By Professor Kim Hyoung-Joong at the Graduate School of Information Security at Korea University
Blockchain hacking is not impossible, but it’s really not easy. Have you ever heard that the Bitcoin blockchain was hacked and seriously lost its function, even temporarily? If that had happened, Bitcoin would have already been destroyed. Hacking a good blockchain is possible almost only in fiction. This is not easy to argue, however, because people differ widely in what they count as hacking, and so claims that hacking is possible persist. Meanwhile, there are often reports that cryptocurrency has been stolen. News of cryptocurrency theft can be misinterpreted as blockchain hacking in the broad sense.
There are two main ways to steal cryptocurrency. One way is for the hackers to steal private keys that they can use to move coins from coin owners. The other way is for a hacker to steal a password to open a coin owner’s wallet.
Here, readers should first know what a private key is and what a wallet password is. Start with the private key. Consider a person transferring money from a bank account: they must show identification and stamp a pre-registered seal to prove to the bank teller that they are the owner of the money. The teller then determines the authenticity of the seal. If a signature was used instead of a seal, the staff would check the signature.
On the other hand, cryptocurrencies can move coins without intermediaries. There is no intermediary bank in the cryptocurrency ecosystem. Therefore, there is no teller and no third party to verify that you are the owner of the account by checking the signature. That is why cryptocurrencies use a private key instead of a seal or signature. The length of the private key is a whopping 256 bits.
It’s hard to memorize a private key. What happens when you choose an ordinary number instead? Some will choose an ordinary private key to avoid the headache of dealing with a long one. If this results in people choosing the same private key, it is as if they hold their coins as common property, clearly a heart-stopping risk that can’t be shaken off! Choosing an ordinary private key is even more serious than choosing “12345” or “QWERTY” as a password.
Therefore, anyone who chooses an ordinary private key has exposed themselves to the possibility of having their coins taken at any time. So, it is best to generate a random number to avoid duplication so that the same private key is never generated. A 256-bit random number has a very low probability of overlapping with another random number. It’s really low right now. However, one day, there will be many overlapping random numbers, and when that happens, the length of the private key can be increased to 384 bits or 512 bits.
There is a way to check whether a private key is duplicated. First, create a public key from a randomly generated private key and use that to create a wallet address. You can then search for the wallet address. A service like EtherScan helps you track records of Ether moving from one wallet address to another. If the same wallet address is found when searching, it is very likely that the private key has already been selected by someone. There is a reason why we hedged by saying “it is very likely that the private key has already been selected” rather than saying definitively that it has been selected. This is because both the private and public keys are 256 bits long, but the wallet address is 160 bits long.
It is easy to create a public key from a given private key. However, it is difficult to go in reverse and find the secret key from a given public key. If the private key is about 256 bits long, this is not merely difficult but mathematically impossible. Therefore, a function that creates a public key from a secret key is called a one-way function. One day, it will be easier to find a secret key from a 256-bit public key. In that case, the key length can also be increased to 384 bits or 512 bits. Once a quantum computer is built, it will be dangerous to create public keys based on the discrete logarithm as is done now. So scientists are creating mathematically more secure key generation methods.
It is too much to ask anyone to remember a 256-bit private key created by generating a random number. It’s hard to remember even a 32-bit internet address, so we use domain names. Fortunately, there is an app that gives you an Internet address when you enter a domain name. So even if you forget the Internet address, you only need to know the domain name. There is no critical need to know an Internet address, so you don’t have to struggle to remember it.
However, if you want to move coins, you must remember the private key. So there’s something that acts like a domain name so that you don’t have to remember the complex 256-bit number. That’s what we call a mnemonic, consisting of 12 so-called English words. The private key generator first generates a 128-bit random number and adds a 4-bit parity to it to create a 132-bit random number, then creates 12 English words based on this number and gives them to the wallet owner, instructing the owner to remember them. People who have made wallets may have written down 12 English words somewhere without knowing their meaning.
A private key is created using the mnemonic. Therefore, you should keep the 12 words safe and also remember their order. Of course, even if you remember only the 12 words and don’t know the order, you can figure out the secret key, but in the worst case, you have to do 479,001,600 calculations. One important fact here is that if the mnemonic is leaked, the coin can immediately fall into the hands of others.
Anyway, a seed is created from the mnemonic, and after that, a private key is created and a public key is generated from the private key. The public key is also 256 bits long, so a 160-bit wallet address is created to reduce the length and increase security. Here, the wallet address acts like a bank account number. When B, the recipient of the coin, sends B’s wallet address to A, the sender of the coin, A transfers A’s coin to B’s wallet with A’s secret key. When C sends C’s wallet address to ask B to send a coin, B unlocks B’s coin with B’s private key and sends it to C’s wallet. So the private key must not be stolen. That is why it’s important to protect your private key.
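The mnemonic steps described above (128 random bits, a 4-bit parity, 12 words, then a seed) match the public BIP-39 scheme, and the following Python sketch works through them. It is an added example, not code from the article or from any wallet; it works with word positions (0 to 2047) instead of the actual English word list, and all function names are assumptions made for illustration.

```python
import hashlib
import math
import random
import secrets

ENT_BITS, CS_BITS, WORD_BITS = 128, 4, 11   # 128 + 4 = 132 = 12 * 11
ORDERINGS = math.factorial(12)              # the article's 479,001,600

def checksum(entropy: bytes) -> int:
    """The 4-bit 'parity': first 4 bits of SHA-256 over the random number."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)

def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the checksum and cut the 132 bits into 12 word positions."""
    if len(entropy) * 8 != ENT_BITS:
        raise ValueError("expected 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CS_BITS) | checksum(entropy)
    n = (ENT_BITS + CS_BITS) // WORD_BITS
    return [(bits >> (WORD_BITS * (n - 1 - i))) & 0x7FF for i in range(n)]

def is_valid(indices: list[int]) -> bool:
    """Rebuild the 132 bits in the given word order and re-check the checksum."""
    if len(indices) != 12 or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << WORD_BITS) | i
    entropy = (bits >> CS_BITS).to_bytes(ENT_BITS // 8, "big")
    return (bits & 0xF) == checksum(entropy)

def to_seed(words: list[str], passphrase: str = "") -> bytes:
    """Seed step: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode(),
                               ("mnemonic" + passphrase).encode(), 2048)

def misorder_pass_rate(indices: list[int], trials: int = 2000, seed: int = 1) -> float:
    """Share of random re-orderings that still pass the checksum (about 1/16)."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        shuffled = indices[:]
        rng.shuffle(shuffled)
        hits += is_valid(shuffled)
    return hits / trials

if __name__ == "__main__":
    idx = entropy_to_indices(secrets.token_bytes(16))  # CSPRNG, never a chosen number
    print(idx, is_valid(idx), misorder_pass_rate(idx), ORDERINGS)
```

Because the checksum is only 4 bits, a wallet rejects roughly 15 of every 16 mis-ordered backups but not all of them, so a copy of the words should be verified by restoring it before it is relied on.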
You have probably heard a lot of stories up to this point. This time, let’s learn about the password of the wallet. Before that, we need to clear up one misunderstanding. There are no coins in the wallet. The wallet only contains the private key. Coins are just digital numbers that cannot be touched or seen and exist only as records on the blockchain. In a cryptocurrency world where there are no bank tellers, your wallet is the bank and you are the teller. The wallet is important because the private key is in it, and since the wallet is the bank, if the wallet can be opened, the coins tied to the wallet address become the hacker’s.
However, to open the wallet, you need to know the password of the wallet. Wallet passwords are generally short, and most can be easily inferred from information about the wallet owner. Therefore, it may be faster to find out the wallet password than to go to the trouble of finding the private key. So to strengthen wallet security, you have to make passwords difficult. But a difficult password is hard to remember.
So, there are many people who leave their coins to cryptocurrency exchanges because they are troubled and anxious. In fact, most people don’t realize that customers have to make their own wallets after they first purchase coins on the exchange. If a customer wants to purchase a coin on the exchange for the first time, the exchange first creates the customer’s private key, uses it to create a wallet, and then the exchange stores the private key. So the owner of the coin is the customer, but in reality, the exchange keeps the customer’s private key.
When a customer purchases a coin, strictly speaking the coin should move from one blockchain address to another. However, the exchange does not move the customer’s coins. Changing a coin’s address requires paying a fee called a gas fee, so to save that cost, coins are moved only on the exchange’s internal ledger and are not actually moved on the blockchain. Nevertheless, on the ledger it appears that the customer’s wallet contains the coins.
If the exchange is trustworthy, there is no need to worry about the customer’s private key being stored by the exchange. A good exchange does not steal coins: first, because it is a reliable exchange, and second, because the penalties for embezzlement are heavy. However, incidents in which internal employees of an exchange illegally steal many coins using the customers’ secret keys kept by the exchange do sometimes occur. This is the basis for the misunderstanding that the blockchain has been hacked.
If a corporation owns many coins, it is desirable to use a coin custody service. There may be objections to whether it is necessary to use the consignment service even at the cost of storage. So, I would like to briefly explain the necessity of a consignment service.
Consignment services may be advantageous from the perspective of corporate accounting or internal control. A corporation must undergo an external audit or an accounting audit. If it is cash, you can open the safe and show it, but there is no way to check it with your own eyes because coins are intangible.
If a corporation needs to buy and sell coins as an investment, it is advantageous to use a consignment service. A corporation can perform its own investment work, but it has to assign staff who have little expertise and whose main job lies elsewhere. In Korea, entrusted service companies are not willing to engage in investment operations other than custody, and they are wary of the financial authorities. However, it is difficult for these companies to make a profit from custody alone, and it is hard for domestic companies with tied hands to compete with foreign companies. Corporations may also be hesitant to store their coins while paying a storage fee. Therefore, the trustee service company should be able to make investments or loans using the deposited coins by paying interest on the company’s coin deposits.
In conclusion, regarding coins, you should keep your mnemonic or private key safe. The same goes for wallet passwords. Just as you should use complicated passwords when you sign up for services on the Internet, you should use complicated wallet passwords. In the case of a corporation, it is necessary to consider using a consignment service. Trustee service providers need to consider not only the low-profit custody business but also reporting as a virtual asset business operator, such as Delio, which lends cryptocurrencies with cryptocurrencies as collateral.
Copyright © Korea IT Times. Unauthorized reproduction and redistribution prohibited.