Secure Keys
Practical Key Management for the Bitcoin Protocol

February 15, 2020
Practical Key Management for the Bitcoin Protocol

Do you want to keep your digital-currency assets safe? This short guide is for you. In it, we lay out what we’ve learned from our experiences securing cloud wallets for large enterprises. Cybercrime is growing faster than ever, but next-generation security measures are within reach.

The Bitcoin Protocol (also known as the blockchain), is a public ledger where all transactions are stored and secured through something called proof Of work. So much for the public ledger, but what is it that keeps each single transaction secure? The answer lies in asymmetric encryption.

What is asymmetric encryption?

Asymmetric cryptography, or asymmetric encryption, is one of the core principles of any public blockchain system (the other being proof of work).

- Proof Of Work is the main security concept of the blockchain, where a piece of data must be generated to verify the ongoing records, and this piece of data takes lots of work to make, but very little to verify
- Asymmetric encryption is the main security concept of a transaction, and we will cover it in more detail in this article.

The security of the basic layer of Bitcoin depends on the hashing power of the network, and the decentralization of the mining process. We’ll detail this in a different article, but here we outline the security of blockchain transactions, and so we are talking about asymmetric encryption.

Bitcoin Transaction alice and bob

Picture Alice and Bob. When Alice wants to pay Bob, she must generate a transaction sending some of her bitcoin to Bob’s wallet address, then, using her private key she must sign the transaction, showing to the world that she and no one else is the owner of those bitcoins. The transaction is then sent to the network where miners will include it in a block of the public ledger.

What is a secret key?

Bitcoin uses ECDSA (elliptic curve digital signature algorithm) encryption. Other cryptocurrencies might use different algorithms, and Bitcoin itself will likely add more encryption protocols in the future.

ECDSA consists of a set of operations performed on an elliptic curve. Every operation result is just a point on that curve, and a point is just a combination of ‘X’ and ‘Y’ values. The private key is a very large number that can be used to generate the public key, which is a point on the curve. The public key, in turn, can be used to generate the Bitcoin address of the wallet.

The private key is a very large number. It’s so large, that we encode it with numerals and letters (i.e. in hexadecimal).

The private key is a very large number

As an example a private key looks like this:

18e14a7b6a307f426a94f8114701e7c8e774e7f9a47e2c2035db29a206321725

The resulting public key coordinates (remember there are X and Y values, separated by an “x” in the string below) would be:

0250863ad64a87ae8a2fe83c1af1a8403 x b53f53e486d8511dad8a04887e5b2352

These coordinates can be transformed into the bitcoin address,

1PMycacnJaSqwwJqjawXBErnLsZ7RkXUAs

You can read the details about how this takes place here. While this is a strong security protocol, threats abound where large assets are at stake.

Threats to the Secret Key

The security of the secret key requires that two things happen simultaneously:

  1. The secret key must always be kept confidential. If an attacker gets to know the number of the secret key, he will be able to steal your bitcoin.
  2. The secret key must be available. If you lose the secret key, there is no way you can recover your funds.

While these requirements appear to be simple, the implications are large. If you keep this number saved on your computer’s hard disk, it will likely be stolen. In fact, compromising a desktop computer is very easily done. One way to mitigate this type of attack is to encrypt the encryption key itself using a mnemonic password (symmetric encryption).

This means that the key exists on your hard disk in an encrypted form. If an attacker were able to get the key, they could not access the funds without the encryption password. But, at some point, when you need to use the key to sign a transaction, your software will ask you for the password. As soon as you type the password to use it, your computer will store the unencrypted key in its memory (RAM) for a short period of time. During this short time, the key is once again available for attackers. At this moment, if your computer is compromised, your funds are likely as good as lost.

In addition, if you forget the extra password, or lose the encrypted secret key, you will lose all your funds. So, you should save the password somewhere (for example written on a piece of paper stored in a lockbox), and backup the key on a separate disk, possibly offline.

In order to increase the privacy and security of your bitcoin, it is good practice to create a new key every time you receive or spend your funds. This practice itself has security implications: for example, a backup must be completed periodically. If your hard drive fails, and you haven’t updated your backup, then you will lose part of your funds.

HD Wallet: Hierarchical Deterministic Keys

If you’ve used Bitcoin recently, then you’re likely familiar with HD Wallets. The concept of HD Wallets was first proposed in 2012 by Pieter Wuille on BIP32, and it is basically a way to generate multiple secret keys starting from a “seed” number (which is itself a secret key, called extended key cause it contains some metadata about the derivation). Since the set of keys generated from the seed is deterministic, you can forget the keys, and focus on the seed for the backup. The benefit of this approach is that your keys can always be re-generated.

