A cold wallet is also known as a hardware wallet.
It amounts to storing the private key on a chip that never connects to the internet, and it is regarded as the “absolutely secure” way to store coins.
For a time it was the last safe haven in the blockchain world.
Recently, however, almost every hardware wallet has been cracked.
A hacker needs only two minutes of access to your phone, whether or not it is locked, to transfer away all your coins with ease.
As the wallet craze takes off, many new vendors have entered the field, but their understanding of security is often inadequate, which greatly increases the risk.
Can cold wallets still be trusted?
Does absolute security exist anywhere in the blockchain world?
01 Unsafe Wallets
Did you know? Most wallets can actually be cracked.
Including cold wallets.
Hu Mingde, director of the Advanced Technology Department at the big-data security company Knownsec (知道创宇), told a Yiben Blockchain (一本区块链) reporter that his team had publicly cracked two internationally well-known hardware wallets by technical means.
The first was the French Ledger wallet, which raised $80 million in funding at the start of this year.
“The Ledger wallet is designed with one secure chip and one non-secure chip. By forcing a firmware upgrade of the non-secure chip, we could obtain the wallet's PIN code step by step without even removing the case,” Hu Mingde said.
The PIN code is effectively the wallet's password; with it, you can unlock the wallet and transfer the funds out.
Beyond Ledger, the Knownsec team also found that most Bitcoin wallets built on the MTK (MediaTek) mobile platform can be cracked.
“Almost every wallet on a phone can be cracked,” Hu Mingde said, whether it is a software wallet in a phone app or a hardware wallet.
For example, when testing several domestic MTK-based wallets, they found that by dumping the wallet firmware they could not only read cached information for multiple coins, but also locate the various libraries used to generate the mnemonic phrase.
Hu Mingde pointed out that this is a very generic USB vulnerability. A hacker can easily implant malware and steal transaction passwords and private-key information.
“With just two minutes of access to the phone, a hacker can extract the data, whether or not you have a lock-screen password,” Hu Mingde said, calling the vulnerability extremely serious.
In his view, this is the most dangerous part: the low- and mid-range models of most domestic phone brands, including Xiaomi and Meizu, “all use the MTK chip solution.”
That means the vast majority of hardware and software wallets are insecure.
02 Cold Wallets
By a conservative estimate, there are wallet products from over a hundred vendors on the market today. They fall into two categories: software wallets and hardware wallets, that is, cold wallets.
Software wallets are easy to understand: a wallet app downloaded to your phone, ready to use.
But what is a hardware wallet?
Bitcoin lives on the blockchain; the private key is the proof that you own a given bitcoin and are entitled to control it.
A hardware wallet works by storing the private key on a chip that is isolated from the network and used plug-and-play. It looks a bit like a USB flash drive.
Within the industry, hardware wallets are widely regarded as the most secure way to store digital currency. People give three main reasons:
The private key in a hardware wallet cannot be exported, and because the device is never online, hacker attacks are ruled out.
Easy to back up. During initial setup the device generates a mnemonic phrase as a backup of the private key; if the device is lost or damaged, you can buy a new one and restore the private key from the mnemonic.
Multi-currency management. Besides Bitcoin, the vast majority of hardware wallets can also manage digital currencies such as Litecoin, Ethereum and Bitcoin Cash.
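As an added example (not part of the article or any vendor's code), this Python shows how the mnemonic backup described above lets a replacement device recompute the same master private key; it assumes the BIP39 (mnemonic to seed) and BIP32 (seed to master key) scheme used by Ledger, Trezor and KeepKey, and uses only the standard library.

```python
# Added example, not from the article: recovering a wallet's master private key
# from its mnemonic backup on a replacement device. Assumes the BIP39 (mnemonic
# -> seed) and BIP32 (seed -> master key) scheme used by Ledger, Trezor and KeepKey.
import hashlib
import hmac
import unicodedata
from typing import Tuple

BIP39_ROUNDS = 2048  # PBKDF2-HMAC-SHA512 iteration count fixed by BIP39


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed. Salt is "mnemonic" + optional passphrase.

    The passphrase is part of the secret: a different passphrase yields an
    entirely different wallet, which is a common cause of failed recoveries.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, BIP39_ROUNDS, dklen=64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: left 32 bytes = master private key, right 32 = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def recover_master_key(mnemonic: str, passphrase: str = "") -> bytes:
    """What a new device computes after the user types in the backup words."""
    master_key, _chain_code = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    return master_key


# Public BIP39 reference vector (all-zero entropy, passphrase "TREZOR").
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)

if __name__ == "__main__":
    # The lost device and the new device share nothing but the words and passphrase.
    new_device = recover_master_key(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed matches reference:", mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex() == TEST_SEED_HEX)
    print("wrong passphrase gives a different wallet:", recover_master_key(TEST_MNEMONIC) != new_device)
```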
At present, the more popular hardware wallet products in China, such as the Ledger Nano S, Trezor and KeepKey, almost all come from abroad and cost around 1,000 yuan.
Bullish on the sector, many blockchain entrepreneurs at home and abroad are building more hardware wallets.
“But most of these vendors don't understand security properly, which has led to many design and architecture problems,” Hu Mingde told the Yiben Blockchain reporter.
With exchanges suffering massive coin thefts and software wallets being robbed from time to time, hardware wallets have come to be seen as the last moat.
What does it mean if this moat falls?
In fact, this is neither the first time hardware wallets have been cracked, nor will it be the last.
In 2017, at the DEF CON 25 hacker conference in Las Vegas, a foreign security team demonstrated to the audience how to crack a Bitcoin hardware wallet.
Among the targets was Trezor, the oldest Bitcoin hardware wallet.
Trezor uses a non-secure chip made by STMicroelectronics. Once a hacker has the Trezor in hand, they can remove the case, exploit the vulnerability and transfer the bitcoin away.
At its fastest, the process takes only 15 seconds.
Also in 2017, a group called “Large Bitcoin Collider” organised hackers to brute-force Bitcoin hardware wallets. The name is borrowed directly from CERN's Large Hadron Collider, the idea being to use massive computing power to guess wallet keys.
The group called the cracking process “treasure hunting”: once a key was found, the bitcoin in the wallet would be shared among the participants.
Over nearly eight months, the Large Bitcoin Collider generated 3,000 trillion keys, of which the keys to more than a dozen wallets were “guessed right” and the wallets opened; three of them held bitcoin.
After the bitcoin in those three wallets had been shared out, the brute-force effort ended.
The Large Bitcoin Collider said that what mattered to them was neither stealing bitcoin nor killing Bitcoin, but rather exploring what might be attempted against the new Bitcoin algorithm.
Reportedly, once future quantum computers arrive, generating 3 trillion keys might take only eight hours. The mere thought is chilling.
03 No Absolute Security?
In the blockchain world, does absolute security exist?
As shown above, there is no absolute security for hardware wallets.
So what about smart contracts, where “code is law”? Are they secure?
Imagine signing a contract that is open source, yet one you cannot fully read. That is the predicament most people face with smart contracts.
Although blockchain technology guarantees that your contract executes exactly by its rules, code vulnerabilities at the contract layer are not easy to spot.
And open source means anyone can read it. In other words, you have signed a contract you cannot understand, while the hacker standing behind you can.
So hackers have become the number one threat in the blockchain world.
Once a hacker discovers a vulnerability in a smart contract, they attack. Examples abound.
By some figures, over the course of Ethereum's development hackers have stolen at least $1 billion worth of digital assets.
What about PoW and PoS? Are they secure?
The essence of blockchain is establishing trust among multiple parties; at the technical level, that comes down to the consensus algorithm in the blockchain's middle layer.
The two mainstream consensus algorithms today are the mining mechanism (PoW), represented by Bitcoin, and the voting mechanism (PoS).
Put simply, PoW trusts whoever has the most hash power, and PoS trusts whoever holds the most bitcoin.
In theory, an individual or group that holds 51% of the Bitcoin network's hash power, or has the ability to command 51% of it, can attack the Bitcoin network.
If that day ever comes, the Bitcoin system will be destroyed or monopolised.
Today, with global Bitcoin hash power becoming ever more concentrated, the top four mining pools already hold more than 54% of the hash rate.
Were they to join forces, a 51% attack on Bitcoin would not be impossible.
Following this reasoning, the conclusion may be a pessimistic one.
Summary
Does absolute security exist in the blockchain world?
Perhaps we can look at the question from a different angle.
Security is never absolute, only relative.
The real world is inherently a process of increasing entropy: it keeps changing and keeps going wrong.
The mission of blockchain is to slow the rate at which entropy grows.