Nostr Web Client

Concerned:

While setting up my blockstream jade onto a new Electrum wallet, I noticed that I couldn't complete the jade final pin setup without an internet connection. Having used Electrum exclusively for years and never venturing to setup a hardware wallet on top of the software before, I found this really odd.

The jade is bluetooth disabled, set to USB only on local device. The failure came after the jade display of the seed phrase, the mandatory spot verification of the seed, and the electrum recognition of hardware and native segwit wallet. Clicking next, the jade wants to setup a final pin code which will be the means by which i login moving forward on this wallet. Upon entering and confirming the code offline, I receive an error notification after some time telling me that there was a failure connecting to a blockstream online address. Only after going online and entering my pin did it complete and allow me to finalize setup.

Should this be a concern? I'm not sophisticated enough in this tech to know if its necessary to do this with a hardware wallet that should be no-radio. #asknostr

Reply to this note

Please Login to reply.

Discussion

nostr.build 2y ago

From what I understand, Jade uses a ‘virtual secure element’, basically meaning it uses a remote server (an oracle) to store part of your seed, encrypted. Guessing it is wanting to connect with this server for that.. You should be able to create your own ‘oracle server’ also. nostr:npub1sqaxzwvh5fhgw9q3d7v658ucapvfeds3dcd2587fcwyesn7dnwuqt2r45v ?

nakad.ai🔱🦁🛡️🏯📿 2y ago

Depends on your security model. You don't have to use the oracle.

https://help.blockstream.com/hc/en-us/articles/20144489592857-Use-Jade-as-a-stateless-signing-device

Dr. Bitcoin, MD 2y ago

Not sure. You definitely need to connect to internet if you are using the 2 of 2 multisig where @blockstream holds one of your keys…

Bass 2y ago

Unless i am radically misunderstanding multisig, Im pretty sure i opted specifically for regular wallet with hardware device. My understanding of multi sig, though never implementing or testing is that it requires several passwords. My jade held my keys. To use the jade, simply required the 6 digit pin code to access the wallet. No other keys were used

Dr. Bitcoin, MD 2y ago

Nah, you’re not misunderstanding. I use Blockstream green on iOS and that’s the only real choice (multisig vs. Single sig).

I don’t know much about the jade RNG…but if it’s virtualized somehow that’s 1) important to do right and 2) beyond me

nakad.ai🔱🦁🛡️🏯📿 2y ago

Use jade as a stateless signing device.

https://help.blockstream.com/hc/en-us/articles/20144489592857-Use-Jade-as-a-stateless-signing-device

nakad.ai🔱🦁🛡️🏯📿 2y ago

When using Jade as a hardware wallet with PIN, your seed is encrypted in cooperation with a blind oracle. This requires Jade to communicate with a companion device to perform the decryption. Using Jade as a stateless signing device does not require any PIN entry or communication with a companion device.

Bass 2y ago

Is there an option to host your own oracle server?

nakad.ai🔱🦁🛡️🏯📿 2y ago

Yes.

https://help.blockstream.com/hc/en-us/articles/12800132096793

Bass 2y ago

Jades decryption is odd to me. When I save a customers password in the database, we dont need to decrypt it to give them access into their account. Login process takes their password value, encrypts it, and checks with our database copy of their encrypted password to verify they match without a decrypt process, and through a match, they login. The fact that the seed itself is able to be decrypted tells me that they are using non SHA256 encryption, that their oracle server can potentially be holding those keys that are "decryptable" at their convenience. If they arent using SHA256 encryption universally, which is incapable of being decrypted, is there good reason to believe they would only be able/willing to decrypt part of your credentials?

Bass 2y ago

Here is an article explaining why the Blockstream Jade (not being used as stateless) requires online access to complete setup. Apparently, there is a way to run your own oracle pin server, but havent figured that out yet.

nostr:nevent1qqsqufenzh0v58h5hrllz2zxtk66n9ly8jsfqs2as5yvr4p2v93zakcpp4mhxue69uhkummn9ekx7mqzyrlu548q0r7e3p98ghtsavq4ns9c48na8qayjp48fp9c86lkzqwa2qcyqqqqqqg6sg6ne