On the usability side:
I propose that this card contains a separate unique wallet which can
be recharged from the computer with the users main wallet (this could
be supported trough official bitcoin client) so that even in the case
of card loss the damage is limited.
Also the card should be able to provide the receiving address for the
main wallet, in case the transaction is not paying but receiving
bitcoins and we don't want to store it in the card wallet (i'm not to
sure on this)
What about NFC?
And also ince this is an open source project, we could try to be as
modular as possible to support different designs.
>
> physical connection between infeted machine and payment module does
> not mean that infection can spread to payment module, as long as
> reasonable security practices are kept
> its probably a good idea to keep program memory
> protected(unfortunately means no rewrites, so no software updates)
> along with decryption keys(no read back from onchip prom), and keep
> the wallet data encrypted in eeprom(offchip memory would probably be
> used)
>
We should start a few different threads with discussions related to
Hardware, Software (on-card, and desktop support), Security, Use
cases?
2011/6/21 Rassah <ras...@xnicole.com>:
Offtopic: I'm really excited about this project. If enough people
participate in this, this could become a real thing.
I'll write more tomorrow, it's after midnight here, and i need to get
to work in the morning :)
2011/6/21 r2k-in-the-vortex <rkor...@gmail.com>:
assuming that the SC decides what the screen says, I think this has
become a purely smartcard and pc programming task...
Im going to shy away from the project btw :D
2011/6/21 Uglješa Jovanović <ions...@gmail.com>:
Why are you going away from the the project? :(
2011/6/21 Uglješa Jovanović <ions...@gmail.com>:
2011/6/21 Uglješa Jovanović <ions...@gmail.com>:
I'm sorry i didn't notice your project before, otherwise i would have
gladly joined. It's great that you are an expert in this area, and I
think that should really help the development. I myself am a software
engineer, and i will mostly work on the desktop-client side, and maybe
in some part on card software development, although i need to freshen
up my C/C++ skills. I'll take a look at the links you posted later,
and give you some feedback, but keep in mind that I am just starting
to learn about smartcards/tokens.
On the other note, is someone willing to take the responsibility of
managing the wiki? :)
2011/6/22 Uglješa Jovanović <ions...@gmail.com>:
They offer a symbolically free (0.5 euro) smart card, if you develop
for opensmart card, they propose projects to enhance, or you can make
your own proposal (BitCoin wallet)
The card doesnt seem to have accelerated ECDSA capabilities (but I
dont see a real specification sheet, so maybe it does). And Im not
quite sure if javacard can still perform ECDSA using the chip as a
general purpouse processor, or if javacard crypto apis depend on
hardware implementation (which would be strange, since then all
combinations, and all existent card models must be present in the API
headers..., and also that would require that you compile applets for a
specific card, completely against javacard reduced bytecode
instruction set, so I tend to believe that if the card supports
javacard applets, AND if its memory is big enough, it can compute
ECDSA keys, and testing will only tell how fast this is...)
I think if the card supports javacard applets, you can try to write
any cryptographic functions as long as you stay within memory bounds,
and are satisfied with your card's specific performance (for which
some cards have develloped dedicated crypto coprocessors).
the ECDSA signing as I said is already present in javacard api, so
only testing will tell.
otherwise these cards cost 12.9 euros
you mean the feitian one? or the DoD one? the feitian one could use
any curve, as you say it can be implemented in software...
write would also be very desirable future, how else do you store
failed pin attempts etc? if "the fed" lays its hands on your card itll
try every possible pin combo (or smarter use timing attacks...), a
card could increase a counter before signing it after which it needs a
different PIN to let user confirm its really been so many signatures
ago and not an attack, to try detect statistical sidechannel attacks
(lots of attempts at signing without explanation (PIN))
what makes you think these cards are cheaper than javacards? is it a
significant difference?
