So I wanted to deep dive on the old NONCE attack on hardware wallets, specifically whether the COLDCARD Mk4 leverages each of it's True Random Number Generators (TRNG) on both secure elements to generate random numbers and combine them using XOR.
Checking out this blog post... and HOLY SHIT, my respect for COLDCARD's security just skyrocketed. They don’t just use both secure elements but they also throw in the Microprocessor’s TRNG and XOR them together, with all of them chatting over a few millimeters of copper via encrypted comms. And that’s just scratching the surface!
No wonder NVK (npub1az9…m8y8) loses his mind when people use Raspberry Pis as hardware wallets.
This is the blog post:
https://blog.coinkite.com/understanding-mk4-security-model
It's worth a read if you want a wow moment 🙂
thejohn
npub1hy…ww8ln
2024-11-22 05:58:35
Author Public Key
npub1hyzknmraw54wgx3feeq0expyazgf5ead7p8hd290xrkfcwjuz88stww8lnPublished at
2024-11-22 05:58:35Event JSON
{
"id": "f65cd593fe89b387b367d0b925eb26ee72f234465ace7261496deb5a28796559",
"pubkey": "b90569ec7d752ae41a29ce40fc9824e8909a67adf04f76a8af30ec9c3a5c11cf",
"created_at": 1732255115,
"kind": 1,
"tags": [
[
"p",
"e88a691e98d9987c964521dff60025f60700378a4879180dcbbb4a5027850411",
"",
"mention"
]
],
"content": "So I wanted to deep dive on the old NONCE attack on hardware wallets, specifically whether the COLDCARD Mk4 leverages each of it's True Random Number Generators (TRNG) on both secure elements to generate random numbers and combine them using XOR.\n\nChecking out this blog post... and HOLY SHIT, my respect for COLDCARD's security just skyrocketed. They don’t just use both secure elements but they also throw in the Microprocessor’s TRNG and XOR them together, with all of them chatting over a few millimeters of copper via encrypted comms. And that’s just scratching the surface!\n\nNo wonder nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 loses his mind when people use Raspberry Pis as hardware wallets.\n\nThis is the blog post:\nhttps://blog.coinkite.com/understanding-mk4-security-model\n\nIt's worth a read if you want a wow moment 🙂",
"sig": "94286de835c67bf62c46a150dee5e7f5a374e2fdebc74aedf69c5b20774c736f47ec49ca9372d9e9e171c731e8d723b53c1c2980ba934217849c1a4138c75084"
}