Bitcoin: Security - Massachusetts Institute of...

Bitcoin: Security Tour de Force and Nightmare!


What is Bitcoin?

● First “digital currency” to really take off.
● Researchers have been working on digital currency for more than 20 years.
● The Problem: Prevent double spending
● Bitcoin’s approach is decentralized; previous approaches required a central authority

Why Bitcoin?

● A means of exchange that works globally. Transactions are secure, cheap and final

● A store of value
○ You can invest in bitcoin and hope its value goes up (which has been the trend)

How does it work?

● “Coins” are really public-private key pairs, also called “Bitcoin Addresses”. Example:
○ 19Mz58UvPk1nidNLZBHGqJ8S3T2wHvvtRZ
● Coins are granted value via “transactions”
● A Transaction is a digitally signed statement transferring value from one “Coin” to another.

Send Me Bitcoin :-)

A Bitcoin Address

<Secret Value> ⇒ Public Key ⇒ SHA256 ⇒ RIPEMD160 ⇒ Base58 Encode ⇒ Bitcoin Address

● Base58 is like base64, but with fewer characters: the easily confused ones are eliminated.

Do Addresses have value?

● Not when they are first created
● They receive value from other addresses via signed transactions:
● “I hereby bequeath my value to 1M78ab…

Value is traced through a chain of transactions back to when the value was first minted (or mined in Bitcoin parlance)

Where do Coins come from?

● This is the breakthrough…
● Transactions are gathered into blocks
● A network of systems (a *large* network) attempts to compute a “block” by generating hashes until one is created with a certain number of leading zeros

● This is called “proof of work”

Proof of Work (Mining)

● Each block references the hash of the previous block, creating a chain

● As more blocks are added to the chain, “forging” earlier blocks becomes infeasible

● As a reward, the first transaction in the block, called “coinbase”, transfers newly minted coins to the block finder

A Block

blockhash = hash(nonce, merkleroot, prevhash)
blockhash must have “enough” leading zeros
Trial and error by changing the nonce
“Difficulty” (how many leading zeros needed) adjusted to cause new blocks to be created every 10 minutes on average.
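A small model of the block formula and the chaining described on the last two slides, as an added example that is not part of the original slides. It assumes double SHA-256 as the hash, a single hash over the transactions as a stand-in for the Merkle root, a 12-bit difficulty, and constructed sample transactions; the real block header carries more fields.

```python
import hashlib

ZERO = b"\x00" * 32   # prevhash of the first block (assumption of this sketch)
BITS = 12             # leading zero bits required; tiny so the demo runs instantly

def block_hash(nonce, merkleroot, prevhash):
    # the slide's blockhash = hash(nonce, merkleroot, prevhash), as double SHA-256
    data = nonce.to_bytes(8, "little") + merkleroot + prevhash
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def tx_root(txs):
    # stand-in for the Merkle root: one hash over all transactions
    return hashlib.sha256(b"".join(txs)).digest()

def meets_target(h, bits=BITS):
    return int.from_bytes(h, "big") >> (256 - bits) == 0

def mine(txs, prevhash, bits=BITS):
    # trial and error: bump the nonce until the hash has enough leading zeros
    root, nonce = tx_root(txs), 0
    while not meets_target(block_hash(nonce, root, prevhash), bits):
        nonce += 1
    return {"txs": txs, "merkleroot": root, "prevhash": prevhash, "nonce": nonce}

def build_chain(batches, bits=BITS):
    chain, prev = [], ZERO
    for txs in batches:
        block = mine(txs, prev, bits)
        chain.append(block)
        prev = block_hash(block["nonce"], block["merkleroot"], prev)
    return chain

def first_invalid(chain, bits=BITS):
    # what a validating node does: recompute everything, trust nothing in the block
    prev = ZERO
    for i, b in enumerate(chain):
        root = tx_root(b["txs"])
        h = block_hash(b["nonce"], root, prev)
        if b["prevhash"] != prev or b["merkleroot"] != root or not meets_target(h, bits):
            return i
        prev = h
    return None

# Constructed sample transactions (plain strings, not real Bitcoin transactions)
SAMPLE = [[b"coinbase->alice 50"], [b"coinbase->bob 50", b"alice->carol 10"],
          [b"coinbase->dave 50"]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("untouched chain, first invalid block:", first_invalid(chain))
    chain[0] = mine([b"coinbase->mallory 50"], ZERO)  # block 0 altered, its work redone
    print("after altering block 0, first invalid block:", first_invalid(chain))
```

Redoing the work for an altered block is not enough: its hash changes, so the next block's `prevhash` no longer matches and every later block would have to be mined again.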

The Decentralized Network

● In addition to the “miners”, many people run bitcoin nodes. A peer-to-peer network

● Each node validates each transaction it sees before passing it on, miners validate transactions before putting them in blocks

● Each node validates each new block it sees

Where does value come from

● Not technical value but human value
● Same place as Gold. People are willing to pay for it.
● Initially (2009) bitcoins had no value
● But once mining became difficult, people were willing to buy them with cash

How do you buy bitcoins

● From another person (localbitcoins.com)
● From an exchange.
● From an ATM

○ Liberty Teller at South Station, Harvard Square and now at the MIT Coop

Exchanges

● You create an account
● You deposit cash (aka “fiat”)
○ You can also deposit bitcoin
● So you have a cash balance and a bitcoin balance
● You trade with other users

Exchange takes a cut on each transaction

You must Trust the Exchange

● Once you make a deposit, the exchange owner has your bitcoin and cash

● Just like a bank, all you have is a ledger entry

● Finding an exchange to trust is an issue

Welcome to the Nightmare

● The core technology of Bitcoin is rock solid
○ It has to be, it is under continual attack!
● Two main areas of trouble
● Protecting private keys
○ People are awful at this
● Ancillary services such as exchanges

bitcoin-qt default wallet

● Stores bitcoin addresses (usually 100 or more) in a “wallet.dat” file.

● By default it is not encrypted
● If I can read this file, I can steal your bitcoins
● If a virus or a trojan can read this file, say goodbye to your coins

Encrypted Wallet

● You can turn on encryption -- but you need to have a strong password

● If someone can crack your password, you lose.

● If you forget your password, you lose.
● Lots of ways to lose!

Paper Wallet

● Generate a Public/Private key pair (and associated address).
○ Print it on paper (preferably in an off-line way).
○ Deposit Bitcoin in it.
○ Put it in a safe deposit box (you can do these steps in either order)

Brain Wallets

● The private key is the hash of a password.
● SERIOUS BAD IDEA YOU WILL BE ROBBED, I WAS!

1MEWY9QjBnqnhK1RMi35ZRcYTzd8jYaz8R

(but if done correctly can let you hide your coin!)

Deterministic Wallets

● Armory, Electrum
● Have a single secret “seed” which is used to generate all addresses
● Back up the seed once and you are good

Watching only Wallets

● Based on deterministic wallets; can store public keys (and therefore Bitcoin addresses)

● Can generate as many public keys as needed

● HAS NO PRIVATE INFORMATION
● So you can accept bitcoin without risking having it taken

How to Lose

● Remember: Bitcoin is like cash
● If you destroy it, it’s gone
● Transactions are not reversible
● Change Addresses

○ Nasty implications when mixed with Paper Wallets, you can lose your coin!

○ Mt. Gox may have lost this way (one theory)

Buying Bitcoin is hard, why?

● Exchanges only accept cash (aka wire transfers).

● You cannot buy bitcoin with a credit card
○ Because you can reverse a credit card transaction, but not a bitcoin transaction. A lot of exchanges have been robbed this way

● AML/KYC laws (in US) make for a lot of hassle.

The Four Types of Folks

1. Normal People -- Your Parents
2. Geeks -- at MIT -- Likely You!
3. Speculators -- Invest in Bitcoin hoping to profit
4. Thieves -- Tend to run exchanges and other services where they can run off with the coin

Speculators and Thieves

● Speculators are betting that Bitcoin will be successful and each “coin” will wind up much more valuable than it is today

● Thieves. Bitcoin takes up no space, so let’s say you run an exchange where people deposit Millions in bitcoin -- The temptation to take it is huge.

Recommendations

● Don’t “invest” more in Bitcoin than you are prepared to lose
○ Either through devaluation or theft.
○ So how good are you at protecting your systems?
○ :-)

● Use Off-line Wallets, but *be careful*

Predictions

If Bitcoin is to succeed…

Learn from the past. How do people manage a large amount of money, where do they put it…

A BANK!

More...

Banks have developed policies and procedures over the years (such as two party control) to manage the temptation to steal. Banks know how to protect money (but maybe not Bitcoin yet…)

The Normal People Need to be able to Use it!

Thank You!