security of bitcoin light wallets aka spv
play

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz - PowerPoint PPT Presentation

Sep 23, 2022 •209 likes •375 views

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio Senior security expert working @ Econocom Digital Security (https://www.digitalsecurity.fr/en/) Main interests: Security of protocols

  1. Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017

  2. Speaker’s bio ● Senior security expert working @ Econocom Digital Security (https://www.digitalsecurity.fr/en/) ● Main interests: – Security of protocols – Wireless protocols – Cryptography – Blockchain! ● Bitcoin & Ethereum developper & enthusiast ● Public presentations: https://speakerdeck.com/rlifchitz ● Twitter: @nono2357 Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 2

  3. What are light wallets? ● Light wallets = lightweight clients = thin clients ● A kind of wallet that doesn’t need to download the full blockchain to work ● SPV (Simplified Payment Verification): – Most light wallets use SPV – SPV suggested in original Bitcoin paper: https://bitcoin.org/bitcoin.pdf – Use of all block headers and tx count to know if a transaction was already included in the blockchain (only ~ 4.2 Mb/year) – Use of Bloom filters to request&match its own transactions Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 3

  4. What are light wallets? Source: https://eprint.iacr.org/2014/763.pdf Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 4

  5. Bloom fjlters ● Space-efficient data structure ● Used to test whether an element is a member of a set without storing the full set ● Probabilistic but... no false negative! (only few false positive) ● Used in SPV to know what transactions can be related to some user’s addresses Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 5

  6. Bitcoin light wallets examples ● Most smartphone wallets... for performance reasons ● Jaxx: https://jaxx.io/ ● Electrum: https://electrum.org/ Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 6

  7. Peer discovery ● Needed to connect to full nodes to: – Download block headers – Submit Bloom filters – Download specific transactions ● Possibilities to bootstrap the discovery: – Hardcoded list of nodes – Use of DNS seeds ● Sensitive because an attacker can set up malicious nodes ● Sybil attacks: if an attacker is able to set up a lot of malicious nodes, the victim will probably pick one of them... Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 7

  8. Peer discovery – DNS seeds $ host seed.bitcoin.sipa.be seed.bitcoin.sipa.be has address 83.149.125.79 seed.bitcoin.sipa.be has address 150.140.188.181 (... 21 other IPv4 hosts ...) seed.bitcoin.sipa.be has address 104.199.142.247 seed.bitcoin.sipa.be has address 37.120.174.32 seed.bitcoin.sipa.be has IPv6 address 2607:5300:204:40f1:: seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:90d7:3858:553f:92ce:18b8 (... 11 other IPv6 hosts ...) seed.bitcoin.sipa.be has IPv6 address 2001:0:4137:9e76:24f9:302a:4d39:ee08 seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:6ab8:18c2:3a46:a1ec:987c $ host seed.bitcoin.sipa.be seed.bitcoin.sipa.be has address 37.120.174.32 seed.bitcoin.sipa.be has address 104.199.142.247 (... 21 other IPv4 hosts ...) seed.bitcoin.sipa.be has address 150.140.188.181 seed.bitcoin.sipa.be has address 83.149.125.79 seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:6ab8:18c2:3a46:a1ec:987c seed.bitcoin.sipa.be has IPv6 address 2001:0:4137:9e76:24f9:302a:4d39:ee08 (... 11 other IPv6 hosts ...) seed.bitcoin.sipa.be has IPv6 address 2001:0:9d38:90d7:3858:553f:92ce:18b8 seed.bitcoin.sipa.be has IPv6 address 2607:5300:204:40f1:: DNS seeds are predictable because of DNS Round-Robin! Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 8

  9. T ypology of possible attacks ● An attacker might: – Spoof some full nodes – Block some SPV requests – Spoof some SPV requests – Sniff some SPV requests – Block some SPV answers ● But spoofing full answers shouldn’t be possible because of transactions hash verification ● IMHO, most possible attacks are LAN attacks against SPV user or full Bitcoin node Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 9

