This is a guest posting by Michael G. Solomon PhD CISSP PMP CISM
In a previous article, I talked about testing blockchain apps. Although you can test blockchain apps using non-live blockchains, eventually you have to assess how your app runs in a live environment. That means you have to use it, and pay for it, using real cryptocurrency. One of the advantages of using blockchain technology is in the ability to own cryptocurrency, such as bitcoin and ether. But there are many more virtual assets that you can own. In fact, blockchain apps can define or manage just about any type of digital asset. These digital representations of real assets are often called cryptoassets, getting their name from the fact that the blockchain, where they live, is essentially built using cryptography. So whether you’re using or testing blockchain apps on a live blockchain, you’ll need to have an account and some cryptoassets.
All cryptoassets belong to an account, and the only way to access them is with the account’s private key. You can keep your account keys safe in protected storage for blockchain accounts called a wallet. Regardless of what your cryptoassets represent, they are only as secure as your private keys, and those keys are only as secure as your wallet. Suppose you’re testing your new blockchain supply chain app. You fund your account with 5 bitcoin (about $44,000 at the time of this post.) You want to purchase an SUV, and see how the app handles the payment and delivery. If you’re testing on a live blockchain, you actually have to fund your account with real cryptocurrency. All it takes for you to lose all your money is for an attacker to find your account keys. The security of your cryptoassets, even when testing on a live blockchain, depends on the security of your wallet.
Let’s compare different wallet options and learn how to choose the best one for your cryptoassets.
Keys and Accessing Your Cryptoassets
Cryptoassets can represent physical items in the real world, or they can exist only on a blockchain, like CryptoKitties. When you create a blockchain account, you essentially create a pair of keys. Your private key is the key you should protect, as you’ll need it to create any transaction that affects your cryptoassets — if you want to spend your cryptocurrency, buy more of it, or transfer it to another account, you have to have your private key.
In blockchain technology, every transaction must be digitally signed by the account owner’s private key. That’s how you can always trust the origin of any transaction.
The other key that gets generated when you create a blockchain account is the public key. The public key is mathematically related to the private key but is functionally the opposite. If you encrypt data with the private key, you can decrypt that data only with the public key. So, if you want to provide proof that you created some transaction, encrypt it with your private key. Anyone who has your public key can decrypt the message and know that it came from you. Of course, this approach only provides integrity, not confidentiality.
Anyone who has your private key can access your blockchain cryptoassets and transfer them to another account. That’s much like someone stealing your credit card and your PIN. With that information, they can drain your account before you realize what is happening. The big difference, though, is that if your credit card gets stolen, the bank that issued that card will probably have a fraud division watching for bad actors and also have some protection if you report the theft quickly. There is no such protection in the blockchain world. If you lose your keys, you lose your stuff.
Protecting Your Keys in a Wallet
Since blockchain account private keys are so valuable, it makes sense to spend some effort keeping them safe. There are multiple types of wallets, and each one has its own pros and cons. In the end, your choices are based on a balance of security and convenience.
Choosing the right wallet depends on how much you value your cryptoassets. For blockchain accounts that don’t store anything of value, a convenient wallet is fine. However, another account for your 100 bitcoin would need a very secure wallet. (Bitcoin is around $8,700 at the time of this posting, so 100 bitcoin would be worth around $870,000 dollars.)
Types of wallets
There are three categories and two classifications of wallets. The category defines how the wallet stores your keys, and the classification determines where it stores our keys.
The three main categories of wallets are:
- Software wallet: A software program that stores private keys in data files
- Hardware wallet: A hardware device that stores private keys on a physical chip
- Paper wallet: A printed representation of a private key on a piece of paper
The two classifications are hot wallets and cold wallets. Hot wallets store keys online. Many software wallets, and especially web-based software wallets, store private keys online to make it easy to access from anywhere. This is convenient but not very secure. A cold wallet is one that stores your private keys offline, either in a local file or on a hardware device. Cold wallets are less convenient but generally more secure.
Software wallets are the most common. You can find software wallets that run on the web, on your computer running popular operating systems (Windows, macOS, and Linux) or on mobile devices (mostly iOS and Android). A software wallet requires that you authenticate yourself to use the software, then provides access to your private keys. Software wallets often focus on ease of use, as opposed to strong security. Many software wallets offer the option of hot or cold storage.
Storing your keys on a physical device makes your keys much more difficult to steal online. Of course, you have to make sure that you don’t lose the physical device and that no one else steals the device from you. In spite of the physical security issues, hardware wallets are generally more secure than software wallets. The biggest advantage is the physical isolation. If online hackers can’t get to your device, they can’t steal your keys. (Well, at least not easily.) Popular hardware wallets, like the and the Trezor, are generally priced under $100 and provide a straightforward user interface. Their functionality is limited, but they primarily exist to securely store private keys.
The last type of wallet is nothing more than a printed copy of your keys. Most paper wallets consist of the raw key and a QR code that represents the key. The QR code makes it easier to use the paper wallet: You just need a mobile device with a QR scanner to read your key when you need it. The advantage of a paper wallet is that no part of your key is stored digitally. However, that single piece of paper is your only way to use your keys. For that reason, most people have a backup copy stored somewhere.
Choosing the Best Wallet
With all the choices of wallets, which one is right for you? Unfortunately, there isn’t really any single “best” answer. It all depends on how much you value security versus convenience.
The most secure wallet is probably the paper wallet. However, the real security comes down to how well you protect that piece of paper. If you have several copies of your paper wallet lying around for anyone to see, it isn’t very secure. On the other hand, if you only have a single copy of your paper wallet and end up losing it, that isn’t very secure, either.
After the paper wallet, most people consider a hardware wallet to be the second most secure option. The physical separation of your keys provides a superior level of security. Your keys are protected and accessible when needed. Since there is always the potential that you’ll lose the physical device, most hardware wallet users make a backup copy of their keys and store them in another safe location. Today’s hardware wallets make your keys easy to manage and access. A hardware wallet is a good choice when security is most important.
The last option, software wallets, work best when your keys are for accounts that don’t control items of great value. Software wallets are by far the most convenient type of wallet, but at the cost of security. Software always provides new opportunities for attackers to compromise your data, including your blockchain keys.
So, is there a secure wallet? Maybe. If security really is a big concern, get a good hardware wallet, make and securely store a backup of your keys, and protect that wallet from theft or loss. If security is of the utmost concern, a paper wallet and a good dose of paranoia may be the way to go.
Article written by Michael Solomon PhD CISSP PMP CISM, Professor of Information Systems Security and Information Technology at University of the Cumberlands.