A sneak peak at the future of Bitcoin Cold Storage

[crazy_rabbit]

This is very cool, I just dont see how we can be 100% sure that the chips or whatever electronics will still work in 5 years ect, cds, usb sticks, memory cards, are not exactly "long term" in lifetime, why should this last longer?

Well it 'should' last longer, but it's true- any sort of device like this has it's own limits. NFC is pretty durable however, especially if you don't use it very often.

The term NFC doesn't tell much about the type of IC you're using or even the encryption/protection technology employed.  I'm assuming you're using an off-the-shelf RFID IC.  If you tell everyone which IC is used in the design, everyone can go fetch the datasheet and observe the data retention spec and what the protection scheme employed is.  If you're not willing to say which actual IC, even the frequency (125kHz? 13.56MHz?) and protection technology (MIFARE DESfire/EV1/EV2?) would at least be something.  From there, everyone will be able to better assess (a) how long the data is likely to be (accurately) retained by the device, and (b) what the strength of the encryption/protection scheme employed is and that it isn't designed around an NFC solution that has already been compromised (like, say, MIFARE Classic).

Not sure there's much use not disclosing which RFID IC is used.  As soon as people have them, someone's going to probe it with an RFID reader or Proxmark and fingerprint the IC (assuming it's an off-the-shelf IC), and then everyone will know anyway.

Off-the-shelf RFID IC's don't have unlimited data retention (same situation with most EEPROM and flash technologies).  As an example, the MIFARE DESfire line of RFID IC's spec a minimum data retention of 10 years.  They'll probably still be readable without flipped bits for some time beyond that, but that is not guaranteed.

The only reason I haven't said is that I haven't decided. I started with the DesFire 4K but NXP has new, potentially more exciting models out and now I'm going to be testing with the NTAG216. There is no secret behind the IC itself. The technology is secure enough to work for this product, being able to 'sniff' the data, or steal the data, does nothing to alter the integrity of the device. All data stored on the chip is intended to be encrypted by the user.  So if you really did let someone sniff your chip somehow, then you're still just as secure as before. Bruteforcing the encrypted data would be the same as brute forcing your bitcoin public key. Makes no difference.

Memory retention is the only issue here that should be worried about- indeed minimum 10 years is a pretty good start. Once again though, you could just print out the encrypted data from the chip and store it with the device if you were really worried about this. Still doesn't change the integrity of the device.

I am not engineering a custom NFC device. There are too many security issues that would crop up from somehow designing my own security system and chip. This is off the shelf, standard components. No tricks, no surprises. I may even offer a choice of chip to users: Desfire 4K or NTAG216.

[crazy_rabbit]

Just to quickly answer a few questions:

I The idea is that once your data is written to the NFC chip inside, you lock it permanently, and then to redeem the data inside you must break the device open to obtain the main password to decrypting the device NFC chips which is kept on the inside.

I understand most of this but one aspect is a bit fuzzy to me.

it must be broken to redeem. the password to decrypt the NFC data is etched inside in some fashion? on something that is not destroyed by breaking the glass but not visible or scannable (say by a CT scanner)?

just how unbreakable is it. I mean I can swing a hammer really hard could one break it "too hard" to the point the password is not recoverable? or the NFC chip is broken? or do you read the chip data before breaking it?  perhaps (brief) instructions should be somehow visible when looking at the thing by eye? 30 years from now it may not be easy to figure out what this is if a decedent of mine finds it with no instructions.

Oh, it's not unbreakable. It IS breakable. How resistant it is to breaking is still to be determined. I'm still thinking about the "breaking too hard" problem though. Obviously pulverising the device would be a bad idea, but it's hard for me to quantify how much force someone might put into breaking it. Thus far the designers and myself have concluded that the device should be relatively easy to break so as to not encourage anyone to over do it in trying to break it and thus destroyed the password inside. The compromise however is that we need to expect users to treat the device with care and not, as someone else mentioned, leave it around in street to be run over by trucks. It is really intended to be handled like a valuable object, where it's value is contingent upon it not being broken. People seem to do a pretty good job of this in general: Expensive jewels, expensive vases, expensive pieces of art. Sure things get knocked over once and while, but if it's in a safe deposit box or your home safe, it should be pretty okay. Even paintings by great painters get dug out of the trash by automechanics who then go on to protect them without knowing their true value. Hence the idea of making it looks REALLY special. People will be inclined to treat the device well.

