Bitcoin Forum
Author Topic: Having a YUBIKEY as one of the parties for m-of-n signatures  (Read 4535 times)
ripper234 (OP, Ron Gross), August 09, 2012, 07:55:54 AM, #1

Assumption: Yubikeys are harder to hack into than most PCs.

Can we use this assumption to construct a key storage scheme that is at least as secure as other systems, but is more convenient?

Idea: Store bitcoins at an address composed of three private keys, using a 2-out-of-3 scheme:
1. A strong password
2. A paper wallet, printed on your own computer using 2-factor paper wallets
3. A Yubikey!

The first two have been discussed before, so I won't elaborate on them.
The Yubikey address is a special kind of address, that requires usage of Scripts.

This joined address can receive Bitcoins, that can only be spent with 2 signatures out of the 3 above. The "Yubikey signature" is specifically a one-time password generated using a Yubikey, with a particular timestamp that matches the current blockchain time (to prevent replay attacks).

Advantages:
1. For this system to be cracked, you have to have access to two out of the above 3 secrets. A paper wallet, printed on a clean, formatted computer which is subsequently wiped, especially using 2-factor auth, should be virtually impossible to obtain (store it in a bank vault). Your password can be accessed by a trojan, but the internal private key stored in the Yubikey cannot be retrieved, and its signatures are only valid for a very short time.

2. It is rather convenient to use. You can use this system even on semi-trusted computers ... the password element of the secret is basically just a sanity check ... even if it's compromised, the attackers can't do anything without physical access to your Yubikey or bank vault.

3. Yubikeys have 2 different password generation modes, triggered by either a short press or a long press on the key. You could have a system where a "short press password" is only allowed to transfer amounts of up to 100 BTC per day, and a "long press password" is required to manage this setting or transfer larger amounts of BTC. This way, a trojan working in real time can't snatch more than 100 BTC, despite snooping both password and OTP from the Yubikey.

Implementation
All of the above can, AFAIK, be implemented using Scripts.
More detailed specification of the protocol is left as an exercise to the reader.


Your thoughts?

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
theymos (Administrator), August 09, 2012, 08:42:48 AM, #2

Yubikey uses symmetric crypto. The entity validating the Yubikey code knows the Yubikey's secret key and can therefore produce valid Yubikey codes for the person being validated. Even if Script was powerful enough to validate Yubikey codes (it's not), you'd have to publish your Yubikey secret key to the network, which makes it pointless.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
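An added example, not code from the thread: theymos's objection is that whoever validates a Yubikey code holds the same secret as the token. The Yubikey's native OTP is AES-128 under a per-device key that the validation server keeps; the Yubikey's OATH-HOTP mode (RFC 4226) has the same property and needs only the Python standard library, so that is what the constructed code below implements. The Token and Validator classes, the look-ahead window of 10 and the RFC 4226 test-vector secret are assumptions of this example. The point it shows is that Validator.forge() produces exactly the token's next code without touching the token, so a script that could validate codes would have to carry the secret that forges them.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The hardware token (constructed stand-in): holds the secret and a moving counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class Validator:
    """The validating party. It must hold the SAME secret the token holds."""

    def __init__(self, secret: bytes, window: int = 10):
        self._secret = secret
        self._window = window
        self._last_counter = -1          # highest counter value accepted so far

    def validate(self, code: str) -> bool:
        # Look ahead from the last accepted counter; anything at or below it is a replay.
        for c in range(self._last_counter + 1, self._last_counter + 1 + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._last_counter = c
                return True
        return False

    def forge(self) -> str:
        # Anyone holding the validator's copy of the secret can mint the token's next code.
        return hotp(self._secret, self._last_counter + 1)


def demo() -> dict:
    secret = b"12345678901234567890"    # RFC 4226 Appendix D test secret, constructed input
    token = Token(secret)
    validator = Validator(secret)

    honest = token.press()
    accepted = validator.validate(honest)        # genuine code accepted
    replayed = validator.validate(honest)        # same code again is rejected

    forged = validator.forge()                   # minted from the validator's secret only
    matches_token = forged == token.press()      # identical to what the token emits next
    forged_accepted = validator.validate(forged) # and the validator accepts it
    return {
        "accepted": accepted,
        "replayed": replayed,
        "forged_matches_token": matches_token,
        "forged_accepted": forged_accepted,
    }
```

The replay window is the only defence the validator has, and it is a defence against an outsider, not against the validator itself. Contrast an ECDSA signature, which is checked with nothing but the public key.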
ripper234 (OP), August 09, 2012, 09:35:25 AM, #3

Quote from: theymos
Yubikey uses symmetric crypto. The entity validating the Yubikey code knows the Yubikey's secret key and can therefore produce valid Yubikey codes for the person being validated. Even if Script was powerful enough to validate Yubikey codes (it's not), you'd have to publish your Yubikey secret key to the network, which makes it pointless.

Sad

Thanks for the feedback.

Is there another similar device based on public key cryptography?
If there were, would Script have been powerful enough? If not, why not?
Is it because it's not Turing complete, and thus it's not possible/feasible to run complex algorithms like verifying signatures?
Can this be feasibly changed in the near future?

jl2012, August 09, 2012, 10:01:26 AM, #4

That would be great to have a public key cryptography version of Yubikey

Quote from: ripper234
Quote from: theymos
Yubikey uses symmetric crypto. The entity validating the Yubikey code knows the Yubikey's secret key and can therefore produce valid Yubikey codes for the person being validated. Even if Script was powerful enough to validate Yubikey codes (it's not), you'd have to publish your Yubikey secret key to the network, which makes it pointless.

Sad

Thanks for the feedback.

Is there another similar device based on public key cryptography?
If there were, would Script have been powerful enough? If not, why not?
Is it because it's not Turing complete, and thus it's not possible/feasible to run complex algorithms like verifying signatures?
Can this be feasibly changed in the near future?

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
ripper234 (OP), August 09, 2012, 10:54:05 AM, #5

http://www.quora.com/Cryptography/Is-there-a-Yubikey-like-device-that-uses-public-key-cryptography

theymos (Administrator), August 09, 2012, 10:54:25 AM, #6

Quote from: ripper234
Is it because it's not Turing complete, and thus it's not possible/feasible to run complex algorithms like verifying signatures?

Right. Script has opcodes for some hashing and signing algorithms built in, but it's not powerful enough to implement other crypto algorithms (bignum math isn't possible, for example). It's possible to make Script Turing-complete, but I don't see this happening any time soon since it would be backward-incompatible, it introduces potential security problems, and there's not that much benefit to it.

Quote from: ripper234
Is there another similar device based on public key cryptography?

There are hardware devices that securely contain private keys and perform signing, but I don't know whether any existing devices would be able to sign Bitcoin transactions. Especially since Bitcoin uses an ECDSA curve used almost nowhere else.

ripper234 (OP), August 09, 2012, 11:19:39 AM, #7

Quote from: theymos
Quote from: ripper234
Is it because it's not Turing complete, and thus it's not possible/feasible to run complex algorithms like verifying signatures?

Right. Script has opcodes for some hashing and signing algorithms built in, but it's not powerful enough to implement other crypto algorithms (bignum math isn't possible, for example). It's possible to make Script Turing-complete, but I don't see this happening any time soon since it would be backward-incompatible, it introduces potential security problems, and there's not that much benefit to it.


Would it make sense to add a custom opcode that asks the client to validate an ECDSA signature?
Every Bitcoin client needs to have code for ECDSA validation, so it doesn't add a lot of complexity, nor does it open any security vulnerabilities.

Keeping Scripts Turing-incomplete is a very good idea.

molecular (Donator), August 09, 2012, 11:25:26 AM, #8

Quote from: ripper234
Quote from: theymos
Yubikey uses symmetric crypto. The entity validating the Yubikey code knows the Yubikey's secret key and can therefore produce valid Yubikey codes for the person being validated. Even if Script was powerful enough to validate Yubikey codes (it's not), you'd have to publish your Yubikey secret key to the network, which makes it pointless.

Sad

Thanks for the feedback.

Is there another similar device based on public key cryptography?

German Privacy Foundation's Crypto Stick may (uses PGP afaik)

http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
MatthewLM, August 09, 2012, 12:04:49 PM, #9

You can use the yubikey for authentication with a third-party that owns a second private key for multi-signature transactions.
ripper234 (OP), August 09, 2012, 12:07:38 PM, #10

Quote from: MatthewLM
You can use the yubikey for authentication with a third-party that owns a second private key for multi-signature transactions.

Not good enough ... we can do better than that.

MatthewLM, August 09, 2012, 04:01:32 PM, #11

Yes you can do better than that by having an offline transaction signing device. Preferably one that displays the bitcoin address and the transaction amount.
damnek, August 10, 2012, 10:31:23 AM, #12

Quote from: MatthewLM
Yes you can do better than that by having an offline transaction signing device. Preferably one that displays the bitcoin address and the transaction amount.

Perhaps the bitcoincard can be used as a signing device.
molecular (Donator), August 10, 2012, 01:22:41 PM, #13

Quote from: damnek
Quote from: MatthewLM
Yes you can do better than that by having an offline transaction signing device. Preferably one that displays the bitcoin address and the transaction amount.

Perhaps the bitcoincard can be used as a signing device.

It essentially is one. However, you would have to be able to put your own keys on there and have some protocol to have it sign stuff.

ripper234 (OP), August 11, 2012, 07:57:34 AM, #14

In your opinion, would such a device be superior to other Hardware Bitcoin devices?
Would you buy it? For how much?

I see a lot of options here.

The killer feature is zero trust - you don't have to trust in the device's manufacturer, because you'll be using m-of-n signatures.
The scheme doesn't need any backups to the device itself - if it's lost, you still have n-1 other signatures, and can easily either move your funds to a traditional bitcoin address, or order another hardware authenticator and move the funds to a new m-of-n address with the new device.

I wouldn't trust a significant amount of coins to any of the other devices out there ... they're too experimental.
But this new device doesn't require you to trust your coins to it - it always increases your security, never decreases it.

I am quite interested in designing and developing this device.
I'm thinking of creating it as a completely open-source project, if possible.

If anyone is interested in teaming up to work on it, please post / pm me.

Mike Hearn (expert), August 11, 2012, 06:29:13 PM, #15

You don't need specific hardware. Just use a cheap second hand Android device. They flood onto the market at a fairly high rate. You can break its internet access by not giving it a SIM and switching off wifi, then do 2-factor signing using Bluetooth.
MatthewLM, August 12, 2012, 04:01:18 PM, #16

Quote from: Mike Hearn
You don't need specific hardware. Just use a cheap second hand Android device. They flood onto the market at a fairly high rate. You can break its internet access by not giving it a SIM and switching off wifi, then do 2-factor signing using Bluetooth.

I'm sure ripper234 wants a simple solution. This is not a solution for the general user that would want something specific and simple to use.
ripper234 (OP), August 12, 2012, 04:05:26 PM, #17

Quote from: MatthewLM
Quote from: Mike Hearn
You don't need specific hardware. Just use a cheap second hand Android device. They flood onto the market at a fairly high rate. You can break its internet access by not giving it a SIM and switching off wifi, then do 2-factor signing using Bluetooth.

I'm sure ripper234 wants a simple solution. This is not a solution for the general user that would want something specific and simple to use.

+1

Mike, what you suggest is possible, but it's not a turnkey solution.
I want something with the simplicity of a Yubikey.
It should support not just Bluetooth, but also USB (perhaps before Bluetooth).

I also want hardware level protection if possible. If the key is stored in a place on the hardware where the only output is ECDSA signatures, then it's absolutely secure.

I'm no hardware engineer though ... I need to understand how to model this device at the hardware level.

ripper234 (OP), August 12, 2012, 04:41:43 PM, #18

Also, if the device is USB-only and no Bluetooth, then it doesn't require charging or even a battery, which is a nice usability bonus.

Mike Hearn (expert), August 12, 2012, 05:32:23 PM, #19

It's fun to dream but I think you guys need a reality check here:

1) Hardware engineering and manufacturing is a difficult, expensive business that relies on economies of scale.

2) Bitcoin is very small

Combining (1) and (2) means custom hardware for doing Bitcoin transactions is guaranteed to be very expensive, almost certainly more expensive than just re-using old phones, as phones have already achieved huge economies of scale. It's also far less likely to happen because the effort involved is much greater.

If you want to buy up old phones and reconfigure (or reflash) to a setup appropriate for Bitcoin usage, then re-ship to customers, that's something one or two people can do at low cost. Now you have your turnkey solution.

What's more, you really really want the superior hardware that phones give you. It's not safe to simply sign addresses without anything else. Otherwise your super-secure 3-factor coins or whatever, are secure until the time you want to spend them, and then you can be trivially fooled into sending your coins to somewhere other than where you think you're sending them (the virus on your host computer that motivates all this can rewrite the address). Doing ID verification using any existing proposal means having some kind of network access and processing power.

You could do all that with custom hardware too, but it increases the cost even further.

In the end, there's no point. How does malware get onto devices? By exploiting existing apps (ie, web browsers/chat clients/etc), and by convincing you to install it. If you have a dedicated phone that you never install software on and don't use any other apps with, it's as secure as a dedicated device. It's straightforward to make custom builds of Android that are cut down in this way and then reflash old devices with them.
ripper234 (OP), August 12, 2012, 06:25:38 PM, #20

Quote from: Mike Hearn
It's fun to dream but I think you guys need a reality check here:

It might be cheaper to do this with old phones ... but would old 2nd hand phones be reliable enough?
Maybe.

Quote from: Mike Hearn
1) Hardware engineering and manufacturing is a difficult, expensive business that relies on economies of scale.

2) Bitcoin is very small

Combining (1) and (2) means custom hardware for doing Bitcoin transactions is guaranteed to be very expensive, almost certainly more expensive than just re-using old phones, as phones have already achieved huge economies of scale. It's also far less likely to happen because the effort involved is much greater.

At least two Bitcoin hardware devices are in production ... so people are overcoming this difficulty. Sadly AFAIK none of them has shown the security properties I described.

Quote from: Mike Hearn
If you want to buy up old phones and reconfigure (or reflash) to a setup appropriate for Bitcoin usage, then re-ship to customers, that's something one or two people can do at low cost. Now you have your turnkey solution.

That might be a good first milestone.

Quote from: Mike Hearn
What's more, you really really want the superior hardware that phones give you. It's not safe to simply sign addresses without anything else. Otherwise your super-secure 3-factor coins or whatever, are secure until the time you want to spend them, and then you can be trivially fooled into sending your coins to somewhere other than where you think you're sending them (the virus on your host computer that motivates all this can rewrite the address). Doing ID verification using any existing proposal means having some kind of network access and processing power.

You could do all that with custom hardware too, but it increases the cost even further.

I'm planning on a small monitor that can only display a Bitcoin address + amount. To my simpleton mind, that should be too much of an added cost ... but as I said, I'm no hardware engineer.

Quote from: Mike Hearn
In the end, there's no point. How does malware get onto devices? By exploiting existing apps (ie, web browsers/chat clients/etc), and by convincing you to install it. If you have a dedicated phone that you never install software on and don't use any other apps with, it's as secure as a dedicated device. It's straightforward to make custom builds of Android that are cut down in this way and then reflash old devices with them.

One major downside to the Android approach is that there is too much meat in it. The OS itself is huge, the original capabilities of the device including transmitting mobile signals ... how would you convince an end user that this device is safe?

I do agree that your points about difficulty and complexity are valid ones.
