A review of the Multisig Self-Custody Scenario #15
Comments
|
I thought of one other thing. This guide has a significant central point of failure: the Gordian Seed Tool. That tool handles two of the keys, meaning that theft could happen in any of the following scenarios:
I would highly recommend that a different application than Gordian be used on the active seed. Electrum maybe? This seems to be the weakest link in this guide. The other single point of failure is Apple, but it seems this was an intentional decision to trust Apple in order to simplify the guide for Apple users. |
|
@fresheneesz wrote:
Thank you! This is exactly the kind of detail we hoped to get from this early scenario draft. @shannona and I plan to respond point by point, and either revise the scenario, explain better, or offer a rationale. -- Christopher Allen |
Actually, I had really hoped that Unchained Capital would update Hermit for the SSKR 1.0, as your team contributed code to the SSKR project. We were somewhat forced to use Gordian Seed Tool for the creation of offline seeds as we didn't have many other choices (yet). Maybe you can persuade Chris Howe to upgrade it? Also related to Unchained, I was really hoping that we would have an update to Caravan for doing crypto-request QR URs and PSBTs. I'd love to have another scenario which is Caravan, Gordian Seed Tool, Passport, and maybe something like SeedSigner for offline keys (our summer interns are investigating adding QR UR support to it.) -- Christopher Allen |
|
Thanks very much for comments, @fresheneesz. As @christopher said, we were very appreciative of your comments, and at various times have taken the opportunity to better explain, to add rationalization, or to modify the text. Here's a run-down of about the first half of that, with more editing planned for next week week when I'm available again. First, a few comments on your overall take-away: I.
Yep. we cover this in our Adversarial appendix, but I've added some text to better explain why we ignore some current options:
II.
We obviously need to clarify this, because forgotten passwords absolutely do lead to loss of assets. We know of real cases where forgotten PINs for Ledgers or Trezors endangered millions of dollars in Bitcoin assets. In our scenario, loss of the Passport PIN causes the loss of the Passport data, and loss of your Apple PIN causes loss of the GST data. Now, you can get the Passport via another means if you have the backup (and password), but the loss of Apple login info can be absolute. This is particularly critical for situations where heirs may need to recover your funds. Without written passwords and PINs they cannot. But, I've certainly forgotten enough passwords and PINs over the years to consider it a threat even to my own holdings. The flipside of this is that the whole setup is carefully designed so that you never have a PIN/password and the thing it unlocks in the same place. (And if you think we messed that element up anywhere, please let us know.) So, better explanations were needed for all of that, and let me know if there's anything that you find incorrect or unbelievable.
III.
We definitely disagree on that. I think there's room for considered and fair argument on how great the security improvement is, but I'm pretty sure something is there. I think the buffer flow bug is a fine example: yes, a QR code can still buffer-overflow a badly written hardware wallet, but without an interactive possibility for back-and-forth the damage is much more limited and much harder to take advantage of. Take the example of the classic buffer overflow, when the Morris Worm attacked I've added some notes on this, to better explain our rationale behind our belief:
IV.
Yep, that's clearly a superior choice, since it's water-proof and fire-resistant. But we do also thinks there's a real cost in convenience every time we require an additional purchase (let alone the time required to etch or lay in tiles, as we've experimented with both), and the threat is always that we tell users to do too much and so they do nothing. In any case, we do have "metal storage" in our alternatives section, and based on your suggestion, we've highlighted it better:
V.
I'd be happy to get any specific recommendations you have for archival paper and India Ink, particularly if the paper can be used in a printer and if they're available online. We've also added notes to all the Storage reviews that the user should ensure the readability of all of his written data, which means he'll be looking at all that paper and assessing it ever year. And that even for tamper-evident bags, a user should open them every five years or so to take a look. Personally, my oldest tax records currently on hand, from 2013, printed off a cheap-o inkjet, still look crisp and new, so I suspect it's a minimal problem unless things are being left in the sun, but definitely one that should be considered from time to time as some people will do that. Thanks! VI.
Thanks, I've added your rec as a safer option. I've also added some notes on our philosophy:
VII.
