Assuring Bitcoin security is a challenge. The most secure ways to store large amounts of bitcoins are also the least convenient. Even users with the patience to learn and practice the best security techniques discover that there are not many tools to help them do it. The easiest “cold storage” solutions available are still advanced tools with a learning curve beyond the reach of non-technical users. While the Bitcoin community hails “multi-sig” (see glossary) as the next Holy Grail of Bitcoin security, no one is quite sure how to access its capabilities without writing a custom application.
These problems do not exist in traditional banking services. Banking customers are not expected to understand cryptography, certificate authorities or hardware security modules (HSMs). Big banks have the resources to create, deploy and maintain security systems, and customers only have to look for the little “locked” symbol in their browser, or type in the six-digit code displayed on their keychain token. The average bank customer remains blissfully unaware of all the complexity going on behind the scenes.
However, in the world of Bitcoin, neither the users nor institutions know what to do to assure Bitcoin security, at least not yet. This is a new world in which the best practices have not been defined, and the necessary software and hardware tools do not yet exist. This should not be surprising—Bitcoin is still quite young and has had little time for these aspects of its ecosystem to evolve. But change is coming, and it will have to come if Bitcoin is going to make it into the mainstream of everyday life and commerce.
I think one of the biggest issues facing Bitcoin right now is not the lack of a “killer app.” It is lack of insurance options. Early adopters would like to believe that the majority of users will hold their own bitcoins, but I believe that is not a realistic option when life-changing quantities of digital currency are involved. We should not trust Grandma to personally secure her own retirement savings via complicated computer maneuvers.
More to the point, she should not trust herself or anyone else to hold it, unless she has strong protection against loss. Right now the best solution is for Grandma to avoid keeping her money in Bitcoin. That situation will change only when Bitcoin has a strong backbone of insured storage options, so that Grandma can confidently participate in this new technology.
So what does Bitcoin have to do to bridge the gap? Well, a few big companies have already been able to acquire insurance on their holdings. This is a huge first step, but it is no small feat to convince insurance companies to come along. Those companies that are entering the field have set premiums very high, because insurance companies cannot efficiently assess the risks.
Luckily, many of the problems with Bitcoin security already have long-established solutions in the world of financial and institutional security. Not only do these solutions protect digital assets from external threats, they guard against dishonest insiders in privileged positions. Merging Bitcoin with established security infrastructure will make it easier to both assess and mitigate the risks associated with a secure Bitcoin storage system.
• Hot Wallet: A wallet for which the signing authority is on an Internet-connected computer.
• Cold Wallet: A wallet on a device that has never had an Internet connection and never will.
• Full Cold Storage System: This gives you the ability to create a cold storage wallet on an offline computer, yet monitor the funds online. Funds are moved by taking a transaction to the offline computer to get it signed and bringing it back online to finalize it, with the signing keys never touching an Internet-connected computer at any step.
• Single-Signature Wallet: All funds in the wallet are associated with single identities on the network, and thus only one signing key is needed to move them. Anyone with access to the signing key is authorized to do what they would like.
• Multi-Signature Wallet: The network has multiple signing keys associated with the funds, and some threshold of those signatures is needed to authorize transactions.
Presently, all the available secure Bitcoin storage methods use single-signature wallets. By definition, these methods all have a single point of failure, and the goal has been to make that single point as secure as possible. Vaulted cold storage systems combined with fragmented backups go a long way toward achieving this goal, but they have to be deployed on consumer PCs which are not security-hardened, and it is difficult for organizations to enforce segregation of duties on the employees managing the funds.
One critical advance needed by Bitcoin is to adopt the use of Hardware Security Modules (HSMs). The entire security of the Internet flows down from a small number of high-value cryptographic keys, each protected by HSMs. Commercial-grade HSMs cost tens of thousands of dollars and resist all kinds of physical and electronic tampering, including the destruction of key material if any abnormalities that resemble tampering are detected. HSMs can be programmed to enforce access control policies, usually paired with smartcards given to authorized users. These devices represent single points of failure for systems of immeasurable value, so the cost of this protection is usually irrelevant.
Transitioning from offline consumer PCs to offline HSMs for Bitcoin key management is a no-brainer for large institutions. But it might be a while before we see HSM-based cold storage solutions for the broad commercial market, and their cost may always make them prohibitive for consumers.
Another important piece of this puzzle is the availability of well-defined operational security procedures. Documented procedures for configuring signing devices and distributing backups, along with strong access-control procedures with proper segregation of duties, should together form the foundation of operational security.
For instance, the institution may enforce a requirement that no signing devices can be accessed without at least three people present to ensure proper handling and documentation of an operation. This not only limits the opportunity for dishonest employees to steal funds, but also guarantees that proper security procedures are being exercised—such as verifying serial numbers on tamper seals, checking transaction data before signing, and guaranteeing that all sensitive devices and documents are properly secured after use. This approach also creates an auditable paper trail.
Operational security also includes well-defined authorization channels to ensure that employees do not execute the secure signing procedure for malicious/theft transactions. A super-secure wallet split between seven HSMs in vaults managed by company employees could be bypassed if authorization to execute the signing process only requires an email from the CEO. In this case, an attacker only needs to access the CEO’s email account to authorize a transaction to steal the funds. Physical security is irrelevant if social-engineering attacks make the system vulnerable.
The most important advance in Bitcoin security is the proliferation of multi-signature storage systems. This is usually referred to as an “M-of-N” storage scheme. For instance, in 3-of-5 multi-signature storage, five devices will be designated as signing authorities for the funds and the network will require signatures from any three of them to move the money. This not only provides extra security, but also redundancy—any two of the devices can be lost or destroyed without losing access to the money being protected.
The versatility of the multi-sig procedures enabled by the Bitcoin protocol is astounding. It allows organizations to manage funds with varying calibrations of security, redundancy and convenience. Petty cash can be managed with 2-of-3 storage requiring hot wallet signatures from any two of three company officers. Capital accounts for large purchases could be stored in a 3-of-5 scheme using a combination of hot and cold wallets. Large investment funds holding $100 million or more could be stored using 5-of-7 offline HSMs kept in vaults around the world, each one requiring physical access by a different company executive. Yes, a company may find this burdensome, but it has the flexibility to make its Bitcoin storage every bit as secure as its insurance company, regulators or internal protocols require.
Multi-sig provides even more flexibility if you consider that some parties or devices could be given multiple signing keys for asymmetric signing authority. For instance, the CEO of a company might hold two keys of a 3-of-6 storage scheme, and four other officers could each hold one. Only two individuals are required if the CEO participates in the signing process; otherwise three individuals are needed.
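The M-of-N arithmetic from the last two paragraphs, worked through as an added example (not code from the original article): it evaluates which groups of key holders can reach the threshold when holders carry different numbers of keys, and how many keys a scheme can lose. The 3-of-6 allocation (CEO with two keys, four officers with one each) is the article's own; the holder names and function names are assumptions.

```python
from itertools import combinations

# Constructed allocation from the text: a 3-of-6 wallet in which the CEO holds
# two of the six keys and four other officers hold one key each.
EXEC_3_OF_6 = {"CEO": 2, "CFO": 1, "COO": 1, "CTO": 1, "VP": 1}
THRESHOLD = 3

def total_keys(holders):
    """N: the number of signing keys the network associates with the funds."""
    return sum(holders.values())

def can_authorize(holders, m, present):
    """True when the keys held by the signers present reach the M threshold."""
    return sum(holders[h] for h in present) >= m

def minimal_signing_groups(holders, m):
    """Every smallest group of holders able to authorize a transaction.
    A group is listed only if no strict subset of it already reaches M."""
    names = list(holders)
    found = []
    for size in range(1, len(names) + 1):
        for group in combinations(names, size):
            if not can_authorize(holders, m, group):
                continue
            if any(set(prev) <= set(group) for prev in found):
                continue  # a smaller group inside it already suffices
            found.append(group)
    return found

def fewest_signers(holders, m, without=None):
    """Size of the smallest authorizing group; with `without` set, the smallest
    group that does not include that holder (e.g. the CEO is unavailable)."""
    groups = [g for g in minimal_signing_groups(holders, m) if without not in g]
    return min(len(g) for g in groups) if groups else None

def keys_that_can_be_lost(holders, m):
    """Redundancy: N - M keys (or the devices holding them) may be lost or
    destroyed while the remaining keys can still reach the threshold."""
    return total_keys(holders) - m

if __name__ == "__main__":
    for group in minimal_signing_groups(EXEC_3_OF_6, THRESHOLD):
        print(" + ".join(group))
    print("fewest signers with CEO present:", fewest_signers(EXEC_3_OF_6, THRESHOLD))
    print("fewest signers without CEO:", fewest_signers(EXEC_3_OF_6, THRESHOLD, "CEO"))
    print("keys that can be lost:", keys_that_can_be_lost(EXEC_3_OF_6, THRESHOLD))
```

Note that `keys_that_can_be_lost` counts keys, not people: losing the CEO's device removes two of the three spare keys at once, which is the trade-off of concentrating authority in one holder.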
Furthermore, an insurance company itself could hold a key for the funds it insures. In the event that multiple signers perish in a plane crash or simply lose access to their keys, the insurance company may be able to provide a critical signature to restore the insured funds instead of having to pay a claim.
In all cases, the devices can be configured and maintained completely independently, with no knowledge of security profiles of the other devices. The creation of wallets and all subsequent operations using them never requires direct communication or co-location of sensitive data. From start to finish there is never a single point of failure in the system. Combine multi-sig with HSMs and solid well-defined operational security procedures, and we might finally have a Bitcoin backbone that can be trusted not to lose your money Gox-style—and thus be ready for prime time on Main Street.