HD Wallets use a set of words to generate the secret keys so its easier to organize a backup

In order to make the seed key mnemonic (that is, easy to memorize), BIP39 (by Trezor developers) defined a method to encode the seed key into a set of words. In short:

For example the set of words:

truck crawl believe sudden rabbit any critic please parrot ranch potato alone

represent the extended secret key:

xprv9s21ZrQH143K2Vbn9W6ScmGu36kawo8G5UGs6CH7WuqUSb7732ZzjNray5xva36Na2uYNDMuvnqBsHnUN9zANXy2GYhnpPJy3PvpsHrJq73

and these words can generate the following keys:

AddressPrivate Key
17yZYJHHruRkyM53UW2gcWoi2frsXPx457KzaDcPaoef3NVkv9faMNhYYCjxhNGGHVcbgZi4MJeNCXsB9R5cGh
1JoYcvjVgfTB85ENZxKK7wCf2fC7mhbnBpL1tn4ktK3Witw2CQa5e7QUTjU6zsXwGL3T8DoYtT3jHwCzE4WPei
1J2ZBpxuy15gRV43B42un6oZ4G6N9XUi1zL2MZ2yTvMQosehj7LzTKm5anLq9eEaEXCace3NtRvbTFkhCP2KcZ
17DMccj4sCbMRBeGdapBbcVNyMsdSFsiWyL5dNfdrgQpES9XXAaBMAaFnMwinUaHuBRi3ya1oYv9qiL3ZNcaaJ
15KS5AdD17Ny7AohaomUz1LW6NN6rndnWJL4zoEMHJG7YsbC4eA1xMyEc5T7etKbm4U9YRptQ8PLSNaXbw5mPf

The mnemonic seed (the set of words) is therefore a representation of the extended public key, and it becomes the essential thing to backup.

How to properly backup the seed?

Cryptosteel cassette

Now that you have a set of 12 or 24 words which represent all your keys, your mission is still the same as before: make sure nobody else gets to know them, and make sure you don’t forget them.

If you’re printing them on a piece of paper, remember that printers and computers have cache memory, and sometimes this cache memory is stored for a long time, making it a potential target during and after the print.

You should always keep the seed offline, written on a piece of paper using a pen. You can also use a tool like Cryptosteel, which is a very robust backup tool. Compared to the paper, it doesn’t risk losing its ink’s color, and it’s fire- and water-resistant, and therefore it can be safely hidden outdoors without the risk of the record’s degrading.

There are also some homemade alternatives, such as laser printing and engraving. If you use a digital machine (such as a CNC) to build your backup, make sure the project is secure and properly deleted from memory, as you run the risk of having the same issues as you could have with printers. Also, remember that if you outsource this printing then you’re also communicating the secret to a third party, which is never a good idea.

In a HD Wallet, the mnemonic seed is what you need to keep safe.

Managing the Keys of a HD Wallet with Hardware Wallets.

Now that you have a good backup plan, you still need to keep your keys on your computer in some way, in order to sign transactions. And here is where an attacker can try to find a weak point.

As I mentioned before, keys must always be kept encrypted, but they have to be decrypted in order to be used and stored in memory. This decryption stage is where a hardware wallet, such as Trezor or Ledger, can be helpful.

Hardware Wallets are designed so that an attacker who has compromised your computer cannot access your keys. Your computer is still responsible for the creation of the transaction, which is sent to the hardware via serial communication, where it is signed and returned to the computer. In other words, your computer generates the transaction, but requires verification from your keys, which are on a separate device entirely. It’s like having wireless car keys in your pocket that allow the car to be started with the touch of a button. In this way, the keys are segregated from your computer using the hardware wallet.

There are still two further issues to address:

  • One of the possible vectors of attack is the destination (or change) address replacement. There are actually malware programs that infect your machine and hide, silently waiting for you to copy into the clipboard a valid bitcoin address. At this point, they replace your intended recipient’s address with the attacker’s address. If you don’t double-check the destination address in your hardware wallet’s screen, you can end up signing a valid transaction to the attacker’s address instead of the right recipient.

  • Hardware wallets also contain your seed (and, thus, all of your keys). This is especially a problem for Trezor, as the ledger uses a chip called the Secure Element that relies on secrecy for all of its security. An attacker who can get at your physical device can quite easily extract the seed. To mitigate such an attack, it is a good idea to set a passphrase in addition to the seed.

