wallet security wallets
play

Wallet Security Wallets Keep track of the world If you want - PowerPoint PPT Presentation

Sep 04, 2023 •385 likes •772 views

Wallet Security Wallets Keep track of the world If you want Synchronize with the network if you fall behind Address end user needs Send coin Receive coin Answer queries What is my balance? What is my activity

  1. Wallet Security

  2. Wallets • Keep track of the world • If you want • Synchronize with the network if you fall behind • Address end user needs • Send coin • Receive coin • Answer queries • What is my balance? • What is my activity history in this network?

  3. This Lecture • How do you engineer safe wallets?

  4. Architecture • Daemon, client architecture • Daemon: • Long running • Client: • CLI or GUI that talks to daemon • Short lived process

  5. OUTSIDE DAEMON WORLD CLIENT

  6. Followed By • Armory • Coinbase • Parity Daemon

  7. Attack Surface • Key handling: • Client / daemon responsible • Communication: • Are messages designed correctly • Crypto: • Are you doing things right

  8. Daemon Client Communication • How do they communicate? • IPC • TCP, Sockets, Message queues…

  9. What About HTTP • A small example: • GET http://localhost:8000/balance • POST http://localhost:8000/send • GET http://localhost:8000/history

  10. Flow • Client makes HTTP requests to Daemon • Issues?

  11. Issues? • Anyone can make those requests • If you load a webpage, that webpage can issue requests to http://localhost:8000

  12. History • Zoom: • Video conferencing product • Recent successful IPO

  13. Zoom Daemon • The Zoom software ran a daemon on http://localhost:PORT • Visiting https://zoom.us/j/meeting-id • Would cause the webpage to issue a request to the localhost server • Which would: • Join the user to a call • Update the zoom client • etc.

  14. Zoom Daemon • Further: • Buffer overflows in this undocumented web- server

  15. Zoom Daemon • Users figured this out • Vuln was demonstrated using a third party website that: • Could join a random user into a zoom meeting that they didn’t want to join • Install a zoom client without their interaction

  16. For Your Wallet • Any third party page can figure out: • What’s your balance • What sort of transactions you’ve conducted in the past • Etc.

  17. Doing It Right • Well tested architectures: • Docker daemon + client: • Unix domain socket for IPC on OS X, Linux • TCP on windows • Avoids our http exploit

  18. Links • https://medium.com/bugbountywriteup/zoom-zero- day-4-million-webcams-maybe-an-rce-just-get- them-to-visit-your-website-ac75c83f4ef5

  19. Protocol • You can secure comm layer • But what you send over the wire can still cause problems

  20. Example • Daemon / Client • Client issues request: • {recipient: ABC-DEF-…, AMOUNT: 100} • Daemon signs and broadcasts

  21. Protocol • Any other process can do that too

  22. MISC • You can log things like keys • Happens even now at large firms • Coredumps

  23. Coredumps • You can dump a running process to disk • And inspect the state • If you keep the keys loaded in memory, they can be found there

  24. Crypto • Bitcoin wallet • Private keys stored in wallet.dat • AES-256 encryption of these private keys • Master key: • Passphrase -> SHA 512

  25. Deterministic Wallet • Seed Phrase • Wallets contain a wordlist: • 2048 words mapped to integers • Pick 12 random words from this wordlist

  26. Seed Phrase • This is your seed phrase: • 2048 ^ 12 combinations • 12 word seed phrase has about 128 bits of security

  27. Seed Phrase • Write down this 12 word list • It is sufficient to recover your bitcoin

  28. HD Wallet

  29. HD Wallet • Single Seed Phrase for all private keys • Master Public Key: • Generate from Master Private Key • Can generate all additional public keys but not their private keys • Private Keys from the Master Private Keys are Master Private Keys themselves.

  30. HD Wallet • Computing n^th private key: • Compute an offset: H(n, Master PubKey) • Master Private Key + offset

  31. HD Wallet • Computing n^th Master Public Key: • Compute an offset: H(n, Master PubKey) • Master Public Key + get_pubkey(offset)

  32. Hierarchy • Root of pub / priv keys

  33. Key Best Practices • Brand new address to receive each payment • Ask for a brand new address from the recipient

  34. Threshold Signatures • Constructing a single signature is: • Split between two devices • Single device won’t be at risk

  35. Threshold Signatures • Each party (device) creates a key independently • A signing protocol • Each share does part of the signing

  36. Hardware Wallets • BitFI “Unhackable” Wallet

  37. Exploits • Can easily read finger movements on device • Taps etc. • Can read out data being sent • Can easily tamper with the device

Recommend

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly mobile wAllet components towArds A convergent cross - operAtor wAllet supporting online And proximity trAnsActions And vAlue Added services.

