Smart people: How do you secure the private key on publicly sold paper wallets?

[yantis]

tl;dr - How do you secure the private key on publicly sold paper wallets (coins, cards, bills etc)?

Since there are a lot of smart people on these forums I figured I would bring this up here and see if anyone can come up with a solution to what I think would change the security of Bitcoin in a big way.

I am a huge fan of paper wallets. So much that I store all my Bitcoin on paper.. When I go out to eat I even tip the waiter/waitress in Bitcoin by pre printing out some piper paper wallets and leaving one as a tip with a note on how to use it.

Over the years I have watched people sell Bitcoin cards with holograms, Bitcoin bearer bonds, Bitcoin paper money etc and have seen these same wallets have the funds stolen from them because the creator knew the private key. There are close to 60,000 BTC in unopened Casascius coins out there. I know I would lose a bit of sleep knowing at if this 7 million in value turned into 700 million and someone decided to claim the coins because they had the private keys backed up somewhere.

What I would like to create is a Bitcoin card that you can buy with absolute confidence that only you know the private key. Then anyone can put Bitcoin in cold storage without any fear of it being hacked.

Imagine being able to buy an empty Bitcoin card and push any amount of Bitcoin to it and know with 100% certainty that this Bitcoin is secure as long as Bitcoin is (ie: proper random number generation, only inbound transactions etc, no brain wallet keys etc). Then you just send BTC to this address and watch it on the blockchain without ever losing any sleep.

To pull this off though there needs to be a way to put the private key on the card without actually having an opportunity for an employee or manufacturer or anyone for that matter to see it without breaking the tamper mechanism. Even more importantly that the end user knows that his key is secure and known only by him and that the key will actually work when he goes to access it.

One idea that might work would be a multi signature approach where you need both the private key on the card and the private key that you generate online to access the BTC then the creator can't steal the BTC.

[aantonop]

safepaperwallet.com supports BIP0038 encrypted private keys.

This you can use a PIN or passphrase to protect the private key. Without the decryption phrase you cannot spend.

[rolling]

There is no way it can be done with absolute certainty.  The only way to be certain with anything (especially trust) is to do it yourself.  If you buy a "card", it should come blank and you would load it manually with keys you generated in a secure, offline manner.  Perhaps sealed, once you add the key(s).

A viable long term solution should:

1) Use addresses and keys generated by the end user in a secure, offline manner.

2) Keep the address and the keys separate until you are ready to spend.  Addresses should be digital only and keys should be physical only.  Theft would require both a physical theft and a digital one.

3) Provide for backups of the keys.

4) Be destroyed once the keys have been used and any remaining balance moved to a new card.

EDIT: Removed reference to storing keys and addresses separately since you can generate the address from the private key.

[MA5H3D]

Just encrypt the private key, print it, then give the pass phrase to the recipient when you want to spend it.
www.bit2factor.org has a nice solution for this.

[stevenh512]

2) Keep the address and the keys separate until you are ready to spend.  Addresses should be digital only and keys should be physical only.  Theft would require both a physical theft and a digital one.

The address is derived from the public key, the public key is derived from the private key. Steal the private key (regardless of whether it's in physical or digital form) and you have everything you need to find the public key and the address. You also have the only thing you need (the private key itself) to steal any funds belonging to the address.

As far as securing the private keys on your paper wallets, there are two ways to be reasonably certain that it's secure. The first is to use something like safepaperwallet.com where you buy blanks and you generate and print the keys yourself. As long as you do that securely you know nobody else has access to those keys. The other way, as mentioned by a few people already in this thread, is to use BIP38 encrypted keys. You can use safepaperwallet.com, openpaperwallet, bit2factor.org or the Casascius Address Utility to generate these.

If you're buying pre-printed wallets BIP38 is the best option (other than not buying pre-printed wallets, of course) since you can generate an "intermediate code" derived from your password and the seller can generate an encrypted private key without ever knowing the key or your password. There are 2-factor Casascius physical bitcoins that are made this way, so even if he didn't generate the keys in a secure and private way (and destroy all key material as soon as they're printed) he would have no way of knowing the private keys.

[Abdussamad]

^^ That's true. People always judge a book by its cover.

EDIT: Removed reference to storing keys and addresses separately since you can generate the address from the private key once the address has received its first transaction.

You can generate the public key and address from the private key at any point. You don't have to wait for the first transaction. You don't even need the address except to look up how many bitcoins were sent to it.

[Abdussamad]

There is only one public key derived from a private key. There are two main encoding standards for bitcoin public keys - compressed and uncompressed. So the thief only has to watch two addresses.

_{edited for clarity}

[rolling]

There is only one public key derived from a private key. There are two main encoding standards for bitcoin public keys - compressed and uncompressed. So the thief only has to watch two addresses.

_{edited for clarity}

Ok.  I see now.  Thanks for the help.