Friday, June 24, 2011

Why aren't bitcoin wallets encrypted?

Now that bitcoins are worth stealing, virus writers and scammers are busy trying to steal them.

The current bitcoin software that you can download and run on your computer makes no attempt to keep your bitcoins safe from malware infecting your computer. None. Nada. Zip.

Your wallet.dat file is sitting right there on your hard disk, unencrypted. A big, juicy target for viruses and malware.

So why didn't we encrypt it up the wazoo and require that you type six passwords to unlock it? Well, two major reasons:

First, losing your wallet or forgetting your password is (arguably) as big a threat as theft. There is a reason every online service has some 'recover/reset lost password' feature.

Second, encryption might give users a false sense of security. If you use a weak password then encryption doesn't help; bad guys can steal the encrypted wallet and, in a few seconds, try decrypting it with the most popular passwords. And if your machine has malware running on it, then it can easily install a keylogger and get your password when you type it in.

Bitcoin could start playing whack-a-mole with the bad guys-- they implement dumb keyloggers, so we implement an on-screen keyboard and you use your mouse to enter your password. So they implement a screen+keyboard+mouse logger, we come up with some complicated one-time-password scheme involving you printing out pieces of private keys the first time you start bitcoin. So the bad guys wait until you send some coins, and then modify the transaction after you've typed in the information from the piece of paper.

If your computer is infected, then it cannot be trusted, and there is no software in the world that can keep your bitcoins safe if they are stored on it.

However... wallet encryption is planned for the next version of bitcoin. It won't protect you from viruses, but it will stop your cousin from walking up to your computer and helping himself to all of your bitcoins while you're out walking the dog. And if you use a strong password you won't have to worry about somebody stealing a backed-up copy of your wallet and spending all your coins. I just hope users DO use strong passwords and DO NOT lose them.

The real solution is multi-device confirmation of big bitcoin transactions. You'd send coins starting on your computer, but the transaction wouldn't be valid until it was signed by another device, which would somehow contact you (NOT through your computer) and ask you for your OK before sending it along. The guts of bitcoin supports that (and a whole lot more), but it will take a fair bit of work to make it all fool-proof and easy to use.


jimrandomh said...

Yep, this all makes sense. I'm really looking forward to multi-device wallets; I'm reasonably careful with my computer, but I still feel like I'm taking a risk when I hold coins on my PC. It's a shame there wasn't more lead time before Bitcoin took off in the media, to implement things like this.

A related thing that would be nice to have, is time-delay wallets: you can send coins, but you have to publish the intent to send some number of blocks/hours before it goes through, and during that time you can cancel the request with the same key. So you'd lock up some of your coins as "savings", while keeping another portion ("checking") ready to spend immediately; and you'd have a computer or third-party service monitor the blockchain for you, and send a message whenever someone tries to unfreeze the "savings" coins.

Matt said...

Would the wallet encryption be optional in the standard client?

Xamuel said...

Hey Gavin,

The things you mention about false security are reasonable.

However, with the current setup, a person doesn't even *know* about the wallet.dat file unless they read the forums/wiki.

If you just download the client and run it, the wallet.dat file is never mentioned. Ever. The program acts like it does not exist.

Maybe something should be done about that.

Anonymous said...

If you understood how cryptography works, you would understand that NO amount of effort can keep ANYTHING safe from viruses. Encrypt it all you want. Once something is in your operating system's highest operating privilege, ANYTHING you do is compromised. Basically, you have to store it in memory some time eventually. Even if its obfuscated. Not hard to obfuscate if you have the source though.

Anonymous said...

Encrypting wallet.dat decreases the attack surface by orders of magnitude just by reducing the time that the keys are available from 100 % to <1 % (you only need to decrypt the file when making payments and creating new addresses). Not to mention practically erasing the risk of losing coins from simple hardware theft, or the requirement to target Bitcoin specifically.

I don't see how "false sense of security" is any kind of argument, anyway. I need to see a study first, which shows that increasing safety measures leads to more recklesness. Until then, it's a fallacy.

And losing one's password... Give me a break. I guess people should be prevented from using TrueCrypt, then, too?

