Super secure BitCoin storage

I wrote about multisig with different hardware wallets something more than a year ago. Back then it was awfully complicated and I didn’t really get it working. A lot of progress has been made since then. The functionality was added to electrum last summer for trezor. I couldn’t test it however because my two trezor are initialized to the same seed, and the recovery sheet is distributed geographically. On top of that, the functionality was, and still is not implemented for ledger wallets. Like I wrote in a previous post, I recently received a keepkey. Multisig functionality was one of the main topics I wanted to experiment with the new device. My goal with this is not for everyday use but for super secure storage of BitCoin.

We are going to create a multisig wallet consisting of trezor, keepkey and ledger HW1. I assume, an electrum wallet is already set up for each of them. Further I assume, the seeds for each of them are written on the paper cards. These cards shall be properly secured. To further improve security, you can split the cards and distribute the contents geographically for example in different vaults.

First you will have to extract the xpub from each one of them. I used the main account. While I assume it would work with secondary accounts as well, I can’t be sure without testing. To construct the multisig watch-only wallet with electrum, follow these steps:

  • File -> New/Restore
  • Enter a name of choice. I use 2ofTKH to indicate 2 of x multisig with Trezor, Keepkey and HW1
  • Select “Restore a wallet or import keys” and “Multi-signature wallet”
  • Select 2 of 3
  • Enter the xpub’s from the three different hardware wallets into the three edit fields
  • Wait for electrum to generate the addresses

Receiving works the same way as every other electrum wallet. But for sending, follow these steps:

With the multisig watchonly wallet:

  • Go to the send tab, and enter the information just like with regular electrum wallets.
  • Click the “Send…” button
  • Notice that the transaction dialog doesn’t have a send button
  • Click the Save button, and save the file as unsigned.txn
  • Close the transaction dialog

With the trezor wallet:

  • Tools -> Load transaction -> From file
  • Select the unsigned.txn that you saved before
  • On the Transaction dialog that opened, click Sign
  • Confirm the transaction on the trezor
  • Note that the status is: Partially signed (1/2)
  • Click Save, and select a name like partially_signed.txn
  • Close the transaction dialog

With the keepkey wallet:

  • Tools -> Load transaction -> From file
  • Select the partially_signed.txn that you saved before
  • On the Transaction dialog that opened, click Sign
  • Confirm the transaction on the keepkey
  • Note that the status is: Signed
  • Click the Broadcast button
  • Close the transaction dialog

The Ledger HW1 can also do multisig, that’s why I used it as the third key. But so far, the functionality is not implemented in the plugin.

The reason I wanted to construct the multisig wallet with hardware wallets from different vendors is this: Suppose a weakness was found in one of them, at most one of the keys of the multisig could be compromised.

Yes, the procedure is somewhat lengthy and cumbersome. It is not intended for everyday use, but for secure storage of higher value savings. So the usability tradeoff is completely ok for me. Given the security offered by this scheme, it is the most user friendly procedure that I am aware of.

 

keepkey premium bitcoin hardware wallet

I’m always interested when a new hardware wallet is announced. Naturally also for the keepkey. In contrast to most competitors, they didn’t take pre-orders. Instead they began to accept orders only when the product was finished and they were ready to ship. When they announced that the devices were finished and could be ordered, I was disappointed to find out that the price was a lot higher than I anticipated. It costs more than twice as much as a trezor. Since it also looks very shiny, I jokingly called it the iKeepKey.

Fast forward a few months, I packaged a new version of the trezor python library for debian. Since I knew that electrum also has a plugin for the keepkey, I figured I could just as well package the keepkey library to make the usage with electrum a bit more convenient for the owners of these devices on debian and its derivatives. The only thing I could verify without a device was that the option for the keepkey appeared when creating a new wallet with hardware support in electrum. Before I commit the package to debian proper, I wanted to be sure everything worked. So I sent an eMail to keepkey, asking if they could test my experimental package. Within hours I had an answer offering to send me a device free of charge. I couldn’t have hoped for so much generosity, but of course I happily agreed.

Today the parcel was delivered. The device is as shiny and good looking as it appears on the photos. It has a big, nicely readable screen that shows effects and animations. To host the bigger screen it naturally has to be significantly bigger than a trezor. The premium appearance doesn’t stop at the device itself, but also the woven cable, and the leather sleeve for storing the seed restoration card are very slick. I don’t know how much for the internals, but at least for the protocol, the trezor was used as a starting point. This is surely a very good choice.

There are other hardware wallets that descend from the trezor. But there is a big and important difference. The keepkey seems to be the only one so far that is trustworthy. The Chinese clones such as bwallet or ewallet look good at first. But some people or even satoshilabs themselves were quick to point out that they didn’t properly sign their firmwares and did not release their source code. Effectively stealing the previous work and putting users at risk. In contrast to this, keepkey really play by the rules for the benefit of their users.

The card that comes with the keepkey, is about how to use it with a chrome browser plugin. I almost always prefer native applications over web apps. I try not to use chromium after a recent breach of trust. And it is not in the trisquel repositories anyway. So I want to operate it fully from within electrum. The last time I initialized a trezor, I’m pretty sure I had to use the firefox plugin. But in the meantime I noticed that the initialization part was added to the electrum plugin. So to initialize the keepkey in electrum I executed the following steps:

  • File -> New/Restore
  • provide a name for the new wallet
  • Select “Create a new wallet” and “Hardware Wallet”
  • Select “initialize a new or wiped device” and “KeepKey wallet”
  • Select your preferred use of pin and password
  • The keepkey shows some entropy information
  • Enter your new pin twice using the same method as known from trezor
  • Choose the number of words for your restore seed
  • Write down the words for the seed (very important to store securely)
  • And voila .. your keepkey electrum wallet is ready to use

Spending and everything I tested so far worked flawlessly. The operations work effectively the same way as with the trezor. But where appropriate it makes use of the bigger screen to show more information at once. So I guess I can start preparing my package for debian.

Here are some pictures to compare the size with other bitcoin hardware wallets:

[Images: HardwareWallets1, HardwareWallets2]

case bitcoin hardware wallet

Part of the reason why I pre-ordered a case hardware wallet, was probably that there is no good wallet software on ubuntu phone. But the case is way more secure than a software wallet on a phone. Roughly the same size as the smallest feature phone you can buy, it contains an eInk display, a camera, a GSM chip, a fingerprint reader and wireless charging. For improved security it makes use of Bitcoin’s multisig feature. One key is on the device and one on the case servers. The third key is used only to restore funds in case the device is lost or stolen. You can either leave it with a third party or manage it yourself. Of course I chose to manage it myself, after all BitCoin is about empowering people instead of depending on third parties. The server part allows implementing spending limits and maybe other validity checks in the future. The fingerprint is used to authenticate against the server.

When the presale started in early May, the projected shipping date was end of summer. It was later fixed to September 21st. Because they found a problem with the update mechanism, they postponed the delivery. Communication suffered during this period. Everybody understands that this kind of problem can happen with such an early limited batch of a new class of product. But weekly updates would be very valuable in this situation to keep customers happy.

November 20th the box was finally delivered. The packaging is not as nice as with the trezor, but I don’t mind. The contents are much more important than the box. Build quality looks good. When I read that it is charged wirelessly and has no connector, I assumed it would be water proof. That is definitely not the case, but wouldn’t be too hard to achieve as it looks. It has tiny gaps around the fingerprint reader and the camera where water and dust can enter. The buttons are from the same film that covers the screen.

The setup process looks simple. You scan a qrcode from the website and your xpub for the 3rd key. Then you register your fingerprint by swiping it ten times. I was warned that it had to be at the right speed and angle. My first two tries were misreads, but after that I had only two more in total. It is easy to get right. The bigger problems were the server error messages that I got ten times in a row. Maybe the server had too much load. When I tried it again after waiting for an hour, it succeeded the first time.

Updating the firmware is a breeze, and worked like a charm the first time I tried.

Sending and receiving BitCoins couldn’t be easier and works very well. The connection can take a moment sometimes, but I think they are working on improving this aspect. Although I can’t tell for sure, I had the impression it improved already with the first firmware upgrade. Specifically, I could now see the bars of the GSM signal already while scanning the qrcode.

What I miss is the current balance of the account.

But what I miss even more is an option to set the transaction fees. MultiSig transactions are bigger than standard transactions, and thus the transaction fee is naturally higher. But a standard transaction in electrum with the dynamic fees slider in the middle costs usually mBTC 0.05 ($ 0.02) @ 223 bytes. The three outgoing transactions I did so far with the case were not that much bigger at 372 bytes but carried a transaction fee of mBTC 4.43751 ($ 1.43). This is more than an order of magnitude too high, and there needs to be a way to adjust.
Update: The fourth transaction with my case which I performed just an hour after writing this post, and the fifth the day after, had a regular transaction fee of mBTC 0.1 ($ 0.03).
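
The size and fee figures above can be reproduced with a short calculation. The following sketch is an added example, not code from the author, electrum or case; it assumes legacy (non-segwit) serialization, 72-byte signatures, compressed public keys sorted inside the redeem script, one input and two outputs, and all function names and the sample keys are constructed for illustration.

```python
OP_CHECKMULTISIG = 0xAE
P2PKH_OUT, P2SH_OUT = 25, 23        # scriptPubKey lengths in bytes

def push(data):
    """Script push opcode(s) followed by the data itself."""
    if len(data) < 0x4C:
        return bytes([len(data)]) + data
    if len(data) <= 0xFF:
        return bytes([0x4C, len(data)]) + data         # OP_PUSHDATA1
    raise ValueError("push too large for this sketch")

def varint_len(n):
    """Length of Bitcoin's variable-length integer encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5

def redeem_script(m, pubkeys):
    """OP_m <key>... OP_n OP_CHECKMULTISIG with the keys in sorted order
    (sorting is an assumption here; it makes the entry order irrelevant)."""
    keys = sorted(pubkeys)
    return (bytes([0x50 + m]) + b"".join(push(k) for k in keys)
            + bytes([0x50 + len(keys), OP_CHECKMULTISIG]))

def p2pkh_script_sig_len(sig_len=72, pubkey_len=33):
    """Single-key input: one signature plus the public key."""
    return len(push(bytes(sig_len))) + len(push(bytes(pubkey_len)))

def multisig_script_sig_len(m, script, sig_len=72):
    """P2SH multisig input: OP_0, m signatures, then the whole redeem script."""
    return 1 + m * len(push(bytes(sig_len))) + len(push(script))

def tx_size(script_sig_lens, output_script_lens):
    """Serialized size of a legacy transaction from its script lengths."""
    size = 4 + varint_len(len(script_sig_lens))        # version, input count
    for n in script_sig_lens:
        size += 32 + 4 + varint_len(n) + n + 4         # outpoint, script, sequence
    size += varint_len(len(output_script_lens))        # output count
    for n in output_script_lens:
        size += 8 + varint_len(n) + n                  # amount, script
    return size + 4                                    # locktime

def sat_per_byte(fee_sat, size):
    return fee_sat / size

# Constructed placeholder keys (33 bytes each, not real curve points).
KEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (3, 1, 2)]

if __name__ == "__main__":
    script = redeem_script(2, KEYS)
    single = tx_size([p2pkh_script_sig_len()], [P2PKH_OUT, P2PKH_OUT])
    multi = tx_size([multisig_script_sig_len(2, script)], [P2PKH_OUT, P2SH_OUT])
    print("redeem script bytes:", len(script))
    print("single-key tx bytes:", single, " 2-of-3 tx bytes:", multi)
    # Fees quoted in the post: mBTC 0.05 @ 223 bytes and mBTC 4.43751 @ 372 bytes
    print("sat/byte:", round(sat_per_byte(5000, 223)), "vs",
          round(sat_per_byte(443751, 372)))
```

The extra bytes of a 2-of-3 input come from the second signature and from carrying the full redeem script with all three public keys in every spend.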

Of course the three keys of the multisig are not just three ordinary BitCoin addresses. On the transaction level they are, but they are part of three hierarchical deterministic wallets that are linked together just like multisig wallets in electrum. Thus I was relieved to see that it asked me for an xpub as my 3rd key, and I could happily use one from the Trezor. But so far I couldn’t figure out how to retrieve the xpub’s of the other two components. Once I get them I can setup a readonly multisig wallet in electrum to track the transactions and the current balance. But even more importantly, I can then assign descriptions to the transaction in a familiar environment for my personal accounting.

After the important issues above will be fixed, we can move to some wishes I would also have:

It would be nice if I could use the case for a custom multisig scheme. With the xpub of a Trezor, a HW1 and the Case, I could set up a multisig wallet in electrum. With electrum I would construct the transaction, and partially sign it with the Trezor. Then I would display the partially signed tx with electrum on my computer screen. Case could scan it from there and add its signature to it. Then it would either display a qrcode with the signed transaction on its screen, or transmit it to the BitCoin network over GSM. Once this works, I could set up an electrum wallet with the same xpubs as used in normal case operation. This would give me peace of mind because it would allow me to access my funds even if case went out of business or decided to censor my payments for whatever reason.

To improve privacy, it would be cool if I could run the server part on my own web server. This would require it to be open sourced, and a configuration option would have to be added to the firmware.

Last but not least, an option to sweep paper wallets by scanning the private key would also be useful.

 

[Image: case bitcoin hardware wallet box]

MultiSig with HardwareWallets

2014 is touted as the year of multi-signature for BitCoin. It is being integrated into some wallets and services. But not quite the way I expected.

  • Electrum has an implementation that assumes multiple hierarchical deterministic wallets distributed over different machines, that know the other’s master private keys. -> This should work well for corporate environments or other organizations.
  • GreenAddress has a cool, but for my taste too obscure solution. I would recommend it for new users. But for myself, I want to be fully in control.
  • OpenBazaar, although not fully functional yet, will integrate arbitration with multi-sig.
  • and I hear more announcements almost on a daily basis…

When I first read into MultiSig, I understood it like I could combine any Bitcoin Addresses of my choosing to create a MultiSig address. If one of the involved addresses was in my wallet, it would automatically display the MultiSig address as well. And I could then partially sign a transaction with the GUI, and magically forward to the other signing parties. Turns out that is not quite how it works. To combine addresses of my choosing into a MultiSig address, I have to resort to the commandline. There are a couple of good tutorials on the net on how to do that, and also on how to spend. But it’s not like executing a few simple commands. It’s quite hardcore. There are wallets where you can add them as view only addresses, but I’m not aware of a wallet where you can partly sign a transaction in such a setting.

MultiSig brings us escrow services and a load of similar stuff that was not even imaginable before the rise of BitCoin. MultiSig is also good if you want to implement a setting where at least two of your accountants need to sign transactions in a corporate environment. What this adds is security. You surely saw movies where a few generals had to use their physical keys to launch missiles. That’s done to add security. So that the terrorists would have to steal the keys from more than one general, before they could launch a missile. The same works for bank vaults. And the same idea is behind BitCoin MultiSig, only that it goes much further.

MultiSig is just one facet of pay to script (P2SH). You can implement other rules than just MultiSig. I became only recently aware of that, when GreenAddress gave me a transaction that I could use to get my funds off the MultiSig wallet in case they went out of business. What that means, is that if too many parties lose their keys, funds on a MultiSig address are rendered inaccessible. As a measure against that, they created and signed a transaction with their key to transfer all funds, but with a time restriction. This transaction will only become valid after a certain configurable point in time. BitCoin has a stack based scripting language for expressing such rules. For my taste it’s very complicated at first sight, but it’s cool what you can do with it. That’s actually, where ethereum’s main focus is to improve. That’s all good and nice, but wasn’t it possible to program rules for a long time? Of course, but with BitCoin nobody can cheat, and you have to trust nobody. You cannot just change the system time on your computer, or buy a fake certificate to trick a system into using your timestamp server. BitCoin has a distributed consensus, that is very hard to come by.

So in essence, MultiSig is about increasing the security. This is mainly against malware that can infect your notebook and steal the files of your wallet software. There is also another cure against the same threat: HardwareWallets. I wrote about the Trezor and HW1 on my blog before. Now how about combining the two measures? That should raise the level of security up to a point equivalent to storing your gold and silver and diamonds inside a bunker in the Swiss mountains, and guarding it with a Russian tank, driven by a rogue artificial intelligence. But I can tell you upfront: just like that rogue AI, it’s not going to be user friendly. While user friendliness and security are often opposing, this is an extreme case. After reading this, don’t be tempted to think BitCoin was difficult to use. BitCoin is wonderful and easy – for normal use.

So let’s begin with the commandline fu. I won’t repeat every step from the gist from atweiden, but concentrate on the special parts:

You don’t need to create any wallets. I assume, the hardware wallets are initialized and ready to use.

HW1 tiny BitCoin hardware wallet

While the trezor is certainly a great device for securing BitCoins, I’m also interested in alternative hardware wallets. Even in my very first discussions about increasing the security of BitCoin we talked about SmartCard solutions. After all, that’s also how I secure my GPG keys. But a regular SmartCard alone only protects the keys. If the computer is malware infected, it could sign another transaction than the one you initiated, and thus spend all your coins at once. The trezor solves this problem nicely with displaying the transaction details on the screen, waiting for a button press to confirm. Then came the HW1, a tiny BitCoin hardware wallet, based on smartcard technology with some extras. Since it has no display nor buttons, I was ready to get somewhat reduced security compared to the trezor. But in fact they are also very clever, and it turns out the security is just as high at the cost of a bit of convenience. But as I understand it, that level is configurable. I just opted for the more secure option.

So, if I want to spend some Coins from my HW1, I plug the dongle which is smaller than a regular key on my keychain into a USB port on my computer. Then I start up electrum, and send the coins. Now the HW1 has to sign the transaction. It asks me to remove the dongle and plug it into another computer, that is preferably not connected to the internet. If I don’t have too much funds on this wallet, I can also plug it into the same one again. A text editor should be opened beforehand, and it should have focus. The dongle then acts as a keyboard, typing the transaction details along with a TAN code to validate the transaction. Next I remove the HW1 again, and plug it into the former computer. I type the TAN code, HW1 signs the transaction, and electrum distributes it to the BitCoin network. That’s it: simple and secure.

Just as electrum itself and trezor, the HW1 uses a deterministic hierarchical wallet. To be sure I can trust the device and the method in general, it was not enough for me to test that I can spend from it. I wanted to also be sure I keep my coins in case the device gets damaged or lost. That means I have to be able to restore it from a seed. The seed is generated when I first initialize the dongle. And like the TAN code it is printed out in HID keyboard mode. If you have it print it on a machine that could be compromised, there would be no point in using a hardware wallet in the first place. So have it print the seed to an air-gapped secure computer. If you already initialized your HW1, you can’t restore another seed onto it, unless you reset it first. I couldn’t find any documentation on how to reset it though. A developer told me to enter a wrong PIN three times to reset it. After that, don’t choose restore, but initialize. In the BTChip personalization manager that follows, you choose restore. I did this on a machine where I removed the harddisk, and booted from a fresh USB stick. Getting electrum usable with all the required plugins and libraries was the most work. Before typing in the seed, unplug the network cable and disable WiFi. After the seed was typed in, and the dongle restored, I issued “sudo dd if=/dev/random of=/dev/sda” and waited for the kernel to go belly up. That’s for making sure no sensitive information remained on the USB dongle. Don’t do this on your regular computer.

In conclusion, I can say that:

  1. The security is just as high as with the trezor, if you let it type the TAN on a computer that is temporarily offline. But the convenience obviously suffers.
  2. If you only use it to store medium value funds, you can have it type on the same device, at reduced security. In that setting the convenience is about the same as with the trezor.
  3. Where the biggest difference lies for me, is restoring the device from a seed. Preparing a fully equipped air-gapped computer to securely restore the dongle from a seed proved to be quite some work. While with the trezor, you don’t need an additional computer. Luckily that’s a task that is required infrequently.

While the experience with the trezor was smooth from the beginning, I tested a lot with the HW1 to gain confidence with it. I found some minor bugs. I had the computer freeze a couple of times. I saw lots of messages about dongles not found. I had to reconnect and start over many many times. Some things were not documented or not obvious. All these problems became lesser the more I tested it. I can only explain it that way that I grew a sense for the correct timings and steps required. In the meantime I use it without problems, but I have the feeling that it is not as robust as the trezor. It will work in the end, but you might have to try a few times before it does.

I packaged the python library that is needed for the plugin for ubuntu. Once all parts and dependent libraries are out of beta, I will also try to get it into debian. On ubuntu, you can install it like this:

sudo apt-add-repository ppa:richi-paraeasy/bitcoin
sudo apt-get update
sudo apt-get install python-btchip

Ah yes, and there’s the price difference. A trezor costs $119 while a HW1 is just $20. At the moment they have a 2 for 1 offer, so go hurry.

Trezor BitCoin HardwareWallet

Today I received my Trezor BitCoin HardwareWallet. When I ordered it in June 2013, the expected delivery date was October. But as it happens all that often with BitCoin related hardware, the dates get pushed back. They offered a device with plastic case for XBT 1 and one with an alloy case for XBT 3. After the Bitcoin price skyrocketed end of last year, they stopped taking pre-orders. The devices we early backers received, have a nice “First Edition” label at the back.

The trezor is the first hardware wallet for BitCoin that is mass produced. It has a small screen, two buttons and a microUSB connector. So it is actually a lot more secure than if you just stored the private key on a SmartCard, as could be done with a HW1 or a YubiKey NEO if the software was finally released. You can see the balances on the different addresses in the client on the computer. When you want to send some coins, you see the receiving address and the amount on the small screen of the trezor. Once you confirm using two button presses, the trezor signs the transaction, and the client on the computer propagates it to the BitCoin network.

Build quality and form factor look quite nice. It is actually a bit smaller than I expected, which is a good thing. Fifteen Swiss Francs in Coins would require about the same space. I guess it helps in that regard that it doesn’t require a battery, but is powered from USB.

The first thing I did was setting it up with the browser plugin from https://mytrezor.com. It’s an easy process where you have to write down the seed which consists of 24 words. Then I sent a small amount back and forth. Only after seeing this succeed, I transferred bigger amounts to the addresses of the device.
Then I wanted to test the electrum plugin that slush recently noted, would be merged soon. I found it in a pull request on github. It didn’t work initially, but several people were quick to help. After all issues were sorted out, also sending with the trezor from electrum works fine.

It wouldn’t be a security device if it worked without entering some kind of secret. Entering the secret on the computer would make it less secure, as some malicious software could record it. Entering it on the device with only two buttons would be cumbersome, as not that many people these days are fluent in morse code. So, I was curious, how they solved that problem. The solution they came up with is actually quite nice. They display a 3×3 grid of buttons with question marks on the computer, while the trezor shows a 3×3 grid with digits 1 to 9 in random positions. That way, you enter your pin on the computer using a mouse or touch screen, using the positions found on the trezor screen. Even after playing with the trezor for only some hours, it’s evident that a lot of thought went into it.
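
The scrambled PIN grid described above can be modelled in a few lines. This is an added sketch, not the trezor firmware or the electrum plugin; the keypad-style numbering of the positions, the function names and the sample PIN are assumptions made for the example. It also shows one property of the scheme: the computer never sees digits, but it does see when a position repeats.

```python
import math
import secrets

# Positions of the blank host-side buttons, numbered like a numeric keypad
# (assumed numbering for this sketch):   7 8 9 / 4 5 6 / 1 2 3
POSITIONS = "123456789"

def new_layout():
    """Device: draw a fresh random digit arrangement for one PIN prompt.
    Returns {position: digit shown at that position on the device screen}."""
    digits = list("123456789")
    for i in range(len(digits) - 1, 0, -1):        # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return dict(zip(POSITIONS, digits))

def user_clicks(pin, layout):
    """User: find each PIN digit on the device, click that position on the host."""
    position_of = {digit: pos for pos, digit in layout.items()}
    return "".join(position_of[d] for d in pin)

def device_decode(clicks, layout):
    """Device: map the clicked positions back to digits using its own layout."""
    return "".join(layout[p] for p in clicks)

def pins_consistent_with(clicks):
    """Number of PINs a host-side observer cannot tell apart from the clicks.
    Each distinct position hides a distinct digit, so a repeated digit in the
    PIN shows up as a repeated position and shrinks this number."""
    return math.perm(9, len(set(clicks)))

if __name__ == "__main__":
    pin = "1134"                                    # constructed sample PIN
    for _ in range(3):                              # three separate prompts
        layout = new_layout()
        clicks = user_clicks(pin, layout)
        assert device_decode(clicks, layout) == pin
        print("host sees", clicks, "->",
              pins_consistent_with(clicks), "candidate PINs")
```

Because the layout is redrawn for every prompt, the click sequence recorded on the computer differs each time for the same PIN.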

I wonder what will happen next in that space.
I was not fully convinced by the HardBit. Indeed it turned out, somebody found out how to activate WiFi and bluetooth of the repurposed SmartPhone. That makes it way less secure. The developers seem eager and friendly, but it might be just not the most secure platform to begin with.
Recently I backed an interesting project called PRISMicide on Indiegogo, but with only 8% funding after half the time, it looks as if they won’t make it.
The picture and description of the BitSave from ButterflyLabs look really slick. But they have a history of overpromising and delivering late.
And finally, I’m sure SatoshiLabs, the creators of trezor, will work on a follow up device that is even smaller and communicates with SmartPhones.