24 July 2020
If you’re new to blockchain and cryptocurrency, you’ve probably heard that you need a crypto wallet. But you may wonder why a wallet is needed and how it can be used to make transactions.
The short answer is that crypto wallets use hashing and public/private key cryptography to make sure your funds can only be accessed by you. This is far more secure than, for instance, using a username and password to access an online bank account.
This article will explain how crypto wallets work. It will provide a crash course on hashing, public/private key cryptography, and the basic functions of a crypto wallet.
Online Bank Accounts
Before we explain how crypto wallets work, let’s begin by reviewing how an online bank account works.
If you have an account with an online bank, the bank issues you an account number. And the account associated with this number can be accessed using your username and password.
You set up the username and password when you first sign up for the account. Both the username and a hash of the password are stored on the bank’s server.
Before we go any further, let’s consider what hashing is.
Hashing is a cryptographic system used to prove that a message has not been tampered with.
For example, let’s say that I send you a message stating, “give $100 of my money to Joe.” If you are the custodian of some funds that I own, I might want this message delivered to you.
But there is a danger in sending this message. What if a hacker named “Jack” intercepts it and changes it to “send $500 of my money to Jack”? The hacker could easily steal my funds this way.
To prevent this, I can run my message through a hashing algorithm, a series of steps that convert it into a string of gibberish that uniquely represents my message. This string is called a hash.
Once I have derived the hash, I can send you two separate messages. The first message is the original, plain-text version. The second message is the hash of the first one.
When you’ve received both messages, you can hash the first message to see if it matches the second one. This way, you can tell whether the message has been tampered with.
If the message has been tampered with, it will produce a completely different hash.
For example, let’s say that I send you the message “give $100 of my money to Joe.” I then run this message through the SHA-256 hashing algorithm and get the following hash:
I send you this hash in a separate message.
When you run the original message through SHA-256, you get this hash:
Since these two hashes are identical, you know the message has not been tampered with.
On the other hand, let’s say the message you receive is “send $500 of my money to Jack.” In this case, you run the message through SHA-256 and get this hash:
Since this hash is completely different from the one I gave you, you know that an imposter has altered the message.
You can try this yourself using a hash generator.
Of course, we’re assuming the hacker can’t intercept both messages. If the hacker can do that, he can send both a fake message and fake hash.
But in the case of your bank password, we can be reasonably sure that the hacker can’t do that. This is because communication between your PC and the bank is secured using public/private key cryptography.
We’ll explain public/private key cryptography more in a later section. For now, just assume that your bank password cannot be intercepted as it is being sent to the server.
Thanks to the use of hashing, the online bank can verify your identity by asking for your password. When you send it the password, it can calculate the hash and compare it to the one stored on the server. If the two hashes match, it can conclude you are the person who created the account.
Problems With Online Bank Accounts
Although this system allows online bank accounts to be secure most of the time, it does have a significant security flaw.
If a hacker can get a hold of your password hash, he can guess random strings of characters until he finds one that matches the hash. For simple passwords, this can be done easily using hash cracking software. Once the attacker does this, he will know what your password is.
Most users can’t remember multiple passwords. So they may use the same password for multiple websites.
Thus, even if your bank cannot be hacked, all the attacker needs to do is penetrate a less secure network that you also use. If you use the same password on that site, he can learn your bank password from that site.
One solution to this problem is for users to create more complex passwords whose hashes are difficult and costly to crack. But this also makes the passwords easy to forget.
Another solution is to use a password manager such as LastPass. But this creates a situation where the password manager’s servers are filled with valuable data, making it a prime target for hackers.
Although this may be better than spreading the same password across multiple insecure websites, it’s still not ideal.
To solve this problem, crypto wallets use public/private key encryption both to issue accounts and to verify transactions. There are no usernames or passwords on crypto networks. So there are no hashes stored on servers that hackers can acquire.
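The hash comparison and stored-hash login check described in this section, as an added example that is not part of the original article. It goes one step beyond the text by storing a salted PBKDF2 hash next to the plain SHA-256 one, to show why a reused password is dangerous when sites keep unsalted hashes. The function names, the work factor and the sample password are assumptions made for this sketch.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # illustrative work factor chosen for this example

def sha256_hex(text):
    # Plain, unsalted SHA-256: fast, and identical for identical input.
    return hashlib.sha256(text.encode()).hexdigest()

def untampered(message, claimed_hash):
    # Receiver's check: re-hash the message, compare with the hash sent separately.
    return hmac.compare_digest(sha256_hex(message), claimed_hash)

def enroll(password):
    # Sign-up: keep a random per-user salt and a slow salted hash, never the password.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def login_ok(password, record):
    # Login: recompute with the stored salt and compare in constant time.
    salt, stored = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, stored)

def demo():
    sent = "give $100 of my money to Joe"
    hash_sent = sha256_hex(sent)
    reused = "sunshine1"  # constructed weak password, reused on two sites
    bank_plain, forum_plain = sha256_hex(reused), sha256_hex(reused)
    bank_salted, forum_salted = enroll(reused), enroll(reused)
    return {
        "original_ok": untampered(sent, hash_sent),
        "altered_ok": untampered("send $500 of my money to Jack", hash_sent),
        # Unsalted records match across sites, so a hash leaked by the
        # weaker site is also the bank's record.
        "unsalted_records_match": bank_plain == forum_plain,
        # Salted records differ, and each guess costs ITERATIONS hash rounds.
        "salted_records_match": bank_salted[1] == forum_salted[1],
        "right_password": login_ok(reused, bank_salted),
        "wrong_password": login_ok("sunshine2", bank_salted),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```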
Public/Private Key Cryptography
Public/Private Key Cryptography is a way to send private messages between two people. Here is how the system works.
Let’s say that Melissa and Alice want to set up a way to communicate with each other privately. Alice uses software to generate a 256-bit string of characters called a private key. She then runs this string through something called an elliptic curve algorithm.
This is a special type of algorithm that has some strange mathematical properties. We won’t go into the math involved. But the bottom line is that running a private key through one of these algorithms produces a separate string of characters called a public key.
Now Alice has both a private and public key. Melissa repeats these steps, deriving her own private and public key pair.
It just so happens that any message encrypted using a public key can only be decrypted using the corresponding private key.
So if Alice encrypts a message with Melissa’s public key, it can only be decrypted with Melissa’s private key. And if Melissa encrypts a message with Alice’s public key, it can only be decrypted with Alice’s private key.
This means that Melissa and Alice can use each other’s public keys to send secret messages to each other – as long as they never share their private keys with anyone.
This system can also be used to verify that a message came from a particular person. For example, Alice can encrypt a message with her private key and send it to Melissa. If Melissa can decrypt the message using Alice’s public key, Melissa knows the message came from Alice.
As we mentioned earlier, online banks use public/private key cryptography to securely communicate with a user’s PC. This is why hackers usually can’t intercept passwords as they are being sent to the server.
But this is all that banks use it for.
Bank account numbers are not public keys or hashes of public keys. For this reason, usernames and passwords are required for online bank accounts.
How Crypto Wallets Work
When you download a crypto wallet and use it to make transactions, here is what happens.
When you first download a wallet, it generates a set of words called seed words. You write these words down on a piece of paper and store them somewhere safe. If your device crashes, these seed words can be used to recover your crypto account.
If you lose these seed words, you lose access to your account forever. If another person ever gets your seed words, that person has full access to the account forever.
These seed words are used to generate a private key. The private key is then used to generate a public key.
The next step is to enter a password. The password is used to encrypt your private key. This is an extra security precaution in case your device gets hacked.
Hackers don’t go after individual users nearly as often as they do big targets such as online banks or popular websites. But still, it isn’t impossible for an individual user’s PC to be hacked. Password protecting your private key makes it harder for such a hacker to obtain it.
A hash of your password is stored on your device. If a hacker gets both the encrypted private key and the hash of your password, he may be able to use hash cracking software to decrypt your private key and gain access to your account.
So if you own a lot of crypto, you may want to use a strong password – even if this means you have to write down the password to keep from forgetting it. This will make the hash challenging to crack.
Alternatively, you may want to use a hardware wallet such as a Ledger or Trezor. These devices store your private key outside of your PC.
If you use a hardware wallet, you can disconnect the wallet every time you finish a transaction. In this case, the only way the thief can get your private key when the hardware wallet is disconnected is if he physically steals it.
Regardless, storing your password on your own device is usually much more secure than storing it on a website – since most individual users will not be considered prime targets by hackers.
If you forget your password, you can create a new one using your seed words. If you’ve lost your seed words, you’re out of luck.
Once you’ve entered a password, the wallet runs your public key through a hashing algorithm. This produces another string of characters called an address.
If you want someone to send you crypto (such as your crypto brokerage, for example), the address is the “account number” you give out.
If you are using an Ethereum Web3-enabled browser such as Brave Browser or an extension such as MetaMask, the merchant you are accessing may run scripts that automatically detect your address. In this case, you may be able to approve transactions with only a click or two.
Otherwise, you may need to cut and paste your address when requesting funds.
If you cut and paste and send the funds to the wrong address, you lose your crypto.
How Wallet Transactions Work
Here is how the nodes or “miners” on Bitcoin, Ethereum, and other blockchain networks verify transactions.
Let’s say you’ve downloaded a wallet and created an address. Now you want to receive coins. You go to your brokerage’s website and tell them to transfer 0.01 BTC to your address.
The brokerage broadcasts a transaction to the Bitcoin network. The nodes receive the transaction, but they’ve never seen your address before.
Still, the address passes all of the checks that show that it may have been created by a Bitcoin wallet. So the nodes update the ledger showing that 0.01 BTC minus transaction fees have been transferred to your address.
Your wallet checks the blockchain and verifies that 0.01 BTC has been transferred. It updates your display to show the new balance.
Now let’s say you want to send the BTC to another site (to another brokerage, for example). You cut and paste the new site’s address into your wallet.
Your wallet broadcasts the transaction to the Bitcoin network. This transaction provides three pieces of data:
- A transaction message: “send this much BTC from this address to this other address.”
- The public key associated with the sending address
- A copy of the transaction message, but hashed and encrypted with your private key
When the nodes receive the message, they perform the following steps:
- Derive the address from the public key you provided, and check that it matches the address you provided
- Check that the address holds enough funds to cover the amount being sent
- Decrypt the copy of the message using the public key you provided, revealing a hash of the copy
- Hash the original message you provided
- Check the hash of the original message to make sure it is identical to the decrypted hash of the copy
If the two hashes match, it proves that the copy of the message was encrypted by whoever originally created the address. In this case, that’s you.
In other words, the nodes can verify for sure that the owner of the account is the one sending the transaction message.
Of course, this assumes that no one has your private key except you. So it’s important to always protect your private key and make sure that no one else can obtain it.
This is why cryptocurrency wallets are more secure than online bank accounts or any other type of website that uses usernames and passwords. It is also why you need a cryptocurrency wallet in order to use cryptocurrency.
As more investors and users become crypto owners, the issue of how crypto wallets work becomes increasingly important. This article has explained some of the most fundamental features of crypto wallets – including their use of hashing and public/private key cryptography.