Cunicula said...

A common solution is placing voluntary limits on transaction volumes. (e.g. an account can't produce valid sends of more than X BTC/Day, unless these transactions are sent to address Y which (hopefully) the account holder controls).

dvide said...

I agree with Xamuel. It seems to me that the Bitcoin software should require you to manually 'open' a wallet (and manually create them), in the same way that Microsoft Word would require you to open a doc file. That is, Bitcoin should treat the wallet like a user's document rather than like a hidden settings file. That will make it immediately obvious to users that the wallet they create is very important, because opening that file is how they must access their bitcoins.

They will immediately realise that the file needs to be backed up somewhere safe, because they will understand that if the file is lost then their money is gone. I also think that if were changed, you should adopt a different file extension like *.bcw. Obviously support the older .dat files too. But that way, you can associate the file extension with the Bitcoin software. When you want to access the wallet, you could just double click it in your file system and it will launch the Bitcoin software itself, in the same way way a Office user would open a Word doc file on their computer (i.e. nobody launches Word and then goes to File>Open, they just launch their documents). So you should just be able to double click your savings.bcw file, or you current.bcw file, etc.

Obviously encryption can and should be added to this too.

Gavin Andresen said...

Mmmm, obviously....

This is where I say "patches welcome." If you have experience implementing passwords and backups in other security-sensitive C++ software (I don't), please help review and test the pending PULL request for wallet encryption.

TomCollins said...

I disagree with your logic "we can't protect you from everything, so why bother?"

I lock the door to my house even though someone could kick down the door or break a window and get in. I put my valuables in a safe even though someone could find a way to drill through the lock and get in.

Security doesn't need to be fullproof to be useful. Anything that slows someone down is worthwhile so long as it doesn't burden the user too much.

It's good that the Bitcoin client finally will give up on this philosophy and enter reality with basic encryption.

A said...

The current paradigm where the Bitcoin client only allows specification of a data directory is suboptimal. I use TrueCrypt, but I am forced to keep a ONE GIGABYTE encrypted volume because I cannot separate the database data from the 112kb wallet.dat file. The client should allow specification of separate data and wallet locations.

I agree with Anonymous that an encrypted wallet which only required decryption (i.e. password entry) for a send operation would greatly decrease the window of opportunity for malware stealing a password.

Keepass allows encryption/decryption to require both a password and a seperate keyfile, which can reside on a removable media. This option would increase the difficulty of the malware coder's task without significantly increasing the difficulty of the Bitcoin coder's task. :)

I am all for the KISS principle, but some level of wallet security will be necessary before there is more mass adoption of Bitcoin.

Gavin Andresen said...

Wallet encryption of private keys (so you enter the password before send, not at bitcoin startup) has been pulled, and, assuming no major problems are found, will be in the next version of bitcoin.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

I look forward to the encryption of the wallet private keys. This adds security, but not privacy.

Any consideration of an optional second level of encryption which additionally encrypts the entire wallet? One password would be used to decrypt the wallet for viewing, address creation, etc. A second password would be required to execute a send. This would not only prevent housemates from stealing one's bitcoins, but it would also prevent them from viewing one's wallet.

A wallet password would be the one entered the most often, so it would be at greatest risk of compromise. The send password would remain rarely used and thus more secure.

I'd feel a lot better knowing that my housemates can not easily inspect my wallet.

Gavin Andresen said...

RE: second level of encryption:

Not a high priority right now. If you don't want your housemates to know your bitcoin balance or what bitcoin transactions you're making, then don't run bitcoin when they're around and can "shoulder surf".

And choose a good login password for your computer, so they can't login as you and poke around in your files.

Lohoris said...

Well, if "your cousing" can "help himself to all of your bitcoins while you're out walking the dog", he can as well install a malicious program into your computer...

Apart from that detail, good post.

Dejan Milovanović said...

I didn't use my wallet since April and password was in my head. Yesterday, I wanted to make payment but password is not good. I don't know how, I was 100% sure in my password! Is there a help for me, I am very, very desperate!

Gavin Andresen said...

RE: recovering a wallet for which you've lost the passphrase:

I've read good things about this service: