-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SeedSigner as HWW #4179
Add SeedSigner as HWW #4179
Conversation
Thanks for the submission! Should this DIY project be in the hardware wallet category? In the past I have discussed the possibility of creating a separate category for DIY signing devices such as the SeedSigner, but that is a longer term option. There is also a current submission to add AirGap Vault which is a DIY signing solution using mobile phone hardware which we decided to submit in the regular mobile wallet category. However, I believe SeedSigner is different in that it
I believe the review should move forward in the hardware wallet category, but I welcome any other input from the community. |
The description, features, and checkbox matrix all look correct to me (though I defer to @SeedSigner for thoughts on the exact description text). I enthusiastically support adding SeedSigner to the hardware wallet list on the site. ACK. |
Minor grammar nit: I see no reason to hyphenate "via a QR-exchange process". Sentence could also just be simplified to: "...via QR codes." |
While we are suggesting description edits: Bitcoin should be capitalized in the description. On this site we (try to) follow the rule that Bitcoin protocol references are capitalized and the currency is not. |
I apologize for not checking in sooner, I have been coordinating with @omerskywalker on this PR. I appreciate your thoughtful consideration and agree that it makes sense to include it with hardware wallets. Also have no issue with the capitalization of B/bitcoin as suggested -- thank you again. |
ACK |
I've edited the description text with grammatical fixes for the capitalization errors and adjusted the wording for QR codes. Thank you guys for the suggestions. |
All of the currently listed hardware wallets are seed storage devices with an offline signing engine. SeedSigner is an offline signing engine without the seed storage. One of the current criteria for hardware wallet listing is
I believe that this criterion was originally added to help protect against seed exfiltration by malware (originally by USB) after a firmware update. This could also apply to malware leaking keys in signature nonces or perhaps via any PSBT transport. SeedSigner does not verify firmware signatures autonomously and in the strictest sense does not meet this requirement. Likewise, neither would other DIY/BYOD projects such as Specter-DIY or AirGap Vault. I have proposed a PR to create a new environment category for wallets in which the hardware platform is user supplied and to indicate that the hardware protection may not be as strong as other solutions. The new category is actually quite consistent with the purpose and the application of the existing categories. As a side note, when thinking about physical protection, I'm reminded that many of the devices that are currently listed have shown vulnerabilities to various levels of attacks with physical access to the device. It is important to note that there are currently no criteria dealing directly with physical attacks to the device. If PR #4194 is merged, I will propose updating the environment score in this PR to reflect the relaxed interpretation of the above requirement. |
I have reviewed the SeedSigner device based on the current wallet requirements criteria and my evaluation is below. The summary is that the device passes on security and overall design, excluding the criteria directly related to the storage and the protection of the seed which is not provided in this BYOD (bring-your-own-device) device. I have proposed a new environment category for DIY/BYOD "hardware wallets" which could apply to devices that may not provide secure seed storage. In addition, there is an administrative issue that needs to be addressed on the seedsigner.com site for listing. I will be glad to recommend SeedSigner for listing after the following items have been completed:
There are no current criteria relating directly to gathering entropy or seed generation, so the following opinions are simply observations made during the review. I personally have a concern over using the seed generation from image feature. I believe that this feature requires too much trust in assumptions about the user-chosen camera device as well as the user's operation of that device with no further instructions other than "click image" and "accept". Of the three entropy inputs to this feature, two of them, system clock and serial number, are definitely insufficient, requiring the image input to stand on its own for every seed generated. I am uncomfortable with that assumption. The exact hardware employed is unknown and the failure modes (and even the operational modes) cannot be characterized, and the knowledge of the user is unknown. There are no sanity checks in the code of the data received from the camera other than relying on the potentially novice user to believe it is acceptable. I'm all for combining multiple sources of entropy, however the Raspberry Pi hardware random number generator would be an astronomically better source than the serial number. I have expressed these concerns to the project. I cannot personally recommend using this feature. Likewise when using the dice feature, the user should be able to perform more than 50 (99 for 256 bits) rolls as this exact limit assumes nearly unbiased dice and nearly perfect user operation. All physical dice are biased. The question is not "if," but "how much?". It's unlikely that most dice are sufficiently biased to provide an exploitable vulnerability, but the point is we do not know. Extra rolls, while very simple and not very time consuming could mitigate mistakes made by novice users without exact instructions on how to use the feature. For example an uninformed user may throw multiple dice at a time and either intentionally or unintentionally enter them in a specific order that does not preserve the full entropy. As an aside, I'm a big fan of combining multiple independent sources of entropy in a way that is externally verifiable. In line with the original focus of SeedSinger, I've always thought that the device should be able to accept and combine multiple sources of entropy. My suggestion would be to accept seeds via words or QR codes like SeedSigner already does