Jade may be small, but it packs a ton of tech to make sure your Bitcoin keys are secure.
By Grubles
The ability to self-custody assets is an important aspect of Bitcoin and the Liquid Network. Holding your own keys has become quite popular thanks to the honorable efforts of Bitcoin-focused educators. Due to this, a flourishing market of hardware wallet devices has emerged over time, using many different techniques for securing users’ precious private keys.
Jade is Blockstream’s take on hardware wallets and is unique in its approach of using inexpensive commonplace hardware, developer-friendly FOSS firmware, and open source infrastructure to separate security-related components. So, what innovations have we introduced in Jade? In this multi-part blog series, we jump straight into the lower-level mechanisms that protect your bitcoin and Liquid Network assets. There’s too much to fit into a single post!
This first post touches on how Blockstream Jade derives randomness from its internal sensors and other sources (so your private keys are truly unique), how Jade prevents certain subtle attacks that can lead to loss of funds, and how we leverage a blind server to securely lock out a potential thief given a number of failed PIN attempts.
Bitcoin Core-Inspired Randomness
Private keys require strong randomness to avoid loss of funds. Attackers can grind private keys and search for weakly-generated ones, hoping to steal funds that land on the corresponding addresses. Jade uses a multi-faceted approach to ensure your private keys have sufficient randomness to prevent this type of attack.
While Jade is running, entropy is generated from various independent sources and sensors:
- User input
- CPU counters
- Battery state
- Ambient temperature
- Built-in cryptographic-strength hardware random number generator
- Entropy from the Blockstream Green companion app
The built-in hardware cryptographic random number generator (CRNG) derives entropy from various sources, one of which is the included radio (used for Bluetooth). When the radio is disabled with the optional “noradio” firmware (selectable in the Green companion app), the CRNG loses that source and, therefore, has reduced entropy. To mitigate this, we use an ESP32 API call named “bootloader_random_enable()” to sample raw radio noise only during boot, which is then added to the entropy pool along with the sources mentioned above.
Blind PIN Server
When a Jade is first initialized, many different components work together to ensure that your private key data is truly random, encrypted, and stored securely:
- Entropy pool
- Blind PIN server
- Encrypted flash storage
- Secure boot
At first boot, a Jade prompts the user to choose a unique PIN. This PIN is used in combination with a blind PIN server to encrypt your Jade’s key material. The Blockstream Green companion app passes messages between the Jade and the PIN server, but is blind to the data communicated since it is encrypted. The Jade itself does not communicate with the blind PIN server.
To prevent physical attacks on a stolen Jade from extracting / stealing coins, the seed is encrypted with random keys split between the Jade device and a lock-out server.
This process works in more detail as follows: once the PIN is chosen, an ephemeral Elliptic Curve Diffie-Hellman (ECDH) exchange occurs with the remote server. An ECDH key exchange allows two separate entities with no previous knowledge of each other to generate a shared secret over public insecure channels. Using a known public key of the blind PIN server, an ECDH key exchange occurs, and the communications channel can be fully encrypted. Once the encrypted channel is established, the Jade and the remote server work together to create an AES256 key.
When creating a new wallet recovery phrase, entropy is gathered from the pool described earlier and the resulting key material used for the recovery phrase is encrypted using the AES256 key. This data can only be decrypted when the user inputs the correct PIN on the Jade and establishes a connection with the remote PIN server, mediated by the companion app (e.g. Green). Since the server only has a part of the AES256 key, it is blinded to any of your wallet’s keys and the PIN used on the Jade. All data at rest is encrypted on the server.
The newly-encrypted key material is then stored on the encrypted off-chip flash of the Jade and protected by Secure Boot. Secure Boot is a technology that prevents unsigned boot firmware from running on your Jade, such as a compromised firmware image from an attacker. It ensures that only firmware you intend to run is used to boot the device.
To conclude, the Jade now has a strongly-encrypted recovery phrase. An attacker would need to compromise both the local encrypted flash on the Jade and the remote PIN server in order to access the recovery phrase.
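The split-key and lock-out idea described above, as an added example that is not Blockstream's code or the real PIN server protocol: a simplified model in which the server only ever sees a PIN token blinded by a device-held secret, and the 256-bit key needs both halves. The class names, the HMAC/SHA-256 construction and the limit of three attempts are assumptions made for illustration; the ECDH channel and the AES encryption step are omitted.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 3  # assumed limit; the post only says "a number of failed PIN attempts"

class PinServer:
    """Constructed lock-out server: stores no PIN, no seed, only its own key half."""
    def __init__(self):
        self.records = {}  # device_id -> [sha256(token), server_secret, failures]

    def enroll(self, device_id, token):
        secret = os.urandom(32)
        self.records[device_id] = [hashlib.sha256(token).digest(), secret, 0]
        return self._share(secret, token)

    def unlock(self, device_id, token):
        rec = self.records.get(device_id)
        if rec is None:
            return None                      # unknown device or already wiped
        if hmac.compare_digest(rec[0], hashlib.sha256(token).digest()):
            rec[2] = 0                       # success resets the failure counter
            return self._share(rec[1], token)
        rec[2] += 1
        if rec[2] >= MAX_ATTEMPTS:
            del self.records[device_id]      # server half is gone for good
        return None

    @staticmethod
    def _share(secret, token):
        return hmac.new(secret, token, hashlib.sha256).digest()

class Device:
    """Constructed device model: device_share stands in for data in encrypted flash."""
    def __init__(self, device_id):
        self.device_id = device_id
        self.device_share = os.urandom(32)

    def _token(self, pin):
        # Blinded PIN: without device_share the server cannot test PIN guesses.
        return hmac.new(self.device_share, pin.encode(), hashlib.sha256).digest()

    def _key(self, server_share):
        return hashlib.sha256(self.device_share + server_share).digest()

    def set_pin(self, server, pin):
        return self._key(server.enroll(self.device_id, self._token(pin)))

    def try_pin(self, server, pin):
        share = server.unlock(self.device_id, self._token(pin))
        return None if share is None else self._key(share)

def demo():
    server, jade = PinServer(), Device("jade-1")
    key = jade.set_pin(server, "123456")
    ok = jade.try_pin(server, "123456") == key
    wrong = [jade.try_pin(server, "000000") for _ in range(MAX_ATTEMPTS)]
    return ok, wrong, jade.try_pin(server, "123456")  # last value: after lock-out
```

After the third wrong guess the server deletes its half, so even the correct PIN no longer yields the key and recovery has to come from the backed-up recovery phrase.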
Anti-Exfil
Building off the entropy pool we’ve generated using the various inputs the Jade provides, this feature prevents a nasty undetectable attack that compromised hardware wallets can launch against their own users. We’ve blogged in-depth previously about this attack and mitigation if you’d like to read more. To summarize, a compromised hardware wallet can slowly leak the user’s private key(s) through the signatures it creates, despite the private key being generated with strong randomness.
To understand how the attack and mitigation work, we need a very short overview of how signatures work in Bitcoin.
With ECDSA, the digital signature algorithm used in Bitcoin (along with Schnorr now), a random private key is combined with a nonce, a one-time value intended to add randomness to the signature, to ultimately produce a transaction signature that can be validated by other users’ Bitcoin full nodes. Without this random nonce, anyone can guess your private key based on your signatures, which is as bad as it sounds!
Compromised hardware wallets could create a nonce that appears random but is not. The nonces could be known to an attacker ahead of time. Even worse, the hardware wallet could leak parts of the user’s master private key into individual nonces, which would allow the attacker to guess every private key given a sufficient number of signatures.
Anti-Exfil uses “sign-to-contract” to ask Jade to use its signature nonce while cryptographically committing to some random data proposed by the (assumed uncompromised) host computer. The random data’s hash is then combined with the signature nonce to produce the signature.
By use of this protocol, the nonce is re-randomized, thus preventing the attack. We’ve implemented Anti-Exfil into the Jade firmware as of version 0.1.24 (April 14, 2021).
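The host-side check that sign-to-contract makes possible, as an added example that is not the Jade firmware's code: the device commits to a nonce point R, the host reveals its random data, and the host then accepts a signature only if its r value comes from R + H(R || data)·G. The hash serialization, the function names and the `device_honest` switch are assumptions for illustration; the rest of ECDSA signing is omitted.

```python
import hashlib, secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def tweak(R, data):
    """Scalar H(R || data) binding the host's data into the nonce (assumed encoding)."""
    ser = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(ser + data).digest(), "big") % N

def run(device_honest=True):
    """One protocol round; returns True if the host accepts the signature's r."""
    rho = secrets.token_bytes(32)               # host randomness
    commitment = hashlib.sha256(rho).digest()   # 1. host -> device: commitment
    k = secrets.randbelow(N - 1) + 1            # device's original nonce
    R = mul(k)                                  # 2. device -> host: nonce point
    if hashlib.sha256(rho).digest() != commitment:  # 3. host reveals rho, device checks
        raise ValueError("host data does not match its commitment")
    if device_honest:
        k_final = (k + tweak(R, rho)) % N       # nonce re-randomized by host data
    else:
        k_final = secrets.randbelow(N - 1) + 1  # device ignores rho, picks its own
    r = mul(k_final)[0] % N                     # 4. r value of the ECDSA signature
    return r == add(R, mul(tweak(R, rho)))[0] % N   # 5. host-side verification
```

A device that substitutes a nonce of its own choosing after seeing the host's data fails step 5, which is what removes the covert channel described above.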
More Jade to Follow
This concludes the first part of our tech overview series on Blockstream Jade. Keep an eye on our Engineering Blog (and take a look at the other posts there!) for the next post in the series.
If you want to get your hands on a Jade, we offer them on our Blockstream Store for only $45.99. Pay with on-chain BTC, Lightning, or use the Liquid Network and pay with L-BTC and USDt (and get a 10% discount). Join the Jade Telegram group to chat about all things Jade and hardware wallets too!
Blockstream Jade Tech Overview Part 1 was originally published in Blockstream Engineering Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.