Shouldn't keypairs be "1"?

[cellard]

I have seen much discussion lately of people wondering if HD wallets are safe or not. People worry that they are "steal-once" wallets, as in once you get a backup, you have access to that wallet forever. Not sure if the comfortableness of not needing to do backups when you create X amount of keys (it used to be 100, now 1000 if im not mistaken) is worth the risk.

Im also worried that a smart enough individual could somehow derivate private keys from owning a couple of private keys + the master public key (so they could have access to ALL private keys generated thereon)

I was wondering: Isn't the ideal design to be that you would need to backup your wallet every single time you create a new address? so if an attacker managed to steal your wallet.dat, that is all he would get, he couldn't sit and let you store BTC indefinitely until he steals all of it (waiting either for 100, 1000 or infinite addresses in the case of HD), he would only get whatever your wallet.dat had at the time he stole it.

If this makes no sense let me know and I will try to rephrase my point, it's just an idea, and would like further discussions on either what's safer, classic wallet.dat format or new BIP32 HD format.

[1714137004]

1714137004

[1714137004]

1714137004

[1714137004]

1714137004

[aleksej996]

Well it is not a straightforward solution to this. Other then risk of a hack, there is a risk of hardware failure and what if you didn't have time to make a backup before the disk crashed or what if you simply forgot? When you get hacked, you likely either know that you are hacked or your computer continues being infected and wallet continuously stolen. If you know you are hacked, then you can create a new wallet, and if you don't, then a classic wallet won't save you anyway.

I guess it is about the risk of being hacked vs the risk of losing a backup of your wallet. For a regular user, risk of getting hacked might be lower then of all the other problems that they can get themselves into on their own. And for users that need high security, well using a paper or a hardware wallet might be a better choice for them anyway.

[cellard]

Well it is not a straightforward solution to this. Other then risk of a hack, there is a risk of hardware failure and what if you didn't have time to make a backup before the disk crashed or what if you simply forgot? When you get hacked, you likely either know that you are hacked or your computer continues being infected and wallet continuously stolen. If you know you are hacked, then you can create a new wallet, and if you don't, then a classic wallet won't save you anyway.

I guess it is about the risk of being hacked vs the risk of losing a backup of your wallet. For a regular user, risk of getting hacked might be lower then of all the other problems that they can get themselves into on their own. And for users that need high security, well using a paper or a hardware wallet might be a better choice for them anyway.

I don't think so. You could have been hacked and have no idea about it... good hackers don't leave traces. And once they got your HD wallet, they got all of your future keys. That's the problem.

Hardware wallet devices aren't really to be trusted in my opinion. A general purpose laptop with Linux in an airgapped way to store the private keys is the best way I can think off. If you create a brand new wallet in an airgapped Linux laptop, I guess even if it's HD, it wouldn't matter, the chances that it gets hacked are really low. Paperwallets suck, you need to deal with several addresses, so you would need several papers all over the place, not very convenient.

[ranochigo]

Im also worried that a smart enough individual could somehow derivate private keys from owning a couple of private keys + the master public key (so they could have access to ALL private keys generated thereon)

That's only applicable for non-hardened keys. For hardened keys, they aren't susceptible to this because they don't even have master public keys in the first place. Now first of all, you shouldn't be sharing any of your private keys and if they have access to one, they would have access to the master private key.

I was wondering: Isn't the ideal design to be that you would need to backup your wallet every single time you create a new address? so if an attacker managed to steal your wallet.dat, that is all he would get, he couldn't sit and let you store BTC indefinitely until he steals all of it (waiting either for 100, 1000 or infinite addresses in the case of HD), he would only get whatever your wallet.dat had at the time he stole it.

If this makes no sense let me know and I will try to rephrase my point, it's just an idea, and would like further discussions on either what's safer, classic wallet.dat format or new BIP32 HD format.

It isn't the ideal design by any standards. If you had to backup your wallet every single time, most probably won't bother changing addresses and that results in the problem with address reuse. You would guess that most probably wouldn't bother backing up it every single time and more coins would be lost.

Hardware wallet devices aren't really to be trusted in my opinion. A general purpose laptop with Linux in an airgapped way to store the private keys is the best way I can think off. If you create a brand new wallet in an airgapped Linux laptop, I guess even if it's HD, it wouldn't matter, the chances that it gets hacked are really low. Paperwallets suck, you need to deal with several addresses, so you would need several papers all over the place, not very convenient.

