What's in your wallet? | Security, Storage, Keys & Future | Ep. 06
Aug 15, 2023Episode 6
Sugarcane
In this episode, we'll explore the world of hardware wallets like Ledger and Trezor, unravel the mysteries of seed phrases, and discuss why 'Not your keys, not your crypto' is more than just a slogan. We'll also look into exciting innovations that are making crypto more accessible without compromising on security.
🔒 Hardware Wallet Security: Hardware wallets such as Ledger and Trezor block unauthorized access by permitting only company-approved software, safeguarding private keys.
🌱 Seed Phrase Importance: Essential for recovery, seed phrases can be used across wallets, but mismanagement can turn a cold wallet hot.
🔑 Not Your Keys, Not Your Crypto: Trust in centralized exchanges is risky; personal key ownership on hardware wallets ensures optimal safety.
🚀 Innovation for Ease of Access: Technologies are emerging to enhance user experience without losing security, like email login while retaining private key control.
Disclaimer: 🚨 The information provided across all of Sugarcane's communication channels is for informational and entertainment purposes only. It should not be construed as financial or investment advice. Consult with a financial professional before making any investment decisions.
In this episode, we'll explore the world of hardware wallets like Ledger and Trezor, unravel the mysteries of seed phrases, and discuss why 'Not your keys, not your crypto' is more than just a slogan. We'll also look into exciting innovations that are making crypto more accessible without compromising on security.
🔒 Hardware Wallet Security: Hardware wallets such as Ledger and Trezor block unauthorized access by permitting only company-approved software, safeguarding private keys.
🌱 Seed Phrase Importance: Essential for recovery, seed phrases can be used across wallets, but mismanagement can turn a cold wallet hot.
🔑 Not Your Keys, Not Your Crypto: Trust in centralized exchanges is risky; personal key ownership on hardware wallets ensures optimal safety.
🚀 Innovation for Ease of Access: Technologies are emerging to enhance user experience without losing security, like email login while retaining private key control.
Disclaimer: 🚨 The information provided across all of Sugarcane's communication channels is for informational and entertainment purposes only. It should not be construed as financial or investment advice. Consult with a financial professional before making any investment decisions.
Rudy:
Welcome back everyone to the Sureking Podcast. I'm Rudy.
Sheldon:
Hey, I'm Stelton, the founder CEO of Sureking.
Rudy:
We're here for some more tasty tidbits of what's going on in crypto. Have that backdrop, that backdrop, tasty. So what is tastier than having a wallet full of cash?
Sheldon:
You're right. You're right A wallet full of Ethereum, exactly.
Rudy:
Exactly And like how do we even get that wallet? Where does it come from? It's digital. How do I know it's mine? It's not in my back pocket.
Sheldon:
Yeah, it's cryptography.
Rudy:
Cryptography, a topic of everything in crypto, where it comes from crypto, cryptography, cryptocurrency, and we're going to go over exactly what it means to have a wallet, how it's generated, what it means to you, some tips on keeping it safe and different ways of generating a wallet. And my first experience with a wallet was back in 2013-ish. It's actually download the whole blockchain application on your computer, wait hours or days to synchronize, generate a wallet on that and keep that safe. Nowadays it's a lot easier, much easier, and we can go right into a classic example of you know hardware versus software wallets and what it means to use like a metamask. I think that's a popular one And kind of, maybe what centralized exchanges do with your wallet. So for against all that Sheldon, how the hell is a wallet even made?
Sheldon:
Yeah, a very, very great question, just because that's like the backbone of what we're actually doing in crypto space.
Sheldon:
The kind of the very, very start of it is that on your computer or on your physical hardware device, if you have a hardware wallet, what it does?
Sheldon:
it generates a private key, right? So it creates this and the randomness in that device or after you're on your computer, basically generates a private key and then it's able to take a set of 12 to 18 to 24 words and map it back to that actual private key. So now you as a person get shown a screen that you probably see before if you're into the crypto space, where it shows you, let's say, 12 or 24 words that you have to write down, and once you write those words down, it kind of tests you again to just make sure you have the correct combination of those words, because those words are actually those words called seed phrase are used to generate the private key, and the private key is kind of the safe part that actually is used to create your address. Private keys are generally used as like kind of the basis of the address that you see on the Ethereum blockchain or Bitcoin blockchain.
Rudy:
Exactly That's why people in different companies, like Coin Base or MetaMask or whatever other wallets you're using, are so adamant on keeping your seed phrase safe and secure and not accessible to anyone but you, because if anyone gets access to that, they get access to everything. There's no going back, there's no recovering still your funds, all of it.
Sheldon:
Yeah, yes, like if you have a house right, like if you have like keys actual physical keys to your house. if you've lost them on the street and someone finds those keys, they now have access to your home. In the case of a house, you can have to change your locks, but in the case of cryptocurrency Ethereum, bitcoin, blockchains you can't actually change the lock because it relates to one specific house or one specific like private key in that case. So that's gonna have to be very, very secure where there are keys.
