Ledger Recovery Key: Ledger Recover 2.0?!

[Pmalek]

I'm not comfortable and agree with your interpretation that I don't like the other smartcards like Satochip. I said, I don't have a use case for them for me personally and as wallets they lack a crucial and in my opinion mandatory own independent display that can't be manipulated by a host device. I'm ok though, if we still disagree. That's life.

That's just what I gathered based on your posts here. Not having a use case for something is pretty similar to not liking something. My personal opinion, of course. You don't have to hate it, you just don't find it as good as the solutions you use personally. If you did, you would likely find a use case for smartcards.

Some negative points you mentioned so far is the material. You don't like that it's plastic and not fire-resistant. Probably not water and acid-resistant either. For the cards to function, you need an app and additional hardware, and even a mobile phone. You want your hardware wallets/signers to have their own displays for transaction verification, something that is not the case with smartcards. These are all points you mentioned, making me think that this solution is not for you.

[satscraper]

I certainly don't like Ledger and their products and how they market their Recovery stuff as something great, because wallet's entropy should not be exfiltrated from hardware wallet's secure elements at all. There should be no firmware code that aids this.

Wow, I’ve probably expressed the similar thought ^{(just worded differently)} more than a few times, so I’m definitely on your side when it comes to “no firmware code” approach for assisting with SEED extraction. However, it seems to me that even Passport Core includes such code, as it has the ability to display SEED on its screen upon user request. I believe hardware wallets that offer the same functionality have also this part of code as well. What are your thoughts on this?

[Pmalek]

However, it seems to me that even Passport Core includes such code, as it has the ability to display SEED on its screen upon user request. I believe hardware wallets that offer the same functionality have also this part of code as well. What are your thoughts on this?

Each hardware wallet I own has that functionality. The seed and private keys are stored on the devices as they are needed to sign transactions, so I see no issues with displaying it on screen. What Cricktor is talking about (I think) is the exporting of the sensitive data and being able to send it around remotely for example. If anyone thought that couldn't be done because hardware wallet manufacturers always said that the keys will only remain on the devices, Ledger and their Ledger Recover extraction firmware is proof that it can with the right code.

[Lucius]

~snip~
While Ledger tries to paint a picture of a secure communication channel, nobody can easily verify it. With the right equipment you could "wiretap" the NFC communication, decompile firmware samples and so on and so forth. And as usual you have to trust the bros around the french lord of the rings. But why would you?

I called him that once, I don't know if anyone has done it before, but we obviously share the same opinion. Personally, what irritated me the most was his behavior regarding the major data leak from his company, which he characterized as insignificant. My personal opinion is that after everything that has happened with that company, there is nothing they can do to improve their reputation.

Fortunately for them, there are too many people who don't know the difference between Bitcoin and blockchain, let alone what it means to let unknown people keep your seed. I think I'm not far from the truth if I say that the French LOTR has a similar (if not the same) opinion about its clients as the famous CZ when he says that 99% of users will lose their coins if they keep them in non-custodial wallets.

[Cricktor]

Frankly, I don't remember if I read it somewhere here in the forum or more likely when it struck me when I saw some interview of Pascal Gauthier around the time when they first introduced their Ledger Recovery subscription service stupidity. This french dude showed off with probably at least one or more rings at virtually any of his fingers, had a quite arrogant stance and I perceived him equally evil as Tolkien's Sauron.

What a douche, I was so disgusted by his behavior and the idea of such a recovery subscription service that this nickname stuck in me whereever the spark came from, I genuinely don't remember. Anyway, whoever called him that way first, made a fitting point. Edit: a quick search reveals likely this post by Lucius as first calling Pascal like that. The honor is yours, Lucius! I bow to your wisdom.  

However, it seems to me that even Passport Core includes such code, as it has the ability to display SEED on its screen upon user request. I believe hardware wallets that offer the same functionality have also this part of code as well. What are your thoughts on this?

That's an interesting question, indeed. I thought that most decent hardware wallets would display the mnemonic recovery words (which are just a human-friendly representation of the wallet's initial entropy secret) only once when the entropy has been created and the user is tasked to back it up.

After backup, this secret shall be secured in the secure element and there's no need to extract it from there anymore. Further cryptographic operation should happen in the secure element and ideally not outside of it. I might be wrong with this assumption and I might have forgotten some details of different hardware wallets.

Before Ledger Recovery, Ledger wouldn't display you the mnemonic recovery words again. To verify your backup words you needed to install the verification app where you can enter the backup words and the app would tell you if your entered words match the wallet's stored entropy or anything uniquely derived from it.

To verify you don't need to have the entropy leave the secure element. Your input is processed to the entropy secret or anything closely and uniquely derived from it and stored and processed secret can be compared inside the secure element. The secure element only needs to answer if there's a match or not.

Hm, I've to check how my BitBox02 handles this. Can't remember it'll ever show me the wallet's recovery words again.

And yes, what Pmalek mentions and what I tried to highlight as a quite despicable part of firmware is code that's there to have the main secret leave the hardware device completely. Oh boy, this is a can of worms and we kicked it. Yes, I'm aware, my BitBox02 allows a backup on a microSD card. Is this equally wrong as Ledger's Recovery service crap? You judge!

Displaying the wallet's recovery words again on demand feels kind of wrong to me, too.

[Pmalek]

And yes, what Pmalek mentions and what I tried to highlight as a quite despicable part of firmware is code that's there to have the main secret leave the hardware device completely. Oh boy, this is a can of worms and we kicked it. Yes, I'm aware, my BitBox02 allows a backup on a microSD card. Is this equally wrong as Ledger's Recovery service crap? You judge!

Displaying the wallet's recovery words again on demand feels kind of wrong to me, too.

As long as it's an optional feature that is not forced on you, then each user can decide whether or not to use it. Ideally, Bitbox shouldn't have it either. A separate seed extraction firmware can easily be developed by developers if they wanted to. At least Bitbox doesn't send this data remotely over the internet to other parties for "safe-keeping" (that we know of). It's a local digital backup. If the feature gets merged into the firmware that everyone uses, then end-users don't really have a choice. The code is forced on them. The option is there and can be activated anytime by the click of a button or a switch. It's far from ideal.

[satscraper]

And yes, what Pmalek mentions and what I tried to highlight as a quite despicable part of firmware is code that's there to have the main secret leave the hardware device completely. Oh boy, this is a can of worms and we kicked it. Yes, I'm aware, my BitBox02 allows a backup on a microSD card. Is this equally wrong as Ledger's Recovery service crap? You judge!

Displaying the wallet's recovery words again on demand feels kind of wrong to me, too.

As long as it's an optional feature that is not forced on you,

@Pmalek, whether this feature is optional or not is beside the point. The reality is that its presence introduces a potential vulnerability i.e. essentially the "door" for the SEED phrase to leak from the SE ^{and display in this case}. In my opinion, this compromises the security, as the truly secure environment must ensure that SEED phrase is 100% sealed and inaccessible at all times after it was generated by wallet and saved by user.

 

[Pmalek]

@Pmalek, whether this feature is optional or not is beside the point. The reality is that its presence introduces a potential vulnerability i.e. essentially the "door" for the SEED phrase to leak from the SE ^{and display in this case}. In my opinion, this compromises the security, as the truly secure environment must ensure that SEED phrase is 100% sealed and inaccessible at all times after it was generated by wallet and saved by user.

We are saying the same thing but in different ways.
I have no objections to what you are saying and my opinion is also that the feature shouldn't be there. My suggestion for creating a secondary firmware ensures that those who don't want any seed-extraction option are kept safe from any potential vulnerabilities that may be discovered in the future. No seed extraction code in my firmware means I won't suffer any consequences if something goes wrong with it. The users who are ok with the tradeoffs would then be the only ones whose security would be impacted in case of vulnerabilities with seed extraction. 

[Cricktor]

Having the option of a more secure version of a firmware would be nice, one that e.g. won't display the mnemonic recovery words again, because this requires to retrieve the secret from the secure element, where it's hopefully securely stored, and process it to transform this wallet's secret into its BIP39 recovery words representation.

Maintaining such a dual version firmware code base costs resources and likely most of the customers won't like to pay more to compensate this.

But I must say, I can live with such a feature as long as the firmware is open-source and allows reproducible builds. Because only then we can inspect and verify what exactly the firmware does with our precious secrets.

Such verifiability is not present with Ledger and therefore I don't use Ledger crap (and nobody should). As always: YMMV!

[Pmalek]

Ledger Recovery Key can now be purchased from the company's official online store for $39 or €39.

Ledger has released some more information about the product.
- Ledger Recovery Key will be included for free for every purchase of a Ledger Stax or Flex.
- Existing Stax and Flex owners can order the card for free with discounted shipping.
- A bundle with three cards is 15% off.
- Ledger claims the Recovery Key is water resistant up to 1 meter for 30 minutes.

[ABCbits]

Ledger Recovery Key can now be purchased from the company's official online store for $39 or €39.

Ledger has released some more information about the product.
- Ledger Recovery Key will be included for free for every purchase of a Ledger Stax or Flex.
- Existing Stax and Flex owners can order the card for free with discounted shipping.
- A bundle with three cards is 15% off.
- Ledger claims the Recovery Key is water resistant up to 1 meter for 30 minutes.

The price is fairly high. At similar price, you can get Trezor Model One (normal price at $49) instead. As for fact they would give this key to new/existing Flax and Stax owner, i'm not sure whether to interpret that they make lots of profit from Flax/Stax, this key or both of them.

[Pmalek]

The price is fairly high. At similar price, you can get Trezor Model One (normal price at $49) instead.

It only makes sense to compare the price of Ledger Recovery Key with other similar products and not hardware wallets. Although I get your point.

Let's see.
- The Keycard is €25 if you buy only one card. A 2-card set is €45 and a 3-card set is €60.
- The Tapsigner has different designs. Prices range from $7 to $20.
- The Seedkeeper costs €25.

That makes Ledger's Recovery Key the most expensive smartcard product among those mentioned.