  10. Local network (LAN) attacks ● If the attacker is on the same local network as the victim: – Prevent any (full or light) node from working (denial of service) – Spoof any node request/response – Spoof any unprotected request (HTTP) to a Bitcoin explorer API or web site Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 10

  11. Local network (LAN) attacks ● A lot of techniques can be used: – ARP cache spoofing/poisoning – DNS cache spoofing/poisoning – DHCP spoofing – ICMP redirect – MAC flooding Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 11

  12. Privacy issues ● SPV queries can be quite easily sniffed ● An attacker might associate user IP address, submitted Bloom filters and downloaded transactions to know all addresses of a given user ● See “On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients” (by Gervais et al.): https://eprint.iacr.org/2014/763.pdf Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 12

  13. Summary of possible impacts ● An attacker can: – Known (nearly) all victim’s Bitcoin addresses (or a superset of them) – Associate user IP, addresses, and owner together – Prevent the user to use SPV by blocking the network (denial of service) – Prevent any outgoing transaction from being broadcasted → the victim cannot spend bitcoins – Prevent any ingoing transaction from being seen → the victim cannot see earnings/incoming transactions – Spoof unprotected requests to API/web sites → create arbitrary fake transactions Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 13

  14. My recommendations about SPV ● To make an attack more difficult: – Use a VPN, or better a VPN connection to your own full Bitcoin node – Don’t directly use hardcoded nodes or DNS seeds (but use their direct or indirect neighbors) – Don’t use a precise Bloom filter – Cross-check with requests to a clean blockchain explorer API (HTTPS only, public CA, use of CRL) : tx count, balance, ... Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 14

  15. Thank you! @nono2357 Any questions? BTC: 1GfztUeyrt3ewxdCHXNr58SPaidUrswoJj Security of Bitcoin light wallets - September, 9th 2017 - Renaud Lifchitz 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli .ch PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D Privacy Security Trust Privacy Transaction / scripts privacy Security Trust No-trust

700 views • 43 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides
Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET

Extracting Seeds from (Hardware) Wallets 9th of June, 2019 - Breaking Bitcoin - Charles GUILLEMET Ledger SAS Ledger Technologies Inc. 1, rue du Mail 121 2nd Street - Suite 5 75002 Paris - France 94105 San Francisco - USA Ledger 10+ years

912 views • 42 slides
Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers Joseph Bonneau CITP, Princeton Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten Part I: Bitcoin in 6 easy steps

752 views • 32 slides
Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin? Bitcoin is a cryptocurrency: a digital currency whose rules are enforced by cryptography and not by a trusted party (e.g., bank) Core ideal: avoid

1.02k views • 36 slides
HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs> FOSDEM '19 Vulnerabilities in hardware wallets https://blog.trezor.io/details- https://wallet.fail/wallets/nanos https://blog.trezor.io/fixing-

473 views • 12 slides
Wallet Security Wallets Keep track of the world If you want Synchronize with the

Wallet Security Wallets Keep track of the world If you want Synchronize with the

Wallet Security Wallets Keep track of the world If you want Synchronize with the network if you fall behind Address end user needs Send coin Receive coin Answer queries What is my balance? What is my activity

772 views • 37 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Outline Previous e-cash and techniques CSci 5271 Introduction to Computer Security Bitcoin

Outline Previous e-cash and techniques CSci 5271 Introduction to Computer Security Bitcoin

Outline Previous e-cash and techniques CSci 5271 Introduction to Computer Security Bitcoin design Missed topic: Electronic cash and Bitcoin Stephen McCamant Bitcoin experience University of Minnesota, Computer Science & Engineering

351 views • 5 slides
Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Privacy : Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher Independent investigative journalist Research focus: Bitcoin / cryptocurrencies, information security, privacy, surveillance, and

1.3k views • 85 slides
HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL DETERMINISTIC WALLETS The problems of address reuse BIP 32 - HD Wallets BIP 39 - Mnemonics for HD wallet seeds BIPs 43 and 44 -

480 views • 32 slides
THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers Agenda What is Bitcoin

THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers Agenda What is Bitcoin

