Bitcoin Forum
April 25, 2018, 09:54:05 AM *
News: Latest stable version of Bitcoin Core: 0.16.0  [Torrent]. (New!)
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 [9]  All
Author Topic: Improving Offline Wallets (i.e. cold-storage)  (Read 19253 times)
Jr. Member
Offline Offline

Activity: 30
Merit: 0

View Profile
April 28, 2014, 02:27:02 AM

Are there any problems with using a vpn connection instead of a usb ? What are some possible security risks?

If the VPN connection is based on OpenVPN, which uses OpenSSL by default, there would be for example the heartbleed bug, if it is not yet fixed on the machine you use.

So windows servers are not affected by this bug. Microsoft uses something called sstp to secure vpn.

It totally depends on the software used.
But in genertal, the more complex and big a system is, the more points of failure there are. And here, we have two instead of one computer, they both are online, and you have a vpn in between. Enhanced physical security may be worth it, depending on the situation. Nice to know that noone can just break in, grab a computer, and has everything he needs.

The important part is to distinguish two designs:
- "security measures in parallel", like a chain where you only have to break the weakest link (break one of the two computers or the VPN)
- "security measures in series", like layers where you have to break through all of them (like n-of-m, on paper wallets, encrypted)

Besides that, a "safe fallback" is good. "If anything irregular happens, it all shuts down and is fine" (like full hdd encryption for example). Also, consider every single component to be compromised. A million bonus points for designing a setup where every single component may be compromised at the same time, and you still don't lose :-)



The system I am building for a project, will be responsible for transferring unsigned transactions from hot storage to cold storage, signed them and bring them back online via some api and broadcast them. The setup I have come up with is using VPN over SSTP protocol which is not affected by the heartbleed bug and 2 form authentication on azure. So the idea is everytime a user wants to either withdraw funds from cold storage or send bitcoins/altcoins and if there isnt enough coins in the hot wallet, the user would have to vpn into the cold storage and provide 2fa. Then the cold storage server will sign the transaction and send back the signed transaction to the hot storage through vpn.


Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Hero Member
Offline Offline

Posts: 1524650045

View Profile Personal Message (Offline)

Reply with quote  #2

Report to moderator
Offline Offline

Activity: 2111
Merit: 1001

View Profile
April 28, 2014, 05:09:51 PM

So the online computer has all necessary info, passwords, certificates, to connect to the 'offline' computer and have the transaction signed? With no human interaction? This sounds like a completely online system for me.
Yes, you wrote about 2FA. It might be safe when you do all of this right, including having things in mind like MITM- and replay-attacks.
The point about "cold storage", "offline computer" and "airgap", is, well, the non-connectivity to any other system besides the operator sitting in front of it ;-)

Offline Offline

Activity: 74
Merit: 10

View Profile
March 06, 2015, 08:08:53 AM

I write a simple application to transfer data through air gap by QR code movies:


Pages: « 1 2 3 4 5 6 7 8 [9]  All
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!