Rudy:
Yep, what you can do is, if someone does find it, you'll probably only know if they take everything from you. But if, for some reason, you have a suspicion, you're compromised. if you're able to get to your wallet and send everything off into a different wallet that you've created, that's the best way you can do it. So now that we see that there's a seed phrase that's generating private key, which is what your public keys are derived of. So how is that linked? So how does the public key that I can share with everyone, how's that? okay to share, but not the private key?
Sheldon:
Yeah, because it's certainly like the graphic principle where the private key can generate a public key, so something you can show to people.
Sheldon:
But people can actually reverse. They can't go from the public key back to the private key. And so if you see, in Ethereum, for example, you see a string of like letters hexadecimal letters and numbers that's about like 42 characters long. It starts in zero X, typically so zero X and then some 40 strings of like letters and numbers. That's typically what you can actually show to people, just because they don't actually have access to the funds, but they know where they can send the funds to, right? so in the case of Ethereum, the way that the public key is generated is based on a sort of hashing algorithm. It takes the public key and it hashes it. It basically applies some type of transformation on that private key and outcomes a number or outcomes a hexadecimal number in that 40 key public key that people can use to send assets to And every time I share that key where people can send their Ethereum to or whatever they want to to that address and then I would have control over it.
Rudy:
And every time I sign a transaction, what is happening in that step where the private key is telling the public key that What is actually happening, what is happening to approve a transaction while it's talking to what?
Sheldon:
Yeah. so the signing process is really just you proving ownership of that particular address. So if I, sheldon, want to send you, rudy again the previous last week's episode I think I said five if you're here, five ether, if I want to send you five ether, i basically have to prove that I, sheldon, have control over the address that says there's five ether balance in it. And so what happens is that, like, i use my private key and do this process called signing, where essentially I take the private key and it takes the action that I want to take. So, for example, in the case of me moving money, that's a transfer, i want to send you five ether.
Sheldon:
I take those two things, the action and the private key, and I hash those. So basically, i again apply a transformation, apply a operation, a mathematical operation on that data to produce what's called the transaction hash. And that hash basically can say that I, sheldon, approve this action to occur And you can show that with this transaction hash, that this address, this transaction hash can only be generated by the person who controls this particular address. And that's how you can actually prove ownership of that action. And then, once I send that transaction to a miner, as we learned last week to add that transaction into a block. that's in how I can actually prove that I own it and then I actually want to take that action.
Rudy:
And it's a important point to remember is that you are showing proof that you own that public key, that you're allowing this transaction. The thing is, since it's a blockchain, everything is public, meaning that public key is public, not just to you, but to the world. You can go on websites like ether scan, type in a public key and see every transaction that he has ever made. The thing is, you know, blockchain is pseudo anonymous, meaning it's partially anonymous. So that public key nobody nobody knows that. You probably own it, but as soon as I share that public key to somebody now, that person knows my entire history. So when doing transactions, it's important to keep that in mind.
Rudy:
Folks that use an address that you do not mind exposing to your friends, family or the world choose your parties. It's a good safety standard, and there are new protocols. That's on the way for more privacy focused transactions, meaning you can create transactions publicly, but no one can actually see how much you own or have. They can just computationally prove that you have done a transaction, and you do have the right to say that you're promising. But that's all the episode to. So some more safety tips, though. So there's things I keep hearing like cold and hot wallets. Yeah, the differences between those.
Sheldon:
Yeah, so a hot wallet is kind of the thought of something that's connected to the internet or it's on a device is connected to the internet, alright, so in the case of MetaMask, if you've downloaded the MetaMask browser extension, so that's something that sits in your browser with a Chrome Brave Safari, you have a browser little fox icon that sits in your browser.
Sheldon:
You can click on that and that shows an address, a wallet, and that's typically referred to as a hot wallet because something that's connected to a device, that's connected internet and it's very easily accessible. But there's also devices that are also unconnected or disconnected. So like there's ledgers from this company that produces a USB style stick, like a USB size stick. Another company called Trezor produces a kind of a bigger square device that is also disconnected from the internet, but the private keys in both of the ledger and the Trezor case are physically stuck to the device. They actually can't be transitioned. We actually come to learn that that's actually not technically true but like the details of it is that like the physical device is the one that holds the private keys, not a device that's actually connected to the internet all the time.
Rudy:
Exactly And that, yeah, and that points to important to remember the private key lives on the device and can leave your device with the authorization of yourself saying I want this key off a device into a program which is of something called a social recovery program. This is another thing. So we're talking about don't lose your keys. If you lose it, you're done forever. There's no chance of getting it back. Well, there are people building out interesting services where they have social recovery meaning.
Rudy:
I trust Sheldon, i trust my brother. I'm going to give both of them our access to my wallet. Neither of them can actually do anything with my wallet individually, but if they work together, they can actually move my funds for me in case I ever lose my crypto wallets. It's something you definitely want to keep with trusted parties. You don't want to do social recovery with people. That you kind of skeptical about Ledger's case was they had a trusted party where you can hand in, like, can you show your ID and you get your private key back if you ever need it, if you ever lost it. That's the case we're talking about.
