Recently, in the chain node community, the topic of hardware wallets has once again been brought to the forefront, and among them the most concerned is still its security discussion. On the morning of November 19th, Cobo hardware director Liu Lixin (Cobo vault treasurer) and BITHD director Guoguo guest chain node ChainNode AMA started discussions on the significance of open source hardware wallets, the security value of security chips, and the future development of wallet products. intense discussions.
In this issue of AMA, Guozi pointed out in a flash: For hardware wallets, open source is the “premise” for a simple reason. Every hardware wallet needs to be “self-certified and innocent”, and if you do n’t open source, it ’s completely impossible. Self-certification innocence.
And Liu Lixin emphasized: wallets are not absolutely safe. Compared with other coin deposit schemes, a qualified hardware wallet minimizes the possibility of successful attacks. An unqualified hardware wallet (such as not using a security chip) is not necessarily much safer than a software wallet.
In addition, the two big coffees gave a lot of high-quality answers to the questions about open source and security chips, so let's review them together.
For hardware wallets, open source is the "premise"
In the traditional computing field, open source proponents have always emphasized the point that open source is more secure, as Linus's law states: As long as there are enough eyes, all bugs are shallow.
The same holds true for hardware wallets. However, there are also high thresholds in the field. Most users may not laboriously burn or debug source code. At this time, can wallet open source provide only psychological comfort without substantial help? Regarding this, Guozi gave this answer:
For hardware wallets, open source is the "premise". The reason is very simple. Every hardware wallet needs to be "self-certified and innocent". Without open source, there is no way to self-certify. Why do users need a hardware wallet? Because you want to keep your assets safely in your own hands, you don't need to trust a third party.
At the point of "self-certification and innocence", Trezor, Ledger, and BITHD actually work very hard. BITHD and Trezor are also the same, because the hardware design + firmware source is all open source, any interested third party can be based on github Content to be your own BITHD and Trezor; this is also self-certification innocence; even Ledger, except for the very small code in the security chip + security chip (this part requires you to choose and write a small amount of code yourself), you can still Making a hardware wallet like Ledger yourself is also an effort in self-certification and innocence. An important point of open source wallets is that any third party can DIY out an identical wallet by providing the open source information provided to prove the "innocence" of the wallet itself mentioned by Guo. In addition, another advantage of open source is that it makes cheaper for more teams in the community to make more types of hardware wallets. This is actually the meaning of open source itself.
If the child said, the open source of the hardware wallet here includes all open source hardware design, all open source firmware source code, and full open source version history. In daily use, users will encounter the chip manufacturer's code in the security chip, but not the code of the wallet manufacturer. At this time, will it meet the requirements of full open source? Fruit added:
If it is a two-chip model like Ledger, the main chip + crypto chip model, the main chip contains all firmware logic (and all open source), and the crypto chip contains private key signature related logic (this part is closed source). Although it cannot be considered as open source in the strict sense, it is actually quite close, because you can refer to this solution to make your own version of Ledger. You can choose the same main chip to run the Ledger's firmware code, and then choose the one you think is appropriate. Password chip, write this part of the code you need, and finally be able to make your own version of the hardware wallet.
There is no absolute security. When the cost of an attack is far less than the benefits, it can be regarded as security.
In the final analysis, the open source of the wallet serves to protect the security of the assets. For the holders of currency, the biggest concern is whether the open source of the wallet can bring absolute security to the assets? The main security challenges facing open source hardware wallets are nothing more than the wallet's secret backdoor (internal attack) and hacking (external attack). Regarding these two points, Guozi said:
First, there are no "absolute" things in the world, and so is security. Generally speaking, when the cost of an attack is far less than the benefits, it can be considered safe.
In response to the above two risks, the first point is that open source hardware wallets can prove the innocence of the wallet itself through code and firmware open source, eliminating any backdoor. If you use a non-open source wallet, you will always face the threat of backdoors. Second, because BITHD is a hardware cold wallet that is not connected to the Internet, remote attacks by hackers have become almost impossible. Obtaining a wallet for a physical attack requires a huge cost. In addition, BITHD has a password account function. When you enable the password account function in BITHD, even if the hacker pays a huge cost to obtain your mnemonic, the attack cannot be completed without knowing your custom password .
Regarding the security of hardware wallets, Liu Lixin added:
There is no such thing as absolute security. Compared with other coin deposit schemes, a qualified hardware wallet minimizes the possibility of successful attacks. An unqualified hardware wallet (such as not using a security chip) is not necessarily much safer than a software wallet. In addition, compared to the security of the hardware wallet, the possibility of losing coins due to human reasons is greater. For example, how to save the most important mnemonics.
Some users have also suggested that after the hardware wallet is open sourced, asset security can be improved from a code perspective. So can the same open source of the hardware wallet code guarantee the security of the hardware such as chips? In this regard, Liu Lixin said:
The security of the hardware part, the core part here is the security of the security chip-one form of attack (supply chain attack) is that hackers tamper with the product before the user receives the product, and disable the security chip Or bypassed. The security chip is no longer working properly, and all related cryptographic operations have not occurred inside the security chip. In order to avoid such attacks, the Cobo vault has designed the authenticity verification link to ensure that the security chip works properly. As long as the security chip is not disabled or bypassed, the security chip then verifies the security of the upper-layer application.
The core protection object of the security chip is the true randomness of the private key, and this random number is the key core behind the encryption algorithm. Just as Liu Lixin's introduction on the Cobo wallet: the use of security chips, the verification link of the official website, the structural design of the anti-tampering trigger, the passphrase function, the metal mnemonic board and other functions, it has provided sufficient security for user assets and will not be subject to the supply chain Threats such as attacks and bypass attacks, even if the attacker gets your vault, they just get a brick.
The above are some answers given by Liu Lixin and Guozi in this AMA on the open source and security chip of the wallet. Open source has become the future trend of hardware wallets-the exploration of asset security. We have never stopped.
For a detailed review of this issue of AMA: https://www.chainnode.com/ama/399418