As for CT scanning it. At the moment I'm limited in how thoroughly I can test this. But there are a few ways to mitigate the threat of some exotic method of scanning a device: Multi-Sig and Salting. Simply salting the password with something that's not contained in the device can make it impractical to attempt to scan (although now you need to protect your salt). The other thing is, you can simply require more then one device to access your bitcoin- Multisig. Meaning as long as you can do a good job ensuring that at least some number of your devices can't fall into the hands of someone who might scan them, you should be okay.

The device is intended to simplify storing your bitcoin securely, but of course, the greater the resources of your potential attacker, the greater lengths you will need to go to thwart their efforts.


Also, this device doesn't have to be just for bitcoin. You could store your gmail password, or any other short string of data in it.

[WindMaster]

The only reason I haven't said is that I haven't decided. I started with the DesFire 4K but NXP has new, potentially more exciting models out and now I'm going to be testing with the NTAG216. There is no secret behind the IC itself. The technology is secure enough to work for this product, being able to 'sniff' the data, or steal the data, does nothing to alter the integrity of the device. All data stored on the chip is intended to be encrypted by the user.  So if you really did let someone sniff your chip somehow, then you're still just as secure as before. Bruteforcing the encrypted data would be the same as brute forcing your bitcoin public key. Makes no difference.

Given the choice, I'd tend to steer well toward the "new, potentially more exciting models" of the MIFARE line that are available.  Even if you're not relying on any security in the NFC solution at all, and you're using it as effectively an openly read/writable storage device with security equivalent to just using a USB thumb drive, there's still going to be a public perception issue in that DESFire's security mechanism was cracked 2.5 years ago and exploits are readily available.  If you meant DESFire EV1 or EV2, that perception problem might not exist (yet), until someone develops a similar attack for EV1 or EV2.  If it's the original DESFire you're targeting, the EV1, EV2 and MIFARE Plus would tend to be viable alternatives.  The original 4 variants of the DESFire IC have actually been end-of-lifed by NXP due to publication of exploits to bypass the DESFire security.

I am not engineering a custom NFC device. There are too many security issues that would crop up from somehow designing my own security system and chip. This is off the shelf, standard components. No tricks, no surprises. I may even offer a choice of chip to users: Desfire 4K or NTAG216.

Actually, if you're not going to use the security features and access control of the RFID chip at all and are just going to use it as read/write data storage, you could probably safely homebrew a solution as well without compromising security relative to a DESFire 4K.  Effectively the security of a DESFire 4K IC is currently equivalent to an open-access EEPROM.

You have me curious about the security model you're planning to use.  If arbitrary ability for anyone to read the EEPROM off the RFID IC (even from quite a few feet away if you've seen some of the fun antennas people have come up with for the Proxmark) isn't important to the security model, are you planning to make the hidden key stored within the glass be the private key for an asymmetric cipher, with a public key otherwise available to the user (printed?) external to the glass (and/or visible through it), and all the actual cryptography will just occur in software external to the device with the user entering the public key?  Or have you designed it such that the user generates their own private key, prints it, then somehow seals it within the glass capsule after the device is already in the user's possession?  The concept of storing the private key to decrypt the data on the RFID tag within a break-once glass capsule is a neat idea, though I haven't quite grasped how the execution of the crypto is going to work here.  All of the ways I've been able to imagine interpreting your description so far result in the private key existing outside of the glass at some point in time in advance of the final glass breaking ceremony when the device fulfills it's purpose.

Not that I'm questioning your design or anything, just playing devil's advocate to help make sure you've contemplated the attack vectors and how the crypto side of things is going to work out, and arrive at a product with superior, well thought-out-security.  

[crazy_rabbit]

The only reason I haven't said is that I haven't decided. I started with the DesFire 4K but NXP has new, potentially more exciting models out and now I'm going to be testing with the NTAG216. There is no secret behind the IC itself. The technology is secure enough to work for this product, being able to 'sniff' the data, or steal the data, does nothing to alter the integrity of the device. All data stored on the chip is intended to be encrypted by the user.  So if you really did let someone sniff your chip somehow, then you're still just as secure as before. Bruteforcing the encrypted data would be the same as brute forcing your bitcoin public key. Makes no difference.