I fully agree the security protocol should be worked out first, so
that different people can implement them. first versions seldom hit
the target though.
except for your experience with the card, will it be able to sign
using the secp256k1? if not will a new production line of processors
be started? what makes you think that the first version for a small
community of bitcoin users are going to be willing to pay that? I
think most will want to use smartcards since the proposer2card
protocol will likely change a lot in the first few versions...
first functionality then speed no? and those who are willing to pay
for faster more capable smartcards let them, they can load the same
applets.
what chip is in the fips 201 hspd12 cards? whats the card OS? whats
the card platform? does it support javacard, openplatform, ...? what
vendor specific hardware implemented functions does it provide? how
many were deployed? in belgium the population of 11 million is equiped
with smart card identity cards (javacards, the security architect of
beID published opensource the javacard applet so that other
nations/organizations can simply copy pasta it with their own keys and
CRLs etcetera)
we should do thorough market research, and ask price quotes and spec sheets.
for example the javacards with oncard buttons and flexible display
sounded like really expensive to me, but then again, who knows?
I would kill for a small "gameboy 0.01" capable smart card :D let
alone one which doesnt delegate displaying crucial information to a
device you might not trust (future real life bitcoin shop scenario)
I was also amazed to recently learn UK first trialled it in 2004?
Im not too old, so I cant really remember how long its been around
here, but from what I read it seemed to be deployed on broad scale in
france pretty early...
FIPS: "bits of security: 40-200" 40?? replace double hashing with
bruteforce and except for a constant factor (approximate 1 (2*64
rounds of about *24 register operations of 32 bits compared to
whatever you want to sign to guessed private key)) the current mining
rate is 2^51 hashes per 10 minutes, so thats 2^(51-40)=2048 expected
succeeding bruteforces per 10 minutes. thats if the bitcoin chain
decided to replace the hashes with providing 30 such signatures to
mint a valid new block.
Im also amazed the bitcoin community doesnt see that they reached the
theoretical attack of 2^51 for sha-1 collisions, if someone
implemented it for gpu's we would be within orders of producing sha1
collisions (the eid cards of belgium and lots of other cards still
sign with sha-1 hashes...)
2011/6/23 Ludwig Maes <ludwi...@gmail.com>:
while writing this I realize this is a NIST website... perhaps SECG
has a similar page where it lists smartcards that support SEC2 curves?
2011/6/23 Uglješa Jovanović <ions...@gmail.com>:
> I am also inclined to look into javacards because I'm very familiar
> with java, and from some limited research I have done they are
> available from multiple sources and are widely deployed.
> I found that in this list
> http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html there
> is a Gemalto java card that supports ALL-P ECC, but I'm not sure it
> supports secp256k1, if it doesn't we would have to implement it. I
> haven't looked into the prices, but I may obtain Gemalto java card,
> because i saw here in the company i work at someone is using Gemalto
> hardware, and there are people working with smart card / POS
> developement here, but they are in the other team. I'll look into that
> later. If i can't find gemalto java card here, I'll just ask Gemalto
> for one :)
>
> I agree with everything Ludwig said, and the questions he asked, and i
> also agree that we should start with functionality first, and then
> worry about speed.
>
> Also we could implement SIM card similar PIN/PUK mechanism.
>
> 2011/6/23 Ludwig Maes <ludwi...@gmail.com>:
2011/6/23 Ludwig Maes <ludwi...@gmail.com>:
I agree with everything Ludwig said, and the questions he asked, and i
also agree that we should start with functionality first, and then
worry about speed.
Also we could implement SIM card similar PIN/PUK mechanism.
2011/6/23 Ludwig Maes <ludwi...@gmail.com>:
wide range of SHA including SHA-256
wide range of ECC including secp256k1
card OS and platform unknown (I think the card manufacturer writes a
card specific OS, on top of which JavaCard or OpenPlatform can be
implemented)
has dedicated crypto coprocessor for RSA and ECC
if this is commercially available at reasonable price, and can be got
with javacard this one seems like a winner,
but was also in top3 results of google.
instead of these lets get crackin crazy ideas we should just enquire
with different companies what options and estimated prices are for
proposable volumes.
I am really curious about the button and flexible display smart cards, we should
A] find out how expensive SC + BUTTONs + DISPLAY cost to design,
develop, produce, massproduce by
1) looking up companies that advertise similar products (some we find
may just be middle companies between us and real company, handing
specifications and communications back and forth, costing more,
delaying progress) dont expect every company to display each product
they have on their website, these guys deal in high volumes with their
clients and their site is just a welcome invitation to pass by for
real business talk...
if it remotely looks like they can do this add them to the list of
companies to enquire with
2) cooperate on the wiki a letter for enquiry, helping them help us
find our way:
clearly state what our goals and needs are (bitcoin security,
market of (un)justly paranoids, need to seperate signing from general
purpouse computing, fixed crypto protocol of bitcoin => specific SC
needs secp256k1, SHA-256, long lifetime memory for wallet read write
cycles,...), open for suggestions, enquire how much "it would cost"
and allow them to describe the most important cost factors in bringing
such a SC to the market.
This part will probably take the most time, since at least I have
little experience in conveying my honestly true interest to managerial
types :D
pretend you sit at your desk at this kind of company and get a mail
from some hyped up bitcoin fans... possibly mentioning bitcoin is a
downer!
3)take a long good look to interpret any answers. the answer will be
something completely different than we expect because we dont know
that industry (if you look at everything we wrote to each other)
B]If no button+display SC is feasible. we should have no problem
buying a random javacard with enough memory to play with. They are not
that expensive.
I'll play around with java card SDK when i get home, I'll also start
looking into integration with bitcoinJ, and we should contact the
bitcoin (c/c++ version that everyone uses) developers when we have a
solid proposal for them to implement. As far as i understand, we could
develop support for smart cards with display/keypad as an separate
applet and integrate it with basic smart card applet. We should try to
be as modular as possible, so we can support different standards cards
etc...
2011/6/23 Ludwig Maes <ludwi...@gmail.com>:
youtube was quite effective in finding companies that built otp
display smartcards,
collaborate on a good letter, only send if we can all agree on the contents...
2011/6/23 Uglješa Jovanović <ions...@gmail.com>:
"> I looked at this card doesn't like like it supports the right ECC
> curve."
you mean the feitian one? or the DoD one?
the feitian one could use
any curve, as you say it can be implemented in software...
write would also be very desirable future, how else do you store
failed pin attempts etc? if "the fed" lays its hands on your card itll
try every possible pin combo (or smarter use timing attacks...), a
card could increase a counter before signing it after which it needs a
different PIN to let user confirm its really been so many signatures
ago and not an attack, to try detect statistical sidechannel attacks
(lots of attempts at signing without explanation (PIN))
what makes you think these cards are cheaper than javacards? is it a
significant difference?
I fully agree the security protocol should be worked out first, so
that different people can implement them. first versions seldom hit
the target though.
except for your experience with the card, will it be able to sign
using the secp256k1? if not will a new production line of processors
be started? what makes you think that the first version for a small
community of bitcoin users are going to be willing to pay that? I
think most will want to use smartcards since the proposer2card
protocol will likely change a lot in the first few versions...
first functionality then speed no? and those who are willing to pay
for faster more capable smartcards let them, they can load the same
applets.
what chip is in the fips 201 hspd12 cards? whats the card OS? whats
the card platform? does it support javacard, openplatform, ...? what
vendor specific hardware implemented functions does it provide? how
many were deployed? in belgium the population of 11 million is equiped
with smart card identity cards (javacards, the security architect of
beID published opensource the javacard applet so that other
nations/organizations can simply copy pasta it with their own keys and
CRLs etcetera)
we should do thorough market research, and ask price quotes and spec sheets.
for example the javacards with oncard buttons and flexible display
sounded like really expensive to me, but then again, who knows?
