Multisig Vault
coinbase.comThe most powerful part of multi-sig is not that you can have arbitrarily many M of N, but that you can outsource complex policy in a trusted way. E.g., create policy that lower level employees can control a small percentage of a company's holdings, while higher level employees can control a higher percent. It allows you to implement flexibility that exists in the credit system, without giving up the trust/control that comes from the blockchain system. This is a very valuable upgrade to Coinbase's feature set. Great work guys!
Yeah it's pretty cool. At some point we'll see more enterprise software to take on some of the responsibilities to manage bitcoin funds like that. I think one or two such companies have already been VC funded.
The idea is that you can say create a fund with say 3 keys. One is given to the middle-manager, one is given to a senior manager, and one is given to a computer. The middle manager can go on and use up to 80% of the budget. He simply creates a transaction, signs it with his key, then sends it off. The computer sees it, and then does various fraud-type checks. It checks if the receiving address is a whitelisted partner address (e.g. a supplier) and if the amount falls within reason given payment history for example, and if the transaction doesn't use up more than 80% of the budget. It then co-signs it and the bitcoin is released.
For anything more, the computer simply won't sign it according to its programming. So the middle manager must go to the senior one to request permission to release earmarked funds.
It's just a simple example but you could move lots of the finance to a completely digital system, do immediate software-based accounting and program governance rules into the software, and spit out periodic transparency reports. Will be interesting to see when something like this gets integrated into existing ERP packages someday.
I don't get why you need BitCoin/multisig for this. As long as you are "giving a key" to a computer, this is no different than programming a computer to oversee the middle-manager's spending from a bank account.
I get that multi-sig and bitcoin can be good, but as long as you already have the decision-making and power setup of a corporation, this is a marginal benefit. I would see this technology being more useful for trust-type situations where you might want to give a lawyer, a beneficiary, and a guardian a key. Or any sort of situation where power is actually split between multiple entities - seems like the boss still has all the power in the situation described.
Keys are created and encrypted in the browser
Key hijack in 5... 4... 3...
Browser crypto isn't secure. One way to offset the risk is to use a browser plugin to perform the crypto operations, and even that isn't really a security guarantee.
When you combine an incentive to break crypto (money) with a straightforward route to breaking it (browser crypto), you get a pretty dangerous situation.
Though I agree with you this leads to risky security issues, the mere fact that a major Bitcoin exchange is allowing users to hold their own private keys really puts a smile on my face today.
It is completely unheard of in the financial industry (and usually technically impossible before cryptocurrencies) to have a bank give away their "middle man" access of people's money and empowering their customers with complete control over their finances.
Which makes me wonder... The keys are generated in-browser. What if the users computer is compromised, and a malware succeeds in capturing the keys + bip38 passphrase? I don't know if this product will be pain in the ass for coinbase, if the user funds start disappearing from these multisig addresses.
All the best luck for this product, though.
If the computer is infected, then yes it would be possible to steal both the private keys, and the passphrase. To avoid this attack scenario, we're investing pretty heavily in technologies such as CSP.
However, this can be mitigated with our group multisig vault, where separate users create their own keys. For malware to steal these, it would require infecting multiple computers.
Seems like the next step would be to allow the users to store their copies on a smart card instead of a PC.
Like the Trezor[1] hardware wallet.
Yes, but maintaining the encrypted copy on Coinbase's servers, to ensure that losing the card doesn't mean losing the wallet.
CSP?
Content Security Policy -- http://en.wikipedia.org/wiki/Content_Security_Policy
basically headers that can tell the browser not to execute stuff that leads to injection like inline javascript or inline styling, allows for whitelists of domains (so the browser won't run script src="http://hackercdn.com/malicious.js"), etc.
The only argument here is that crypto on internet connected (and potentially compromised) devices is insecure. There's nothing inherently more insecure about browser crypto.
Our multisig vault relies on BitcoinJS, which we had audited by an external consulting firm. We also don't allow multisig vault creation on browsers which don't support crypto.getRandomValues()
The only argument here is that crypto on internet connected (and potentially compromised) devices is insecure.
