Okay, so according to the news, the FBI has recovered the bulk of the Bitcoins paid as ransom by the Colonial Pipeline Company, by acquiring the private key to the address where those Bitcoins were stored.
No news source I’ve seen has offered anything approaching an answer to the question: How did the FBI get ahold of that private key? Did the criminal masterminds behind the ransomware attack just leave it, unencrypted, on a hard drive or a piece of paper in a place where the FBI was likely to look?
At first I thought the most likely answer was that the FBI must have traded something for that key — say some sort of immunity (either from prosecution or, maybe, from something like a beating). But on second thought, it occurs to me that maybe hiding a private key from the FBI is trickier than it sounds.
I know plenty of good ways to hide private keys from thieves. You can write your key on a piece of paper (or better yet, etch it in metal) and store it in a safe deposit box. Or, for extra security (say if you’re worried about bank employees accessing those boxes), put half of it in one safe deposit box and the other in another, at a different bank. Or, if you’re worried about one of those banks being reduced to rubble in an earthquake or a terrorist attack (in which case no criminal could get your key, but neither could you), you can break the key into three parts, store parts A and B at Bank One, parts B and C at Bank Two, and parts A and C at Bank Three. Any one bank can disappear and you can still recover your entire key.
That secures your keys and makes them safe from criminals, but it does not make them safe from the FBI, which has the power to issue subpoenas to all of your banks and recover the contents of your safe deposit boxes. So maybe hiding your keys from the FBI is harder than it appears.
So let me try again: After etching them on metal, store parts A and B at Location One, parts B and C at Location Two, and parts A and C at Location Three, where you expect to have access to all of these locations (and only really need access to two of them) but none is particularly tied to you — i.e. not your house, not your car, not your safe deposit box. Maybe underground locations in the woods, though that feels a little sketchy to me. And then of course you might want to keep some sort of written record of those locations, which the FBI can find when they search your house or safe deposit box, whereupon they might wonder what’s so interesting about those locations that you felt the need to keep track of them….
You might think the safest thing is to memorize your key (or a mnemonic English phrase from which the key can be derived) and leave no record of it anywhere except in your own brain. That’s fine until dementia starts to set in, or until you’re hit by a bus (in which case your heirs are out of luck, though you might or might not care about that). Or you can leave written clues to the mnemonic that only you will be able to decipher, like “Word 9: The secret nickname I had for the girl I had a crush on in third grade”. This is of course also subject to the dementia problem.
So. Suppose you’re a master criminal, storing your ill-gotten gains as Bitcoins, which you want easy access to at all times for yourself (and maybe your heirs), but you want to keep completely inaccessible from law enforcement agencies with unlimited subpoena power. What’s your plan?
Update: More recent news reports indicate that the coins were seized from a custodial account — based in the United States, no less. In other words, my sarcastic reference above to “criminal masterminds” was not nearly as sarcastic as it should have been. It’s not that these guys failed to think of a clever scheme for hiding their keys; it’s that they never even bothered to try. The more interesting question, then, is how does Bitcoin fall 10% on the “news” that if you let someone else hold your private keys, you can lose your Bitcoins. (“Not your keys, not your coins”, as the saying goes.) The best answer I have (not just for this event but for a lot of Bitcoin volatility in general) is that anything even slightly unsettling leads to a small drop in prices, whereupon heavily leveraged investors fail to meet their margin calls, which leads to big selloffs. But that’s not a full answer until someone fleshes out the part where more sophisticated investors fail to jump in and take advantage of this buying opportunity. So maybe the dip, despite the coincidental timing, had nothing to do with the seizure.
This is, indeed, a difficult question. I don’t think there is a foolproof solution, because given adequate funding, time and motivation you can pretty much almost always find someone to toss into an unpleasant jail and tell them they don’t get out until they give you what you want. Or of course, employ the $5 wrench.
You could use SSS to spread the ability to recover the key across a group of several people all of whom are in different jurisdictions, but I think at that point you’ve created as much of a problem for yourself (and even more so for your heirs) as for the FBI: before you recover the key you have to know the names, locations and contact information for a sufficient subset of the secret-holding group, and you have to keep those channels of communication secure. And that’s assuming a relatively rule-abiding adversary like the FBI: if you’re trying to hide from the FSB, you’d better hope that none of the secret-holders ever take a commercial flight that crosses into the wrong airspace…
Dr_M (#1): What if we posit (by way of an intellectual exercise) that you’re dealing with an adversary who will not bargain with you in any way (i.e. won’t offer you immunity for your key; won’t threaten you with a wrench, etc.) but IS looking to prosecute you through (let’s say) the U.S. judicial system, and has access to all the powers of that system (including subpoenas). Your goal is simply to secure your keys in such a way that you can access them but your adversary can’t. Does this make the problem any easier?
I’d go with steganography. One of my images, well-known to me but probably a mystery to the FBI, would get the low-order bits of, say, the red channel set to the bits of my key. I’d make sure the image was one that had a pretty random set of pixels to start with!
By the way, my guess is that the key was “acquired” because it was actually held by a third party such as Coinbase and that the bad guys didn’t hold the bitcoins raw (just a guess, I’ve barely heard about the facts of the case).
Jens B Fiederer (#3): Yes, this is brilliant. But I still worry about what happens after the dementia starts to set in, and you can’t remember which of your 10,000 art files contains the keys.
#3 seems something like the old fashioned book code. You store the message as a series of page numbers and word or character numbers in a specific edition of a book. Is the private key a 256 bit number, maybe presented as a 64 character hexadecimal string? We are looking for a safe way to store and retrieve a 64 character string of 0-9 and A-F?
Book codes can be broken without knowing the book, but if used for this apparently random string I don’t know if they can.
What if the FBI owned a bitcoin exchange and advertised it on a secret dark web encrypted texting service? They kept the texting service up for many years, at first just using it to catch narco traffickers. Then just recently, they started claiming that their exchange was very very private, and offered better exchange rates for bitcoins to dollars, no questions asked. They might be able to hook the Ransomware bandits that way. Have you seen this sting operation announced yesterday? https://www.wsj.com/articles/fbi-sting-using-anom-platform-leads-to-global-roundup-of-suspects-11623165556
Why not deposit it in an off-shore safety deposit box in a jurisdiction that doesn’t follow US subpoenas? You’d probably have to live there too–the US could (maybe) hold you in contempt indefinitely until you comply with the subpoena.
This reminds me of the 3- or 5-flag theories of avoiding taxation.
One of the standard answers is a duress filesystem. The disk in question has blocks of encrypted data, and blocks of actual random data. There are several passwords for decrypting parts of the disk, depending on what you want to access or reveal, but importantly you can’t prove that you’ve revealed everything. There will always be some blocks of random data left that “might” conceal something of value. Suitable only if your data is more valuable than your life, since a motivated adversary then can’t be convinced to stop pressuring you.
Jon Leonard: And where do you store the passwords?
I agree Jens’ suggestion is a good one. Aside from remembering the file or files that has the key (and that it was the red channel, not the green one!), I would have an additional concern. It sounds like I need the system to be workable 20 years from the time I save the key. After 19 years, maybe the FBI will have access to a super AI that can easily detect the presence of keys in various file formats. Generally, I would worry any digital presentation is somehow crackable.
The dementia requirement is tough. You could end up forgetting the method itself, or even that you had bitcoins stashed away, but let’s assume it means minimizing the burden on my memory.
Like Patrick, I also thought to store the key in a different country, but I don’t think I have to live there. I don’t even need to store it physically, and that is also less secure, because there would be a record of me traveling there. All I need is for someone to tell me the code, say, over the phone. So I would hire an agent to recite the key when given a particular phrase. I wouldn’t want them to have the actual key, so it would be in encrypted form, but I would store the meta-key to decrypt *that* along with the code-phrase. The FBI would not know what to do with the two things in my notes. The information on the agent itself would go in my contact list. I would pick one in a country where I already have friends or business contacts, or add some dummy contacts, so the agent won’t jump out at someone perusing my contact list. I would use an established company with some longevity, and maybe use 3 different ones, to increase the chance they would be available 20 years later. I myself would need something to remind me who to contact, but that can be done with some notes on the contact with a detail from the heist that only I would know – it’s not unusual for me to have notes on my contacts, so I would just have to phrase it in a way that would jog my memory, without signaling anyone else. Not necessarily easy, but doable.
This method could work even if the agent is in-country, but the danger there is if their offices get raided and my information subsequently gets entered into a law-enforcement database, where it can be cross-referenced with my notes and thus potentially discovered. So I would prefer an out-of-country agent.
What if the hack were an “inside job”?
At some point, then, if you can’t trust storage (because the government can read it), and you can’t trust your memory, you need to trust other people. Something of a challenge if you’re engaging in a criminal enterprise, but something like Shamir’s Secret Sharing could work as a backup for your keys. Still, something encrypted can amplify the amount that you can effectively remember.
Technological solutions are steganography and deniability, both already described by other commenters.
Potential legal solutions:
– befriend a foreign ambassador and ask him to keep the key at his home or workplace
– become a foreign ambassador
– move to N Korea
– become a foreign spy. If you get arrested – simply wait till you get exchanged
– use a long sentence from your communications with your lawyer as a key - cannot be subpoenaed and you can always get its copy from the lawyer.
I agree. This is a much harder problem to solve than most people realize or give credit for. Cracking a private key is, as far as I know, effectively impossible. However, breaking into the places where one might store a private key is quite possible. These days almost all Bitcoin and other cryptocurrency keys are stored as mnemonics, but I still wouldn’t trust my memory of 12, 13, 24, or 25 words with millions of dollars worth of cryptocurrency. I wouldn’t even trust it with a few bucks, to be honest, especially because one rarely needs to recall that key so memory is likely to fade.
The solution of sharding your key is the “obvious” choice. I’ll point out, however, that the way you have simply split it up in your post is a big no-no. There are much better ways of sharding private keys available which don’t cause some fraction of the original key to be revealed on their own (ie, in your scenario, someone who finds part A could guess at other parts much more effectively…in fact, this would probably be within the FBI’s power to do with a split key…keys are as complex as they are for a reason!). Anyway, see here: https://github.com/oed/seedsplit for an implementation of Shamir’s Secret Sharing that’s very useful for this sort of thing.
But even if you do proper sharding of private keys, it’s pretty difficult to hide from law enforcement. The best way I can think of to do it is to custody the shards with people in different places around the world who know what/how important the shards are, but who don’t know each other and may not even know the owner of the shard (ie, the person providing them with the shard is a proxy, with a different proxy used for each person). A competent criminal organization could probably pull this off, and done well I think it would be extremely hard to crack. The tradeoff, however, is the difficulty of regaining access to the reconstituted private key. This is where most people, particularly a criminal organization, probably look at this solution and decide it’s not worth the effort.
David (#14): Thanks for this. I keep coming back to the question of how it interacts with the onset of dementia, but maybe that’s not so serious a problem. You can leave yourself a detailed note explaining exactly what you did, including the order of the finite field and the degree of the polynomial you used in the Shamir algorithm. This can be kept on paper and on your computer, in multiple places, where it won’t be a bit of help to anybody who doesn’t know who you distributed the keys to.
You do need a way of remembering who has the keys, but that’s at least no more of a problem with the Shamir method than it is with any of the less sophisticated (and less secure) methods that I mentioned in the post.
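The difference between the post's A/B/C split and Shamir's scheme, as an added example (not part of the thread and not code from seedsplit). The field order `P`, the function names, and the cut points for parts A, B and C of a 64-character hex key are assumptions made for illustration; `P` and `k` are the "order of the finite field" and (degree + 1) that would go in the recovery note.

```python
import secrets

P = 2**521 - 1  # field order: a Mersenne prime larger than any 256-bit key

def split(secret, k, n):
    """n shares of a random degree-(k-1) polynomial f over GF(P), f(0) = secret."""
    if not (0 <= secret < P and 2 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover(shares):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def naive_unknown_bits(hex_key, location):
    """Bits left to guess after one location of the A+B / B+C / A+C scheme is found."""
    a, b, c = hex_key[:22], hex_key[22:43], hex_key[43:]  # assumed cut points
    found = {1: a + b, 2: b + c, 3: a + c}[location]
    return 4 * (len(hex_key) - len(found))

if __name__ == "__main__":
    key_hex = secrets.token_hex(32)  # constructed sample key, not a real wallet key
    shares = split(int(key_hex, 16), k=2, n=3)
    assert recover(shares[:2]) == recover(shares[1:]) == int(key_hex, 16)
    print("naive split, one location found:",
          naive_unknown_bits(key_hex, 1), "bits left of 256")
```

With the naive split, a single location hands over two thirds of the key; with a 2-of-3 Shamir split, a single share is consistent with every possible key, so finding one location reveals nothing.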
It is extremely hard for me to engage with any problem that assumes I have severe dementia…it sounds so much like a “what would you do if you were dead?” problem. The “hit by a bus” situation is more accessible to my frame of mind, and I can’t think of anything better there than to share some information with my heirs before that happens…pretty much anything in that vein is more a question of how much I trust my heirs than mathematically interesting.
When is the movie about this scenario coming out? Something along Dan Brown lines perhaps.