Given the choice, I'd tend to steer well toward the "new, potentially more exciting models" of the MIFARE line that are available.  Even if you're not relying on any security in the NFC solution at all, and you're using it as effectively an openly read/writable storage device with security equivalent to just using a USB thumb drive, there's still going to be a public perception issue in that DESFire's security mechanism was cracked 2.5 years ago and exploits are readily available.  If you meant DESFire EV1 or EV2, that perception problem might not exist (yet), until someone develops a similar attack for EV1 or EV2.  If it's the original DESFire you're targeting, the EV1, EV2 and MIFARE Plus would tend to be viable alternatives.  The original 4 variants of the DESFire IC have actually been end-of-lifed by NXP due to publication of exploits to bypass the DESFire security.

I am not engineering a custom NFC device. There are too many security issues that would crop up from somehow designing my own security system and chip. This is off the shelf, standard components. No tricks, no surprises. I may even offer a choice of chip to users: Desfire 4K or NTAG216.

Actually, if you're not going to use the security features and access control of the RFID chip at all and are just going to use it as read/write data storage, you could probably safely homebrew a solution as well without compromising security relative to a DESFire 4K.  Effectively the security of a DESFire 4K IC is currently equivalent to an open-access EEPROM.

You have me curious about the security model you're planning to use.  If arbitrary ability for anyone to read the EEPROM off the RFID IC (even from quite a few feet away if you've seen some of the fun antennas people have come up with for the Proxmark) isn't important to the security model, are you planning to make the hidden key stored within the glass be the private key for an asymmetric cipher, with a public key otherwise available to the user (printed?) external to the glass (and/or visible through it), and all the actual cryptography will just occur in software external to the device with the user entering the public key?  Or have you designed it such that the user generates their own private key, prints it, then somehow seals it within the glass capsule after the device is already in the user's possession?  The concept of storing the private key to decrypt the data on the RFID tag within a break-once glass capsule is a neat idea, though I haven't quite grasped how the execution of the crypto is going to work here.  All of the ways I've been able to imagine interpreting your description so far result in the private key existing outside of the glass at some point in time in advance of the final glass breaking ceremony when the device fulfills it's purpose.

Not that I'm questioning your design or anything, just playing devil's advocate to help make sure you've contemplated the attack vectors and how the crypto side of things is going to work out, and arrive at a product with superior, well thought-out-security.   

Thats dense- I'll do it step by step:

I'm skipping the MiFare line as I understand they aren't fully compatible with Samsung/Android phones and other makes of phone. That said, I'll be making them in small batches, so if someone wanted something custom inside, it wouldn't be a problem. Precious Metals or Diamonds (or Diamonds with laser engraved private keys) are all possible things, but I'm trying to keep it simple to start. I had not planned on using the Desfire 4k's built in cryptographic functions. But you're right on the perception thing. The security isn't relevant, but yeah, people will probably react before really reading how it works, so that might be a good idea.

As for engineering a custom type of chip- I guess it's really just necessary at this point. I thought about sticking something like an arduino inside, but then, I don't quite see the point. The more complicated the device, the more complicated it will be to bring to market- regardless of how simple. It's hard enough trying to figure out how to seal the glass properly without destroying the chip and keeping structure intact. Like this users can use standard NFC software from NXP to encode the chip and work with the chip as they please. The novelty is the combination of these elements in the device in this fashion, not really the technology.

As for the Security model:

Basically you've got it exactly right. There is a bitcoin private key inside the device (NOT INTENDED TO HOLD FUNDS) and a public key which is given to the users. The user then encrypts their own secret with the public key, or public key+salt and then stores the encrypted data on the chip. To get decrypt the encrypted data, they break the container open, get the private key, regenerate the public key, optionally add their salt, and decrypt the encrypted data on the chip. (Or I may have more then on chip inside where the salt could be stored, etc...)

I've put a lot of thought into it, and it seems to be one of the simplest solutions I could think of. Even if the user chooses not to salt their password, they need only to a) keep it secure and protect it (as they would any other physical object of value, like gold), b) use multisig c)store the different multisig devices separately, and they have a very secure solution within the realm of reason. 

To protect the device from unauthorised scanning, you simply slip it into it's protective container (essentially a metal tube) and it can no longer be scanned, and should be even safe from EMP.

You still have to take care when first encoding the device and transporting the device, but the new NXP chips have access counters, so you can keep track of the number of times the device has been scanned- an easy tip off to knowing if something sneaky is going on.

It's a clever mix of low-tech, high-tech and human support.

What do you think? I'd love to hear criticisms as I'm still prototyping.