In other words, you should probably have a passphrase added to the mnemonic seed (the random set of words) which alter in an unique way the derivation of all of your secret keys, which sign your valid transaction. You may want to keep a copy of the seed in the woods somewhere, too. Does that sound complicated? This approach alone also happens to leave all of the security in the hands of one individual, which is often unacceptable for larger organizations. The need for multiple checks and balances is one reason we advocate multisignature scripts.

Multisignature or Complex Scripts

If you’re an organization, you should consider the use of multisignature (“multisig”) or other more-advanced spending schemes.

Multisig is a way to lock funds into an address that can only be unlocked with more than one signature. For example, if your company has three executives, you might want to lock the funds into a two-of-three-signatures (a “2of3 signature”) address. This way, it’s impossible for a single person to steal the funds, or to have an attacker steal funds through a single security breach.

There are also more advanced mechanisms you can implement, such as a 2of3 signature plus a time-locked fourth, emergency signature. The fourth signature might be stored in a safety box in a bank. Under normal conditions, the funds are moved to a new scheme before the emergency signature can be used.

This complex spending scheme is useful especially against physical-security attacks, whether external or internal. No single target cannot be used to steal the funds.

Imagine if you were running a cryptocurrency exchange, and you needed to safely store bitcoins valuing several billion dollars. You’re a target.

If you and your family want to sleep at night, you should strongly consider locking the vast majority of these funds into a script that you cannot control, and which, in an emergency situation, automatically reacts to the threat. These measures, in addition to a strong physical security system (such as guards, etc), will ensure you have a robust and reliable network of security measures, with no single point of failure.

Plausible Deniability in Blockchain Security

XKCD Security

When you add a passphrase to an HD Wallet the resulting keys are different. But more importantly, every different passphrase returns a different set of keys.

Every passphrase appended to a HD Wallet is valid and return a differet set of keys.

This possibility has an important implication.

Imagine you’re travelling with your hardware wallet and 10 Bitcoin, when an attacker threatens you with violence and forces you to reveal the passphrase. Thankfully, when you were at home, you put 0.5 Bitcoin into the passphrase, “Alice in wonderland” (NOTE: this is a seriously bad passphrase), and 9.5 Bitcoin into the addresses with the passphrase “Bob in wonderland.”

You could reveal the Alice-passphrase, sacrificing 0.5 Bitcoin, saving your life as well as most of your wealth.

In order to setup your passphrase, you can follow the Ledger and Trezor guides.

Shamir’s Secret sharing

Shamir’s Secret Sharing (SSS) can be used to split the seed into M pieces, so that only N of M parts are needed to reconstruct the secret. This allows you to store parts of the seed in multiple places, so you can give them to different trusted people, friends, or relatives.

Unfortunately, SSS is not as effective of a practice as it might appear, and implementing it wrong is very easy. We agree with Jameson Lopp’s analysis, and we would recommend that you avoid custom implementations until the industry agrees to a consolidated approach.

Plan your inheritance as Soon as Possible

We’re all going to die one day. Passing your keys to your heirs might be a complicated process.

In the long run we are all dead
John Maynard Keynes

His economics may not have lived to see the long run, either, but Keynes’ point is still valid. In reality, there are several solutions to passing on your keys, but you need to plan in advance and setup everything so that, when that day comes, things can move forward without you. Obviously, you are going to need help from someone else that you trust. Imagine you have 10 Bitcoin, and you want to pass 5 to your daughter Alice and 5 to your son Bob.

You can already tell Alice a passphrase and Bob another passphrase. They have to be aware of what it is they are being told, and they have to make sure:

  • They don’t foget it
  • They don’t share it

At this point, you can safely give to your notary two copies of the seed to give to Alice and Bob. The seeds can be the same or different. It doesn’t matter. The notary will have to pass the seeds to your heirs once you have passed away.

You can move the funds in advance to your children’s wallets, or use two sets of 2of2 multisigs, so that you are always in control until your children’s wallets are reconstructed.

Conclusion

Trusted Third Parties are Security Holes
2001, Nick Szabo

It’s pretty clear that managing Bitcoin keys can be very hard. We’re used to leaving our wealth in the hands of a trusted third party (such as a bank), but that’s a security risk, and Bitcoin was invented precisely to eliminate this risk. Nevertheless, exchanges get hacked frequently, and the risk of losing your money is high. If you plan to use cryptocurrencies, you should start learning how to keep them securely.