Bitcoin Forum
December 09, 2016, 12:01:16 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: android wallet to webcam client?  (Read 1769 times)
Defkin
Member
**
Offline Offline

Activity: 80


View Profile
January 20, 2012, 05:12:24 PM
 #1


I am still fairly new to BTC so please forgive me if this has been suggested before. My concern is having my BTC secure and easy to use without the headache of use a bootable usb or worry about malware trojans etc.


1. Cheap $50 android pad, no web access ,app that has your private keys and can do transactions (suitably backed up).
2. PC with webcam and a client that keeps track of your transactions plus internet.

Step 1. Display your beneficiaries QR code on the PC's monitor.
Step 2. Use android pad to scan QR code.
Step 3. Carry out transaction and display resulting QR code on pad's screen.
Step 4. Scan Android pad's screen using PC's webcam
Step 5. Client on PC sends transaction to the net.
 
The only communication to the web by the device holding the private keys is via QR code so should be petty much hacker proof.
The inconvenience factor is relativity small in light of other methods such as booting the PC off a USB OS.

What do you think? And better still where can I get the software needed ready made Cheesy

1481241676
Hero Member
*
Offline Offline

Posts: 1481241676

View Profile Personal Message (Offline)

Ignore
1481241676
Reply with quote  #2

1481241676
Report to moderator
1481241676
Hero Member
*
Offline Offline

Posts: 1481241676

View Profile Personal Message (Offline)

Ignore
1481241676
Reply with quote  #2

1481241676
Report to moderator
Some PGP public keys you should import: theymos, BadBear, Sirius, Stefan, Wladimir, Gavin, Gregory, Jeff, Pieter
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
March 15, 2012, 08:36:45 PM
 #2

Sounds exactly like armory's offline transactions.

VVS dump
Jr. Member
*
Offline Offline

Activity: 57



View Profile
March 18, 2012, 03:31:42 AM
 #3

this is totally possible, except that the return of the signed transaction to you computer can not be stored inside a single qr code most of the time. QR codes provide only limited storage, and transactions can be multiple kilobytes in size. this might be possible to circumvent using multiple qr codes in a sequence though.
Defkin
Member
**
Offline Offline

Activity: 80


View Profile
March 18, 2012, 06:45:28 AM
 #4

this is totally possible, except that the return of the signed transaction to you computer can not be stored inside a single qr code most of the time. QR codes provide only limited storage, and transactions can be multiple kilobytes in size. this might be possible to circumvent using multiple qr codes in a sequence though.

This is good to know, the idea of having my private keys never in contact with the internet has a lot of appeal to me. This way assuming my wallet and PC has been hacked and hopelessly compromised my BTC is still safe? I cannot keep my PC safe between OS day one flaws and clever hackers but I know I can keep a pad or old phone off the net.

Is there any way the transaction data can be messed with once it has been sent back (via 2 x qr codes) to the PC besides just preventing the transaction?

If there is a solid foundation to the concept and interest maybe I can start a bounty on it. I am sure many people have old smartphones etc that can be used for the purpose.


etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 19, 2012, 04:11:00 AM
 #5

I had considered this idea for Armory's offline wallets (webcams to move data around between offline and online devices).  It turns out to be kind complicated and cumbersome, and subject to driver issues because webcams do not always work easily on every OS.  Instead, I've resorted to USB keys between a regular online computer and an offline system.  And a recommendation to update full anti-virus and disable all autorun on the offline computer!  (plus paper backups to ensure even more security against device failure)

It's a million times better than any online-wallet setup.   However, it's only 99.99%, and people with lots of Bitcoins and even more paranoia probably want 100.00%.  Webcams + QR codes would theoretically work, but honestly I think it would be a mess.  Multiple sequential QR codes, driver issues, designing a real-time-feedback UI for using the camera, resolution issues, wires everywhere, etc.   Instead I'm working on a serial-port-based solution right now that really should be 100%.  I just have to investigate exactly how USB-serial-port adapters work, and make sure that there is exactly 0.0% chance of remote code execution based on incoming serial port data.

