Wallet Cryptography 101

Steve Swing Substratum CTO

@sswing

WalletsCold Storage

https://coldti.com/

WalletsPaper

https://upload.wikimedia.org/wikipedia/commons/c/c6/A_paper_printable_Bitcoin_wallet_consisting_of_one_bitcoin_address_for_receiving_and_the_

corresponding_private_key_for_spending.png

WalletsMycelium Entropy

https://mycelium.com/mycelium-entropy.html

WalletsLedger Nano S

https://www.ledgerwallet.com/images/products/lns/ledger-nano-s-fold-large.png

WalletsLedgerBlue

https://www.ledgerwallet.com/images/products/lwb/ledger-blue-front-back-large.png

WalletsTrezor

https://shop.trezor.io/static/img/product/T1.jpg?v=1 https://shop.trezor.io/static/img/product/T1_white2.jpg

WalletsKeepKey

https://www.keepkey.com/wp-content/uploads/2014/08/12121301/shapeshift-large.jpg

Software Wallets• Bisq (Bitcoin Square)

WalletsElectrum

https://en.bitcoin.it/wiki/File:Capture-Electrum.png

Mobile Wallets

Wallets• A cryptocurrency wallet does not store coins or tokens

like a fiat currency wallet or coin purse

• Cryptocurrency is stored in transactions or in SmartContracts on the blockchain

• Wallets are a mechanism to keep track of private and public keys

• Privacy and secrecy of private keys is critical to avoid loss

More Like Debit Card• Just as debit cards are a means to access fiat currency in

an electronic account…

• Cryptocurrency wallets provide access to coins and tokens for transactions

• You must prove you have the private key

Wallets

• Paper - at risk for fire, flood, deterioration

• Brain - at risk due to death or mental incapacitation

• Software - at risk via unauthorized electronic access

• Hardware - recovery mnemonic phrase is lost or leaked

Downsides

Terminology• Public & Private Key Pairs

• Private keys decrypt data or messages encrypted with the corresponding public key

• Public keys verify signatures made by signing data with the corresponding private key

• HMAC - Hash-based Message Authentication Code

• SHA - Secure Hashing Algorithm

• SHA-1, SHA-2, SHA-3, SHA-256, SHA-384, SHA-512 (bits)

Bitcoin Improvement Proposals (BIP)

• https://github.com/bitcoin/bips/

• BIP0032 - Hierarchical Deterministic Wallets

• BIP0038 - Passphrase-protected private key

• BIP0039 - Mnemonic code for generating deterministic keys

• BIP0044 - Multi-Account Hierarchy for Deterministic Wallets

BIP32 - Hierarchical Deterministic Wallets

BIP39 - Mnemonic Phrase• Encodes ENTropy in multiples of 32 bits

• ENT - 128-256 bits

• Checksum (CS) = ENT/32

• Mnemonic Sentence (MS) = (ENT + CS) / 11

• ENT+CS grouped into 11-bit groups encoding a number 0-2047 serving as an index into a wordlist

• Wordlists: https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md

ENT CS ENT+CS MS128 4 132 12160 5 165 15192 6 198 18224 7 231 21256 8 264 24

BIP39 Visualized

asset nose alarm toward marriage skull hole shoe drive feel trap joke vicious hollow trumpet case clap bullet bag merge proud cup mimic outside

Mnemonic Phrase(24 words)

BIP39 Visualized

0db2cc17730885959b2e33434a9b9d3c2f38d9fa611929c3c44645bacc6b6334

00001101101 10010110011 00000101110 11100110000 10001000010 11001010110 01101100101 11000110011 01000011010 01010100110 11100111010 01111000010 11110011100 01101100111 11101001100 00100011001 00101001110 00011110001 00010001100 10001011011 10101100110 00110101101 10001100110 100

11101100

256 bits of entropy

+8 bits checksum

264 bits

BIP39 Visualized0db → 0000 1101 10112cc → 0010 1100 1100177 → 0001 0111 0111308 → 0011 0000 1000859 → 1000 0101 100159b → 0101 1001 10112e3 → 0010 1110 0011343 → 0011 0100 00114a9 → 0100 1010 1001b9d → 1011 1001 11013c2 → 0011 1100 0010f38 → 1111 0011 1000d9f → 1101 1001 1111a61 → 1010 0110 0001192 → 0001 1001 00109c3 → 1001 1100 0011c44 → 1100 0100 0100645 → 0110 0100 0101 bac → 1011 1010 1100c6b → 1100 0110 1011633 → 0110 0011 00114ec → 0100 1110 1100