That's a good point. I was going to add in a procedure for signing it, but then I realized that all of the commits from myself and Christopher are actually Verified, so at least for now we can rely on that. (It might still be good to sign it, or possibly the whole SmartCustody guide, for full releases.)
VIII.
I don't know that we can provably say that A+B = seed and B+C = seed means that A+C = seed. If we've checked all three shares in the two combinations, then it seems extremely extremely likely that we're safe, but I wouldn't want to create a situation where somehow we found there was a bug and the last combo didn't combine correctly. So, since users could return any two of the three shares (and might only have two out of the three), I'd like that to be pre-tested. But, it's an excellent question that allows us to talk a bit about our philosophy.
More in a few days! Thank you for the comments and improvements! |
Ah interesting. Do you know worked on SSKR stuff? Was it Chris? I believe Caravan does work with PSBTs already. But as far as feature requests, it'd probably go a long way to write a couple feature requests on github issues, and wouldn't hurt to ping some people over here. As far as Chris, he's got his hands full at the moment, so not sure when he'd have time to look into this. But I let him know you mentioned him.
Ah i see, the "Passport Words" is really a password that protects the passport backups. Is that right? I missed that. Might be clearer to call it a "passport backup passphrase". Or if that conflicts too much with Passport terminology, maybe write "Passport words (backup passphrase)"? I thought the passphrase was to unlock the passport device. Is there any other non-device backup that's password protected that I missed? It would be very useful to add recovery steps: what to do in various recovery cases (you've lost a storage location, a key was compromised, you died and you heirs want to recover your coins). Take a look at the "Actions and Events" section in one of the Tordl guides for what I mean. I certainly could do a better job desscribing recovery scenarios, especially inheritance, but I think its a good idea to give clear steps to the user on how they should handle various uncommon or infrequent situations, since those are always going to be more prone to error. If instructions for this were there, it would have been much clearer to me exactly what's needed to restore funds. In any case, revising my understanding, here are the properties as I see it now: Security / Theft resistance:
The primary difference between my new understanding and what I thought the guide was saying is that my new understanding is that this setup is less resilient. Fewer storage locations can be lost while still preserving recoverability. Am I still misunderstanding something? If not, it seems like perhaps the guide could be improved by doing things the way I misundertood the guide to be: don't password protect the passport backups. It doesn't seem like password protecting the Passport backups gain you any security, and it seems you're losing a significant amount of loss protection by doing that.
Agreed. But QR doesn't have a monopoly on limiting interactivity. A connected line could also be programmed to be non-interactive (eg by hard wiring it to only be able to send data when a user manually presses a button). And while I agree a QR code situation does make it harder even for malicious firmware to communicate with the outside world, it certainly isn't impossible. For example, if there's any kind of controllable light source in front of the device and a camera in back of it, that's a potentially unbounded open channel. So while yes, its more limited, I would say its pretty debatable how significant that really is in terms of security. A properly built device that uses USB should be just as secure. That's not to claim that any particular device is properly built enough to have a comparable surface area to QR devices tho.
Similarly to the above, a connected usb plug can also build in this kind of speed limitation. QR isn't the innovation here, but more of an accident of how QR works. Faster things can always be made slower. In any case, we don't have to agree : ) And your elaboration there seems reasonable to me, especially since it notes that there are those that disagree.
It looks like the TerraSlate paper you recommend is acid-free as well. This reference to Rite in the Rain All-Weather paper says its acid free as well, tho most listings don't mention that. Here's some info on the benefits of acid-free paper. Both paper says they don't support inkjet printers btw, there's people complaining about that in reviews. In any case, as far as resilience, the paper types you're already recommending look like quite good archival paper already. I might swipe those recs for Tordl ; ) |
|
IX.
It does not. We've added a mention of how to improve dice-rolling randomness. X.
