Blockstream Jade uses oracle-enforced PIN protection to encrypt your Jade's recovery phrase. This unique security model functions as a virtual secure element to provide extra protection for your funds and comes with several key benefits.
Security Model Explained
During the Jade initialization process, users are asked to create a unique PIN. This PIN is used in combination with a blind oracle managed by Blockstream to encrypt Jade's key material, so that three secrets are needed to decrypt your recovery phrase and spend funds:
- User-generated unique PIN
- Jade secret
- Oracle secret
When users are ready to unlock Jade, they are prompted to enter their PIN. Jade then establishes an encrypted channel with the blind oracle, relayed through the companion app (e.g. Green), over which the oracle secret is sent to Jade. Jade uses it to decrypt its own secret, and you can spend bitcoin.
The blind oracle is truly blind: it knows nothing about you or your wallet data, it does not even learn your actual PIN, and it can be accessed over Tor.
To learn more about how this process works, visit our FAQ.
Note: Jade unlocks only if the correct PIN is entered. To prevent brute-forcing, the oracle and Jade both delete their keys after the wrong PIN is entered three times. At that point users will need to restore Jade with their recovery phrase.
Benefits of Oracle-Enforced PIN Protection
Due to the process described above, your recovery phrase is very strongly encrypted on your device. This comes with some powerful benefits:
- Attackers with access to your Jade cannot steal your funds, as they would need to compromise both your local encrypted flash and the remote PIN oracle.
- Jade remains fully open-source by not requiring a secure element and utilizing a PIN oracle instead.
However, this model is not without tradeoffs: unlocking with a PIN requires communication with Blockstream's blind oracle. To avoid depending on Blockstream's oracle, users can:
- Run their own PIN oracle.
- Unlock Jade using their recovery phrase directly, by scanning a SeedQR for example.
Encryption Process
During initialization, Jade prompts the user to choose a unique PIN. This PIN is used in combination with a blind PIN oracle to encrypt your Jade's key material. The companion app you connect your Jade to relays messages between Jade and the PIN oracle, but it is blind to the data communicated because that data is encrypted end to end. Jade itself never connects to the blind PIN oracle directly; every message passes through the app.
To prevent a physical attack on a stolen Jade from extracting the seed and stealing coins, the seed is encrypted with random keys split between the Jade device and a lock-out oracle.
In more detail: once the PIN is chosen, an ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange takes place between Jade and the remote oracle. ECDH allows two parties to derive a shared secret over a public, insecure channel without any previously shared secret. Jade performs this exchange against a known public key of the blind PIN oracle, so only the holder of the matching private key can derive the same shared secret, and the communications channel can then be fully encrypted. Once the encrypted channel is established, Jade and the remote oracle work together to create an AES-256 key.
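The channel set-up described above, as an added example written for this page (it is not Jade firmware or Blockstream's oracle code). The page does not name the curve or the key derivation; this model assumes P-256 ECDH, SHA-256 over the shared secret as the session-key derivation and AES-256-GCM for the channel, and it represents the companion app as a plain `relay` function that only forwards bytes. The oracle's reply is a constructed echo so the round trip is visible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// channel is the encrypted pipe between Jade and the oracle, keyed from the ECDH result.
type channel struct{ g cipher.AEAD }
func newChannel(shared []byte) channel {
	h := sha256.Sum256(append([]byte("jade-oracle-channel|"), shared...)) // KDF: model's choice
	block, _ := aes.NewCipher(h[:])                                       // 32-byte key: AES-256
	g, _ := cipher.NewGCM(block)                                          // neither call can fail here
	return channel{g}
}
// seal and open give confidentiality plus integrity: nonce || ciphertext || tag.
func (c channel) seal(msg []byte) ([]byte, error) {
	nonce := make([]byte, c.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.g.Seal(nonce, nonce, msg, nil), nil
}
func (c channel) open(box []byte) ([]byte, error) {
	n := c.g.NonceSize()
	if len(box) < n {
		return nil, errors.New("channel: message too short")
	}
	return c.g.Open(nil, box[:n], box[n:], nil)
}
// derive parses the peer's public key, runs ECDH with our private key and keys a channel.
func derive(priv *ecdh.PrivateKey, peerPub []byte) (channel, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return channel{}, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return channel{}, err
	}
	return newChannel(shared), nil
}

// PinOracle holds a long-lived P-256 key; only its public half is shipped in Jade firmware.
type PinOracle struct{ static *ecdh.PrivateKey }
func NewPinOracle() (*PinOracle, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	return &PinOracle{static: k}, err
}
func (o *PinOracle) PublicKey() []byte { return o.static.PublicKey().Bytes() }
// Handle is one oracle round trip: open the request, answer under the same session key.
func (o *PinOracle) Handle(ephPub, box []byte) ([]byte, error) {
	c, err := derive(o.static, ephPub)
	if err != nil {
		return nil, err
	}
	req, err := c.open(box) // fails if Jade keyed to someone else's public key or the relay tampered
	if err != nil {
		return nil, err
	}
	return c.seal(append([]byte("oracle-reply:"), req...))
}

// JadeExchange is the device side. A fresh ephemeral key per session is combined with the
// pinned oracle public key, so only the genuine oracle can open the request; the relay (the
// companion app) carries just the ephemeral public key and ciphertext and learns nothing else.
func JadeExchange(pinnedOraclePub []byte, relay func(ephPub, box []byte) ([]byte, error), request []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c, err := derive(eph, pinnedOraclePub)
	if err != nil {
		return nil, err
	}
	box, err := c.seal(request)
	if err != nil {
		return nil, err
	}
	replyBox, err := relay(eph.PublicKey().Bytes(), box)
	if err != nil {
		return nil, err
	}
	return c.open(replyBox)
}

func main() {
	o, err := NewPinOracle()
	if err != nil {
		panic(err)
	}
	reply, err := JadeExchange(o.PublicKey(), o.Handle, []byte("constructed request"))
	fmt.Printf("reply=%q err=%v\n", reply, err)
}
```

JadeExchange derives the channel key against the oracle public key pinned in the device, so a relay that substitutes its own oracle, or flips a ciphertext bit, gets an authentication failure rather than plaintext. That is what makes the companion app blind: it sees an ephemeral public key and ciphertext, nothing more.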
When a new wallet recovery phrase is created, entropy is gathered from the entropy pool, and the resulting key material for the recovery phrase is encrypted with the AES-256 key. This data can only be decrypted when the user enters the correct PIN on Jade and a connection to the remote PIN oracle is established, mediated by the companion app (e.g. Blockstream Green). Since the oracle holds only part of the AES-256 key, it is blind to your wallet's keys and to the PIN used on Jade. All data at rest on the oracle is encrypted.
Note: If the PIN is entered incorrectly 3 times, the oracle and Jade both delete their secret, and the wallet must be restored from the recovery phrase.
The newly encrypted key material is then stored in the encrypted off-chip flash of the Jade and protected by Secure Boot. Secure Boot prevents unsigned firmware, such as a compromised image planted by an attacker, from running on your Jade, ensuring that only properly signed firmware is used to boot the device.
Your Blockstream Jade now has a strongly encrypted recovery phrase. An attacker would need to compromise both the local encrypted flash on the Jade and the remote PIN oracle in order to access the recovery phrase.
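The three-secret split, the oracle's blindness to the PIN and the three-strikes wipe on both sides (described in the Security Model section above and again in this section), as a runnable model added for this page. It is not Jade firmware or Blockstream's oracle code, and the concrete choices are the model's own assumptions: the device stores a random 32-byte Jade secret and an opaque record id; the PIN is never sent, only an HMAC of it under the Jade secret (`pinProof`); the oracle keeps a hash of that proof, a random 32-byte oracle secret and a failure counter; and the seed is sealed with AES-256-GCM under a key derived (`wrapKey`) from all three secrets. The sample seed and PINs are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const maxAttempts = 3 // the third consecutive wrong PIN wipes both shares
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // 32-byte key: AES-256
// pinProof replaces the PIN on the wire with an HMAC under the device secret: the oracle never sees the PIN.
func pinProof(jadeSecret []byte, pin string) []byte {
	m := hmac.New(sha256.New, jadeSecret)
	m.Write([]byte("pin-proof|" + pin))
	return m.Sum(nil)
}
// wrapKey derives the AES-256 key from all three secrets, so one leaked share alone is useless.
func wrapKey(jadeSecret, oracleSecret []byte, pin string) []byte {
	m := hmac.New(sha256.New, jadeSecret)
	m.Write([]byte("wrap-key|" + pin + "|"))
	m.Write(oracleSecret)
	return m.Sum(nil)
}

// Oracle is the blind PIN server: per opaque record id it keeps a proof hash, its key share and a failure count.
type record struct{ proofHash, oracleSecret []byte; failures int }
type Oracle map[string]*record
func (o Oracle) Enrol(id, proof []byte) []byte {
	h := sha256.Sum256(proof)
	r := &record{proofHash: h[:], oracleSecret: random(32)}
	o[string(id)] = r
	return r.oracleSecret
}
// Unlock releases the share only for a matching proof; the third miss in a row deletes the record.
func (o Oracle) Unlock(id, proof []byte) ([]byte, error) {
	r, ok := o[string(id)]
	if !ok {
		return nil, errors.New("oracle: no record (never enrolled or already wiped)")
	}
	h := sha256.Sum256(proof)
	if hmac.Equal(r.proofHash, h[:]) { // constant-time compare
		r.failures = 0
		return r.oracleSecret, nil
	}
	r.failures++
	if r.failures >= maxAttempts {
		delete(o, string(id))
		return nil, fmt.Errorf("oracle: wrong PIN %d times, share deleted", maxAttempts)
	}
	return nil, fmt.Errorf("oracle: wrong PIN, %d attempts left", maxAttempts-r.failures)
}

// Jade models the device flash: its secret share, the oracle record id and the AES-256-GCM sealed seed.
type Jade struct{ jadeSecret, recordID, sealed []byte; failures int }
func Setup(o Oracle, seed []byte, pin string) *Jade {
	j := &Jade{jadeSecret: random(32), recordID: random(16)}
	oracleSecret := o.Enrol(j.recordID, pinProof(j.jadeSecret, pin))
	gcm := newGCM(wrapKey(j.jadeSecret, oracleSecret, pin))
	nonce := random(gcm.NonceSize())
	j.sealed = gcm.Seal(nonce, nonce, seed, nil) // nonce || ciphertext || tag
	return j
}
// Unlock mirrors the lock-out on the device: after the third rejection Jade discards its share too.
func (j *Jade) Unlock(o Oracle, pin string) ([]byte, error) {
	if j.jadeSecret == nil {
		return nil, errors.New("jade: wiped, restore from recovery phrase")
	}
	oracleSecret, err := o.Unlock(j.recordID, pinProof(j.jadeSecret, pin))
	if err != nil {
		j.failures++
		if j.failures >= maxAttempts {
			j.jadeSecret, j.sealed = nil, nil
		}
		return nil, err
	}
	j.failures = 0
	gcm := newGCM(wrapKey(j.jadeSecret, oracleSecret, pin))
	n := gcm.NonceSize()
	return gcm.Open(nil, j.sealed[:n], j.sealed[n:], nil)
}

func main() {
	o := Oracle{}
	j := Setup(o, []byte("constructed sample seed, not a real one"), "123456")
	for _, pin := range []string{"000000", "123456", "111111", "222222", "333333", "123456"} {
		seed, err := j.Unlock(o, pin)
		fmt.Printf("pin %s: seed=%q err=%v\n", pin, seed, err)
	}
}
```

Running main shows one wrong attempt, a correct unlock that resets both counters, then three consecutive misses after which the oracle record and the device copy are both gone, so the final correct PIN is refused. The point to take from the model: a flash dump yields only `jadeSecret`, `recordID` and ciphertext, the oracle database yields only a proof hash and its own share, neither side can brute-force the PIN offline, and the one online path that could is cut off by deletion after three misses.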