Getting Started with Blockchain | Introductory Security Notes (1)
More and more people are getting involved in the blockchain industry, but many of them have never worked with blockchain before and have no relevant security knowledge. Their security awareness is weak, which gives attackers openings to exploit. In response to the many security issues in blockchain, SlowMist has launched a series of introductory blockchain security notes that introduces ten blockchain security terms, so that newcomers can cope with the security risks of the blockchain world.
A wallet is a tool for managing private keys. Digital currency wallets come in many forms, but they usually include a software client that lets users check, store, and trade their digital currency through the wallet. The wallet is basic infrastructure and an important entry point into the blockchain world. According to SlowMist Hacked, the total amount lost in wallet hacks caused by "phishing" and "third-party hijacking" in 2018 was US$69,160,985. Fundamentally, apart from some wallets not being comprehensive enough in their own defenses against attack, the main cause is that wallet holders' security awareness is not strong.
A Cold Wallet is an offline wallet: it is disconnected from the Internet and stores digital currency offline. The user generates a digital currency address and private key on the offline wallet and saves them. Because a cold wallet stores digital currency without any network connection, it is difficult for a hacker to get into the wallet and obtain the private key, but it is not absolutely secure. Insecure random numbers can also make a cold wallet unsafe. In addition, hardware damage or loss can also cause the loss of digital currency, so a backup of the key is required.
A Hot Wallet is an online wallet that requires a network connection and is more convenient to use. However, because a hot wallet generally has to be used online, the personal device it runs on may be hacked, allowing the attacker to steal the wallet file, capture the wallet password, or crack the encrypted private key. Centrally managed wallets are not absolutely safe either. Therefore, when using a centralized exchange or wallet, it is best to set a different password on each platform and to enable secondary (two-factor) authentication to protect your assets.
The Public Key is paired with the private key; together they form a key pair, which is stored in the wallet. The public key is generated from the private key, but the private key cannot be derived back from the public key. The wallet address is obtained from the public key through a series of algorithmic operations, so the public key can serve as a credential for the wallet address.
A Private Key is a string of data generated by a random algorithm. The public key is calculated from it through an asymmetric encryption algorithm, and the address of the coin is calculated from the public key. The private key is critically important: it acts as a password and is hidden from everyone except the owner of the address. The blockchain asset itself actually lives on the blockchain. The owner only holds the private key, and has absolute control over the blockchain assets through it. Therefore, the core problem of blockchain asset security is the storage of the private key, and the owner must keep it safe. Compared with the traditional username and password form, the biggest advantage of transacting with public and private keys is improved security and integrity of data transfer. Because the two keys correspond to each other, the user basically does not have to worry about the data being intercepted or modified by a hacker in transit. At the same time, because data encrypted with the private key must be decrypted with the public key generated from it, the sender does not have to worry about the data being forged by others.
Because the private key is a long string of meaningless characters, it is hard to remember, which is why the Mnemonic exists. The mnemonic uses a fixed algorithm to convert the private key into more than a dozen common English words. The mnemonic and the private key are interchangeable and can be converted into each other; the mnemonic is only a friendlier format for the private key of a blockchain digital wallet. So, to emphasize: the mnemonic is the private key! Because it is plaintext, it is not recommended to save it electronically. Copy it onto physical media instead, where it complements the Keystore as a dual backup.
The Keystore is mainly used in Ethereum wallet apps (Bitcoin has a mechanism similar to the Ethereum Keystore: BIP38). It is the private key encrypted with the wallet password. Unlike the mnemonic, it can be stored as text or in JSON format. In other words, the Keystore only becomes equivalent to the private key once it has been decrypted with the wallet password, so importing a wallet from a Keystore requires the wallet password. When a hacker steals a Keystore, it is possible to crack the Keystore password and unlock the Keystore without having been given the password. Therefore, it is recommended that users make the password somewhat more complex when setting it, for example by including special characters and using at least 8 characters, and that they store it securely.
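How well a stolen Keystore holds up depends on the password and on the key-derivation settings recorded in the JSON file itself. The following added example (not from the original article) reads a file in the Ethereum version 3 keystore layout and reports weak settings, then checks a password against the advice above; the minimum work factors, the function names and the sample files are assumptions of this example.

```python
import json
import string

# Assumed policy thresholds for this example (not taken from the article).
MIN_SCRYPT_COST = 262144 * 8 * 1   # n * r * p
MIN_PBKDF2_ITERATIONS = 262144

def audit_keystore(text: str) -> list[str]:
    """List weaknesses that make offline password guessing cheaper."""
    findings = []
    doc = json.loads(text)
    if doc.get("version") != 3:
        findings.append("not a version 3 keystore")
    crypto = doc.get("crypto") or doc.get("Crypto") or {}
    kdf, params = crypto.get("kdf"), crypto.get("kdfparams", {})
    if kdf == "scrypt":
        cost = params.get("n", 0) * params.get("r", 0) * params.get("p", 0)
        if cost < MIN_SCRYPT_COST:
            findings.append(f"scrypt cost n*r*p={cost} is below {MIN_SCRYPT_COST}")
    elif kdf == "pbkdf2":
        if params.get("c", 0) < MIN_PBKDF2_ITERATIONS:
            findings.append(f"pbkdf2 iterations below {MIN_PBKDF2_ITERATIONS}")
    else:
        findings.append(f"unrecognised kdf: {kdf!r}")
    if len(params.get("salt", "")) < 32:  # hex string, 32 chars = 16 bytes
        findings.append("salt shorter than 16 bytes")
    return findings

def password_findings(password: str) -> list[str]:
    """Check the advice above: at least 8 characters and a special character."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character")
    return findings

def sample_keystore(n: int, r: int, p: int) -> str:
    """Constructed sample file; every hex value is a placeholder."""
    return json.dumps({"version": 3, "id": "constructed-sample", "crypto": {
        "cipher": "aes-128-ctr", "ciphertext": "00" * 32,
        "cipherparams": {"iv": "00" * 16}, "kdf": "scrypt",
        "kdfparams": {"dklen": 32, "n": n, "r": r, "p": p, "salt": "ab" * 32},
        "mac": "00" * 32}})

if __name__ == "__main__":
    print(audit_keystore(sample_keystore(4096, 8, 6)))
    print(password_findings("abc"))
```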
Image from imToken Fans Event Sharing
Because it is backed by blockchain technology, a blockchain digital wallet has a higher safety factor than other digital wallets. The two most critical points are protection against theft and protection against loss. Whereas the causes of coin-theft incidents are varied, there are five main causes of coin-loss incidents: no backup, lost backup, forgotten password, backup error, and lost or damaged equipment. Therefore, when backing up a blockchain digital wallet, we must make multiple backups of the private key, the mnemonic, and the Keystore, and eliminate the risk of losing coins before it can materialize. Finally, here are the wallet security "Ten Principles" from imToken:
Source: SlowMist Technology
- Do not use a wallet that has not been backed up
- Do not use email to transfer or store private keys
- Do not use WeChat Favorites or cloud backup to store private keys
- Do not take a screenshot or a photo to save the private key
- Do not send private keys over WeChat or QQ
- Do not tell the people around you your private key
- Do not send the private key to a group chat
- Do not use third-party wallet apps from unknown sources
- Do not use Apple IDs provided by others
- Do not import private keys into unknown third-party websites