[gagalady]

you made it for yourself only or?

[crazy_rabbit]

you made it for yourself only or?

No, no, I'm going to sell them! Just have to fix a few things, get packaging, etc....

[WindMaster]

Couple thoughts:

I'm skipping the MiFare line as I understand they aren't fully compatible with Samsung/Android phones and other makes of phone. That said, I'll be making them in small batches, so if someone wanted something custom inside, it wouldn't be a problem. Precious Metals or Diamonds (or Diamonds with laser engraved private keys) are all possible things, but I'm trying to keep it simple to start. I had not planned on using the Desfire 4k's built in cryptographic functions. But you're right on the perception thing. The security isn't relevant, but yeah, people will probably react before really reading how it works, so that might be a good idea.

I've never tried with a Samsung Android device.  But if that combination of hardware + Android causes trouble with the MIFARE line, you'll have problems with the DESFire 4K since it's part of the MIFARE line (it is literally the "MIFARE DESFire 4K").  NXP pretty much calls their entire line of 13.56MHz RFID IC's by the MIFARE trademark.  I have no experience with interacting with MIFARE from Samsung devices though so I can't say one way or the other which chips in the MIFARE line are compatible.

As for the Security model:

Basically you've got it exactly right. There is a bitcoin private key inside the device (NOT INTENDED TO HOLD FUNDS) and a public key which is given to the users. The user then encrypts their own secret with the public key, or public key+salt and then stores the encrypted data on the chip. To get decrypt the encrypted data, they break the container open, get the private key, regenerate the public key, optionally add their salt, and decrypt the encrypted data on the chip. (Or I may have more then on chip inside where the salt could be stored, etc...)

Random thought here, which country are you in?  This security model means you'll have the private keys (at least at the time of manufacture).  Just as an example, if you were in the US or are a US citizen, you could be compelled to produce the private keys to the US government via an NSL (National Security Letter).  If you didn't retain the private keys, at that point you're pretty much stuck in legal limbo unless you have a definitive way to prove the private keys are not in your possession (been there, but NSL's carry with them a gag order so details will not be forthcoming).  I'm unfamiliar with the regulations in other countries but wouldn't be surprised if similar regulations exist.  Given the libertarian bent of much of the Bitcoin adopter population, there's likely a good portion of them that actually see their government as one of the parties they're trying to guard their BTC (or other data) against.  Particularly over the last 10 months as views have started shifting to the possibility that various governments are actively acting as an aggressor and will stop at nothing to obtain data you hold dear or to seize your property (or as the IRS likes to put it, to "take your rights to own property" if anyone has received one of those love letters).

On the other side of it, the user will have to have trust in you that you did not retain the private keys.  I think if there is some way this could be structured such that you actually don't have the private keys, you'd have a really elegant solution.  Implementing such would probably depend on utilizing the security features of the NFC IC you select however, and trusting that access control of that IC will not be compromised (multiple members of the MIFARE family have already fallen to exploits, after all).  It would be a rather slick product if you arrived at a zero-trust solution in which you as the manufacturer never actually possess the private key (or at least the private key that actually encrypts the stored data).

[phillipsjk]

Basically you've got it exactly right. There is a bitcoin private key inside the device (NOT INTENDED TO HOLD FUNDS) and a public key which is given to the users. The user then encrypts their own secret with the public key, or public key+salt and then stores the encrypted data on the chip. To get decrypt the encrypted data, they break the container open, get the private key, regenerate the public key, optionally add their salt, and decrypt the encrypted data on the chip. (Or I may have more then on chip inside where the salt could be stored, etc...)

I've put a lot of thought into it, and it seems to be one of the simplest solutions I could think of. Even if the user chooses not to salt their password, they need only to a) keep it secure and protect it (as they would any other physical object of value, like gold), b) use multisig c)store the different multisig devices separately, and they have a very secure solution within the realm of reason. 

To protect the device from unauthorised scanning, you simply slip it into it's protective container (essentially a metal tube) and it can no longer be scanned, and should be even safe from EMP.

I really liked the concept until you explained the details.

The user has to supply a "secret" or "private key" if you will. They need to keep it private, yet it has to look valuable enough that it won't be thrown in the trash.

I understand that the user needs to supply their own secret to avoid trusting the manufacturer, but that also implies that the device(s) are no longer self-contained.

For (Paper) "Bitcoin checks" I wanted to develop (but have been too lazy to): I instead focused on ways the manufacture could prove they printed a document. This, combined with the manufacture trying to prove to themselves that they or their employees can not inadvertently record the private keys, should be secure enough for transient storage.

[crazy_rabbit]

Couple thoughts:

I'm skipping the MiFare line as I understand they aren't fully compatible with Samsung/Android phones and other makes of phone. That said, I'll be making them in small batches, so if someone wanted something custom inside, it wouldn't be a problem. Precious Metals or Diamonds (or Diamonds with laser engraved private keys) are all possible things, but I'm trying to keep it simple to start. I had not planned on using the Desfire 4k's built in cryptographic functions. But you're right on the perception thing. The security isn't relevant, but yeah, people will probably react before really reading how it works, so that might be a good idea.

I've never tried with a Samsung Android device.  But if that combination of hardware + Android causes trouble with the MIFARE line, you'll have problems with the DESFire 4K since it's part of the MIFARE line (it is literally the "MIFARE DESFire 4K").  NXP pretty much calls their entire line of 13.56MHz RFID IC's by the MIFARE trademark.  I have no experience with interacting with MIFARE from Samsung devices though so I can't say one way or the other which chips in the MIFARE line are compatible.

As for the Security model:

Basically you've got it exactly right. There is a bitcoin private key inside the device (NOT INTENDED TO HOLD FUNDS) and a public key which is given to the users. The user then encrypts their own secret with the public key, or public key+salt and then stores the encrypted data on the chip. To get decrypt the encrypted data, they break the container open, get the private key, regenerate the public key, optionally add their salt, and decrypt the encrypted data on the chip. (Or I may have more then on chip inside where the salt could be stored, etc...)

Random thought here, which country are you in?  This security model means you'll have the private keys (at least at the time of manufacture).  Just as an example, if you were in the US or are a US citizen, you could be compelled to produce the private keys to the US government via an NSL (National Security Letter).  If you didn't retain the private keys, at that point you're pretty much stuck in legal limbo unless you have a definitive way to prove the private keys are not in your possession (been there, but NSL's carry with them a gag order so details will not be forthcoming).  I'm unfamiliar with the regulations in other countries but wouldn't be surprised if similar regulations exist.  Given the libertarian bent of much of the Bitcoin adopter population, there's likely a good portion of them that actually see their government as one of the parties they're trying to guard their BTC (or other data) against.  Particularly over the last 10 months as views have started shifting to the possibility that various governments are actively acting as an aggressor and will stop at nothing to obtain data you hold dear or to seize your property (or as the IRS likes to put it, to "take your rights to own property" if anyone has received one of those love letters).

On the other side of it, the user will have to have trust in you that you did not retain the private keys.  I think if there is some way this could be structured such that you actually don't have the private keys, you'd have a really elegant solution.  Implementing such would probably depend on utilizing the security features of the NFC IC you select however, and trusting that access control of that IC will not be compromised (multiple members of the MIFARE family have already fallen to exploits, after all).  It would be a rather slick product if you arrived at a zero-trust solution in which you as the manufacturer never actually possess the private key (or at least the private key that actually encrypts the stored data).

I'm not in the US, and not manufacturing them in the US, but I am American. And for emphasis: The Key Pair in the device is NOT FOR STORING BITCOIN (emphasis for anyone reading this in a cursory manor)

You have a very good scenario- but I'm not so sure it's applicable to this case as a simple procedure will protect you from the government strong arming me as the manufacturer. The device is not intended to protect you from someone in possession of m-of-n devices. It is up to you to hide the devices from the 3rd parties. If you are really rich and really worried (I'm looking at you Karples) you put them in safe deposit boxes around the world. Or you bury them under apple trees. Or you drop one to the bottom of a lake. Etc... The government still has to posses m-of-n devices to make any use of any data they might force from me.

If this is a serious concern of a user- the solution is to make sure your encryption is properly salted. If you want, you can use another set of devices to protect your salt. If you trust the security of the NFC chip, you can leave it all inside the chip.

Security is always a significant trade-off. This device is to make estate planing easier, to ensure your spouse has access to your bitcoin in case you're in an accident and are in a coma and can't enter your wallet password.

Either you leave a way for the people you care about to be able to access your bitcoin in the event of an accident, you trust electronic technology completely, or you memorize the password in your head and take your chances. I like to think of this being a nice compromise between all these things. And if used correctly should keep people far safer with their bitcoin storage then they are now.