I would kill for a small "gameboy 0.01" capable smart card :D let
alone one which doesnt delegate displaying crucial information to a
device you might not trust (future real life bitcoin shop scenario)
2011/6/23 Smartcard Guy <smartc...@gmail.com>:
Trust is laid on the provider of the card (we do not develop IC's and
will have to trust the smart card companies operating system, there
reputation is at stake, and if they betray client trust, they would
loose 99.999999% of their clients, we are the 0.00000000000001%, these
companies are audited, as well as their operating system, if they put
backdoors in smartcards, no bank would use smart cards... developing
microcontrollers is not cheap, they will not develop a new core to
screw us, or so we hope...)
If its not a simple memory card but a smart card, the applet developer
can choose the behaviour, we simply do not implement an interface
method that gives the keys out.
Hashing and signing happen on smart card.
Can you point me to a specification that states the card controls the display?
Or alternatively point me to javacard standard API calls that print to display?
How standardized are the displays and PIN keyboard? we would like to
display bitcoin adresses, left right keys would be usefull
After implementing the first version with normal reader and normal
smartcard, Id seriously consider the display+button cards,
The customized live linux distribution shouldn't be too hard to make.
look at the users (A is normal and wants computer backup B is paranoid
and doesnt want backup, at most clone to other card by public key
exchange of cards)
1 generate on pc [optionally send to card]
2 generate on card [optionally send to pc]
A is happy with both (you cant smell in which direction the keys go so
it doesnt bother, you have to connect the smartcard either way if you
are A)
B is happy with 2 and chooses not to send to pc, but not with 1 which
forces him to trust his pc and the live cd (albeit not long)
in security choose the option most users are compatible with, B is not
compatible with 1 due to security reasons. we dont loose A but can
loose B in this decision.
2011/6/24 Uglješa Jovanović <ions...@gmail.com>:
So this is the live distro use case:
1. Download the distro from a trusted source, check the md5 sum
or
1. When ordering a key card, you get a bundled key card and usb with
live distro you can trust immideately
2. Create keys, initialize the card with those keys, encrypt them and
store them to the usb the live distro is running on
3. Put the usb in a safe
4. Put the safe in a nuclear fallout shelter :)
I think the backup of the keys is really important because with the
scenario where you generate the keys on card, if you lose the card you
and the bitcoin network lose those bitcoins for ever
This is a issue (losing bitcoins) that i think (If bitcoins live for
that long) will become important at some time generally for the
bitcoin system, but it's out of our scope
This is a dangerous misconception. if the card does not read the
unsigned cleartext to display to user, and does not hash it itself, it
could be signing the hash of a completely different transaction. I
repeat DISPLAYING and HASHING and SIGNING must BOTH be done ON CARD or
TRUSTED TERMINAL. The threat model is that the computer is not a
trusted terminal. perhaps a secure pinpad is, and a SC with own
display and buttons has even more potential to be so. (Please do not
confuse this with trying to reinvent wheel, this is not trying to
reinvent minicomputer/cellphone/..., the purpouse of crypto smartcards
is secure computation, not flexible multitasking run-it-all). Think
about it, do you sign things you cant read? Do you sign blank cheques?
I we allow the proposal software to save the card from the "work" of
hashing (c'mon theyre built for it, dont project your computers slow
bitcoin hashing rate (~10^~5 per second) to incredibly slow hashing on
smart card, each transaction would only take a few SHA256 hashes or
so).
If you continue this development with hashing done on the compromised
computer (threat model, if you assume opposite, you dont even need
smart cards), I WILL keep reminding bitcoin users of a flawed
implementation, and WILL provide a patch of your future proposal
software to prove it.
Without a doubt if we were implementing a a custom applet i would want
to see us implement a simple bitcoin client that not only signed but
hashed as well, in fact I want to see us ultimately get to a simple
client where all wallet management and crypto happens on the card we
just don't have commodity hardware that will do what we need yet and a
variation will be needed for a point of sale solution like you
describe.