Actually, that's pretty far from the standard arguments: http://matasano.com/articles/javascript-cryptography/
That's pretty much the seminal work of why browser crypto is insecure.
The issue isn't whether the primitives you're using are secure. It's that the security of your primitives can be hijacked by any third-party javscript you load into the page. Any attacker that can gain a foothold into your javascript execution environment can trivially subvert your security.
Assuming your are using SSL, what exactly is the attack vector for getting a "foothold into your javascript execution" besides hacking Coinbase itself?
Also, any attacker who gains a foothold of your operating system execution environment can trivially subvert your security as well. Does that mean crypto is broken on PCs?
any attacker who gains a foothold of your operating system execution environment can trivially subvert your security as well. Does that mean crypto is broken on PCs?
Yes, of course your crypto is broken if an attacker has malware running on your device. The difference between that scenario and Coinbase is that your device only affects you. A break in Coinbase's security will affect hundreds of thousands of people.
Assuming your are using SSL, what exactly is the attack vector for getting a "foothold into your javascript execution" besides hacking Coinbase itself?
There are at least three vectors. First, XSS. If Coinbase ever has an XSS vuln which allows JS to execute in the same context as their crypto key generation, then that attacker can silently siphon keys as they're being generated. Once enough keys are under their control, they can transfer the BTC of every account they control to the attackers' own wallet.
Second attack vector: Third-party JS libraries. If Coinbase is loading JS from any external source, any rogue employee from that source can launch the above attack. This attack may seem unlikely, but greed makes people do strange things, and the amount of money able to be stolen from a successful attack on Coinbase will be in the range of millions, if enough users start using multisig vault.
The third attack vector, which a sibling comment mentioned, is a rogue browser extension. Several extensions request permissions on "all websites," and users happily approve them. Now, you can say "Those people deserve what they get," but that's unproductive victim blaming. The fact is that users already behave this way, and letting them lose thousands of dollars for approving some silly extension like "Cloud To Butt" isn't a good thing.
Banks do a pretty good job of defending people's money. If they lose people's money because they're attacked, the bank will still credit the money. Would Coinbase?
> First, XSS. If Coinbase ever has an XSS vuln which allows JS to execute in the same context as their crypto key generation, then that attacker can silently siphon keys as they're being generated
So a very very very specific XSS vulnerability that affects the key generation process. I'm pretty sure that can be solved by not allowing any user input during the generation.
> Second attack vector: Third-party JS libraries. If Coinbase is loading JS from any external source
So don't load any external JS libraries on the key-generating pages.
> The third attack vector, which a sibling comment mentioned, is a rogue browser extension.
That's ridiculous. If you download malware on any OS, and allow it to run, it can do whatever within whatever permissions you allowed. Malware has been stealing money and identities long before Bitcoin was invented. Users need to learn not to install crap.
That can also be solved at the browser level - a website should be able to request a secure extension-less mode.
> So don't load any external JS libraries on the key-generating pages.
And anywhere else. The local banks in my country are not doing this. And a wallet site shouldn't ether. Even the coinbase login screen pings olark.com all the time.
Oh, and if you look at their CSP report sending back home, the original-policy is quite scary.
"original-policy":"default-src https://www.coinbase.com https://*.olark.com; connect-src https://www.coinbase.com wss://ws.pusherapp.com https://api.mixpanel.com; font-src https://www.coinbase.com https://*.olark.com; frame-src https://www.coinbase.com https://*.wpstn.com https://h.online-metrix.net https://*.siftscience.com; img-src https://www.coinbase.com https://i2.wp.com https://secure.gravatar.com https://secure.etrust.org https://ssl.google-analytics.com data:; media-src https://www.coinbase.com https://*.olark.com; object-src https://www.coinbase.com https://*.olark.com; script-src https://www.coinbase.com 'unsafe-inline' 'unsafe-eval' https://stats.pusher.com https://cdn.siftscience.com https://*.newrelic.com https://*.google-analytics.com https://www.google.com https://www.youtube.com https://*.ytimg.com; style-src https://www.coinbase.com 'unsafe-inline'; report-uri https://www.coinbase.com/csp-report","referrer":"","violated... https://www.coinbase.com 'unsafe-inline' 'unsafe-eval' https://stats.pusher.com https://cdn.siftscience.com https://*.newrelic.com https://*.google-analytics.com https://www.google.com https://www.youtube.com https://*.ytimg.com"}}
A hypothetical extension-less mode isn't a bad idea. Unfortunately, it doesn't exist.
