Blockstream Jade Tech Overview Part 1
Jade may be small, but it packs a ton of tech to make sure your Bitcoin keys are secure.

Grubles

The ability to self-custody assets is an important aspect of Bitcoin and the Liquid Network. Holding your own keys has become quite popular thanks to the honorable efforts of Bitcoin-focused educators. Due to this, a flourishing market of hardware wallet devices has emerged over time, using many different techniques for securing users’ precious private keys.

Jade is Blockstream's take on the hardware wallet. It is unusual in using inexpensive, commonplace hardware, developer-friendly FOSS firmware, and open-source infrastructure that keeps security-critical material split across separate components. So, what have we introduced in Jade? In this multi-part blog series, we jump straight into the lower-level mechanisms that protect your bitcoin and Liquid Network assets. There's too much to fit into a single post!

This first post touches on how Blockstream Jade derives randomness from its internal sensors and other sources (so your private keys are truly unique), how Jade prevents certain subtle attacks that can lead to loss of funds, and how we leverage a blind oracle to securely lock out a potential thief given a number of failed PIN attempts.

Bitcoin Core-Inspired Randomness

Private keys require strong randomness to avoid loss of funds. Attackers grind through weakly generated private keys, hoping to find one whose addresses hold funds they can steal. Jade uses a multi-faceted approach to ensure your private keys are generated with enough randomness to make this attack hopeless.

While Jade is running, entropy is generated from various independent sources and sensors:

  • User input
  • CPU counters
  • Battery state
  • Ambient temperature
  • Built-in cryptographic-strength hardware number generator
  • Entropy from the Blockstream Green companion app

The built-in hardware cryptographic random number generator (CRNG) on the ESP32 draws its entropy from several sources, one of which is the radio used for Bluetooth. When the radio is disabled with the optional "noradio" firmware (selectable in the Green companion app), the CRNG loses that source and its output is correspondingly weaker. To compensate, the firmware calls the ESP-IDF function bootloader_random_enable() to switch on an additional hardware noise source for the CRNG during boot only (the API requires it to be disabled again before the ADC or the radio is used); the randomness sampled then is added to the entropy pool along with the sources listed above.
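The mixing principle behind such a pool, as an added example that is not Jade's own code: every source is absorbed into a running hash state with a label and a length prefix, so a predictable or attacker-influenced source (a fixed battery reading, a guessable timestamp) cannot cancel out the entropy contributed by a strong one, and any single unpredictable input is enough to make the output unpredictable. The source labels, the domain-separation string and the sample readings are constructed for this example.

```python
import hashlib
import secrets
import time


class EntropyPool:
    """Hash-based entropy pool: every contribution is absorbed into a 64-byte running state.
    Mixing is a one-way hash, so a predictable or attacker-influenced source cannot cancel
    out entropy already present; any single unpredictable source suffices."""

    def __init__(self):
        # Domain-separation label is an assumption of this example, not a Jade constant.
        self._state = hashlib.sha512(b"example-entropy-pool-v0").digest()

    def add(self, label: str, data: bytes) -> None:
        # Label and length-prefix each field so that ("ab", "c") and ("a", "bc") mix differently.
        enc = (len(label).to_bytes(2, "big") + label.encode()
               + len(data).to_bytes(4, "big") + data)
        self._state = hashlib.sha512(self._state + enc).digest()

    def extract(self, nbytes: int = 32) -> bytes:
        # Output and next state come from different hash branches, so the output reveals
        # nothing about the state that produced it and later outputs are unrelated to it.
        out = hashlib.sha512(b"extract" + self._state).digest()[:nbytes]
        self._state = hashlib.sha512(b"forward" + self._state).digest()
        return out


def derive_seed_entropy(sources) -> bytes:
    """Mix a list of (label, bytes) contributions and return 32 bytes for seed generation."""
    pool = EntropyPool()
    for label, data in sources:
        pool.add(label, data)
    return pool.extract(32)


if __name__ == "__main__":
    # Constructed stand-ins for the source classes listed in the post.
    sources = [
        ("user_input_ms", b"".join(t.to_bytes(4, "big") for t in (312, 198, 455, 1021))),
        ("cpu_counter", time.perf_counter_ns().to_bytes(8, "big")),
        ("battery_mv", (3871).to_bytes(2, "big")),
        ("temperature_c10", (287).to_bytes(2, "big")),
        ("hw_rng", secrets.token_bytes(32)),         # the cryptographic-strength source
        ("companion_app", secrets.token_bytes(32)),  # entropy sent by the companion app
    ]
    print(derive_seed_entropy(sources).hex())
```

The length prefixes matter more than they look: without them, two different sets of readings can produce the same byte string and therefore the same pool state.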

Blind Oracle

When a Jade is first initialized, many different components work together to ensure that your private key data is truly random, encrypted, and stored securely:

  • Entropy pool
  • oracle-enforced PIN
  • Encrypted flash storage
  • Secure boot

At first boot, a Jade prompts the user to choose a PIN. The PIN is used, together with a remote blind oracle, to encrypt the Jade's key material. The Jade has no network connection of its own: the Blockstream Green companion app relays messages between the Jade and the oracle, but since those messages are encrypted end to end, the app is blind to their contents.

The goal is that an attacker who steals a Jade cannot extract the seed, and with it the coins, by attacking the hardware: the seed is encrypted under key material that is split between the Jade device and a remote lock-out oracle, so neither half is enough on its own.

In more detail: once the PIN is chosen, the Jade performs an ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange with the remote blind oracle. ECDH lets two parties agree on a shared secret over a public, insecure channel; because the Jade ships with the oracle's public key, it can also verify that it is talking to the genuine oracle rather than an impostor relayed by the app. The shared secret encrypts the channel, and over that channel the Jade and the oracle work together to create an AES-256 key.

When a new wallet recovery phrase is created, entropy is drawn from the pool described earlier, and the resulting key material is encrypted under that AES-256 key. It can only be decrypted when the user enters the correct PIN on the Jade and a connection to the remote blind oracle is established, mediated by the companion app (e.g. Green). Since the oracle holds only part of the AES-256 key, it learns neither the wallet's keys nor the PIN entered on the Jade, and what it does store is encrypted at rest.

The encrypted key material is then written to the Jade's encrypted off-chip flash and protected by Secure Boot. Secure Boot prevents firmware that is not signed with the expected key, such as a compromised image supplied by an attacker, from running on the Jade, so only firmware you intend to run can boot the device.

In short, the Jade now holds a strongly encrypted recovery phrase. An attacker would have to compromise both the encrypted flash on the Jade and the remote blind oracle to recover it, and guessing PINs at the oracle is cut off after a limited number of failures.
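A working model of the split-key and lock-out behaviour described in this section, added here as an example and not taken from Jade's firmware or from Blockstream's oracle. It keeps to the Python standard library, so the ECDH-protected transport is omitted (the oracle is called directly) and AES-256 is replaced by a clearly labelled toy authenticated cipher. The three-attempt limit, the opaque device identifier and the way the PIN is presented to the oracle (an HMAC keyed with a device-only secret) are assumptions of this example; the post does not give those details.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3   # assumption: the post only says "a number of failed PIN attempts"


def pin_auth_token(device_secret: bytes, pin: str) -> bytes:
    """What the device presents to the oracle. Keyed with a secret that never leaves the
    device, so the oracle (or anyone who dumps its database) cannot brute-force the PIN."""
    return hmac.new(device_secret, b"pin-auth|" + pin.encode(), hashlib.sha256).digest()


def wrap_key(device_secret: bytes, oracle_share: bytes, pin: str) -> bytes:
    """Seed-wrapping key: needs the device share, the oracle share and the PIN together."""
    return hashlib.sha256(b"wrap-key|" + device_secret + oracle_share + pin.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (SHA-256 counter mode + HMAC tag) so the example runs
    with the standard library alone. Jade uses AES-256; do not reuse this construction."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None          # wrong key: refuse rather than hand back garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class BlindOracle:
    """Remote lock-out oracle. Stores one random key share per device plus the auth token;
    it never receives the PIN, the device share or the seed."""

    def __init__(self):
        self._records = {}   # device_id -> [auth_token, key_share, failed_attempts]

    def enrol(self, device_id: str, auth_token: bytes) -> bytes:
        share = secrets.token_bytes(32)
        self._records[device_id] = [auth_token, share, 0]
        return share

    def fetch_share(self, device_id: str, auth_token: bytes):
        rec = self._records.get(device_id)
        if rec is None:
            return None      # never enrolled, or wiped after too many failures
        if hmac.compare_digest(rec[0], auth_token):
            rec[2] = 0       # a correct PIN resets the counter
            return rec[1]
        rec[2] += 1
        if rec[2] >= MAX_ATTEMPTS:
            del self._records[device_id]   # destroy the share: the wrapped seed is now unrecoverable
        return None


class JadeLikeDevice:
    """Device side. Holds its own key share and the wrapped seed; in the real design it reaches
    the oracle only through the encrypted channel relayed by the companion app (omitted here)."""

    def __init__(self, oracle: BlindOracle):
        self.oracle = oracle
        self.device_id = secrets.token_hex(8)          # assumption: an opaque per-device identifier
        self.device_secret = secrets.token_bytes(32)   # device share, kept in encrypted flash
        self.wrapped_seed = None

    def setup(self, seed: bytes, pin: str) -> None:
        share = self.oracle.enrol(self.device_id, pin_auth_token(self.device_secret, pin))
        self.wrapped_seed = toy_encrypt(wrap_key(self.device_secret, share, pin), seed)
        # The oracle share is deliberately not stored on the device.

    def unlock(self, pin: str):
        share = self.oracle.fetch_share(self.device_id, pin_auth_token(self.device_secret, pin))
        if share is None:
            return None
        return toy_decrypt(wrap_key(self.device_secret, share, pin), self.wrapped_seed)


if __name__ == "__main__":
    oracle = BlindOracle()
    jade = JadeLikeDevice(oracle)
    seed = secrets.token_bytes(32)                     # constructed stand-in for the wallet seed
    jade.setup(seed, "1234")
    print("correct PIN unlocks:", jade.unlock("1234") == seed)     # True
    for _ in range(MAX_ATTEMPTS):
        jade.unlock("0000")                                        # a thief guessing
    print("correct PIN after lock-out:", jade.unlock("1234"))       # None
```

Note what each party is missing: a dump of the device flash yields the device share and the wrapped seed but not the oracle share, and every PIN guess costs an oracle query that counts towards the wipe; a dump of the oracle yields a share and an HMAC it cannot invert without the device secret. Only an attacker holding both sides can brute-force the PIN offline, which is the property the section claims.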

Anti-Exfil

Even with a well-seeded entropy pool, a compromised hardware wallet can mount a nasty, undetectable attack against its own user: it can slowly leak the user's private key(s) through the signatures it produces, however strong the randomness used to generate that key was. We've blogged in depth about this attack and its mitigation before if you'd like to read more; the short version follows.

To understand how the attack and mitigation works, we need a very short overview on how signatures work in Bitcoin.

Bitcoin signatures use ECDSA (and now Schnorr as well). To sign, the private key is combined with a nonce, a one-time random value, to produce a signature that other users' Bitcoin full nodes can verify. The nonce must be unpredictable and never reused: anyone who knows the nonce behind a signature, or sees the same nonce used for two different messages, can compute the private key from the signatures, which is as bad as it sounds!

A compromised hardware wallet could choose nonces that look random but are known to the attacker in advance. Worse, it could encode pieces of the user's master private key in successive nonces, so that after enough signatures the attacker recovers the master key and with it every derived private key.

Anti-Exfil uses "sign-to-contract" to make the nonce depend on randomness supplied by the (assumed uncompromised) host computer. The Jade first commits to its own nonce by sending the host the corresponding public nonce point, the host then reveals its random data, and the Jade signs with a nonce tweaked by a hash of that point and the host's data. Because the host can recompute the tweak, it can check from the resulting signature that Jade really used the tweaked nonce; a device that silently substitutes a nonce of its own choosing is caught.

With this protocol the nonce is re-randomized by the host, so the device no longer controls it and the attack is prevented. Anti-Exfil has been part of the Jade firmware since version 0.1.24 (April 14, 2021).
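The exchange described above, worked through in code as an added example (this is not Jade's or libsecp256k1-zkp's implementation, and the hash layout of the tweak is this example's own). Both sides commit before they reveal: the host commits to its randomness rho first, the signer then fixes its nonce and reveals R0 = k0*G, the host opens rho, and the signer signs with k = k0 + H(R0 || rho). The host accepts only if the signature's R equals R0 + H(R0 || rho)*G. The secp256k1 arithmetic is textbook affine code, fine for a demonstration and not constant time; the keys, message hash and randomness in the demo are constructed.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity. Not constant time."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def ecdsa_sign_with_nonce(priv, msg32, k):
    """Plain ECDSA with a caller-supplied nonce k; who controls k is the whole point."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (int.from_bytes(msg32, "big") + r * priv) % N
    return (r, N - s if s > N // 2 else s)   # low-s as Bitcoin requires; R's x-coordinate is unchanged


def ecdsa_verify(pub, msg32, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = ec_add(ec_mul(int.from_bytes(msg32, "big") * w % N, G), ec_mul(r * w % N, pub))
    return R is not None and R[0] % N == r


# --- Anti-Exfil: host (wallet app) and signer (hardware wallet) ---

def host_commit(rho):
    """Step 1 (host): commit to 32 bytes of randomness before seeing anything from the signer."""
    return hashlib.sha256(rho).digest()


def signer_nonce_commit(k0):
    """Step 2 (signer): fix the original nonce k0 and reveal R0 = k0*G before learning rho."""
    return ec_mul(k0, G)


def s2c_tweak(R0, rho):
    """Sign-to-contract tweak H(R0 || rho) mod n. The hash layout is this example's own."""
    enc = R0[0].to_bytes(32, "big") + R0[1].to_bytes(32, "big") + rho
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N


def signer_sign(priv, msg32, k0, rho, rho_commitment):
    """Step 4 (signer): check the host opened its commitment honestly, then sign with k = k0 + tweak."""
    if not hmac.compare_digest(hashlib.sha256(rho).digest(), rho_commitment):
        raise ValueError("host randomness does not match its commitment")
    k = (k0 + s2c_tweak(ec_mul(k0, G), rho)) % N
    return ecdsa_sign_with_nonce(priv, msg32, k)


def host_verify(pub, msg32, sig, R0, rho):
    """Step 5 (host): a valid signature is not enough; its R must equal R0 + tweak*G."""
    if not ecdsa_verify(pub, msg32, sig):
        return False
    R = ec_add(R0, ec_mul(s2c_tweak(R0, rho), G))
    return R is not None and R[0] % N == sig[0]


def run_protocol(priv, msg32, k0, rho, honest_signer=True):
    """Drive the exchange end to end; returns (signature, host_accepts)."""
    com = host_commit(rho)                 # host -> signer
    R0 = signer_nonce_commit(k0)           # signer -> host
    if honest_signer:                      # host -> signer: rho; signer -> host: signature
        sig = signer_sign(priv, msg32, k0, rho, com)
    else:                                  # leaky firmware ignores rho and signs with its own k0
        sig = ecdsa_sign_with_nonce(priv, msg32, k0)
    return sig, host_verify(ec_mul(priv, G), msg32, sig, R0, rho)


if __name__ == "__main__":
    priv = int.from_bytes(secrets.token_bytes(32), "big") % N or 1
    k0 = int.from_bytes(secrets.token_bytes(32), "big") % N or 1
    msg, rho = hashlib.sha256(b"constructed sighash").digest(), secrets.token_bytes(32)
    print("honest signer accepted:", run_protocol(priv, msg, k0, rho)[1])        # True
    print("leaky signer accepted: ", run_protocol(priv, msg, k0, rho, False)[1])  # False
```

The dishonest branch is instructive: the signature it produces is a perfectly valid ECDSA signature and would be accepted by the network, which is exactly why the attack is invisible without the host-side check. Only the sign-to-contract verification, which the host can perform because it knows R0 and rho, exposes that the device used a nonce of its own.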

More Jade to Follow

This concludes the first part of our tech overview series on Blockstream Jade. Keep an eye on the official Blockstream blog (and take a look at the other posts there!) for the next post in the series.

If you want to get your hands on a Jade, we offer them on our Blockstream Store for $64.99. Pay with on-chain BTC, Lightning, or use the Liquid Network and pay with L-BTC or USDt (and get a 10% discount). Join the Jade Telegram group to chat about all things Jade and hardware wallets, too!

Note: This blog was originally posted at
https://medium.com/blockstream/blockstream-jade-tech-overview-part-1-4c1234d16888
