 29, 2011, 07:04:44 AM |
> This is the logic of all the hardcore anti-encryption people in this thread: Durrr, public-private key encryption is useless because integer factorization is Turing computable! Therefore all secure communication should be carried out via hand-passed notes! Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")

No, my anti-crypto criticism goes like this: cryptography is useless if you have the unencrypted data lying next to it. And by the way, I am glad that there is no RSA involved in Bitcoin.
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
June 29, 2011, 08:26:58 AM |
> Good thing JoelKatz wasn't the one running MtGox or he would've stored all the passwords in outright cleartext ("no point hashing the passwords, an attacker who obtains the database can just brute force them all anyway")

Actually, the business logic and web machine would not have been expected to protect the password. The authentication system, however, would have been a purpose-built fortress, and it would not have stored the password in cleartext. My objection is to using encryption in applications where it creates more problems than it solves and doesn't solve the real problems anyway. I am a big advocate of secure encryption and authentication technologies when applied on appropriate hardware to the problems they actually solve.
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1181
June 29, 2011, 09:02:13 AM |
To give a small update about the encryption system currently implemented and being tested for the bitcoin client:
- Only private keys are encrypted, and you only need the private key to do transactions.
- The GUI currently only has one way of unlocking a wallet, namely by entering a passphrase. The disk format does support several independent passphrases, although adding a second one is currently not implemented. In the future, this may allow a "generate unlock code" wizard or something similar.
- There are almost no restrictions on what the passphrase can be, although the GUI will encourage you to choose a long one.
- Attempts are made to use mlock() and similar calls to prevent the memory pages containing passwords and encryption keys from leaking to swap, but this is not in general possible (as it needs cooperation from openssl and graphics libraries).
I do Bitcoin stuff.
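The "several independent passphrases" layout Pieter describes above, and the LUKS-style multiple keys memvola proposed earlier in the thread, can be sketched as a key-slot scheme. This is an added example written for this page, not the bitcoin client's actual wallet format: a random master key (the one that would encrypt the private keys) is wrapped under each passphrase with its own salt and PBKDF2 iteration count, so any one passphrase recovers it, and the iteration count is what sets the per-guess cost JoelKatz asks about. The function names, the XOR-pad wrap and the HMAC check tag are my assumptions, not the client's code.

```python
import hashlib, hmac, os, time
from typing import List, Optional, Tuple

KEY_LEN = 32  # bytes of master key; each slot's wrapping pad is the same length

def derive(passphrase: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch one passphrase into a wrapping pad and a separate check key."""
    okm = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, 2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def new_slot(master_key: bytes, passphrase: str, iterations: int) -> dict:
    """Wrap the master key under this passphrase; a fresh salt means the pad is never reused."""
    salt = os.urandom(16)
    pad, check_key = derive(passphrase, salt, iterations)
    wrapped = xor(master_key, pad)
    tag = hmac.new(check_key, wrapped, "sha256").digest()  # detects a wrong passphrase
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}

def unlock(slots: List[dict], passphrase: str) -> Optional[bytes]:
    """Try the passphrase against every slot; return the master key, or None if none match."""
    for s in slots:
        pad, check_key = derive(passphrase, s["salt"], s["iterations"])
        tag = hmac.new(check_key, s["wrapped"], "sha256").digest()
        if hmac.compare_digest(tag, s["tag"]):
            return xor(s["wrapped"], pad)
    return None

def add_passphrase(slots: List[dict], existing: str, new: str, iterations: int) -> None:
    """Adding a recovery passphrase requires proving you hold one that already works."""
    master_key = unlock(slots, existing)
    if master_key is None:
        raise ValueError("existing passphrase does not unlock any slot")
    slots.append(new_slot(master_key, new, iterations))

def calibrate_iterations(target_seconds: float = 0.25) -> int:
    """Pick an iteration count costing about target_seconds here; that is also one guess's cost
    for an attacker who copied the wallet file, so longer passphrases matter more than this."""
    iterations = 1024
    while True:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"calibrate", b"\x00" * 16, iterations, 2 * KEY_LEN)
        if time.perf_counter() - start >= target_seconds:
            return iterations
        iterations *= 2
```

Unlocking tries each slot in turn, so a second or third passphrase costs nothing at unlock time beyond one extra derivation per slot tried.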
JoelKatz
Legendary
Offline
Activity: 1596
Merit: 1012
Democracy is vulnerable to a 51% attack.
June 29, 2011, 09:44:10 AM |
Great work. How computationally expensive is the algorithm that converts the passphrase to the key that decrypts the private keys? What I'm worried about is a trojan that captures the encrypted private keys and plaintext public keys (or hashes), and then knows how many BTC each wallet holds. He can then try to brute force the wallets with the most coins using compromised machines to do the brute forcing.
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1181
June 29, 2011, 09:55:48 AM |
> Great work. How computationally expensive is the algorithm that converts the passphrase to the key that decrypts the private keys? What I'm worried about is a trojan that captures the encrypted private keys and plaintext public keys (or hashes), and then knows how many BTC each wallet holds. He can then try to brute force the wallets with the most coins using compromised machines to do the brute forcing.

You can find some technical details here: https://github.com/TheBlueMatt/bitcoin/commit/9914f01fac25ff3891c3af8ac76c3ad5d6c3e9c6