Published on: 2014-03-25T13:50:02+00:00
In a series of email conversations and forum discussions in 2014, various vulnerabilities and security concerns related to Bitcoin addresses and the OpenSSL secp256k1 implementation were highlighted. Peter Todd emphasized the importance of not reusing addresses and recommended using n-of-m multisig instead of single-factor addresses for increased security. However, he acknowledged that many people do not follow these practices. To enhance security, Todd suggested incorporating side-channel resistant signing, specifically mentioning Oleg Andreev's blind signature scheme for ECDSA as a potential solution.

Gregory Maxwell expressed his belief that not everyone follows good practices and advocated for the use of side-channel resistant signing. He mentioned Oleganza's (Oleg Andreev's) blind signature scheme as a potential solution to the vulnerabilities associated with repeated payments to high-value addresses. Todd, however, criticized amateur efforts like Coinbase and EasyWallet for potentially neglecting necessary precautions.

The vulnerability of reusing Bitcoin addresses and using single-factor addresses was discussed in an email thread on March 5, 2014. Todd recommended not reusing addresses so that a single key never passes a threshold of approximately 200 signatures. He also suggested using n-of-m multisig instead of single-factor addresses to increase robustness. Todd acknowledged that the behavioral changes these recommendations require might deter many people, and therefore emphasized the importance of incorporating side-channel resistant signing on top of these practices, again mentioning Oleg Andreev's blind signature scheme for ECDSA as a potential solution.

A practical technique was published in March 2014 that could recover secp256k1 private keys after observing OpenSSL calculations of as few as 200 signatures. Mike Hearn advised hot wallet users to manage their wallets with dedicated hardware and to start moving away from shared cloud services. He recommended architecting systems such that every transaction requires authorization from both the online servers and a second hardened server. Additionally, customers could PGP-sign requests so that their intent can be verified independently on both servers. Mircea Popescu's MPEx exchange was cited as an example of this model. Hearn also recommended using Tor and hidden services for connecting to machines placed in apartments, especially when only accepting Bitcoins from customers.

Hearn wrote to the Bitcoin-development mailing list in March 2014 about the published technique that could recover secp256k1 private keys by observing OpenSSL calculations. The attack exploited L3 CPU cache timings using the FLUSH+RELOAD technique and targeted virtualized hosting environments where keys were reused. Hearn advised hot wallet users to manage their wallets with dedicated hardware and gradually move away from shared cloud services.

In an email exchange between Jean-Paul Kogelman and Pieter Wuille, the topic of timing attacks and their prevention was discussed. Wuille mentioned some preliminary work he had done to make the implementation leak less, but acknowledged that there had been hardly any effort to prevent timing attacks and that the implementation was not guaranteed to be constant time either.

In a discussion on the Bitcoin-development mailing list, concerns were raised about the security of OpenSSL's secp256k1 implementation. Mike Hearn highlighted the lack of effort to make it completely side-channel free and the possibility that custom implementations would not be fixed even if OpenSSL were patched. Pieter Wuille noted the minimal effort spent on preventing timing attacks within the implementation, highlighting potential vulnerabilities and the need for improved security measures.

Overall, these conversations and discussions emphasized the importance of not reusing Bitcoin addresses, utilizing n-of-m multisig, and incorporating side-channel resistant signing for enhanced security. The vulnerability of the OpenSSL secp256k1 implementation and the risks associated with shared cloud services were also highlighted, emphasizing the need for dedicated hardware and secure architectural designs.
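The thread's recurring point is that a signing routine whose sequence of point operations depends on the secret scalar leaks through the cache, which is exactly what a FLUSH+RELOAD observer records. The following added example (written for this summary, not code from OpenSSL, Bitcoin Core or any participant in the thread) makes that concrete on the real secp256k1 curve constants: a textbook double-and-add scalar multiplication whose add/double trace mirrors the key bits, beside a Montgomery ladder that performs the same add-then-double pair on every iteration regardless of the key. The baseline is simple double-and-add rather than the wNAF code the 2014 attack targeted, and the `trace` list, the scalar values used for the comparison and the toy affine arithmetic are constructions for illustration.

```python
# secp256k1 domain parameters (public curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Affine point arithmetic; None represents the point at infinity.
# This is a teaching helper (constructed here), not a production routine:
# Python integers are not constant time and the infinity shortcuts below
# would themselves be observable. Only the add/double *sequence* is the point.
def point_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if y1 != y2:          # p2 == -p1
            return None
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult_branchy(k, point, trace):
    """Right-to-left double-and-add. An 'A' is appended only for set key bits,
    so the recorded operation sequence is a transcript of the scalar."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
            trace.append("A")
        addend = point_add(addend, addend)
        trace.append("D")
        k >>= 1
    return result

def scalar_mult_ladder(k, point, trace, bits=256):
    """Montgomery ladder: every iteration performs exactly one addition followed
    by one doubling, so the operation sequence is identical for every scalar.
    The invariant r1 == r0 + point holds throughout. A production version would
    replace the `if` with a constant-time conditional swap; here the branch only
    selects which register receives which result."""
    r0, r1 = None, point
    for i in reversed(range(bits)):
        if (k >> i) & 1 == 0:
            r1 = point_add(r0, r1)
            trace.append("A")
            r0 = point_add(r0, r0)
            trace.append("D")
        else:
            r0 = point_add(r0, r1)
            trace.append("A")
            r1 = point_add(r1, r1)
            trace.append("D")
    return r0

def operation_trace(mult, k):
    """Return the add/double transcript an observer of `mult` would record."""
    trace = []
    mult(k, G, trace)
    return "".join(trace)

def traces_distinguish_keys(mult, k_a, k_b):
    """True if two different scalars produce different operation sequences,
    i.e. the routine's control flow leaks information about the key."""
    return operation_trace(mult, k_a) != operation_trace(mult, k_b)

if __name__ == "__main__":
    # Constructed scalars chosen to have different Hamming weights.
    k_a, k_b = 0b1011, 0b1000
    for name, mult in (("double-and-add", scalar_mult_branchy),
                       ("Montgomery ladder", scalar_mult_ladder)):
        print(f"{name}: trace({k_a:#06b}) == trace({k_b:#06b})?",
              not traces_distinguish_keys(mult, k_a, k_b))
    # Both routines agree on the group law: n*G is the point at infinity.
    print("branchy N*G is infinity:", scalar_mult_branchy(N, G, []) is None)
    print("ladder  N*G is infinity:", scalar_mult_ladder(N, G, []) is None)
```

Run as a script, the double-and-add transcript for 0b1011 differs from that for 0b1000, while the ladder produces the same 512-operation transcript for both; both routines still compute the same points, so the ladder removes the key-dependent control flow without changing the result. This is the property the thread describes as missing from the OpenSSL secp256k1 code path of the time. Uniform operation sequences are only one layer: the thread's other mitigations (no address reuse, n-of-m multisig, keys kept off shared hosts) limit how many signatures under one key an observer can ever collect.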
Updated on: 2023-08-01T07:50:26.610336+00:00