[crazy_rabbit]

Basically you've got it exactly right. There is a bitcoin private key inside the device (NOT INTENDED TO HOLD FUNDS) and a public key which is given to the users. The user then encrypts their own secret with the public key, or public key+salt and then stores the encrypted data on the chip. To get decrypt the encrypted data, they break the container open, get the private key, regenerate the public key, optionally add their salt, and decrypt the encrypted data on the chip. (Or I may have more then on chip inside where the salt could be stored, etc...)

I've put a lot of thought into it, and it seems to be one of the simplest solutions I could think of. Even if the user chooses not to salt their password, they need only to a) keep it secure and protect it (as they would any other physical object of value, like gold), b) use multisig c)store the different multisig devices separately, and they have a very secure solution within the realm of reason. 

To protect the device from unauthorised scanning, you simply slip it into it's protective container (essentially a metal tube) and it can no longer be scanned, and should be even safe from EMP.

I really liked the concept until you explained the details.

The user has to supply a "secret" or "private key" if you will. They need to keep it private, yet it has to look valuable enough that it won't be thrown in the trash.

I understand that the user needs to supply their own secret to avoid trusting the manufacturer, but that also implies that the device(s) are no longer self-contained.

Well I hope I haven't lost you just yet.

There are still a few ways around this that I am experimenting with and I think it depends on what users are looking for. The lowest tech solution to this is simply writing with permanent marker on the device. Again, I can't protect users from a 3rd party that has the ability to seize all your devices (or m-of-n) devices, because if I could- that would defeat the purpose of allowing you to do things like estate planning or "you are in a coma we need your bitcoin to pay your medical bills" situation.

The market for this device is to protect you from yourself, more or less and the regular thieves that in the future will one day be after bitcoin too. The ability to which it protects you from the government depends on your ability to hide it from the government. Which is a reasonable trade off for most people. If this is a serious concern for you, and you don't mind your bitcoin going with you to the grave, there's no reason to not memorise a really exceptionally long brainwallet and leave it at that. If you want to access your bitcoin on a daily basis, and be secure, then Trezor is a better option.

This is for long term storage and planning of your bitcoin that doesn't require trusting me, the manufacturer, but also assumes that you can take care of protecting the device relatively well yourself, within reason considering whatever your situation might be. If at the very least, this eliminates the systemic threat that physical bitcoin manufactures pose. For all the people minting coins or printing plastic cards- the manufacturer has the ability to steal all the bitcoin of all the people who have ever purchased their products all at once. If I were to somehow get compromised, a 3rd party would still have to hunt down every user individually AND hunt down every m-of-n number of devices of very person AND still have to break whatever extra encryption or security strategy they may choose to employ. It's orders of magnitude more secure for the entire physical bitcoin ecosystem.

So I hope viewed through that perspective, you can keep your mind open. If you are so valuable that someone would commit themselves to hunting you down, and hunting every instance of this device that you own down, then you need to really consider some other options. If you're like many people coming into bitcoin now, investing 10K that might go to your kids college fund and you don't want to have to worry about Maleware getting it for the next 5 years, or getting married (like myself) and would like to have a joint "bitcoin savings fund" that you don't have to worry getting Goxxed, then this might just be perfect.

[phillipsjk]

I get the impression the slug in the middle is hard to duplicate. What about the glass sleeve? is that marked somehow? Perhaps with an integrated marble?

BTW: I fear the greatest threat of Bitcoin loss is people loosing their encryption keys (assuming they are using some kind of sane cold-storage). M-of-N keys in multiple locations can really help protect against physical key destruction.

[rocks]

Thanks for the detailed response to my questions above, look forward to hearing more as this moves forward.

One thing to consider is support to backup not just a private key but also a deterministic wallet seed. For those of us that use deterministic wallets this would be more useful IMHO.

[dogechode]

I know you said you don't want to get too specific on price but what you alluded to sounds more than fair to me. Can the glass be colored or does that complicate the process too much?

[crazy_rabbit]

I get the impression the slug in the middle is hard to duplicate. What about the glass sleeve? is that marked somehow? Perhaps with an integrated marble?

BTW: I fear the greatest threat of Bitcoin loss is people loosing their encryption keys (assuming they are using some kind of sane cold-storage). M-of-N keys in multiple locations can really help protect against physical key destruction.

