2/27/2023 - Technology and Innovation

Crypto assets: Storage and security

By Nicolas Donsini

Understanding the operation of a wallet

The first point to take into account when talking about storage is to understand the functioning of a wallet.

A very common mistake (and unfortunately one that the ecosystem's communicators rarely address) is believing that our wallets store the assets we hold. It is necessary to bear in mind that this technology does not work that way.

In Bitcoin, for example, we use public key cryptography to create a pair of keys that controls access to bitcoins. The key pair consists of a private key and, derived from it, a unique public key. The public key is used to receive bitcoins, and the private key is used to sign transactions and spend those bitcoins.

There is a mathematical relationship between the public and private keys that allows the private key to be used to generate signatures. These signatures can be validated against the public key without the need to reveal the private key.

When bitcoins are spent, the current owner presents their public key and a signature (different each time, but created from the same private key) in a transaction to spend those bitcoins. Through the presentation of the public key and signature, all participants in the Bitcoin network can verify and accept the transaction as valid, confirming that the person who transfers the bitcoins has them at the time of the transfer.

In most wallet implementations, private and public keys are stored together as key pairs for convenience. However, the public key can be calculated from the private key, so storing only the private key is also possible.

The private key is a number, usually chosen at random. From the private key we use elliptic curve multiplication, a one-way cryptographic function, to generate the public key. From the public key we use a one-way cryptographic hash function to generate the bitcoin address.

But let's step away from the technicalities, because they are not the goal of this article.

The concept that needs to be clear is that our wallets (hot wallets, cold wallets, with or without custody) do NOT store our assets; what they store and protect is our key pair, essentially our private key.

Explained in a simple way, this pair of keys is what allows us to use our UTXOs (unspent transaction outputs).

Each UTXO we turn into an input (a balance we are going to spend) is actually the output of a previous transaction that gave us access to those BTC. That is, every balance in Bitcoin has a UTXO associated with it, and this UTXO has a locking script associated with it.

The Bitcoin transaction validation engine depends on two types of scripts to validate transactions: a locking script and an unlocking script.

A locking script is an encumbrance placed on an output, which specifies the conditions that must be met to spend that output in the future.

An unlocking script is a script that "solves," or satisfies, the conditions placed on an output by a locking script and allows the output to be spent.

Unlocking scripts are part of every transaction input, and most of the time they contain a digital signature produced by the user's wallet from their private key.

Every Bitcoin client must validate transactions by running the locking and unlocking scripts together.

For each transaction input, the software will first retrieve the UTXO referenced by the input. This UTXO contains a locking script that sets the conditions required to spend it. The validation software will then take the unlocking script contained in the input that is trying to spend this UTXO and run both scripts.

This locking script is a kind of digital padlock that we must open in order to use the balance of this UTXO. The locking scripts in Bitcoin are varied, but the most common is the one used in P2PKH (Pay to Public Key Hash) transactions. This locking script indicates that the key to open it is a cryptographic proof with which we must demonstrate two things:

- That we own the private and public keys that generated the Bitcoin address where the balance (UTXO) is.

- That we hold a valid digital signature that certifies that these keys are ours.

So in order to unlock this script, what we do is take the Bitcoin address along with our private key and generate the public key of that address. Finally, we add our digital signature and, once all that data has been checked, the balance of this address is unlocked so that we can use it. That is, the transaction will be accepted and placed in the mempool to wait for the miners.

On the contrary, if this procedure fails, the transaction is simply rejected and we cannot use the balance. This process is called the unlocking script. Of course, this cryptographic process is automatic and transparent for the users of a wallet; the wallet itself carries out the whole process.

To summarize, again avoiding technicalities: our wallets store our keys, and these keys allow us to spend our available balance, which is recorded in the blockchain we are interacting with.

What types of wallets are there, and which is safer?

We will distinguish two large groups and some subgroups.

The two large groups that we will distinguish in this article are CUSTODIAL wallets and NON-CUSTODIAL wallets.

- Custodial wallets:

Custodial wallets, as their name indicates, are kept by someone other than us. The clear example of this type of wallet is the one offered by centralized exchanges, the undisputed market leader being Binance.

The main feature is that we do not have custody of our keys; these are protected by the platform we are using, which gives us access to the wallet, but only within the platform.

A classic phrase in the ecosystem is "Not your keys, not your coins": if they are not your keys, they are not your coins.

This is a reality, since we do not have absolute control over our assets, and we have seen in the past how dangerous it can be to operate on platforms of dubious transparency, in which we place our trust and which may disappear from one day to the next while being the only ones in control of our funds (the FTX case).

But, to give away a little of how the article continues: based on my experience, I can guarantee that there is no single path or absolute truth. All alternatives have their pros and cons for the user, and exchanges are no exception.

And yes, that goes a little against the founding principles of this technology. But exchanges (the serious and recognized ones) also have strong security systems on the platform, intuitive and fast interfaces, extensive vetting of the listed projects, and even facilities to operate in the DeFi sector (known as CeDeFi), greatly reducing the risks this can entail.

In any case, it is important to keep in mind that the exchanges themselves recommend not keeping all of one's assets on their platforms, and recommend splitting them among other alternatives to reduce risk in the face of any eventuality.

When operating with custodial wallets it is of paramount importance to maintain good cyber hygiene: keep our devices safe, do not use public internet connections, use as many of the security factors provided by the platforms as possible (in addition to the well-known email and SMS checks, it is very important to use other two-factor authentication (2FA) systems, such as Google Authenticator or even external hardware such as a YubiKey), use usual emails

The most criticized point of exchanges, partly by maximalists who prioritize decentralization and pseudo-anonymity, but also by those who seek to use the technology to commit illicit acts, is their AML (anti-money laundering) policies, which include KYC (know your customer).

It is a multi-step process designed to prevent the creation and fraudulent use of accounts. The goal of KYC and AML policies is to understand the nature of customers' activities, to verify that their source of funds is legitimate and to evaluate the money laundering risks associated with them.

Without KYC it is very difficult for investigators doing blockchain forensics to tie criminals' wallets to a person. These are measures of great importance for combating crime and, in my personal opinion, for achieving mass adoption.

In DeFi we still do not see AML policies or KYC properly implemented. Fortunately, work is already under way on alternatives that respect the principles of this technology, seeking decentralization and protecting the user.

As positive aspects, we can highlight:

  • Important security factors, depending on the platform used
  • Easy recovery of the account and funds if we lose or forget the account credentials (since we are not responsible for safeguarding the private keys)
  • Intuitive, fast and user-friendly interfaces for those starting out in the ecosystem
  • Customer support services
  • Variety of products
  • Filtering and vetting of the listed projects, greatly reducing the possibility of fraud
  • AML policies and KYC processes that help fight illicit acts in the ecosystem

Among the negative aspects:

  • We don't have the private keys, so we don't have full control of our assets
  • Trust is placed in a third party, and we are subject to how that party manages things
  • Withdrawals may be suspended or accounts frozen, and maintenance may prevent us from operating when we need to
  • KYC: personal data must be provided to the platform

- Non-custodial wallets:

As we mentioned earlier, whatever type of non-custodial wallet we use, the main point is that we are responsible for our own keys.

Currently, DETERMINISTIC wallets are used. They are wallets that contain private keys derived from a common seed, using a one-way hash function.

The seed is a randomly generated number that is combined with other data, such as an index number, to derive private keys.

In a deterministic wallet, the seed is sufficient to recover all derived keys. It is also sufficient for a wallet export or import, which allows for easy migration of all the user's keys between different wallet implementations.

Mnemonic codes are English words that represent a random number used as a seed to obtain a deterministic wallet. The word sequence is enough to recreate the seed and then recreate the wallet and all the derived keys. A wallet application that implements deterministic wallets with a mnemonic code will show the user a sequence of 12 to 24 words when creating the wallet for the first time. This sequence of words is the backup and can be used to recover and re-create all keys in the same or any compatible wallet application. Mnemonic code words make it easy for users to back up their wallets, as they are easy to read and transcribe correctly, compared to a random sequence of numbers.

It is important to understand this concept:

The seed phrase is a set of 12 to 24 words whose aim is to offer us a simple way to back up our cryptocurrency wallet. In this way, if for any reason we were to lose control over it, we could recover it just by entering these words in the order in which they were originally given to us.

But this seed phrase is not our private key. Seed phrases are a kind of encoding of the private keys of our wallet, but in a much friendlier and more manageable form.

In short, our seed is what will ultimately allow us to generate our private key, from that the public key, and from that the address.
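How a word sequence becomes a seed and the seed becomes private keys, as an added example that is not from the original article. It assumes the BIP-39 (mnemonic to seed) and BIP-32 (hardened child key) schemes, which the article does not name; the function names and the sample phrase are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; valid private keys lie in 1..N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

def mnemonic_to_seed(words, passphrase=""):
    """BIP-39: stretch the word sequence into a 64-byte seed."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(words),
                               norm("mnemonic" + passphrase), 2048)

def master_key(seed):
    """BIP-32: split one HMAC-SHA512 output into (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 0 < key < N:
        raise ValueError("unusable seed, generate a new one")
    return key, digest[32:]

def hardened_child(key, chain, index):
    """BIP-32 hardened derivation: parent key + index number -> child key."""
    data = (b"\x00" + key.to_bytes(32, "big")
            + (index | HARDENED).to_bytes(4, "big"))
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child, skip this index")
    return child, digest[32:]

def derive(words, path, passphrase=""):
    """Walk a path of hardened indexes, e.g. (44, 0, 0), from the words."""
    key, chain = master_key(mnemonic_to_seed(words, passphrase))
    for index in path:
        key, chain = hardened_child(key, chain, index)
    return key

# Public BIP-39 test phrase, used here as constructed sample input.
# The word-list checksum is not validated (the 2048-word list is not embedded).
SAMPLE = "abandon " * 11 + "about"
```

Calling `derive(SAMPLE, (44, 0, 0))` twice returns the same key, which is why the word sequence alone is a complete backup and why anyone who reads it controls every derived key.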

Undoubtedly, one of the most significant improvements in wallets was the introduction of seed phrases, since these are much easier to manage and memorize than private keys.

And what we must safeguard in most modern non-custodial wallets is precisely our seed phrase, with the advantages and disadvantages that this brings for the user.

Non-custodial wallets are required to interact with the DeFi sector.

In a technology still in full development, with regulation at a very early stage, the DeFi (decentralized finance) sector is leading the way, offering many opportunities and proposals, but also some headaches if we do not have the necessary knowledge.

The interfaces are less friendly, and scam attempts on social networks abound. Projects that promise and do not deliver, rug pulls, exploits, flash loan attacks and the authorization of malicious contracts are some of the scenarios we can find within the sector, and they have generated losses of hundreds of millions of dollars in assets in recent years.

For this reason, before we operate with a non-custodial wallet and immerse ourselves fully in the DeFi sector, or interact with decentralized exchanges or any type of dapp, it is very important to acquire knowledge, get informed and understand what the ecosystem involves: not only the multiple benefits it generates in many sectors, but also the precautions needed to operate safely and mainly with serious projects.

If we are going to keep our funds in a custody wallet, what is the best option?

Here we have to differentiate between hot wallets and cold wallets.

Hot wallets: They are linked to a web server. They can be used anywhere in the world as long as there is an Internet connection.

It is easy to understand the appeal of these wallets. On the one hand, they are usually free and can be downloaded from the Internet. They are also easy to use and are preferred for daily trading. Someone who performs various operations throughout the day may simply not want to move funds in and out of a cold wallet.

The disadvantage of hot wallets is that they are not as safe as cold wallets. Being permanently connected to the internet, they carry some risks, mainly if the device they are connected to is compromised.

Hot wallets differ according to their characteristics. Basically, there are three types: desktop, web and mobile wallets.

Desktop wallets:

Desktop crypto wallets have greater security capabilities than web-based wallets. However, technically, they are less secure than cold wallets. A desktop crypto wallet is downloaded to the computer.

Web wallets:

Web wallets are executed directly through a web page browser. Normally, they do not include additional software that runs on your computer. Still, there are hybrid types.

Mobile wallets:

Mobile crypto wallets work the same way as desktop wallets. They can be used with the iOS or Android operating systems. The biggest benefit is that a mobile wallet is more portable than a desktop crypto wallet, and if it is kept on a device that is not connected to the internet it can come a little closer to a cold wallet.

Cold wallets:

So-called "cold wallets" are those that are not connected to the Internet.

We can distinguish between hardware wallets and paper wallets (often mentioned but not practical).

As for paper wallets, as the name indicates, this is a wallet printed on paper that contains the private keys and addresses needed to manage the cryptocurrencies. Paper wallets are ideal for storing and safeguarding funds that will not be used or moved for a long time.

Hardware wallets are, without a doubt, the most reliable option for security, since the private keys are kept off the web, on devices without a connection. There are open source wallets and closed source wallets, and there is significant competition in the market; some offer the possibility of interacting with more networks or currencies than others. The price varies greatly between the different options.

The biggest inconvenience is that they can be a little tedious to operate, as a longer and less practical process is required than with a hot wallet. They are most recommended for holding long-term assets.

Centralized exchanges use both cold wallets and hot wallets for the keys they manage.

As positive aspects of non-custodial wallets we can highlight:

  • We keep personal custody of our keys; it depends only on the user and does not require or depend on a third party
  • No restrictions on times or amounts when operating, and no maintenance
  • They are very safe as long as precautions are taken; hardware wallets lead in security
  • They allow interaction with different dapps
  • Decentralized and pseudo-anonymous
  • No KYC (they do not require personal information)

As negative aspects:

  • Somewhat more complex interfaces for beginners
  • For the most part, no user support
  • Interacting with dapps can be risky without the right knowledge
  • No AML policies


If a single answer was expected, unfortunately that is not the result. Both custodial wallets and non-custodial wallets are safe options. It will be up to the user's judgment, according to their level of knowledge, the goal they have in mind and their way of operating, which option is more or less practical for them.

For a user who is just starting out in the ecosystem, a custodial wallet on an exchange is surely the best option.

An experienced trader, who needs several tools to operate in addition to fast and accurate interfaces, will also do so through a custodial wallet within a centralized exchange.

A user who interacts with DeFi, or prioritizes the decentralization and pseudo-anonymity of a DEX, needs a non-custodial hot wallet.

A holder with a lot of assets will certainly invest in a non-custodial cold wallet to keep them as safe as possible.

My advice is to divide funds among various options; that way, we also divide the risk.

But above all, to educate ourselves about cyber hygiene, in addition to knowing how to identify the security problems that affect the sector (something we may go deeper into on another occasion). In this way, we will know how to keep our devices safe, we will know what 2FA is and which options to choose, we will use unique emails for the platforms, we will keep passwords safe and varied, we will not use public networks, we will learn how to prevent scams or phishing attempts, we will protect our private keys, and at a slightly more advanced level we can understand how a smart contract audit works, how to identify a potential rugpull, how to revoke malware


Nicolas Donsini

Hi, I'm Rodrigo Nicolas Donsini. Lawyer, specialized in blockchain technology and cybersecurity, with a master's degree in its legal aspects from Blockchain School for Management - Spain. Also a programming enthusiast, with a diploma in Python - UTN. Currently working for one of the most important exchanges within the crypto ecosystem.