As opposed to hardware wallets being insecure, I would say that its just too expensive, as compared to a Raspberry Pi. Most of the firmware are audited and open sourced so it can be trusted, if you know what you're doing.
The new HD wallets are definitely superior as compared to the old wallet.dat. The hardened key derivation for Bitcoin Core doesn't allow others to use the master public key which eliminates that attack vector. With the old wallet.dat, you are supposed to backup every 100/1000 transaction which is what many failed to do and lost loads of money due to that. The new HD wallet.dat basically only requires 1 backup, unless you encrypt/change password. You shouldn't be worried about getting hacked. There would be more people losing money by forgetting to backup and hacking as compared to HD wallets. Hackers aren't all that interested in potential long term profit.

[aleksej996]

Well it is not a straightforward solution to this. Other then risk of a hack, there is a risk of hardware failure and what if you didn't have time to make a backup before the disk crashed or what if you simply forgot? When you get hacked, you likely either know that you are hacked or your computer continues being infected and wallet continuously stolen. If you know you are hacked, then you can create a new wallet, and if you don't, then a classic wallet won't save you anyway.

I guess it is about the risk of being hacked vs the risk of losing a backup of your wallet. For a regular user, risk of getting hacked might be lower then of all the other problems that they can get themselves into on their own. And for users that need high security, well using a paper or a hardware wallet might be a better choice for them anyway.

I don't think so. You could have been hacked and have no idea about it... good hackers don't leave traces. And once they got your HD wallet, they got all of your future keys. That's the problem.

Hardware wallet devices aren't really to be trusted in my opinion. A general purpose laptop with Linux in an airgapped way to store the private keys is the best way I can think off. If you create a brand new wallet in an airgapped Linux laptop, I guess even if it's HD, it wouldn't matter, the chances that it gets hacked are really low. Paperwallets suck, you need to deal with several addresses, so you would need several papers all over the place, not very convenient.

As I said in my original reply, if you don't know you are hacked and you have a classic wallet, then it doesn't matter that your future keys will be unknown as hackers would still have access to your computer. They can't steal your bitcoins and you not know about it (hopefully).

If you know about it, then you change your wallet and there is no risk of them having new keys, since you create a new one.
You understand what I am saying?

I don't see a scenario where you are better of with a classic wallet and are aware of where your bitcoins are.
What would that scenario be?

Someone hacked you and stole your bitcoins? Then you just create a new wallet so hackers can't steal your future keys.
Someone hacked you and didn't steal your bitcoins? Then you create a new wallet when they steal your bitcoins as then you would have to know you have been hacked. And that period where you didn't know you were hacked, hackers would just update to the newest wallet you have with all the keys.

There is just no realistic benefit here, as you can always adapt to your situation.

[cellard]

That's only applicable for non-hardened keys. For hardened keys, they aren't susceptible to this because they don't even have master public keys in the first place. Now first of all, you shouldn't be sharing any of your private keys and if they have access to one, they would have access to the master private key.

What do you mean with hardened keys specifically? you mean encrypted? airgapped? I don't get how you use "hardened" here.

It isn't the ideal design by any standards. If you had to backup your wallet every single time, most probably won't bother changing addresses and that results in the problem with address reuse. You would guess that most probably wouldn't bother backing up it every single time and more coins would be lost.

I don't think so. You can easily copy your wallet.dat every couple of days in an USB or whatever and that's that. Also, there's nothing wrong with reusing an address. To keep privacy you must know how to control inputs and outputs, for this you don't necessarily need a new address each time, just know when you need a new address.

As opposed to hardware wallets being insecure, I would say that its just too expensive, as compared to a Raspberry Pi. Most of the firmware are audited and open sourced so it can be trusted, if you know what you're doing.

Hardware wallets have been known to do stupid things such as:
https://www.reddit.com/r/TREZOR/comments/6yti7p/trezor_bridge_trezordexe_calling_home/

And some like ledger, don't have 100% open parts. Honestly why even use these, when a general purpose laptop can act as a better hardware wallet. We just need Core to get their shit together and give us a refined, proper interface to manage offline transaction signing similar to Armory.