and perform a SeedXOR on the input to create a new seed. Input seeds could easily come from multiple sources such as other hardware wallets, mobile apps, desktop apps, or physical methods such as dice, coins, and cards. The entire operation can be externally verified with paper and pencil or a small portion of the seed can be independently spot checked. I would like to be clear that I'm not advocating for or against using SeedXOR for it's original seed backup purpose; I'm advocating for a novel approach to combining entropy. Enough time on my soapbox. Let's get back to the review. Note that as a signing project, only the SeedSinger signing device was evaluated. Wallet software that runs externally to the SeedSigner device was not evaluated in this review. Sparrow Wallet, Specter Desktop, and BlueWallet were used during this review, but were not evaluated. With the exception of the environment score mentioned above, I concur with the scoring in eb383bc SeedSignerFirmware v0.7.0Review Version 2024041301The wallet list is based on the personal evaluation of the maintainer(s) and These requirements are meant to be updated and strengthened over time. Basic requirements:
Optional criteria (some could become requirements):
|
I appreciate the time and thought that was put into this evaluation. We will activate HSTS on seedsigner.com and I will advise when this is has been completed. On the issue of a separate category for DIY/BYOD, though I worry that a separate category tends to sideline these kinds of devices (which in my opinion are viable alternatives that are more in line with the core ethos of bitcoin) in favor of devices that are exclusively manufactured and distributed by centralized, for-profit companies, the DIY/BYOD descriptor for this other category is factually accurate and makes sense. I would however express concern about the (exclusive) use of the term "wallet". In my view, the core characteristic of a "wallet" is that its purpose is to store something of value -- in the conventional sense, a "wallet" stores physical currency, credit cards, personal credentials, etc. One of the primary strengths of SeedSigner is that it embraces an amnesiac/stateless approach whereby the device itself intentionally doesn't store anything of critical value (i.e. PKs), making the term "wallet" not appropriate. Early on in the project's life, I opted to focus on the term "signer" because of our separation of the function of key storage from key signing. A significant component of the larger SeedSigner approach is eschewing the idea of secure digital key storage (a never-ending cat-and-mouse game, the details of which are opaque and beyond the technical comprehension of most people, and still requires analog backup of key material), thus encouraging users to focus their attention on other approaches to securing private keys, namely use of a BIP39 passphrase, or better yet, multi-signature wallets (SeedSigner brings the marginal cost of creating and using multiple keys effectively to zero). I don't know if it makes sense to acknowledge the wallet / signer distinction within your categorization scheme, but wanted to point this out because I think it is worth noting. Thank you again for the time and effort you have put into this evaluation. |
Thanks for looking into the HSTS. Since we have some confusing issues with terminology on the site with terms such as categories, features, and scores, I thought I would try to clarify how this new “environment score” will show up on the site. We have an unfortunate situation in that we have concepts that are named differently in “the code” to how they are presented to users. I’ll try to ignore both sets of naming and clarify in English what will be shown with this new classification. First of all, there is a wizard and a filter which allows selecting from two mobile operating systems, three desktop operating systems, or hardware. That’s not changing. The PR is to list SeedSigner in the hardware list. When a hardware list is selected, SeedSigner will show up in a table with some columns. One of those columns is labelled Environment. All currently listed wallets have a dark green icon in that column. SeedSigner will have a light green icon. The dark green icon is labeled (at the bottom of the table) Good. The light green icon is labeled Acceptable. When existing hardware wallets are selected the following is displayed (along with the other information): Very secure environmentThis wallet is loaded from a secure specialized environment provided by the device. This provides very strong protection against computer vulnerabilities and malware since no software can be installed on this environment. When SeedSigner is selected the following is displayed instead: User sourced environmentThis wallet is loaded on a device sourced by the user. This can provide reasonable protection against malware as long as you source your hardware correctly and secure it sufficiently. That’s the only difference. As for the hardware wallet terminology, as I’ve frequently mentioned before:
Back in 2019, during the last major revamp of the bitcoin.org wallet pages, it was discussed whether nomenclature should be changed to to de-emphasize the wallet terminology across the board. I seem to remember that it was decided that doing so at that time would actually be too confusing since all of the vendors and projects listed used the wallet terminology themselves. Perhaps it is time to create an issue to resume those discussions. |
@omerskywalker #4194 has been merged. You can now update the environment score if you wish without failing the CI. |
|
@omerskywalker Thanks for the update. The build failed because I did not update the test schema. It's my problem, not yours. I will fix that soon. |
Thanks for the quick reply @crwatkins - I will resubmit once the test schema has been updated to allow for the newly created value. |
Once #4237 is merged, this PR should be able to be merged. I recommend SeedSigner for listing. |
All checks have passed for this PR - @crwatkins could we proceed with the merge? Thank you for your support on this. |
@omerskywalker Thanks! After a brief period to allow for comments on the review, @Cobra-Bitcoin will likely merge. |
This PR adds SeedSigner as a HWW to Bitcoin.org Wallets section