Physical Wallet Security With NFC

I’ll start to research if other communities have investigated if this is possible, but has anyone come across concepts for securing a cryptocurrency wallet that require you to have an NFC chip in close proximity to your computer to act as the second private key (the first being your pass phrase) for a multi-signature address?

Conceptually, I’m imagining that you’d hold some sort of token/device with an NFC chip close to your computer if you want to do anything that would enable the transfer of funds from an address you control, and the wallet client would then retrieve the private key from that device and prompt you for your pass phrase. Only after both checks were passed would you be able to make your transfer.

This would satisfy a number of outstanding concerns around the wallet client:

- Reduces the chance that you could be attacked through a hidden keylogger
- If kept physically secure, it should make attacks significantly more difficult
- Allows for a user to have a less-secure (but more memorable) pass phrase because it cannot alone be used to brute-force access to the address

Items that would still need to be considered:

- What happens if the token/device with the NFC chip isn’t available any longer? (Lost, stolen, etc.)
- Could it be spoofed? (Malware already on the device that “listens” for the handshake and stores off the data for future use)
- How durable and long-lasting is an NFC device?
- Ease of resetting the data on an NFC chip
- Data size of the private key, or any other embedded information, cannot be larger than ~716 bytes (at least for the current generation of NFC chips)

If anyone has studied this concept before, I’m very interested in what you found out. If there’s enough interest, perhaps there’s a good fit to bring this type of access device to Peercoin holders first, as part of a customized version of the Peercoin-Qt wallet.

Great idea!
I have similar thoughts about the security and passwords: please see this topic.

The problem with physical tokens is that someone must produce them and control them, and cryptos are a different idea - self control.
Compared to a bank, you get a token synchronised with your online bank account. If you lose it you get another one. Go to the bank, show ID, pay, got it. The bank controls it.

That’s why I imagine another way:
- the crypto network itself would have not only wallets clients connected to, but also token applications.

How should this work:

  1. I hit transfer funds
  2. my wallet client sends info through the network to my application with token
  3. my token app on the cellphone displays a token key (if possible, the screen of this token should be visible only to the token app, so that other applications on the cellphone wouldn’t steal it)
  4. enter password + token (or only token if enough) and go :slight_smile:

About the keylogger thing another idea:
not to type password using physical key, which invisible for the operating system, but display a random keyboard within the client (random=not “qwerty”) and type password using mouse.

It’s possible that these concepts need a general change in concept and are not possible in this simple way.
For example, wallets are actually files. And I guess an attacker does not need my client - just a file. So even if my wallet client protects against automated attack, the attacker can copy my wallet and, using another client, break the password using for example a dictionary attack.

That’s why my other concept is that the wallet should be part of the crypto-network, not a file on a computer. So that a wallet could be not a static file, but a state, that could be connected to a token changing every few seconds.

By the way, if a wallet were part of the network and you simply lost your device, using the address and password you could connect to the network and get your money back. Currently if you lose your cellphone with the wallet, you have simply lost it, that’s it.
Comparing to VISA, if you lost it, you go to bank, block the old one, get a new one showing ID :slight_smile:

Maybe banking institutions are bad sometimes and are producing money with governments, but they are safer from the user's point of view, and if this doesn’t change, people won’t accept cryptocurrency in general.

Interested in this one. Modern NFC chips like NTAG316 are programmable. With that you would be able to load your private key or your password to release the private key. Will get a few of them soon including some software to play with on a mobile device.

I’m sure I’ve read something about this and cryptos before when I dived into this months ago. I can’t find it quickly, but with a bit more time googling around I’m sure something comes up. The bitcoin guys must have thought of this long before us!
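
The two-factor unlock from the first post, and the copied-wallet-file dictionary attack raised in the second, sketched as an added example that is not code from any poster or from Peercoin-Qt. It assumes the tag holds a random 32-byte secret rather than the private key itself; the `WTK1` record layout, function names and wallet header format are constructed for illustration.

```python
import hashlib, hmac, os

NFC_CAPACITY = 716   # bytes, the limit quoted in the first post
MAGIC = b"WTK1"      # constructed record marker, not a real NFC/NDEF type

def make_tag_record(secret: bytes) -> bytes:
    """Constructed layout: magic | secret | 4-byte SHA-256 checksum."""
    record = MAGIC + secret + hashlib.sha256(secret).digest()[:4]
    if len(record) > NFC_CAPACITY:
        raise ValueError("record exceeds tag capacity")
    return record

def parse_tag_record(record: bytes) -> bytes:
    """Return the secret, rejecting truncated or corrupted reads."""
    if not (len(MAGIC) + 4 < len(record) <= NFC_CAPACITY) or not record.startswith(MAGIC):
        raise ValueError("not a wallet token record")
    secret, check = record[4:-4], record[-4:]
    if not hmac.compare_digest(hashlib.sha256(secret).digest()[:4], check):
        raise ValueError("checksum mismatch")
    return secret

def derive_kek(passphrase: str, secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key that needs BOTH factors."""
    # Slow KDF over the passphrase, then keyed with the high-entropy tag secret:
    # guessing passphrases against a copied wallet file fails without the tag.
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return hmac.new(secret, stretched, hashlib.sha256).digest()

def enroll(passphrase: str):
    """Create a fresh tag record and the header stored in the wallet file."""
    secret, salt = os.urandom(32), os.urandom(16)
    kek = derive_kek(passphrase, secret, salt)
    verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()
    return make_tag_record(secret), salt + verifier

def unlock(passphrase: str, record: bytes, header: bytes):
    """Return the KEK if both factors match the wallet header, else None."""
    salt, verifier = header[:16], header[16:]
    kek = derive_kek(passphrase, parse_tag_record(record), salt)
    tag = hmac.new(kek, b"verify", hashlib.sha256).digest()
    return kek if hmac.compare_digest(tag, verifier) else None
```

In a wallet the returned key would feed an authenticated cipher that wraps the private key; that step is left out because the Python standard library has no AEAD. An attacker holding both the tag and the wallet file is back to guessing the pass phrase at PBKDF2 cost, so the lost or stolen token case from the first post still needs a recovery plan.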