wallet security wallets
play

Wallet Security Wallets Keep track of the world If you want - PowerPoint PPT Presentation

Sep 04, 2023 •385 likes •772 views

Wallet Security Wallets Keep track of the world If you want Synchronize with the network if you fall behind Address end user needs Send coin Receive coin Answer queries What is my balance? What is my activity

  1. Wallet Security

  2. Wallets • Keep track of the world • If you want • Synchronize with the network if you fall behind • Address end user needs • Send coin • Receive coin • Answer queries • What is my balance? • What is my activity history in this network?

  3. This Lecture • How do you engineer safe wallets?

  4. Architecture • Daemon, client architecture • Daemon: • Long running • Client: • CLI or GUI that talks to daemon • Short lived process

  5. OUTSIDE DAEMON WORLD CLIENT

  6. Followed By • Armory • Coinbase • Parity Daemon

  7. Attack Surface • Key handling: • Client / daemon responsible • Communication: • Are messages designed correctly • Crypto: • Are you doing things right

  8. Daemon Client Communication • How do they communicate? • IPC • TCP, Sockets, Message queues…

  9. What About HTTP • A small example: • GET http://localhost:8000/balance • POST http://localhost:8000/send • GET http://localhost:8000/history

  10. Flow • Client makes HTTP requests to Daemon • Issues?

  11. Issues? • Anyone can make those requests • If you load a webpage, that webpage can issue requests to http://localhost:8000

  12. History • Zoom: • Video conferencing product • Recent successful IPO

  13. Zoom Daemon • The Zoom software ran a daemon on http://localhost:PORT • Visiting https://zoom.us/j/meeting-id • Would cause the webpage to issue a request to the localhost server • Which would: • Join the user to a call • Update the zoom client • etc.

  14. Zoom Daemon • Further: • Buffer overflows in this undocumented web- server

  15. Zoom Daemon • Users figured this out • Vuln was demonstrated using a third party website that: • Could join a random user into a zoom meeting that they didn’t want to join • Install a zoom client without their interaction

  16. For Your Wallet • Any third party page can figure out: • What’s your balance • What sort of transactions you’ve conducted in the past • Etc.

  17. Doing It Right • Well tested architectures: • Docker daemon + client: • Unix domain socket for IPC on OS X, Linux • TCP on windows • Avoids our http exploit

  18. Links • https://medium.com/bugbountywriteup/zoom-zero- day-4-million-webcams-maybe-an-rce-just-get- them-to-visit-your-website-ac75c83f4ef5

  19. Protocol • You can secure comm layer • But what you send over the wire can still cause problems

  20. Example • Daemon / Client • Client issues request: • {recipient: ABC-DEF-…, AMOUNT: 100} • Daemon signs and broadcasts

  21. Protocol • Any other process can do that too

  22. MISC • You can log things like keys • Happens even now at large firms • Coredumps

  23. Coredumps • You can dump a running process to disk • And inspect the state • If you keep the keys loaded in memory, they can be found there

  24. Crypto • Bitcoin wallet • Private keys stored in wallet.dat • AES-256 encryption of these private keys • Master key: • Passphrase -> SHA 512

  25. Deterministic Wallet • Seed Phrase • Wallets contain a wordlist: • 2048 words mapped to integers • Pick 12 random words from this wordlist

  26. Seed Phrase • This is your seed phrase: • 2048 ^ 12 combinations • 12 word seed phrase has about 128 bits of security

  27. Seed Phrase • Write down this 12 word list • It is sufficient to recover your bitcoin

  28. HD Wallet

  29. HD Wallet • Single Seed Phrase for all private keys • Master Public Key: • Generate from Master Private Key • Can generate all additional public keys but not their private keys • Private Keys from the Master Private Keys are Master Private Keys themselves.

  30. HD Wallet • Computing n^th private key: • Compute an offset: H(n, Master PubKey) • Master Private Key + offset

  31. HD Wallet • Computing n^th Master Public Key: • Compute an offset: H(n, Master PubKey) • Master Public Key + get_pubkey(offset)

  32. Hierarchy • Root of pub / priv keys

  33. Key Best Practices • Brand new address to receive each payment • Ask for a brand new address from the recipient

  34. Threshold Signatures • Constructing a single signature is: • Split between two devices • Single device won’t be at risk

  35. Threshold Signatures • Each party (device) creates a key independently • A signing protocol • Each share does part of the signing

  36. Hardware Wallets • BitFI “Unhackable” Wallet

  37. Exploits • Can easily read finger movements on device • Taps etc. • Can read out data being sent • Can easily tamper with the device

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly

T - Labs Views on waLLeTs Jrg Heuer, Mar 2014 T - Labs deVeLopmenT HisTory A journey from eArly mobile wAllet components towArds A convergent cross - operAtor wAllet supporting online And proximity trAnsActions And vAlue Added services.

192 views • 6 slides
Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold

Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold

Wallet Prototyping Jordyn Anderson Andrew Gibson Interviews Small wallets are easy to hold Minimal Bulkiness Takeaways Key Holding capabilities Hands-Free or integrable Secure Easy to access cards and keys Prototypes Prototype 1

346 views • 5 slides
HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs>

HWallet The simplest Bitcoin hardware wallet Nemanja Nikodijevi <nemanja@hacke.rs> FOSDEM '19 Vulnerabilities in hardware wallets https://blog.trezor.io/details- https://wallet.fail/wallets/nanos https://blog.trezor.io/fixing-

473 views • 12 slides
HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL

HIERARCHICAL DETERMINISTIC WALLETS JOHN NEWBERY @jfnewbery github.com/jnewbery HIERARCHICAL DETERMINISTIC WALLETS The problems of address reuse BIP 32 - HD Wallets BIP 39 - Mnemonics for HD wallet seeds BIPs 43 and 44 -

480 views • 32 slides
PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers

PRESENTATION DECK V3.3. SEPTEMBER 2018 A mobile-first crypto-exchange platform that empowers consumers to participate in the token economy. SECURITY MOBILE AS A COLD WALLET Wallets are stored on your phone, Wallets are safe if we get hacked

552 views • 17 slides
Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio

Security of Bitcoin light wallets (aka SPV) Renaud Lifchitz September 9th, 2017 Speakers bio Senior security expert working @ Econocom Digital Security (https://www.digitalsecurity.fr/en/) Main interests: Security of protocols

375 views • 15 slides
The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal

The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal

The best Ethereum wallet Intro My main goal with the Pillar wallet design was to ensure maximal possible security for the users, without unnecessary limitations. Furthermore, I have focused on the reduction of redundant steps, legibility and

543 views • 16 slides
www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage,

INFORMATION SECURITY AWARENESS keeping yourself and your family safe in a tech driven world www.isea.gov.in www.infosecawareness.in Agenda Financial Safety and Security - Awareness E-wallet- Usage, security and Guidelines Insta loan

604 views • 29 slides
On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35

On the Ring-LWE and Polynomial-LWE problems Miruna Roca, Damien Stehl, Alexandre Wallet 1/35 A. Wallet About todays talk Its post-quantum (public-key) crypto time! Cryptography = building secure schemes Theoretical security = reduction

659 views • 49 slides
Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December

Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December

Wallet Security 35th Chaos Communication Congre, Leipzig, Germany Stephan Verbcheln December 28, 2018 1 My Background Professional Background Diplominformatiker (eq. masters degree in CS) Security Analyst (cnlab security ag,

633 views • 30 slides
Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli .ch PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D Privacy Security Trust Privacy Transaction / scripts privacy Security Trust No-trust

700 views • 43 slides
Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc.

Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc.

Digital Wallets Executive Briefing Michael Bradley Managing Director, NorthCard Inc. mike.bradley@northcard.com 416-929-0422 11-June-14 Digital Wallets Executive Digital Wallets Executive Briefing Briefing I. Digital Wallets 3 II.

776 views • 66 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides
The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet

The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet

The Green Assets Wallet Validating Green Investment through Blockchain 1 Green Assets Wallet (GAW) idea 2 GAW - background Delivering on the Paris Agreement and SDGs by Accelerating Green Finance and Investment through Blockchain

325 views • 8 slides
TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing

TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing

The Dynamic QR Code System TREZOR Wallet Setup and BTC Transfer What is QR.CR? T he Worlds Best QR Code Mobile Marketing System Secure Easy to use Accessible Interactive Versatile Why TREZOR Wallet? Keep Bitcoins Safe

423 views • 25 slides
the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev

the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev

the future of hardware wallets D419 C410 1E24 5B09 0D2C 46BF 8C3D 2C48 560E 81AC @StepanSnigirev stepan@cryptoadvance.io hardware wallets can : spend funds user input spending output user input user output receive funds multisig do

195 views • 15 slides
Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15

Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15

Third Quarter 2017 Conference Call Presenters: Yvon Charest, President and CEO Ren Chabot, EVP, CFO and Chief Actuary November 8, 2017 1 Table of Contents 3 14 Q3/2017 highlights Balance sheet 25 Hedging experience 4 15 Acquisitions

748 views • 36 slides
STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit,

STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit,

STM32F3 DAC Cuauhtmoc Carbajal 24/10/2013 1 DAC1 Introduction The DAC module is a 12-bit, voltage output digital-to-analog converter. The DAC can be configured in 8- or 12-bit mode and may be used in conjunction with the DMA

209 views • 10 slides
DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall

DATABASE SECURITY CS4750 Database Systems Prof. Nada Basit Email: basit@virginia.edu Fall 2020 University of Virginia 1 Levels of DB Security There are 6 levels that impact database security Database Level database users and

591 views • 21 slides
ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic

ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic

SUPPORTING OECD COUNTRIES CLIMATE ADAPTATION Michael Mullan Team lead Climate change adaptation and development Systemic impacts of climate change require a systemic response Sector Adaptation example Agriculture Alter crop species

485 views • 5 slides
NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO ,

NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO ,

NDN-Trace A A PATH TRA RACING UT UTILITY Y FOR R NDN NDN SIHAM KHOUSSI, DAVIDE PESAVENTO , LOTFI BENMOHAMED, ABDELLA BATTOU NATIONA NA ONAL L INS NSTITUTE OF OF STAND NDARDS DS AND ND TECHNOL NOLOG OGY (NI NIST) NDN vs IP IP

478 views • 11 slides
Cray Management Services (CMS) Group Charter The Problem with Log and State Information

Cray Management Services (CMS) Group Charter The Problem with Log and State Information

Cray Management Services (CMS) Group Charter The Problem with Log and State Information Solutions CMS Log Manager Solutions CMS State Daemon Future Functionality Summary, Questions, and Contact Information

223 views • 10 slides
Efficient Memory Disaggregation with Infiniswap Juncheng Gu , Youngmoon Lee, Yiwen Zhang,

Efficient Memory Disaggregation with Infiniswap Juncheng Gu , Youngmoon Lee, Yiwen Zhang,

Efficient Memory Disaggregation with Infiniswap Juncheng Gu , Youngmoon Lee, Yiwen Zhang, Mosharaf Chowdhury, Kang G. Shin Agenda Motivation and related work Design and system overview Implementation and evaluation Future work and

857 views • 65 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides

More recommend