192 views • 6 slides
Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold

Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold

Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold Minimal Bulkiness Takeaways Key Holding capabilities Hands-Free or integrable Secure Easy to access cards and keys Prototypes Prototype 1

346 views • 5 slides
HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs> FOSDEM '19 Vulnerabilities in hardware wallets https://blog.trezor.io/details- https://wallet.fail/wallets/nanos https://blog.trezor.io/fixing-

473 views • 12 slides
HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL DETERMINISTIC WALLETS The problems of address reuse BIP 32 - HD Wallets BIP 39 - Mnemonics for HD wallet seeds BIPs 43 and 44 -

480 views • 32 slides
PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers consumers to participate in the token economy. SECURITY MOBILE AS A COLD WALLET Wallets are stored on your phone, Wallets are safe if we get hacked

552 views • 17 slides
Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio Senior security expert working @ Econocom Digital Security (https://www.digitalsecurity.fr/en/) Main interests: Security of protocols

375 views • 15 slides
The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal

The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal

The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal possible security for the users, without unnecessary limitations. Furthermore, I have focused on the reduction of redundant steps, legibility and

543 views • 16 slides
www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

INFORMATION SECURITY AWARENESS keeping yourself and your family safe in a tech driven world www.isea.gov.in www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage, security and Guidelines Insta loan

604 views • 29 slides
On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35 A. Wallet About todays talk Its post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction

659 views • 49 slides
Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December

Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December

Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December 28, 2018 1 My Background Professional Background Diplominformatiker (eq. masters degree in CS) Security Analyst (cnlab security ag,

633 views • 30 slides
Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli .ch PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D Privacy Security Trust Privacy Transaction / scripts privacy Security Trust No-trust

700 views • 43 slides
Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc.

Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc.

Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc. mike.bradley@northcard.com 416-929-0422 11-June-14 Digital Wallets Executive Digital Wallets Executive Briefing Briefing I. Digital Wallets 3 II.

776 views • 66 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides
The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet

The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet

The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet (GAW) idea 2 GAW - background Delivering on the Paris Agreement and SDGs by Accelerating Green Finance and Investment through Blockchain

325 views • 8 slides
TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing

TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing

The Dynamic QR Code System TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing System Secure Easy to use Accessible Interactive Versatile Why TREZOR Wallet? Keep Bitcoins Safe

423 views • 25 slides
the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev

the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev

the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev stepan@cryptoadvance.io hardware wallets can : spend funds user input spending output user input user output receive funds multisig do

195 views • 15 slides
On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet Alexandre Wallet 1 / 37 ApproxSVP ApproxSVP ( O K -modules) ( O K -ideals) [LS15] [PRS17] [AD17] decision decision RLWE search RLWE

959 views • 54 slides
Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already

Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already

Making Library Makerspaces YSS - April 2014 Maker spaces : stop with the duct tape wallets already @doseofsnark cshoemaker@ryelibrary.o rg Libraries and Maker Spaces The Idea Box 4th Floor Maker Space Fab Lab HYPE Detroit, MI Tea

723 views • 31 slides
Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET Ledger SAS Ledger Technologies Inc. 1, rue du Mail 121 2nd Street - Suite 5 75002 Paris - France 94105 San Francisco - USA Ledger 10+ years

912 views • 42 slides
The spectral distance on the Moyal plane ( with: E. Cagnache, P . Martinetti, J.-C. Wallet

The spectral distance on the Moyal plane ( with: E. Cagnache, P . Martinetti, J.-C. Wallet

The spectral distance on the Moyal plane ( with: E. Cagnache, P . Martinetti, J.-C. Wallet arXiv:0912.0906 ) Francesco DAndrea International School for Advanced Studies (SISSA) Via Beirut 2-4, Trieste, Italy 24/02/2010 Laboratoire de

539 views • 18 slides
Whats in your wallet?! Lara Pudwell Valparaiso University January 27, 2017 Whats in your

Whats in your wallet?! Lara Pudwell Valparaiso University January 27, 2017 Whats in your

The Coin Keeper The Simple Spender The Gamblers The Small Spender The Whole Shebang ...and More Fun Whats in your wallet?! Lara Pudwell Valparaiso University January 27, 2017 Whats in your wallet?! Lara Pudwell The Coin Keeper The

1.19k views • 91 slides
UNRAVELLING THE BoP WALLET 1 2 Over 60% of the Kenyan BoP consumers own a mobile phone, but

UNRAVELLING THE BoP WALLET 1 2 Over 60% of the Kenyan BoP consumers own a mobile phone, but

UNRAVELLING THE BoP WALLET 1 2 Over 60% of the Kenyan BoP consumers own a mobile phone, but very few use applications other than M-PESA https://www.infodev.org/infodev-files/final_kenya_bop_study_web_jan_02_2013_0.pdf Challenge at Hand

639 views • 25 slides
Metric Aspects of the Moyal Algebra ( with: E. Cagnache, P . Martinetti, J.-C. Wallet J.

Metric Aspects of the Moyal Algebra ( with: E. Cagnache, P . Martinetti, J.-C. Wallet J.

Metric Aspects of the Moyal Algebra ( with: E. Cagnache, P . Martinetti, J.-C. Wallet J. Geom. Phys. 2011 ) Francesco DAndrea Department of Mathematics and Applications, University of Naples Federico II P .le Tecchio 80, Naples, Italy

543 views • 22 slides
Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehl and Keita Xagawa, ePrint 2019/1456 1/17 A.

540 views • 28 slides

More recommend