Bitcoin and Security Software Wallets

Let's talk a little about wallets in cryptocurrencies. By “cryptocurrency”, I, first of all, will mean Bitcoin. In other cryptocurrencies, the situation is similar and if you are interested in the details, you can dig yourself.

Despite the ongoing HYIP around cryptocurrency and blockchain as a technology, in my opinion, very few people talk about the security of these solutions. Everyone concentrates on the various advantages that blockchain technology provides, discuss mining and jumps on cryptocurrency rates, while security is crucial, especially when it comes to money or distributed property registries. All information for the article is taken from open sources, such as https://bitcoin.org , https://en.bitcoin.it/wiki , https://bitcointalk.org , https://github.com and others.
')
Below is a shallow review of cryptocurrency wallets and their security. The more I immersed myself in this topic while writing an article, the more I was surprised that there are so few hacks in the world and the withdrawal of funds from users of the same Bitcoin. But first things first.

What is a purse in cryptocurrencies

We will understand a little with terminology. By wallets in cryptocurrencies understand simultaneously:

• a set of keys to access money;
• programs that control these keys and allow you to conduct transactions on a cryptocurrency network.

In order not to be confused when we talk about keying, I will use the term “private key”. Although we all understand that in a key pair there is also an open one, as well as the fact that there can be several pairs.

We will talk about the wallet exactly as a means of managing, storing and conducting transactions. Without a wallet, you cannot receive, save or spend your bitcoins or funds in another cryptocurrency. Wallet - your personal interface to the cryptocurrency network, similar to a bank account for fiat currency.

In fact, the security of storing your funds in a cryptocurrency depends very much on the wallet you use. And the security of the wallet itself is largely based on the security of operations with private keys.

All wallets are divided into “hot” and “cold”. “Hot” is a cryptocurrency wallet, from which you can spend money at any time. A “cold” wallet acts in exactly the opposite way. It is not intended for regular sending of cryptocurrencies, but nevertheless, funds for it can be obtained at any time. The simplest “cold” wallet is a piece of paper that has a private key on your wallet.

A “hot” Bitcoin wallet is the application, website or device that manages your private keys. The most popular are, of course, applications, both mobile and desktop, as well as websites. Let's take a closer look at each of these types and see what threats the use of one or another wallet conceals.

Since there are a lot of wallets, I decided to study only those presented at https://bitcoin.org/ . As software wallets for the personal computer there are presented:

Wallets Requirements

The first thing to notice is the recommendations of the site bitcoin.org regarding the security of using one or another wallet. When downloading, you will be shown 6 requirements and information about which requirements each of these wallets are met and which are not. Most of these requirements are directly or indirectly related to information security, and therefore to the security of your funds.

These are the requirements as well as the levels of compliance with these requirements.

Control over your money

• Full control. No one can freeze your account or lose your money. However, you should remember that the responsibility for the security and backup of your private key lies entirely with you.
• Joint control. The wallet requires each transaction to be authorized by both you and a third party. Normally, you can regain full control of your funds using an initial backup or a previously signed transaction sent via email.
• Hosting control. A wallet gives you access to your funds. However, it stores an encrypted copy of your private key. This means that your funds may be stolen if you do not use a strong password or if the service is compromised.
• The money is controlled by a third party. This means that you must trust this service, and hope that it will not lose your funds as a result of the incident on its side. At the moment, most online wallets do not insure deposits like a bank, and many services have had security problems in the past.

Once again, I note that this information is not hidden, but is accessible to all. There is even a Russian translation, although not entirely correct in some places.

So, I don’t know about you, but I don’t like the last two levels of control at all. The story of a strong password sounds generally very bad. And it's not even the fact that users have big problems with creating, entering and memorizing truly strong passwords, but the fact that key loggers have not gone away.

And if to be completely realistic, it is unlikely that someone reads these warnings. And if he reads, not everyone understands how many security problems there are.

Transaction verification

• Complete A purse is a full node, which checks the validity and conducts operations in the network. When verifying payments, trust to a third party is not required. Full nodes provide the highest level of security and are important for network security. However, they need more disk space (over 145 GB), bandwidth and more time for initial synchronization.
• Simplified or decentralized. The wallet uses a random server from the server list. This means that you must trust these servers when checking payments. This is not as safe as using a wallet that is a full-fledged host.
• Centralized. The default wallet relies on a centralized server. So, you must 100% trust this third party in matters of hiding or counterfeiting payments.

The use of full-fledged nodes by all network participants, in my opinion, is simultaneously one of the pillars and, at the same time, one of the main drawbacks of the blockchain technology. Since the number of transactions in both relative and absolute values ​​is constantly increasing, the size of the wallet itself will also constantly increase. And few people will want to store several TB of data for a couple of transactions per day.

Alternative solutions have obvious security problems. The server list, in the case of decentralized verification, must be well protected. And as if the next virus did not leave only one infected server in this list.

And I don’t even want to talk about one hundred percent confidence in the third party.