So my point was at least in v1, doing hashing on the card likely
represents additional work, additional performance implications and
doesn't improve the security in the scenario we were discussing. I
don't really care one way or another though, since it does help
address the more esoteric attack of a known trusted algorithm
implementation issue.
On 25 June 2011 18:31, Smartcard Guy <smartc...@gmail.com> wrote:
> Ludwig, I understand that if the card has a display or if we are using
> a secure pin entry device that what you say is true but I understand
> the group has agreed to start with commodity hardware which does not
> include this.
>
I thought the group agreed to the following compromises:
1) if finding a card without the crypto acceleration cheap and
available enough turns out to be too hard, ... then for development
purpouses (or patient bitcoin users) we will start developing for
smart card without the crypto coprocessor acceleration.
I.e. no compromise in security but in speed (from the user
perspective): choose security over speed. once we get it *working*
it's just a matter of finding a card with the silicon acceleration
(crypto coprocessor supporting the right hashes and ECDSA curve).
2) if it turns out that getting (custom, or already existant) smart
cards with display and pin buttons turns out to be too
hard/expensive/slow dev cycle, we can deprioritize this requirement
(display and buttons on smartcard) by trusting secure pinpad terminals
_on the condition_ that the existing standards for these SC readers
with display require the display to be controlled by the smartcard and
not the computer. (we have not done real market research on the
smartcard /w display+buttons, nor have we done real specification
research on wheither these terminal screens are controlled by USB side
or SC side) I am very curious about the answers to these questions.
If the terminal screens are controlled by the smart cards (i.e.
print() functions in the javacard applet, with proof in standards that
the terminal screen are forbidden to be controlled by USB or at least
under certain conditions, i.e. when a SC is present), then yes I of
course dont care if four development purpouses you trust your
computer, but the applet should still control the pinpad display when
present. But you should then provide a disclaimer in the code to warn
people who trust their computer screen that in using the smartcard
setup without dedicated display there is no extra theoretical
protection for them. (only security through obscurity, i.e. no open
security at all)
> Without a doubt if we were implementing a a custom applet i would want
> to see us implement a simple bitcoin client that not only signed but
> hashed as well, in fact I want to see us ultimately get to a simple
> client where all wallet management and crypto happens on the card we
> just don't have commodity hardware that will do what we need yet and a
> variation will be needed for a point of sale solution like you
> describe.
>
In our previous discussions we were worried about the ECDSA signing,
why? because nearly all smart cards provide the hashing functionality,
the smart cards you ordered for example does (check the datasheet pdf
on the link you posted, when we searched for SEC2 ECDSA capable cards,
all of the crypto cards supported some SHA hash, and often SHA256 was
included), its just a matter of calling the SHA256() functions already
present on the card. you are compromising security for what? a few
lines of calling already existant code? not even that: if you dont
write it in the applet, youll write it in the proposal software...
this makes no sense at all.
> So my point was at least in v1, doing hashing on the card likely
> represents additional work, additional performance implications and
> doesn't improve the security in the scenario we were discussing. I
> don't really care one way or another though, since it does help
> address the more esoteric attack of a known trusted algorithm
> implementation issue.
>
Yes doing additional work, not for us (well some code to receive the
tobesigned cleartext transaction, and to print address and amount to
display), not for the users, but for the smartcard (not so much in
time as space to receive the transaction (currently an average
transaction is about 1/4 KB), I would NOT do wallet management on the
card for initial versions, storing all previous transactions will take
a lot of space). That is unless you go down special smartcard/token
route with extra space or support for memory cards.
Assuming thus that the card does not contain a traditional wallet.dat:
The onus/responsibility of scanning the blockchain to stay up to date
and checking if enough is present on the input adresses the card
pronounced, is on the side of the proposal software.
2011/6/27 r2k-in-the-vortex <rkor...@gmail.com>: