winnetou (OP)
May 31, 2012, 10:08:14 AM

Hi,

Recently I thought about how you can make Bitcoin web projects more secure. I came up with the following idea:
- Encrypt your php files (e.g. with http://www.sourceguardian.com/)
- Create a hash of every financial sensible db entry (transactions, account balances etc.) and check the hash on every access

Benefits: If a hacker gets access to the database he can not add new transactions or change existing ones because he does not know the algorithm of your hash. Even if he gets access to the entire server he can not get (at least not easily I think) the hash algorithm because the php files are encrypted. Furthermore you can add an alarm when one hash is invalid that causes a stop to your bitcoin transaction handler or something like that.

What do you think and has somebody experience with encryption of php files? (In a trice I found no good open source tool for doing that)
Pieter Wuille
Legendary
Offline
Activity: 1072
Merit: 1174
May 31, 2012, 10:29:53 AM

If an attacker gets access to your system, he can just run the code to update the hashes as well...

I do Bitcoin stuff.

winnetou (OP)
May 31, 2012, 10:30:51 AM

But he does not know the code / hash algo. because the php files are encrypted
Pieter Wuille
May 31, 2012, 10:39:42 AM

He doesn't need to understand them - he can just execute them.
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
May 31, 2012, 11:36:13 AM

The server runs the encrypted code "somehow". If the attacker gains admin access he can do anything the server can.
hamdi
May 31, 2012, 11:37:31 AM

php encryptions are all not safe. they can all be reversed.
you could compile a custom hashing executable and call that from within php
Pieter Wuille
May 31, 2012, 11:42:11 AM

And the attacker will just run the custom hashing executable.
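Added example, not part of the thread: the row-hash idea from the opening post, with HMAC-SHA256 and a server-side key standing in for the secret hash algorithm. The table layout, key and function names are assumptions made for the illustration; it shows that the check catches a database-only change but not a change made through the server's own code, which is the objection raised in the replies.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for the demo; on a real server it sits wherever the web app can read it.
SERVER_KEY = b"constructed-demo-key"

def row_tag(key, txid, account, amount):
    """Keyed tag over one ledger row; fields are length-prefixed so they cannot run together."""
    fields = (str(txid).encode(), account.encode(), str(amount).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def app_write(db, txid, account, amount):
    """The application's own write path: the only code that uses the key."""
    db.execute("INSERT OR REPLACE INTO ledger VALUES (?, ?, ?, ?)",
               (txid, account, amount, row_tag(SERVER_KEY, txid, account, amount)))

def invalid_rows(db):
    """Return the txids whose stored tag does not match the row contents."""
    bad = []
    for txid, account, amount, tag in db.execute("SELECT * FROM ledger ORDER BY txid"):
        if not hmac.compare_digest(tag, row_tag(SERVER_KEY, txid, account, amount)):
            bad.append(txid)
    return bad

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ledger "
               "(txid INTEGER PRIMARY KEY, account TEXT, amount INTEGER, tag TEXT)")
    app_write(db, 1, "alice", 500)   # constructed sample rows
    app_write(db, 2, "bob", 700)
    clean = invalid_rows(db)
    # Case 1: database-only access. The row changes, the tag cannot follow.
    db.execute("UPDATE ledger SET amount = 999999 WHERE txid = 1")
    db_only = invalid_rows(db)
    # Case 2: code execution on the host. The write path is simply called;
    # neither the key nor the algorithm has to be read or understood.
    app_write(db, 2, "bob", 999999)
    after_host = invalid_rows(db)
    return clean, db_only, after_host

if __name__ == "__main__":
    print(demo())
```

Row 2 ends up altered and still verifies, so the alarm proposed in the opening post only covers the database-only case.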
btctree
Newbie
Offline
Activity: 47
Merit: 0
May 31, 2012, 12:14:35 PM (Last edit: May 31, 2012, 02:59:55 PM by btctree)

Let's say a hacker gets access to your SQL and file system (like he got your root password), so he can:
1: call ./bitcoind send command in ssh to send your bitcoins to his address.
2: upload a php (for example, JSON-RPC), to control your bitcoind with same command in 1
3: decrypt your php encode, then get the algo of hash of your sql data, won't be too hard if he has skill to hack your server
4: or just leave some small scripts in your payment process code which allows him to receive bitcoins when you pay/receive bitcoins, he can also set many conditions for this "steal program" so you can't find out there is problem only after long time or huge damage.
5: many others, predictable and unpredictable...

There is no 100% (not even 99%) secure at this moment for hosting a bitcoin in/out project. Once your system gets cracked, your bitcoins are gone. But I know there is a new thing called "multi-sig transactions" coming out on bitcoin's application which can stop unauthorized payments from being processed even if your system has been cracked.
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
May 31, 2012, 01:08:20 PM

In order to run code in an autonomous manner, a server must store the decryption key somewhere, and a hacker can usually find it, rendering the encryption useless. Limited exceptions can be made for keys that are required on boot and not stored, but when that happens they are stored in memory and can possibly still be had by a smart hacker.
btctree
May 31, 2012, 01:13:56 PM

> In order to run code in an autonomous manner, a server must store the decryption key somewhere, and a hacker can usually find it, rendering the encryption useless. Limited exceptions can be made for keys that are required on boot and not stored, but when that happens they are stored in memory and can possibly still be had by a smart hacker.

walletpassphrase won't help, because the hacker can either: scan your memory cache or just use the same session you are already using. for example, use your own JSON-RPC to send bitcoins.
rjk
May 31, 2012, 01:27:44 PM

> > In order to run code in an autonomous manner, a server must store the decryption key somewhere, and a hacker can usually find it, rendering the encryption useless. Limited exceptions can be made for keys that are required on boot and not stored, but when that happens they are stored in memory and can possibly still be had by a smart hacker.
>
> walletpassphrase won't help, because the hacker can either: scan your memory cache or just use the same session you are already using. for example, use your own JSON-RPC to send bitcoins.

Exactly, and the type of attack depends on how much access the hacker has, and how he got in. If he was able to reset the root password through a control panel for instance (like bitcoinica), he would have root access to plant a keylogger or pick up the passphrase if it were stored on disk. If he broke in through a SQL vulnerability, he could grab the passphrase from memory, even if it were not stored on disk. It's a difficult kind of situation, but HSMs such as what DeathAndTaxes is looking into can mitigate the risk somewhat.
DeathAndTaxes
May 31, 2012, 02:50:04 PM

> There is no 100% (not even 99%) secure at this moment for hosting a bitcoin in/out project. Once your system gets cracked, your bitcoins are gone.

Yet.

If the host knows the private keys then an attacker who seizes control of the host seizes control of the private keys. So what if the host never knows the private keys?

    BSM Host: v0.0.1.1238
    Module: v0.0.1.608
    Runtime: v4.0.30319

    Initializing BSM with root key to form deterministic seed.
    Host: 'Initialize(ZOpK/CiAP/aU1HlNOiJxeyCD8MUI/Zf1xCDFtOJPpGU=)'
    Module: 'OK'

    Verifying root key (module should return SHA256 hash of Root Key)
    Host: 'RootHash()'
    Module: 'E9o5VWDsusAWOTf5lVPHWI13YeMCXJ85S+SYqFfW6Lc='

    Requesting a new address
    Host: 'GetAddress(1)'
    Module: '112ypupfk6upHCL65NhqNhtv9RBwW1jR1w'

Even storing private keys (and fund control rules) in a hardware device isn't 100% secure but it should raise the bar substantially. All major robberies to date have been "smash and grabs". Once the attacker gained access to the server he simply copied the private keys to a client he controlled and transferred the funds.
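
Added example, not DeathAndTaxes's code: a software model of a module that holds the root key and applies fund control rules, so the host only ever receives identifiers and authorisations. The method names echo the calls in the log above, while the spending limits, the HMAC-based key derivation and the authorisation tag are assumptions standing in for real Bitcoin key derivation and signatures.

```python
import base64
import hashlib
import hmac

class KeyModule:
    """Models the module's interface only; in the design described in the post
    it would run on separate hardware, not in the host's process."""

    def __init__(self, root_key, per_tx_limit, daily_limit):
        self._root = root_key                  # no method ever returns this
        self._per_tx = per_tx_limit            # assumed fund control rule
        self._daily = daily_limit              # assumed fund control rule
        self._spent = {}                       # day -> total already authorised

    def root_hash(self):
        """Lets the host confirm which root key is loaded without learning it."""
        return base64.b64encode(hashlib.sha256(self._root).digest()).decode()

    def _child_key(self, index):
        # Deterministic per-index key; HMAC stands in for Bitcoin key derivation.
        return hmac.new(self._root, index.to_bytes(4, "big"), hashlib.sha256).digest()

    def get_address_id(self, index):
        """Public identifier for key `index` (stand-in for a Bitcoin address)."""
        return hashlib.sha256(self._child_key(index)).hexdigest()[:34]

    def authorise(self, index, dest, amount, day):
        """Return a tag (stand-in for a signature), or None when the rules refuse."""
        if amount <= 0 or amount > self._per_tx:
            return None
        if self._spent.get(day, 0) + amount > self._daily:
            return None
        self._spent[day] = self._spent.get(day, 0) + amount
        msg = f"{dest}|{amount}|{day}".encode()
        return hmac.new(self._child_key(index), msg, hashlib.sha256).hexdigest()

def max_loss_if_host_compromised(module, balance, day):
    """Worst case for one day when the host is fully controlled: payout
    requests are repeated until the module refuses or the balance is gone."""
    taken = 0
    while taken < balance and module.authorise(1, "unknown-dest", 100, day):
        taken += 100
    return taken
```

With a daily limit of 300 and a balance of 10000, the function returns 300: the host can still be misused, but the keys cannot be copied out and the loss per day is bounded by the module's rules.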