How is Blockstream Jade's PIN secure?

[libertyconquest]

I think I understand the purpose of a blind oracle: to not have our encryption key stored in Jade so that an attacker can't perform a physical key extraction by manipulating the hardware.

The oracle serves as a form of "secure element" and helps keep Jade fully open-source by being in an external server.

We can get the secret key to unlock the wallet using an Elliptic Curve Diffie-Hellman (ECDH) key exchange, which is only available after we set the PIN correctly.

However, I don't understand how is the PIN itself secured.

Question: Wouldn't the PIN be subject to the type of key extraction the oracle is supposed to protect us from, since it is not stored in a secure element?

If yes, sounds like getting the PIN would be just an additional step, but once the attacker has it, he is capable of obtaining the secret key by performing the ECDH himself, which doesn't sound much safer.

Can someone explain to me what I'm getting wrong here?

Thanks!

------------------------ edit -----------------------------

Got answered here: https://bitcoin.stackexchange.com/questions/124464/how-is-blockstream-jades-pin-secure/124470#124470

there is a client secret key on the jade, and the client secret + the PIN are used in the key exchange. if the key exchange authentication phase fails too many times (wrong PIN) then the server secret is wiped (and the client secret on the jade). so the protocol provides blind oracle server-enforced wiping of the seed.

you can not test if the PIN is correct except via engaging in this client-server protocol with the oracle server.

on successful completion of the DH exchange, the resulting decryption key is used to decrypt encrypted seed stored on the jade.

Thanks for explaining, Adam (assuming it was the real Adam Back)!

This makes sense to me. Since I've posted here, I was also reading Jade's source code to try to understand the process.
Based on the way this function (https://github.com/Blockstream/Jade/blob/1ea73360a2d74265b619416e53a4592b488eb38f/main/process/pinclient.c#L477C27-L477C48) works, I believe that:
- There is a client secret on Jade, which is signed, encrypted and sent to the server along with the HMAC'ed PIN in a payload.
- The server then uses both to produce an AES key and returns it to client.
- The client combines the server's AES key with the PIN to generate a final AES key, which is used to encrypt the seed to be stored on the off-chip flash storage.

Thus, there are four parts of the puzzle to decrypt the seed:
(1) A secret key stored on Jade. \
                                                    These two get combined and are sent to the server signed, encrypted and hashed.
(2) A PIN entered by the user.    /
(3) The server's AES key, produced by (1) and (2).
(4) A final AES key produced with (2) + (3).

Since (2) is not stored on Jade, we can only produce (3) and (4) by guessing the PIN against the server, which may get our data erased if we make three mistakes.
I'm a beginner on all this, but this process sounds good to me.

[satscraper]

I'm a beginner on all this, but this process sounds good to me.

Yeah, sounds fine and you may get more precise details from their help article. But following  part of their security model still alerts me:

What  if communication of companion app with their blind-oracle-server fails ^{(due to some reason, let's say the server is out of order)}? The obvious answer for me - it will result in the abortive attempt to use Jade at this moment. But what if I'm in urgent need to make the transaction? It seems to me this  question is worth to think about

[libertyconquest]

What  if communication of companion app with their blind-oracle-server fails ^{(due to some reason, let's say the server is out of order)}? The obvious answer for me - it will result in the abortive attempt to use Jade at this moment. But what if I'm in urgent need to make the transaction? It seems to me this  question is worth to think about

The package comes with a blank QRCode template which you can fill after you generate your seed. Jade has a built-in software to help you fill each segment of the QRCode.

The PIN is needed to unlock an encrypted wallet, but if the server is offline, I believe you can recover the seed from the QRCode and sign transactions just fine without contacting the server.

I feel like the PIN is just to avoid the need of having the QRCode with you all the time.

The oracle server is also open source, so you could also host your own if prefer.

[satscraper]

What  if communication of companion app with their blind-oracle-server fails ^{(due to some reason, let's say the server is out of order)}? The obvious answer for me - it will result in the abortive attempt to use Jade at this moment. But what if I'm in urgent need to make the transaction? It seems to me this  question is worth to think about

The package comes with a blank QRCode template which you can fill after you generate your seed. Jade has a built-in software to help you fill each segment of the QRCode.

The PIN is needed to unlock an encrypted wallet, but if the server is offline, I believe you can recover the seed from the QRCode and sign transactions just fine without contacting the server.

I feel like the PIN is just to avoid the need of having the QRCode with you all the time.

The oracle server is also open source, so you could also host your own if prefer.

Wow, yeah, you are right!. I have found the official explanation of such case on their help page:

Smart approach to safety, indeed. If there were no Foundations devices and I have no their  Passport 2 wallet to hold my stash  I would probably turn my attention  to Bockstream Jade .

[NotATether]

The PIN is needed to unlock an encrypted wallet, but if the server is offline, I believe you can recover the seed from the QRCode and sign transactions just fine without contacting the server.

I feel like the PIN is just to avoid the need of having the QRCode with you all the time.

The oracle server is also open source, so you could also host your own if prefer.

This can also be implemented without an oracle server by using just a single secret + the PIN to create an AES key that decrypts the seed. The important part to this though is making only a limited number of tries possible before the key is wiped, but it would theoretically allow you to unlock the hardware wallet without the need to connect to a network.

You can also make your own computer an oracle server (Exactly how I don't know), but it would have the above benefit plus you don't have to trust anyone else's server.