2 upvotes, 1 direct replies (showing 1)
View submission: Lightning Network Megathread
I haven't seen any actual work on this but in theory one of the more capable hardware wallets should be able to handle this. Keep a hw wallet/node dongle connected to your node at all times. Make it aware of the amounts going in and out and set some logic to only sign transactions that equal out. That way your node can handle transactions and channel balancing and it can't be emptied if the node is compromised.
If you want to use your node to pay you need to input a code into the device and so on. If the hardware lacks storage it can use the host to store encrypted data or even use the cloud.
Some issues I can forsee is if an attacker can force a compromised node to publish an old channel state or similar so it needs to handle most such things in an encrypted fashion. But layering encryption like that shouldn't be a problem.
Comment by tripledogdareya at 03/01/2018 at 18:03 UTC
5 upvotes, 1 direct replies
While these may be suitable for some use cases, the intentionally limited capabilities of hardware wallets prevent them from providing advanced anti-fraud capability. For instance, detecting anomalous routing would require an up-to-date view of the network. This either needs to come from a trusted source (which itself needs to be secured) or the wallet needs to be able to acquire it for itself. Start adding complex features to the waller, such as a network stack and LN client, and you add additional security footprint. These are less concrete capabilities, which will require more complex updates. Even the suggestion of external storage comes with security complications - from where is the data sourced, how is that data encrypted and authenticated, how are the data encryption keys protected?
Yes, moving keys to HSM is an excellent idea, but when performing autonomous signing you need strong controls around submission. HSMs alone are not sufficient nor suitable for this purpose.