The way the device is closed is hard to duplicate, we seal it in such a way that there is a unique pattern that develops.  It's a tricky balance to get without thermally shocking it, and without heating it so much as to damage the chip. It should be nearly impossible (although perhaps the CIA could do it) that you could break the glass in such a way that you could put it back together without it being noticed. The outersleve is uniform in the glass 'flow', with special ribs, so tampering or attempting to 'reassemble' the device after breaking the device would be very obvious.

The middle slug/tube is hard to duplicate as well, but not nearly as hard as the outer construction as one piece. This part though is more mechanically functional in terms of the device appearance and less about security as the user won't really ever interact with the interior until it's broken.

Thanks for the detailed response to my questions above, look forward to hearing more as this moves forward.

One thing to consider is support to backup not just a private key but also a deterministic wallet seed. For those of us that use deterministic wallets this would be more useful IMHO.

I'm thinking to leave the NFC chip open for users to do as they wish and rather offer a guide as to how to potentially program it. I am developing some software, but there is such a variety of ways that a one might want to use the device that it seems perhaps more appropriate to let users work with the chips directly if they please. So yes- Deterministic wallet seeds would be supported as well.

I know you said you don't want to get too specific on price but what you alluded to sounds more than fair to me. Can the glass be colored or does that complicate the process too much?

Yeah, I'm hesitant to talk more about price until I've gotten the device design more clearly set.

Unfortunately, no the glass can not be colored. When I got started with this project, I imagine coloring glass was as easy as adding fruit coloring to jello. Turns out with glass if you get the ratio of color to glass wrong by even the smallest number of molecules the glass becomes extremely brittle or simply shatters.  I'm considering other processes- for example the glass tube on the inside has a really special coating to give it the nice color, although it's not colored glass itself. It's much harder to do then I had originally thought. Much more trial and error. :-)

[Abdussamad]

The same can be said for your mobile phone. Don't drop it. The device isn't intended to be handled on a daily basis. You get it, set it, and forget about it: Preferably somewhere safe other than your pocket or on the road.

Ah, but it's so pretty. If I bought it I would want to show it to everyone. What's the point of buying a shiny, expensive thing like this only to have it sit in a deposit box somewhere?

[stereotype]

The same can be said for your mobile phone. Don't drop it. The device isn't intended to be handled on a daily basis. You get it, set it, and forget about it: Preferably somewhere safe other than your pocket or on the road.

Ah, but it's so pretty. If I bought it I would want to show it to everyone. What's the point of buying a shiny, expensive thing like this only to have it sit in a deposit box somewhere?

A bit like some Casascius coins!

[crazy_rabbit]

The same can be said for your mobile phone. Don't drop it. The device isn't intended to be handled on a daily basis. You get it, set it, and forget about it: Preferably somewhere safe other than your pocket or on the road.

Ah, but it's so pretty. If I bought it I would want to show it to everyone. What's the point of buying a shiny, expensive thing like this only to have it sit in a deposit box somewhere?

You are supposed to use them with multi-sig and in a group of at least 3. Meaning at least one or two should be sitting somewhere safe. The third you can take out with you and show around no problem. But walking around with Titan Mint or Casacius coins is asking to get jumped and lose all your money, no? With this you can walk around with one, show it around no problem. Even if it's stolen you're still good. :-)

[Abdussamad]

You are supposed to use them with multi-sig and in a group of at least 3. Meaning at least one or two should be sitting somewhere safe. The third you can take out with you and show around no problem. But walking around with Titan Mint or Casacius coins is asking to get jumped and lose all your money, no?

Walking around with a shiny glass phallus is asking to get jumped too.

[zimmah]

You know  your idea is quite close to an idea I had myself the other day, but I am not in a position to realize that idea so I'll just share it.

My idea was to have 1oz gold or 1oz silver coins with a sort of chip in it with an encrypted private key and an unencrypted public key. With a standardized amount of bitcoin in the wallet when the coin is initially purchased. Of course the public key can be easily read because it's not encrypted.

The owner of the coin can read or (even better) use (without ever knowing the key) the private key using a decryption (possibly inside a ring or mobile phone or something) so the coin itself without the 'key' to decrypt it is only worth the precious metal. But once you have both the coin and the key to unlock it you have the value of the PM and the value of the bitcoins in it.

Not sure if it's feasible or even wanted but I thought it is an idea worth sharing.

[krach]

the main problem with any kind of chip being used is the lifetime of the chip, nobody knows exactly how long they will last. Would you trust a usb stick to last 5 years?