By the way, supporters of cryptocurrency love in this case to pay attention to the fact that the banking system is arranged in a similar way. Of course it is. Only banks are governed by numerous standards, and if a new problem / vulnerability has arisen, insurance will protect your funds. Therefore, cryptocurrency services still have room to grow.

Transparency

• Full transparency. The source code of the wallet is open, and the assembly procedure is fixed. Any developer in the world can audit the code and make sure that the executable code does not hide any secrets.
• Basic transparency. The developers have published the source code of the wallet. Any developer in the world can conduct code auditing. However, you must trust the developers when you install or update your wallet software.
  
• Remote application. The wallet is loaded from a remote service. So, when you use a wallet, you must trust the developers in matters of theft or loss of your funds as a result of the incident. Using a browser extension or a mobile application can reduce these risks.

Source codes are generally a sore point. Since this topic is very close to the Habr audience, let's dwell on it in more detail.

Most of all I like the phrase “Any developer in the world can conduct code auditing”. Yeah, well. First, the developer should know well the specific programming language in which the particular wallet is written. And it immediately cuts off a large chunk from “any developer in the world.”

Secondly, not every developer is at the same time a specialist in information security or has experience in writing secure code. I will give a commonplace example:

memset(password, 0, sizeof(password)) 

Open the articles from the developers of PVS-studio and remember what mistakes the developers sometimes make. And even those developers who are well versed in security issues (for example, Boring article about checking OpenSSL ).

Therefore, a full-fledged audit of the entire wallet code can be done by a very limited number of developers. Most of them already have a lot of interesting tasks besides this audit. Even if one of them is interested in this task, then it will be executed only for a specific commit in git. So, it is not easy to evaluate the security of a code at a specific point in time.

What the guys from the Bitcoin site imply under the fixed assembly procedure was not clearly understood. With the assembly has its own problems. For example, how to understand that the assembly or update you received is compiled from the correct source codes. Let's be realistic - to collect a purse from the source code will be one. The best thing you can do is check the hash from the freshly downloaded installer with the hash that is listed on the official website. And he hopes that the site has not been compromised, and it is the correct hash that lies there, and also to trust the developers and collectors of the wallet, as well as the site administrators.

In order to completely finish the question about the source codes, I decided to look into the sources of Bitcoin Core myself, which, by all indicators that have already been described, and those described further, occupies a leading position. Code samples and conclusions that I drew from a quick look at the source, see below.

Bonus about transparency

There is another interesting aspect that I discovered quite by accident. Suppose you decide to use a Bitcoin Armory wallet that modestly positions itself as a BEST BITCOIN WALLET. In the description you will find - “Bitcoin private keys”. Scoring the name of the wallet in Google, you will find that the wallet has 2 sites. The first one https://www.bitcoinarmory.com is commercial with beautiful words, in the top of the issue. The second one, https://btcarmory.com, is more technical; a link from https://bitcoin.org/ will lead you to it.

So, on the technical site, on the main page in the news, you will find a warning:



A commercial site does not write such nonsense =) You do not need to worry about such silly reasons.

Environmental security

• Two-factor authentication. The wallet can be loaded in an insecure environment. However, the service requires two-factor authentication. So, to steal your funds, you need access to multiple devices or accounts.
• Safe environment. The wallet runs on a mobile device, where applications are usually isolated. This provides good protection against malware, although mobile devices are more likely to be lost or stolen. Encrypting a mobile device and backing up a wallet can reduce this risk.
• Vulnerable environment. The wallet can be downloaded to computers that are potentially vulnerable to malware. If you increase the security of your computer using a complex password, transfer most of your funds to offline storage or activate two-factor authentication, your bitcoins will be harder to steal.

I like the terms in which these requirements are described. It looks like the developers decided to immediately hint that your funds will definitely be stolen. The only question is how much effort and time it will require =)

Let's stop here, too, a little more.

Using strong two-factor authentication can really help solve many information security problems.

The key word here is “reliable.” And also correctly implemented. And with this, everything is not always good. For example, blockchain.info will offer you good old SMS as the second factor. Nobody is interested in the same NIST recommendations in Special Publication 800-63B:

• [Out of band verification] using SMS is deprecated, it will not be allowed.

In more detail about the correct two-factor authentication we will talk in the following article in which we will consider hardware cryptocurrencies in more detail.

We will not dwell on the security of computers and mobile devices in detail. It is enough to read any of the reports of Kaspersky Lab or other serious players on the security market to draw your own conclusions.

The following two items are not directly related to the safety of your funds. Therefore, I will not dwell on them in detail, but I will bring them here to complete the picture.

Confidentiality

• Improved. The wallet makes it difficult to track your balances and payments by rotating the addresses used. You should use a new bitcoin address each time you request payment. When receiving or sending payments, the wallet does not transfer information about them to other nodes of the network. Wallet allows you to configure and use Tor as a proxy to prevent attackers or Internet service providers from associating your payments with your IP address.
• Basic The wallet makes it difficult to track your balances and payments by rotating the addresses used. You should use a new bitcoin address each time you request payment. The wallet uses central servers that are able to link your payments together and remember your IP address. Wallet allows you to configure and use Tor as a proxy to prevent attackers or Internet service providers from associating your payments with your IP address.
• Weak. A wallet allows anyone to keep track of your balance and payments, because it reuses the same addresses. Reveals limited information to other members. Other hosts can remember your IP address and subsequently link all payments that you received or sent. Tor is not supported.

Even if you use cryptocurrency completely legally (although what is legal in relation to cryptocurrency is a big question), then additional privacy will not hurt you. And to disclose your balance and spending, so generally no one wants. Your co.

Commission

• Full control over the commission. The wallet will allow you to change the commission after sending funds using RBF or CPFP. This wallet also gives recommendations on commission depending on the current state of the network for conducting a transaction on time and without overpayments.
• Dynamic commissions. The wallet makes recommendations for commission depending on the current state of the network, which you can override. This means that the wallet will help you in choosing the appropriate commission to conduct a transaction on time without overpayment, but at the same time gives you full control to set the commission if you want.
• Static commissions. The purse does not give any proposals for the commission, given the current state of the network. This means that your transactions may take a longer amount of time if the commission is too low, or you may pay too high a commission.

Let's sum up

All requirements sound very reasonable. Moreover, this list could be further expanded to improve security.

Having carefully studied all these requirements, you want to find a wallet that would satisfy them to the maximum. And here comes the most interesting. There is not a single wallet on https://bitcoin.org that meets all requirements.

At best, you can choose Bitcoin Core or Bitcoin Knots, for which there will be such a picture:


Or you will use Electrum, for which such a picture:


Using green creates a false impression of complete satisfaction. Full match — bold green. This design was clearly chosen deliberately, which means that the creators of the portal decided to slightly manipulate an ordinary user. Not good at it.

This could have been finished. I think everyone has already presented how securely private keys are stored in cryptocurrency wallets. But we on Habré.

Working with private keys on the example of Bitcoin Core

Let's go a little further and see how the storage and work with private keys takes place using the example of software clients. As we already found out, malware can access the private keys of your wallet. The question is how easy or hard it really is.

First of all, let's see how Bitcoin Core does it. This process is well described in the Bitcoin wiki itself. As you saw in the screenshot above, this client is noted as one of the most advanced and satisfying most requirements.

The private keys of your wallet are stored along with other information in the wallet.dat file in bitkeys format. This file may or may not be encrypted =) By default, of course, nothing is encrypted. You are a competent user and you will find the right button. Only private key information is encrypted using the AES-256-CBC algorithm. In this case, the so-called master key - a random number is used as the encryption key. With this, the master key itself is encrypted on the key obtained from the code phrase using SHA-512 and the OpenSSL function - EVP_BytesToKey. The number of encryption rounds is determined by the speed of the computer at which the initial encryption occurs.

After that, your wallet is used by the client as usual. This state is called “locked”. If at some point you need to access the private keys of the wallet, then you must enter the passphrase in the client's GUI or use the walletpassphrase command in RPC. In this case, the private keys will be decrypted, and the wallet will go into the “unlocked” state. In the first case, it will be in this state only as long as necessary for the implementation of a particular operation. In the second case, the time after which the wallet will return to the locked state is determined by the second parameter in the RPC request!

The code looks like this:

 int64_t nSleepTime = request.params[1].get_int64(); pwallet->nRelockTime = GetTime() + nSleepTime; RPCRunLater(strprintf("lockwallet(%s)", pwallet->GetName()), boost::bind(LockWallet, pwallet), nSleepTime); 

It looks very cute. An ordinary wallet user is unlikely to start a server, unless it misses a file. But the attacker ...

With the GUI and storing the same passphrase in memory, everything is also not very simple. The guys have implemented a special class for storing such data - SecureString. Implemented in general, not bad, rake using memset successfully bypassed. But they keep it in memory longer than they should.

For example, so does our GUI (slightly corrected for clarity, curious to see askpassphrasedialog.cpp: 154):

  case Unlock: if(!model->setWalletLocked(false, passphrase)) { QMessageBox::critical(this, tr("Wallet unlock failed"), tr("The passphrase entered for the wallet decryption was incorrect.")); } else { QDialog::accept(); // Success } break; } return; 

In the beginning, we will do accept (), and only then our oldpass will go out of scope and it will be cleared. It is clear that a more secure code will not turn out as beautiful as a less secure one. But we here like with money work?

In my opinion, this perfectly confirms my concern about the open source of the wallet. Open source is not equal to security.

PS

I will try to anticipate the first comments and immediately answer them:

• Yes, you can create a certain set of rules for using a cryptograph that will significantly increase the level of security of your funds. Usability while of course it will suffer greatly.
• Yes, there are customers who are much safer than others. The problem is that the rest also exist and are recommended by the official site.

The purpose of the article is to draw the attention of the community to the problems that need to be solved, and not to turn someone against new technologies.

I have nothing against cryptocurrency or blockchain technology. On the contrary, I do it all by hand (this is my personal opinion, which is not in any way the official position of the company on whose blog the article is posted). But since we are starting to work with a new technology, we need to do it technically competently and not to forget about information security.