An XSS attack in an unrelated part of the webpage can escalate. If someone hijacks the session key of an admin, they get access to the admin panel. That access may or may not let them further escalate their privileges. If they manage to break into the box that serves the JS for the key generation page, then they can alter the JS however they want, including so subtly that no one will notice it's broken. Think this is unlikely? Privilege escalation attacks like this happen all the time. Again, the potential payout for a successful heist is in the range of millions, and due to bitcoin mixers, they're less likely to be caught.
Also, I bet at least one person reading this has the "Cloud To Butt" extension installed. It's not only untrained users who install that sort of thing.
Coinbase is insured, so in theory yes.
Really? Insured by who, and to pay out under what circumstances? What if every coin disappeared tomorrow?
what exactly is the attack vector for getting a "foothold into your javascript execution"?
Browser extensions? Those have been stealing BTC for a while.
> COINBASE KEY: The only key that Coinbase stores.
> SHARED KEY: Encrypted with your password and stored
> both by you and Coinbase.
Coinbase stores one private key that we can access, and one private key that is encrypted with the user's vault password on the front-end and sent to us encrypted for storage. The third key is the user's and we never see that.
We have no ability to access multisig vault funds without the user passphrase, which never touches our server.
Is there a way to sign a transaction offline but still run it through Coinbase? When it comes to decrypting private keys in the browser, unless the user inspects the javascript each and every time they use the site, there is no guarantee that it hasn't been silently replaced by code that steals keys.
Yes, you can sign a transaction offline using our multisig vault recovery tool, which is open source:
https://github.com/coinbase/multisig-tool
You can use it to generate a transaction payload which can be broadcast from a client of your choice, including Toshi, our open source bitcoin node:
Excellent! Thank you for putting forth the extra effort and thinking this through. Many comparable online solutions in the Bitcoin space do not offer similar offline tools, making them a non-starter for business use.
Yes. You can sign transactions completely independently from Coinbase, provided you have your private key, encrypted shared key, and passphrase (the two keys are provided on a sheet of paper which you print out during vault creation).
Different key. The other key is encrypted with BIP38 with your chosen password. I don't know how the actual interface works, if it is encrypted client-side or server-side. Anyway, on paper it sounds fantastic.
Yes, the shared key is generated and encrypted with your passphrase client-side, then sent to Coinbase. We never see the raw private key.
TL;DR: Store your bitcoin on Coinbase, without giving up control of your private keys.
coinbase-graig: is it possible with your current API to connect a third party service outside Coinbase to sign the transaction? say I want to do a retinal scan before the transaction is approved.
Yes, see https://www.coinbase.com/docs/api/multisig
Good question!
I wouldn't trust any third party to keep my bitcoins except for the money in transit. I have my local client and local wallet, and that's where I do my transactions from.
The whole point in multi-signature scheme is to remove need to trust Coinbase.
Your local client and local wallet are fine, until your keys are stolen by malware. Multisig scheme also attempts to fix that flaw.
EDIT: multisig scheme with user's key on Trezor. This way you are also protected fully from viruses stealing your local key.
Does this mean we'll be able to see balance on the blockchain in one place?
At the same time they use deterministic hierarchical keys. Means that you get series of different keys. I guess you can use only a single key, or number of different ones if you want to.
Yep.
Sorry if this is off topic. But I wonder how many websites like these the US government creates in an attempt to control their environment. Maybe I'm paranoid but what if (as an example) companies like Popcorn Time were shutdown and replaced with a government version? All the more reason open source is important.