3 nybbles

BIP39 Visualized0000 1101 10110010 1100 11000001 0111 01110011 0000 10001000 0101 10010101 1001 10110010 1110 00110011 0100 00110100 1010 10011011 1001 11010011 1100 00101111 0011 10001101 1001 11111010 0110 00010001 1001 00101001 1100 00111100 0100 01000110 0100 0101 1011 1010 11001100 0110 10110110 0011 00110100 1110 1100

12-bits

} 22 rows (12 * 22 = 264)

BIP39 Visualized0000 1101 1011001 0110 0110000 0101 1101110 0110 0001000 1000 0101100 1010 1100110 1100 1011100 0110 0110100 0011 0100101 0100 1101110 0111 0100111 1000 0101111 0011 1000110 1100 1111110 1001 1000010 0011 0010010 1001 1100001 1110 0010001 0001 1001000 1011 0111010 1100 1100011 0101 1011000 1100 1101001 1101 100

11-bits

} 24 rows (11 * 24 = 264)

BIP39 Visualized000011011011001011001100000101110111001100001000100001011001010110011011001011100011001101000011010010101001101110011101001111000010111100111000110110011111101001100001000110010010100111000011110001000100011001000101101110101100110001101011011000110011010011101100

11-bits

BIP39 Visualized00001101101 → 10910010110011 → 120300000101110 → 4611100110000 → 184010001000010 → 109011001010110 → 162201101100101 → 86911000110011 → 158701000011010 → 53801010100110 → 67811100111010 → 185001111000010 → 96211110011100 → 194801101100111 → 87111101001100 → 186800100011001 → 28100101001110 → 33400011110001 → 24100010001100 → 14010001011011 → 111510101100110 → 138200110101101 → 42910001100110 → 112610011101100 → 1260

11-bits index

BIP39 Visualized00001101101 → 109 → asset10010110011 → 1203→ nose00000101110 → 46 → alarm11100110000 → 1840→ toward10001000010 → 1090→ marriage11001010110 → 1622→ skull01101100101 → 869 → hole11000110011 → 1587→ shoe01000011010 → 538 → drive01010100110 → 678 → feel11100111010 → 1850→ trap01111000010 → 962 → joke11110011100 → 1948→ vicious01101100111 → 871 → hollow11101001100 → 1868→ trumpet00100011001 → 281 → case00101001110 → 334 → clap00011110001 → 241 → bullet00010001100 → 140 → bag10001011011 → 1115→ merge10101100110 → 1382→ proud00110101101 → 429 → cup10001100110 → 1126→ mimic10011101100 → 1260→ outside

11-bits index word

BIP44 - Multi-Account Hierarchy for Deterministic Wallets

• Defines 5 levels in BIP32 Path

• m / purpose' / coin_type' / account' / change / address_index

• ' (prime) — indicates a hardened derivation path (0x80000000)

• purpose — e.g. 44’ (0x8000002C)

• coin type — e.g. ETH = 60' (see https://github.com/satoshilabs/slips/blob/master/slip-0044.md for full list) note 60’ (0x8000003C)

• account — from 0 to ’n’ (hardened) 231-232-1 (0x80000000 - 0xFFFFFFFF)

• change — 0 = external, 1 = internal (applies to BTC et. al.)

• address index — from 0 to ‘k’ (k = 231-1) (0x00000000 - 0x7FFFFFFF)

MyEtherWallet

MyEtherWallet

MyEtherWalletPurpose

MyEtherWalletCoin Type

MyEtherWalletAccount

MetaMask

Wallet Safety

• Internet Safety Applies

• Extreme care of password hygiene, privacy, and security

• Unique passwords

• MFA or 2FA

• Social engineering exploits, Phishing, Scams, Nefarious trickery and chicanery

Wallet Safety

• Keep software up-to-date

• OS

• Browser

• Security patches

• Shared access with family and friends

Wallet Safety• Keep your mnemonic recovery phrase secret

• Don't photograph your mnemonic recovery phrase

• Store your mnemonic recovery phrase carefully

• Fade proof ink

• Waterproof

• Fireproof

• Insect proof

• Test your mnemonic recovery phrase

Offline Usage• Airgapped Hardware

• USB/Flash/Memory card storage

• Docker Image

• Virtual machine

• Electron App

• Local stand-alone html pages

Offline Examples• Docker: MyEtherWallet

• Electron: BIP39 Page

Diversification• Multiple hardware wallets

• Multiple hardware wallet initializations

• Maintain assets on several different wallet types

Considerations• Survivor access

• Leave instructions in safe deposit box

• On file with estate attorney

• Keep access instructions up to date when things change

Questions• @sswing

• https://github.com/steveswing

• Ohio Linux Fest 2pm Saturday 10/13/2018

• https://substratum.net

• @SubstratumNet

• https://youtube.com/SubstratumNetwork