Rudy:
Technically, it can be moved off of, but the security element is that when you have your ledger in your hand. It needs to be plugged into your computer physically or through a Bluetooth. There's many harbor wallets out there, folks. By the way. These are not the only examples. There's GERD Plus, there's like after at the mall, but there's too many to even name. There's a lot of them out there that you can use for yourself, so you find the one that's most suitable for what your comfort level is. But you have to actually press a button on the physical device to say I approve and sign this transaction, whereas in hot wallet it's just button on your laptop and give us a rundown on like those safety securities about that with malicious attackers.
Sheldon:
Yeah for sure. So, like in the case of MetaMask, one possible attack vector some way you can actually get hacked is that if you download malicious code onto your computer, the actual malicious code that's on your computer can actually read your MetaMask extension And that way they'd have the private keys and they can move the assets just the fact that they're on your computer. But in the case of, like a hardware art, a code wallet, a code storage wallet, it can actually download external software without the actual company who produced that software approving it. So, for example, right in the case of ledger, no new software can get onto that physical device without ledger the company actually approving it. Or no new first case of Trezor no new company, no other company or entity can access the physical device without Trezor approving it. So in both those scenarios the kind of security is based on the fact that no additional software can get onto that device without the company itself approving it And the company itself doesn't have access to your private keys.
Sheldon:
But they have the kind of right to block any other third party software from getting access to the device. It's kind of a way to secure yourself from getting access to it And the funny thing is that, like you can actually take a hardware wallet, you can actually get the private keys, but you can get the seed phrase from the hardware wallet. If you put that seed phrase into a MetaMask, technically you've just made your hardware device a hot wallet just because now it's in a MetaMask, and so you have basically two different places where those keys are stored. That's where you have to keep the keys separated and stored in different places.
Rudy:
That's an important thing to remember too, because your seed phrase is not something that's on the device, but it doesn't necessarily live on the device. It lives on the blockchain. Therefore, your recovery phrase, or private key, is generated by device. Yeah, but you can plug that into any wallet and that's where you can give access to your wallet again your public keys. So my ledger can create a recovery phrase, i can plug it into MetaMask and then they both have access to it, like Sheldon said. So it's a blockchain thing and it all lives on a blockchain. That's why it's super secure. You can actually generate a private key, memorize all the words, throw out all your devices and you are completely secure because as long as you have it in your head, you can access it again through any other wallet.
Sheldon:
Yeah, what's actually kind of a funny thing is that you could actually have the 12 or 24 words generated. You can write those words down or you can actually get a tattoo of them on your body, and if you delete the actual digital reference of that, you now have a completely cold wallet that is not connected to anything, because now it's just really just those 12 words that are on a piece of paper or tattooed to your body.
Rudy:
Exactly, that's a good point.
Rudy:
It's going to be like a moving private key, exactly because I remember there you create paper wallets, which would be the way to generate a wallet, but completely offline, never connected to the blockchain, but due to the cryptography of it, you can use a valid wallet that you can use and then it will sync with the blockchain as soon as you do some type of transaction online. And also I'm sure people have heard before, not your keys, not your crypto. This is when we speak about centralized exchanges like Coinbase, crackin, gemini Binance. These are the exchanges that hold your wallets. They hold your private keys. They are the ultimate owner of your funds, just like a bank, and if they want to pause your transactions, they can. If they want to get hacked and someone removes their funds, that can happen too, like FTX situation Crypto's fault. It's actually.
Rudy:
Crypto is very much pro keeping your keys for yourself on your own devices. Essentialized exchanges are useful for people who are who think this is maybe a technical challenge to keep your own crypto on your own device, but the host it for you. You can use it there Relatively safe, i would say. Trusted exchanges like Coinbase and Crackin, but they have their own security measures of trying to keep that safe as possible. But there is no higher level of safety than at this current moment than to having a hardware wallet that you need to physically have in your possession to confirm transactions. Even if the hacker gets access to your computer and sees how much sees your ledger live application on your computer and tries to type in all your funds, they can't do anything because that device is needed to confirm a transaction.
Sheldon:
There's a lot of new technology coming out to make the user experience easier. For example, in the sugarcane context we're building ways in which people can actually log in with the email and still have a private key, public key pair that we, the company, actually don't control or understand that It's. those allow you to actually still sign transactions without actually having to need to remember a 12 word phrase or have to actually write that down or have to deal with any of the complexity there. But again, right now it's like the most part, hardware wallets are pretty much the gold standard for safety. Paperwallets also kind of gold standard, but less, much more clunky. Again, there's more technology coming out to make the whole process easier as well.
Rudy:
Exactly, and as we come up with the sugarcane app, it's going to be, i feel, like a happy medium between you owning your own keys, but yeah having the ease of access everywhere.
Sheldon:
Yeah, for sure.
Rudy:
Awesome. That was a good one. So remember everyone keep your wallet safe. Private public key. Do not share private. Secure that somewhere safe, never share it. Public key is what you can share And you want to do your best to make sure you have complete and sole access to that private key. See you next week, everyone.