I've forgotten password, I've forgotten PINs, and when I die, there's no one around to remember them at all. So, we consider them pretty important. Without them, a user can pretty rapidly start losing access to devices, and if a few problems occur simultaneously, seeds. Without the passwords, only the sharded SSKR seed is available. Also, the user doesn't lose access to his seed when he breaks his phone. He restores it from Apple Cloud to his new phone provided he knows the password to his apple login and the PIN for one of his past devices. So that's actually the exact reason this is required. Anyway, this should be well-covered by the new "Writing Passwords" not previously. XI.
The Passport backups are probably the most fragile part of the setup because the backup words aren't going to be as easily remembered as a PIN. But the main point is redundancy and ease of use. If a user forgets his PIN, yes he can unzip his file and read it as long as he has the backup file and the backup words. But for an heir, that's not going to be nearly as easy to use, and greatly increases the chance of loss. I think that's the main thing that the procedure concentrates upon that might not be obvious: the ability for heirs to recover money in case of death or disability. We added a few mentions of this:
And:
To supplement the following assumption, already in there:
The point about PINs is a good one.
XII.
Yeah, that's fair. Mermaid, which does our diagrams, unfortunately doesn't have a good methodology for captioning them, so I made do. I've chosen a different methodology (basically p-align-center instead of h4) to create better differentiation. XIII.
Quite true. I've revised that comment:
XIV.
Good question! Added a note!
Removed the note about passwords, because yes that's doesn't seem relevant. XV.
Thanks, those are some fine examples and have been worked into the text.
|
|
Re: II
Yep. The PIN unlocks the Passport. There was some inconsistency in the naming within the scenario, which I suspect caused the confusion. Hopefully better now, standardized on "Passport Backup Words", with an explanation of what they are.
The Apple Cloud info from GST is only accessible from your current device (usually requiring some type of biometric login) or on a new device with a login to your Apple account and either proof of knowledge of a previous PIN or else Apple Recovery info you've set up.
I agree. There's a few larger scale additions we want to make to the guide. I've added this one. Re: Overall model
This is only sort of true, but it's hard to model because of the high number of variables, making it quickly grow to an n-dimensional chart. We largely consider losing a device and losing your home storage as the same, so losing your device AND a primary or secondary storage is very similar to losing two of your storage locations (home + one other), and yes, could result in loss.
Again, it depends. I had one version of the scenario that looked at losing your passcodes, and finally decided it didn't matter because your passcodes are all backed up. The bottom line is that of the three locations (Home + Primary + Secondary), you have to lose two to have likely asset loss. Even then, if you have things in the cloud and/or memory you might be able to recover. Re: III
I notice you say "QR" and we say "airgap", so that's probably one good point to mention. Otherwise, you say other methods could introduce these limitations, and we say airgap requires it. So that's probably another. Going to introduce some additional clarity on that, thanks! Re: V
Thanks, I've added your link on acid-free paper |
|
@imansayadi3 I've deleted your comment to this issue, as I was not able to puzzle out what parts were your comment vs quoted text from previous comments. Please don't use email to reply to Github comments unless you are careful to remove all the extra material (quotes, signatures, etc.) |
|
Thanks for the comments, @imansayadi3, they've add clarity to the document, helped us to better explain our thoughts and methodologies, and also corrected some issues here and there. I'm going to leave this open for a bit for any final responses, as I know the last set produced some more good additions. |
and others
I reviewed the procedure laid out in the simple path in Multisig Self-Custody Scenario. I didn't pay much attention to the optional steps.
My main takeaway is that the guide as written has the following primary properties:
In general, this seems like a reasonably secure guide. My primary complaint with the guide is the recommendation to write down pins and passwords. I don't think this gains the user anything significant, but it introduces significant additional paths for the user to be compromised (eg writing down their apple account credentials means someone might be able to compromised their apple account if the location that's stored in is compromised).
The other issues I found are either opportunities to reduce complexity or minor improvements / questions.
Feedback in no particular order:
I have an interest in self custody solutions, especially multisig ones. I think guides like this one are very important and hopefully using and sharing guides like this will one day become standard practice for people storing any significant amount of bitcoin. I wrote The Tordl Wallet Protocols and I work for Unchained Captial. I would be very appreciative of a review of Tordl by anyone involved in Blockchain Commons.
The text was updated successfully, but these errors were encountered: