Board: Armory
Topic (OP): Feature request: QR code comms for signing
by Falkvinge on 21/02/2014, 13:30:34 UTC
As seen in the howto I posted a few weeks ago, Armory is now my primary wallet for security reasons, as I've chosen to not trust third-party services any longer *cough* Gox *cough*. I believe my fellow Armorists share the concern of coin security, and have chosen Armory for that primary reason.

Once you have your private keys in a manner that they will never ever touch a computer that has been, is, or will be connected to the internet, you need to examine the communications paths with this offline computer from a defense-in-depth perspective.

The weak link today is in how the unsigned transactions go to the offline computer, get signed there, and are moved back to the online computer. Email or clipboard is obviously out of the question, as that would require connecting the cold storage to a network. So realistically, that means a file is stored on some medium, that medium is physically moved to the offline computer and connected there, the transaction is signed, and the medium is moved back. The only medium that is used this way today is a USB stick.

Here's the vulnerable point. USB sticks contain firmware that can be exploited and malware embedded. That, in turn, can be used as an attack vector against a target system's USB drivers. Assuming we trust Armory, which we kind of have to, we want to be sure that no communication can get piggybacked by covert malware onto Armory's communication between its online and offline counterparts.

As long as we're doing that communication on multi-gigabyte USB sticks, the potential for a covert side channel is enormous.

Therefore, seeing how security has been the foundation and priority in building Armory, I'd like to see the ability for the online and offline computers to communicate signed/unsigned transactions optically using QR codes, instead. Have the online computer display the unsigned transaction on-screen with a QR code, have the offline computer use its webcam to read it, and vice versa for the return comms.

That way, we can be much more certain that no covert side channel is being used to extract information from the offline computer. We still must trust Armory, but this was about eliminating the possibility of piggybacking covertly on the transfer of Armory's data, which can be achieved if Armory communicates optically instead of via files.

Comments?

Cheers,
Rick
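
An added example, not part of the original post and not Armory's code: one way the receiving side of the proposed QR channel can be kept narrow, by splitting a transaction blob into bounded text frames (one per QR code) and rejecting anything malformed, oversized or failing its checksum. The frame layout, the `TXQR` tag, the size limits and the function names are assumptions; rendering and scanning the QR images themselves is left to a QR library.

```python
import base64
import hashlib

CHUNK = 800        # assumed payload bytes per QR frame
MAX_FRAMES = 64    # assumed hard cap on one transfer (about 50 KB)
TAG = "TXQR"       # hypothetical frame tag, not an Armory format

def to_frames(blob: bytes) -> list[str]:
    """Split a transaction blob into text frames, one per QR code."""
    chunks = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)] or [b""]
    if len(chunks) > MAX_FRAMES:
        raise ValueError("too large for optical transfer")
    # Truncated SHA-256: catches mis-scans and mixed-up frames, it is not authentication.
    digest = hashlib.sha256(blob).hexdigest()[:16]
    return [f"{TAG}:{digest}:{n}:{len(chunks)}:{base64.b64encode(c).decode()}"
            for n, c in enumerate(chunks, 1)]

def from_frames(frames) -> bytes:
    """Reassemble scanned frames in any order; raise ValueError on anything unexpected."""
    parts, digest, total = {}, None, None
    for frame in frames:
        fields = frame.split(":")
        if len(fields) != 5 or fields[0] != TAG:
            raise ValueError("not a transaction frame")
        d, n, t = fields[1], int(fields[2]), int(fields[3])
        if not 1 <= n <= t <= MAX_FRAMES:
            raise ValueError("frame index out of range")
        if digest is None:
            digest, total = d, t            # first frame fixes the transfer identity
        elif (d, t) != (digest, total):
            raise ValueError("frame from a different transfer")
        chunk = base64.b64decode(fields[4], validate=True)
        if len(chunk) > CHUNK or parts.setdefault(n, chunk) != chunk:
            raise ValueError("oversized or conflicting frame")
    if total is None or len(parts) != total:
        raise ValueError("missing frames")
    blob = b"".join(parts[i] for i in range(1, total + 1))
    if hashlib.sha256(blob).hexdigest()[:16] != digest:
        raise ValueError("checksum mismatch")
    return blob

if __name__ == "__main__":
    sample = bytes(range(256)) * 10   # constructed stand-in for an unsigned transaction
    frames = to_frames(sample)
    assert from_frames(reversed(frames)) == sample
    print(len(frames), "frames, round trip ok")
```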