The new HD wallets are definitely superior as compared to the old wallet.dat. The hardened key derivation for Bitcoin Core doesn't allow others to use the master public key which eliminates that attack vector. With the old wallet.dat, you are supposed to backup every 100/1000 transaction which is what many failed to do and lost loads of money due to that. The new HD wallet.dat basically only requires 1 backup, unless you encrypt/change password. You shouldn't be worried about getting hacked. There would be more people losing money by forgetting to backup and hacking as compared to HD wallets. Hackers aren't all that interested in potential long term profit.

I remember reading about how a command in the client would show the master public key or something (basically like the seed) that would allow for future access to the private keys.

[ranochigo]

What do you mean with hardened keys specifically? you mean encrypted? airgapped? I don't get how you use "hardened" here.

BIP32 HD keys have 2 versions; hardened and non-hardened. Hardened keys are specifically designed to counter such attacks against the master private, with only one master public and one master private. Hardened keys do not have master public key, which is applicable for Bitcoin Core.

I don't think so. You can easily copy your wallet.dat every couple of days in an USB or whatever and that's that. Also, there's nothing wrong with reusing an address. To keep privacy you must know how to control inputs and outputs, for this you don't necessarily need a new address each time, just know when you need a new address.

What guarantees that within that timeframe, your HDD won't fail? Of course there is nothing wrong with address reuse, that is unless you value privacy. Using a new address everytime significantly increases the difficulty of anyone tracking your spending.

You'd be surprised how many people back up only once.

Hardware wallets have been known to do stupid things such as:
https://www.reddit.com/r/TREZOR/comments/6yti7p/trezor_bridge_trezordexe_calling_home/

And some like ledger, don't have 100% open parts. Honestly why even use these, when a general purpose laptop can act as a better hardware wallet. We just need Core to get their shit together and give us a refined, proper interface to manage offline transaction signing similar to Armory.

Trezor didn't endanger the people's privacy in anyway so I don't think that warrants a "cannot be trusted" tag. Hardware wallets are a lot more for if you want excellent security with convenience. It's really not easy to use a Linux as a hardware wallet. Bitcoin Core isn't designed to be very user friendly, especially if you want cold storage. That's why we have Armory.

I don't see any reason for trusting Bitcoin Core more than Armory. You don't know the developers personally, you have to vet the code yourself if you want to trust any of them.

I remember reading about how a command in the client would show the master public key or something (basically like the seed) that would allow for future access to the private keys.

It's a master private key, not the master public key. Yes. You can use dumpwallet command to get access to it and it would give anyone the access to all your future address. Those two are different.

[cellard]

What guarantees that within that timeframe, your HDD won't fail? Of course there is nothing wrong with address reuse, that is unless you value privacy. Using a new address everytime significantly increases the difficulty of anyone tracking your spending.

You'd be surprised how many people back up only once.

If you make backups daily you would be safe, or just instantly after creating a new address, also there are RAID disk configurations. If you only make a backup once you are an idiot that shouldn't be using bitcoin.

Trezor didn't endanger the people's privacy in anyway so I don't think that warrants a "cannot be trusted" tag. Hardware wallets are a lot more for if you want excellent security with convenience. It's really not easy to use a Linux as a hardware wallet. Bitcoin Core isn't designed to be very user friendly, especially if you want cold storage. That's why we have Armory.

I don't really care about what is easier to use if there are alternatives that are safer, and in general, a general purpose laptop with a librebooted bios, linux etc, it's (unless someone can argument otherwise) safer than a device specifically designed with bitcoin in mind.

I don't see any reason for trusting Bitcoin Core more than Armory. You don't know the developers personally, you have to vet the code yourself if you want to trust any of them.

For reasons such as this:

https://www.reddit.com/r/Bitcoin/comments/72dfy1/armory_wallet_fragmented_backups_may_be/

Core tends to be more conservative with the features they add. So I would like them to simply add GUI support to manage offline transactions, so we avoid chances of screwing up during crafting a rawtransaction command on the console.

It's a master private key, not the master public key. Yes. You can use dumpwallet command to get access to it and it would give anyone the access to all your future address. Those two are different.

Indeed dumpwallet. Well it's a problem, if a hacker manages to get that it's over.

[aleksej996]

Also, there's nothing wrong with reusing an address. To keep privacy you must know how to control inputs and outputs, for this you don't necessarily need a new address each time, just know when you need a new address.

It was always recommended to use a new address once the bitcoins are spent for the first time. This is a security thing, not the privacy one. As spending the coins from an address exposes the public key of that address. This potentially decreases the security as it adds a new vector of an attack and starts needing the security of public key cryptography used by Bitcoin. There are no known feasible attacks yet for the public key cryptography used by Bitcoin, but it is still a possibility.

As for the backing up part. As I said, it ain't a straightforward solution. Both have their benefits and costs. Will users rather create a new wallet once they get hacked or will they make a daily backup. I think the developers chose the one that seems to have less work in it and require less of the users and potentially save some funds from getting lost. The security is the same if you create a new wallet after a hack, but hacks are rarer then creation of new addresses, so it is less work for the same security.

[achow101]

And some like ledger, don't have 100% open parts. Honestly why even use these, when a general purpose laptop can act as a better hardware wallet.

Neither do general purpose laptops. They don't use 100% open parts. Furthermore, it is a well known fact that modern CPUs all have something that effectively allows remote access and control to your computer. Lots of firmware for the parts of your computer are propreitary and unknown to the public, more than just Ledger's secure element chip.

We just need Core to get their shit together and give us a refined, proper interface to manage offline transaction signing similar to Armory.

Pull requests welcome.

I remember reading about how a command in the client would show the master public key or something (basically like the seed) that would allow for future access to the private keys.

There is no command that shows any of the master keys (public or private). Furthermore, just having a master public key does not reveal any of the private keys.

[cellard]

Neither do general purpose laptops. They don't use 100% open parts. Furthermore, it is a well known fact that modern CPUs all have something that effectively allows remote access and control to your computer. Lots of firmware for the parts of your computer are propreitary and unknown to the public, more than just Ledger's secure element chip.

Indeed, which like I said, your laptop should be Librebooted, in other words, your laptop should most likely be an old Thinkpad of sorts (an x200 or T400 to run a node, with 8GB and 1TB SSD should do, and another one, cheaper, with a simple 100 GB HDD and 4GB of ram, airgapped, to store your private keys, and enjoy the benefits of Coin Control et all instead of having to rely on Trezor). Another reason to not have huge blocks btw, since we are stuck with old laptops to have freedom computers to run nodes and sign transactions.

Pull requests welcome.

Unfortunately... im not good enough of a coder. But IMO, this should be a priority way higher than scaling Bitcoin. We should've had proper ways to manage and sign offline transactions before segwit.

There is no command that shows any of the master keys (public or private). Furthermore, just having a master public key does not reveal any of the private keys.

This is confusing. I keep hearing people there are ways to show it and others say there's no way the HD wallet from Core could ever leak that info.

[ranochigo]

Indeed, which like I said, your laptop should be Librebooted, in other words, your laptop should most likely be an old Thinkpad of sorts (an x200 or T400 to run a node, with 8GB and 1TB SSD should do, and another one, cheaper, with a simple 100 GB HDD and 4GB of ram, airgapped, to store your private keys, and enjoy the benefits of Coin Control et all instead of having to rely on Trezor). Another reason to not have huge blocks btw, since we are stuck with old laptops to have freedom computers to run nodes and sign transactions.

Use raspberry pi with an old HDD. You would most likely have to load the blockchain using a desktop computer though.

Unfortunately... im not good enough of a coder. But IMO, this should be a priority way higher than scaling Bitcoin. We should've had proper ways to manage and sign offline transactions before segwit.

It's really not that much of an issue. People who uses cold storage probably also uses a client with that feature. The rest either have a hardware wallet or doesn't care at all. The demand for a cold storage UI isn't high enough to justify that. Scaling on the other hand, is way more important. What's the point of getting the UI if you have to spend even more money to use it? Core isn't free from vulnerabilities either.

This is confusing. I keep hearing people there are ways to show it and others say there's no way the HD wallet from Core could ever leak that info.

Okay. With the hardened derivation that Core uses, there is no way for Core to give you a master public key. As with the master key, you can get that with dumpwallet command, unless something changed; which I don't think so.