BITCOIN TRANSACTION MALLEABILITY THEORY IN PRACTICE Daniel Chechik, Rami Kogan Security Researchers Agenda What is Bitcoin Bitcoin Transactions Transaction Malleability Vulnerability What Happened in MT.Gox Live Demo WHAT IS

1k views • 73 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Advanced Network Security -. Bitcoin Jaap-Henk Hoepman Digital Security (DS) Radboud University

Advanced Network Security -. Bitcoin Jaap-Henk Hoepman Digital Security (DS) Radboud University

Advanced Network Security -. Bitcoin Jaap-Henk Hoepman Digital Security (DS) Radboud University Nijmegen, the Netherlands @xotoxot // * jhh@cs.ru.nl // 8 www.cs.ru.nl/~jhh Bitcoin 01-02- // Course outline 2 Jaap-Henk Hoepman // Radboud

1.53k views • 45 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy

From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy

From theoretical crypto to practice: gloups an abominable gap Cryptie, Oblazy Cryptie, O. Blazy (Xlim) RMLL CC-BY-SA 4.0 1 / 35 Encryption and Signature: Just a 2 min reminder 1 Libraries 2 Funny Cryptography 3 Cryptie, O. Blazy (Xlim)

919 views • 52 slides
HARDWARE SECURITY MODULE For automotive applications Presented by Pieter Willems

HARDWARE SECURITY MODULE For automotive applications Presented by Pieter Willems

HARDWARE SECURITY MODULE For automotive applications Presented by Pieter Willems Pieter.willems@silexinsight.com December 2019 This is Silex Insight What we do: IP provider for security and video in embedded systems Headquarters in

408 views • 22 slides
Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c

Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c

Kotlin + Ethereum = Fun by ligi (https://ligi.de) At KotlinConf 2018 new computing platform c o w m o p r u l t d e r WEB3 Not a silver bullet Vitalik Buterin: Cryptoeconomic Protocols In the Context of Wider

1.01k views • 83 slides
Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world

Lightweight Cryptography Mar a Naya-Plasencia Inria, France Summer School on real-world crypto and privacy Sibenik, Croatia - June 15 2018 Outline Symmetric lightweight primitives Most used cryptanalysis Impossible

1.31k views • 76 slides
Blockchain 2.0 Opportunities and Risks Patrick Valduriez The Hype 2 Bitcoin Bitcoin: A

Blockchain 2.0 Opportunities and Risks Patrick Valduriez The Hype 2 Bitcoin Bitcoin: A

Blockchain 2.0 Opportunities and Risks Patrick Valduriez The Hype 2 Bitcoin Bitcoin: A Peer-to-Peer Electronic Cash System Satoshi Nakamoto (pseudo), Oct. 31, 2008 (Halloween) Cryptocurrency and payment system Blockchain is the

551 views • 44 slides
Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending

Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending

Cast of Characters Alice and Bob Applied Cryptography Week 1 Alice and Bob are always sending secret messages to Basic Tools and Protocols each other. Eve Frank Beatrous Eve is always listening in (Eavesdropping) on Alices and Bobs

245 views • 7 slides
Diffusion and Confusion Two properties that a good cryptosystem should have: Diffusion: change of

Diffusion and Confusion Two properties that a good cryptosystem should have: Diffusion: change of

Diffusion and Confusion Two properties that a good cryptosystem should have: Diffusion: change of one character in the plaintext results in several characters changed in the ciphertext Confusion: the key does not relate in a simple way to the

512 views • 6 slides
Tutorial on Public Key Cryptography RSA Eli Biham - May 3, 2005 c 386 Tutorial on Public

Tutorial on Public Key Cryptography RSA Eli Biham - May 3, 2005 c 386 Tutorial on Public

Tutorial on Public Key Cryptography RSA Eli Biham - May 3, 2005 c 386 Tutorial on Public Key Cryptography RSA (14) RSA the Key Generation Example 1. Randomly choose two prime numbers p and q . We choose p = 11 and q = 13. 2.

259 views • 22 slides

More recommend