
wallets


_harry_


I just read a tweet about hardware wallets. Recently Toast wallet added support for USB thumb drives. What is the difference between Toast wallet and the rest? In the end the tokens are in the ledger, not in the hardware, aren't they?

 


You are right, the tokens are always stored in the blockchain. The hardware wallets store your Ripple address and your key and have programs to send your token from your address to another (for example to an exchange).

Sorry, can't tell the difference between the hardware wallets.

Edited by Tobi

How are you going to secure your secret keys on the USB stick?

How are you going to ensure that you can recover the keys if the USB stick is stolen/lost/corrupted?

Will you be able to create and sign transactions using only the USB stick?

The above are only a few of the problems that hardware wallets attempt to solve.


12 hours ago, _harry_ said:

I just wonder what is the difference from Toast wallet to the rest

 

The biggest difference is: With Toast on a USB stick, you still need to load all of the secret data (keys) from it into a computer's memory in order to be able to use the wallet. There are many security reasons why you might not want to do that.

A real hardware wallet doesn't transmit the secret key to any device; it uses its on-board computer to sign transactions and only sends the completed transactions to the PC.

A good hardware wallet also has a screen and buttons on the wallet to allow the user to verify that the transaction that it's signing is the correct one.


On 11/10/2018 at 1:42 PM, at3n said:

The biggest difference is: With Toast on a USB stick, you still need to load all of the secret data (keys) from it into a computer's memory in order to be able to use the wallet. There are many security reasons why you might not want to do that.

A real hardware wallet doesn't transmit the secret key to any device; it uses its on-board computer to sign transactions and only sends the completed transactions to the PC.

A good hardware wallet also has a screen and buttons on the wallet to allow the user to verify that the transaction that it's signing is the correct one.

Toast Wallet has an offline air-gap transaction signing and submission system for those who want to use it. Simply install or run Toast on an offline device and create a transaction as normal, then follow the prompts to submit the transaction to the network via a QR code. Using Toast in this way (i.e. with a dedicated offline device such as an old phone or laptop that you never connect to the internet) mimics a hardware wallet in most respects. It's worth pointing out that air-gapped transactions are technically more secure than connecting a hardware wallet to an online device via USB.


12 minutes ago, ToastWallet said:

Toast Wallet has an offline air-gap transaction signing and submission system for those who want to use it. Simply install or run Toast on an offline device and create a transaction as normal, then follow the prompts to submit the transaction to the network via a QR code. Using Toast in this way (i.e. with a dedicated offline device such as an old phone or laptop that you never connect to the internet) mimics a hardware wallet in most respects. It's worth pointing out that air-gapped transactions are technically more secure than connecting a hardware wallet to an online device via USB.

I have used that system (air-gapped Toast QR code transaction submission) successfully and believe it is secure. It was also simple and easy to do. Well done, Toast wallet crew.


23 minutes ago, ToastWallet said:

Toast Wallet has an offline air-gap transaction signing and submission system for those who want to use it. Simply install or run Toast on an offline device and create a transaction as normal, then follow the prompts to submit the transaction to the network via a QR code. Using Toast in this way (i.e. with a dedicated offline device such as an old phone or laptop that you never connect to the internet) mimics a hardware wallet in most respects. It's worth pointing out that air-gapped transactions are technically more secure than connecting a hardware wallet to an online device via USB.

First, I think it's really great that the Toast wallet team has developed this feature!

Wrt that statement in bold ... in itself that might be true, but I have this question: as many (maybe most) security breaches have an internal origin, do you also say that if someone has physical access to an offline device that's got Toast installed on it, that would be less of a security risk than if that same person would have physical access to a hardware wallet?


5 minutes ago, Rey said:

First, I think it's really great that the Toast wallet team has developed this feature!

Wrt that statement in bold ... in itself that might be true, but I have this question: as many (maybe most) security breaches have an internal origin, do you also say that if someone has physical access to an offline device that's got Toast installed on it, that would be less of a security risk than if that same person would have physical access to a hardware wallet?

Toast only decrypts your keys for a split second when you actually need to sign a transaction. This is the reason you need to put your passphrase in to send a transaction.

To answer your question: it depends on almost too many factors to count. I'll address a couple of scenarios below:

If you are using a PC / laptop as your offline device then a skilled adversary with repeat physical access to the device could probably install a keylogger or other monitoring software on your device which, in combination with taking a copy of your wallet data from the disk, could expose your keys. This would likely require them to have physical access to the disk, i.e. pull the disk out and patch the OS etc.

However, if your scenario is a snatch-and-grab where someone steals your offline device, be it a hardware wallet or a PC or phone running Toast, then I couldn't pick a winner; I suspect they would all be impossible to crack provided you used a sufficiently strong passphrase.

An old iPhone with iOS 11 is probably the most secure offline device you could use Toast Wallet on due to the high barrier to installing third party software or patches via any means. These are also notoriously difficult to log in to when booted after power down, especially if you use an alphanumeric passcode for the lockscreen.

In my view the majority of theft risk comes from malware installed on Internet connected devices. Any sort of air gap is sufficient to thwart that. The great thing about public key cryptography is you can submit a signed transaction via the most infected PC imaginable and never compromise the security of the wallet that signed it.

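The air-gap flow described in the post above, as an added example that is not part of the thread and not Toast Wallet's own code: the key is stored encrypted, decrypted only to sign, and the network checks the signed blob with the public key alone. Ed25519 via Node's `crypto`, scrypt + AES-256-GCM key wrapping, the JSON transaction encoding and the placeholder addresses are all assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Offline device: keep the private key encrypted under a passphrase-derived key
// (scrypt + AES-256-GCM are assumptions, not Toast Wallet's documented scheme).
function encryptKey(privateKey, passphrase) {
  const salt = nodeCrypto.randomBytes(16), iv = nodeCrypto.randomBytes(12);
  const kek = nodeCrypto.scryptSync(passphrase, salt, 32);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const der = privateKey.export({ format: 'der', type: 'pkcs8' });
  const ct = Buffer.concat([c.update(der), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Offline device: decrypt the key only for the duration of one signature.
function signOffline(vault, passphrase, tx) {
  const kek = nodeCrypto.scryptSync(passphrase, vault.salt, 32);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, vault.iv);
  d.setAuthTag(vault.tag);
  const der = Buffer.concat([d.update(vault.ct), d.final()]); // throws on a wrong passphrase
  const key = nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const payload = Buffer.from(JSON.stringify(tx));
  const signature = nodeCrypto.sign(null, payload, key);
  der.fill(0); // best-effort wipe of the plaintext key bytes
  // Only this blob crosses the air gap (e.g. as a QR code); it contains no secret.
  return { payload: payload.toString('base64'), signature: signature.toString('base64') };
}

// Network side: verification needs the public key only.
function verifyBlob(blob, publicKey) {
  return nodeCrypto.verify(null, Buffer.from(blob.payload, 'base64'), publicKey,
    Buffer.from(blob.signature, 'base64'));
}

function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const vault = encryptKey(privateKey, 'constructed sample passphrase');
  // Constructed sample transaction; both addresses are placeholders.
  const tx = { type: 'Payment', destination: 'rPLACEHOLDER_PAYEE', amount: '25', sequence: 7 };
  const blob = signOffline(vault, 'constructed sample passphrase', tx);
  // A compromised online relay rewrites the destination but cannot re-sign.
  const altered = JSON.stringify({ ...tx, destination: 'rPLACEHOLDER_OTHER' });
  const tampered = { ...blob, payload: Buffer.from(altered).toString('base64') };
  let wrongPassphraseRejected = false;
  try { signOffline(vault, 'wrong guess', tx); } catch (e) { wrongPassphraseRejected = true; }
  return { honest: verifyBlob(blob, publicKey), tampered: verifyBlob(tampered, publicKey),
    wrongPassphraseRejected };
}
```

The signature only proves the blob is what the offline device signed; it does not tell the user whether the offline device signed the intended payment, which is the role of the on-device confirmation mentioned earlier in the thread.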

1 hour ago, ToastWallet said:

Toast only decrypts your keys for a split second when you actually need to sign a transaction. This is the reason you need to put your passphrase in to send a transaction.

To answer your question: it depends on almost too many factors to count. I'll address a couple of scenarios below:

If you are using a PC / laptop as your offline device then a skilled adversary with repeat physical access to the device could probably install a keylogger or other monitoring software on your device which, in combination with taking a copy of your wallet data from the disk, could expose your keys. This would likely require them to have physical access to the disk, i.e. pull the disk out and patch the OS etc.

However, if your scenario is a snatch-and-grab where someone steals your offline device, be it a hardware wallet or a PC or phone running Toast, then I couldn't pick a winner; I suspect they would all be impossible to crack provided you used a sufficiently strong passphrase.

An old iPhone with iOS 11 is probably the most secure offline device you could use Toast Wallet on due to the high barrier to installing third party software or patches via any means. These are also notoriously difficult to log in to when booted after power down, especially if you use an alphanumeric passcode for the lockscreen.

In my view the majority of theft risk comes from malware installed on Internet connected devices. Any sort of air gap is sufficient to thwart that. The great thing about public key cryptography is you can submit a signed transaction via the most infected PC imaginable and never compromise the security of the wallet that signed it.

Thanks for sharing, appreciate it!

Edited by Rey
Fixed Out Of Likes
