justin j. moses

@justinjmoses

Crypto for Adventurers. Part 1: Access

April 3rd 2019

This guide is meant as a companion to your adventure in crypto. It follows the first article in the series which covered the promises and excitement of blockchain technologies in the context of its evolution over the past decade. If you’ve already delved into the space, I’m hopeful these articles will fill in some hidden gaps.

My journey in crypto has not been straightforward. I’ve been in tech the last few decades and yet I found the maze of services, offerings, platforms and tokens in blockchain frankly overwhelming.

I needed to build up a mental model of the entire puzzle, but I struggled to know where to start. Over time I learned about the evolution of the various blockchain generations enough to understand what they had in common and where they distinguished themselves. Yet I still had to infer the various camps within the crypto world and interpret articles from the context of that author’s perspective. 🤯

As a learn-by-tinkering kind of person, I found this incredibly daunting in the backdrop of the 2017-18 crypto craze.

Over time I started to build up a mental model that, while patchy, had shape and texture.

Here’s my attempt to short-circuit this mental model for you, fellow adventurer.

The first thing I needed was access. In crypto that means owning a wallet to send & receive cryptocurrency along with other blockchain actions.

Next was a way to acquire crypto — either as a gift, earnings or purchasing directly using regular old fiat currency.

Then I had to understand the various flavors of cryptocurrencies on offer. Bitcoin (BTC) was the currency of the Bitcoin blockchain and ether (ETH) of Ethereum but what about these “ERC20” tokens? Or Tether (USDT) on Omni? How were they useful and what could I do with them?

Fourth were the implications of using crypto. How safe was it? What best practices should I be following? What contingency plans did I have to follow?

And finally were the day to day transactions. I’d have to pay every time I wanted to transact on the blockchain? What are the different prices I can pay? How can I make a transaction get processed faster? How can I see what I’ve transacted? Can I see what others have done? Why do I need to keep “signing” actions?

So, let’s start at the first hurdle — wallets.

Wallets are perhaps the most important — and most confusing — aspect of crypto. They are a huge obstacle to attracting more people to the space. Without them you can’t do anything — not even receive tokens — so getting users familiar with their workings is paramount.

Sadly most wallet applications are set up for experienced users, and leave newbies scratching their heads (if they even stick around that long). Forget convincing my parents to create a wallet — even I needed to wrap my head around it first.

The user interfaces of wallets are confusing, because they can actually do a lot of things on your behalf. First though — we need to discuss keys.

Where are my keys?
For most blockchains, your wallet will contain a hidden secret — a private key — basically a very long password that you keep secure. These wallet applications will either allow you to import an existing private key, or create a new one for you. They’ll strongly urge you to save a backup copy of it somewhere, either written on a piece of paper and stored securely or in a password vault (though as you can see below Electrum warns strongly against storing it digitally at all!).

Typically instead of a random collection of letters and numbers, the application will ask you to remember an ordered set of 12–24 words — a seed phrase or mnemonic — from which it can generate the private key.

Creating a new Bitcoin wallet using a seed phrase. This is the desktop wallet application Electrum.

Using the private key, the wallet will provide you with an address — effectively a string of characters — that is also referred to as your public key. That’s what you share with others when you want to receive tokens. You can think of your public key as a PO Box, and the private key your tool to open it.

As the backing of a wallet is simply public/private key encryption, there are a plethora of websites that can generate these pairs for you. I would advise against using them for anything other than demo purposes — who knows if the site administrators aren’t tracking the private keys they generate. (Recall from the previous article that all a malicious actor needs is your private key to transfer all of your funds to an address of their choosing.)

For the sake of this article, I went to walletgenerator.net to create a new Bitcoin public/private pair:

An example public Bitcoin address (a public key) that is backed by a longer password (private key). (Example only, do not use this with real funds).

You can see the public address of the above wallet is 12XUgG5jsEH5pyYU1vwbQ3cY8eQbfVY1f which was generated from the longer private key of 5J4Q1mc41vBt7qVuecBJm4r5s2ZoQujSyLwUSEFGKn1SJJeo3AL

I did the same for Ethereum, using vanity-eth.tk to generate the following:

An example public Ethereum address, backed by a private key. (Example only, do not use this with real funds).

You can see the address and private key are hexadecimal (0–9 & A-F) in Ethereum, whereas in Bitcoin they are alphanumeric (0–9 & A-Z). In both cases, the private key could have been created from a 12–24 word seed phrase, but these websites didn’t provide that functionality.

Additionally, here’s an example of an EOS public/private pair from nadejde.github.io/eos-token-sale. EOS keys are also alphanumeric:

An EOS public/private pair, EOS also uses alphanumeric keys. (Example only, do not use this with real funds).

Putting the crypt in crypto
Most blockchains use public/private key encryption. You share your public key with the sender when you want to receive funds. Your private key is never shared — you use it only with wallet applications in order to sign transactions.

All blockchains employ some kind of encryption (hence the abbreviation “crypto” from cryptography) to ensure the actions processed are indeed submitted by those who requested it¹.

¹ A fun rabbit hole is public/private key encryption, here’s a start if you’re that way inclined.

The application you use to manage your wallet is, super confusingly, also referred to as your wallet. Effectively it’s just software that can perform transactions on the blockchain on your behalf; most popular ones are largely interchangeable. What’s imperative however is how secure it is against malware. That is, how well does it stand up to malicious software designed to capture private keys and transmit them whenever you are online?

Regardless of how secure your wallet is, there are still ways you can be vulnerable to attack. Last year there was a famous piece of malware on Windows that would mutate your clipboard contents on paste whenever it detected a high-value Bitcoin address; it would effectively replace your clipboard contents with an address that looked similar yet was controlled by the author of the malware, thereby tricking you into sending them funds! 😲 We’ll discuss these more in the upcoming implications part of this series.

The private key is what your wallet application uses to sign transactions² — basically it encrypts each action you perform (such as sending someone some tokens) in a transaction with your private key. It then publishes this along with your address (your public key) to some blockchain node (any one of the thousands online around the world) that ensures that it was indeed encrypted with the private key pair of the wallet address you provided it with. Assuming all is good the node then propagates to its peers, one of which eventually includes it in the next block (through mining), and processes your transaction. Phew. Don’t worry if you didn’t get all that — we’ll also cover this in more detail later in the series.

² OK so technically with a HD wallet your private key just generates many public/private pairs. More on that in a bit.

dApp that wallet
This is what a common Ethereum wallet looks like — it’s a Chrome extension called MetaMask. Here I’m accessing the Ethereum dApp (decentralized application) synthetix.exchange and it wants to interact with my wallet. As Ethereum dApps run on the web (a la “web 3.0”), having a browser extension or desktop application to interface with provides a level of ease. The dApp asks my wallet to sign actions via JavaScript, and my wallet will check with me before encrypting the transaction with my private key, never sharing the actual key with the app.

Using MetaMask (an Ethereum wallet provided as a Chrome extension) in a browser-based Ethereum dApp. Here I am simply allowing the dApp to communicate with the wallet, not transacting.

And here’s a similar action performed on the EOS blockchain, using Scatter — the popular EOS wallet desktop application — to connect to the eostoolkit.io dApp.

Using Scatter (an EOS wallet provided as a desktop application) in a browser-based EOS dApp. Here I am simply allowing the dApp to communicate with the wallet, not transacting.

Disaster recovery
What’s really powerful about your private key is that it’s enough to restore an entire modern wallet. Let’s say you lose your laptop, with Electrum or MetaMask on it. When you eventually run the wallet application again on a new computer, both will offer you the option to import an existing wallet. You can do this either by adding in the private key or the seed phrase you either stored on paper somewhere or in a private password vault.

From your private key, the public key is deterministically generated³ — so you don’t even have to remember it. In fact, modern wallets allow you to create a virtually limitless number of addresses based off the one private key. What’s more, due to the way it is encrypted, no one can determine that any of these addresses are related to each other. Under the hood, what’s actually happening is that for every new address you create, a new private key is created that is based off a set formula (so if recreated from scratch the same keys will be generated in order).

³ How you say? Hierarchical Deterministic (HD) wallets to the rescue. Here’s a really thorough deep dive for the morbidly curious.

Creating a new MetaMask wallet. I install with a new phrase, create a second account (or public key), remove the wallet, then restore from the seed phrase and create a second account again. Note how the public keys are exactly the same in both instances.

So, from your private key alone you have all the public keys you’ve ever used. And, since every transaction that has ever occurred is stored on the blockchain, your wallet can load up the history easily by querying the blockchain for all activity related to your addresses.
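An added example (not from the original article) of the "set formula" behind restoring a wallet: the seed phrase is stretched into a seed as specified by BIP-39, and BIP-32 hardened derivation then yields the same private keys in the same order every time. The flat path m/0', m/1', ... and the function names are simplifying assumptions; real wallets use deeper paths and go on to compute a public address from each key.

```python
# Added illustration: seed phrase -> seed -> keys, using BIP-39 and BIP-32 hardened derivation.
import hashlib, hmac, unicodedata

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order

def mnemonic_to_seed(phrase, passphrase=""):
    """BIP-39: stretch the words with PBKDF2-HMAC-SHA512 (2048 rounds) into a 64-byte seed."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(phrase), nfkd("mnemonic" + passphrase), 2048, 64)

def master_key(seed):
    """BIP-32: HMAC-SHA512 of the seed gives (master private key, chain code)."""
    out = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(out[:32], "big"), out[32:]

def hardened_child(key, chain, index):
    """BIP-32 hardened child: a fixed formula over the parent key, chain code and index."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | 0x80000000).to_bytes(4, "big")
    out = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(out[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:  # astronomically unlikely; BIP-32 says skip this index
        raise ValueError("invalid child key, use the next index")
    return child, out[32:]

def restore_keys(phrase, count, passphrase=""):
    """Regenerate the first `count` private keys, in order, from nothing but the phrase.
    Simplified flat path m/0', m/1', ... (an assumption; real wallets use deeper paths)."""
    key, chain = master_key(mnemonic_to_seed(phrase, passphrase))
    return [format(hardened_child(key, chain, i)[0], "064x") for i in range(count)]

# Public BIP-39 test phrase; anyone can derive its keys, so never fund it.
PHRASE = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    before_loss = restore_keys(PHRASE, 3)
    after_restore = restore_keys(PHRASE, 3)  # new machine, same words
    print("same keys after restore:", before_loss == after_restore)
    print("same keys with a passphrase:", restore_keys(PHRASE, 3, "extra words") == before_loss)
```

The optional passphrase is mixed into the seed, so the same words with a different passphrase open an entirely different set of keys; anyone who holds the words and the passphrase can regenerate every key.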

Keeping it cool
When you use an application like MetaMask (a browser extension) or a desktop app like Scatter, you are storing the private key on your machine. If your machine is ever connected to the internet, then the wallet is referred to as hot. If you’d prefer to keep your private key blocked from the internet entirely, you would use a cold storage wallet. These range from simply writing down your seed phrase on paper to a USB device that can sign transactions on your behalf but has no way to reveal the private key. The latter are referred to as hardware wallets.

A Trezor — one type of cold storage wallet.

A cold storage hardware wallet is more secure than a hot wallet like MetaMask by virtue of the fact that the device is prevented from ever sharing the keys to the kingdom. The device itself, along with a PIN and optional passphrase, is what you’ll need to sign transactions. The host computer that you plug your device into will still connect to the internet to broadcast transactions to the target blockchain (say when you want to send someone some bitcoin or ether), but the wallet is still considered cold as, by design, no one, not even malicious software, can get the private key off the device.

When you first use a cold storage wallet, you’ll be given a seed phrase to write down and store somewhere physically secure. If you ever lose the actual device, you’ll need to use that seed phrase — either when setting up a new cold storage wallet, or using a hot wallet. As you can imagine, your seed phrase is precious — more precious than your hardware wallet; if you lose your hardware wallet it’s at least secured by a PIN and passphrase — your seed phrase on the other hand is fair game. Be very careful where and how you store it.

Unlike MetaMask and Electrum which are targeted to the Ethereum and Bitcoin blockchains respectively, most hardware wallets like Trezor and Ledger support multiple blockchains — so the one device can hold cryptocurrencies from a number of different chains. Particularly useful so you don’t need to walk around with a keychain full of different devices.

An example dashboard from Ledger. Note the different cryptocurrencies in the bottom left.

Finally, one last item to mention is multisignature (multisig) wallets. In short, a private key can be split into pieces and distributed to others for added security — think about a safe deposit box accessed with three keys, each controlled by a different person. This is obviously a pretty severe restriction to day-to-day transactions, yet it’s a precaution you’d consider if you take your security very seriously. It could also potentially mitigate something like this from ever happening — creating a succession plan for your funds when one day you’re unable to.

Creating a 3-of-5 multi-signature Bitcoin wallet in Electrum.

Takeaways

  1. Most blockchains use public/private key encryption. Think of it as a PO Box address you share and a key to keep it private.
  2. A wallet can refer to a public/private key pair or an application that both stores your private key securely, and signs transactions on your behalf with that key.
  3. Most modern wallets are deterministic (HD), and hence can create any number of addresses from the one private key. Without your private key, no one can tell that these addresses are associated together (for all intents and purposes they are completely unrelated).
  4. All you need to recover a modern wallet is either your private key or seed phrase. From that all of your public addresses can be regenerated and transaction history loaded from the blockchain.
  5. Cold storage wallets are those wallets not connected to the internet. They are considered safer than hot wallets as the attack vector does not include malware.
  6. A hardware wallet is typically a USB-powered cold storage wallet that can sign transactions but has no way of recovering the private key. It is typically connected to a host computer that is online, but the device itself provides an impenetrable barrier to malware.
  7. Multisig wallets allow you to split a wallet’s single key into numerous parts and set a minimum number of parts required to transact. They provide even more security at the cost of convenience.

That’s it for now. In Part 2 we’ll cover how to acquire your crypto. Please follow me for updates.