As you can tell, there's a few folks already using the USB-based solution, and they seem quite happy with it.   Check it out yourself:  
Main Page
Offline Wallet Tutorial
And of course, if you're offering bounties for such a solution, then please consider visiting my crowdfunding page to help me continue this project.  Only 12 hours left!  Smiley


EDIT: I realize this solution doesn't use a phone like you suggested, but any old about-to-be-junked laptop will work.  Get one off of craigslist for $40 and disable the wifi card in the BIOS.  In the next couple months, I will be setting up a system for using a phone for two-factor authentication via multi-signature transactions which will be a decent alternative for people who don't want to find/setup/maintain an old laptop for the above solution.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Andreas Schildbach
Hero Member
*****
Offline Offline

Activity: 563



View Profile WWW
March 21, 2012, 03:58:11 PM
 #6

Perhaps this info will help:

Bitcoin Wallet for Android can export/import transactions via QR code. This means you can use an isolated phone for signing, and use a second phone for transmitting into the P2P network.

Bitcoin Wallet for Android: Your own Bitcoins, in your own pocket!
https://play.google.com/store/apps/details?id=de.schildbach.wallet
Defkin
Member
**
Offline Offline

Activity: 80


View Profile
March 22, 2012, 11:33:16 AM
 #7

Thanks for the replies.

The concept I am looking for is a portable, physically isolated device that I can verify with my own two eyes data that goes in and out.

You hear in the news every day about hacks, data stolen. Even in this community people have had BTC stolen through hacks. NASA and Oak Ridge cannot keep their data safe. Physically isolated systems in nuclear reactors are getting targeted worms through usb sticks......the list goes on.

I understand that the limitation on the web cam idea is a hardware/driver problem. As a compromise would it be feasible to have the android device connect via head phone and use audio? It would be extremely unlikely there is an existing vulnerability in the OS and other software that could be exploited by this communication method.

Have wallet send {receiving address - amount - private key to use} via audio. Android program receives data {display incoming data [user ack] generate payment hash - send to audio}.

You would need a patch audio cable..... but short of making a specific hardware platform I am out of idea atm.

This way I could go to an internet cafe and use a web based wallet and be still be secure by jacking into the headphone socket?
Defkin
Member
**
Offline Offline

Activity: 80


View Profile
March 22, 2012, 11:40:15 AM
 #8

Perhaps this info will help:

Bitcoin Wallet for Android can export/import transactions via QR code. This means you can use an isolated phone for signing, and use a second phone for transmitting into the P2P network.


so to sign the transaction the 2nd phone will never be connected to net and the only interaction is needs to to see and display the qr codes?

But won't the private keys still be on the 1st phone, the one that connects to the net? So if the hacker steals the private keys off the 1st phone what need would they have to compromise the 2nd?
Andreas Schildbach
Hero Member
*****
Offline Offline

Activity: 563



View Profile WWW
March 22, 2012, 12:33:20 PM
 #9

At least one of the device need to be connected to the Bitcoin P2P network obviously.

There is two devices:

- connected device (to Bitcoin P2P network)
- signing device (interfaces limited to QR or NFC)

You need a fully updated blockchain on the connected device. You create a tx with that device, send the tx to the signing device using QR or NFC, sign, and send back to the connected device. The connected device distributes the tx into the P2P network.

Actually, this usecase is not yet fully implemented by Bitcoin Wallet. But part of it is already there, maybe someone wants to continue on that side project?

Bitcoin Wallet for Android: Your own Bitcoins, in your own pocket!
https://play.google.com/store/apps/details?id=de.schildbach.wallet
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 22, 2012, 12:43:00 PM
 #10

At least one of the device need to be connected to the Bitcoin P2P network obviously.

There is two devices:

- connected device (to Bitcoin P2P network)
- signing device (interfaces limited to QR or NFC)

You need a fully updated blockchain on the connected device. You create a tx with that device, send the tx to the signing device using QR or NFC, sign, and send back to the connected device. The connected device distributes the tx into the P2P network.

Actually, this usecase is not yet fully implemented by Bitcoin Wallet. But part of it is already there, maybe someone wants to continue on that side project?


What you described is exactly what Armory does with a second computer.  And having an old, spare laptop is probably more likely for many people than having a spare smartphone that's not connected to any network.  That's not to say that it is unnecessary to have such a smartphone client, but I'm telling you that that precise functionality exists in an available program already, using a second computer.

I'm working with a friend on two-factor authentication, to be used with Armory (or any other BIP-0010-supporting program).  There's no reason I can't combine the two ideas to use a smart-phone as the offline signing device.  It will just require transferring the signatures back from the phone to computer.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!