In the world of blockchain and digital assets, security is paramount. Ethereum, one of the most popular decentralized platforms, has effectively addressed this concern with its unique public/private key mechanism. This blog post delves into the technicalities of this system, comparing its level of security to traditional username and password methods.
Public/Private Key Cryptography in Ethereum Wallets
The Ethereum platform employs Elliptic Curve Cryptography (ECC) as the basis for its public/private key pairs. The specific curve used in Ethereum is the secp256k1, which is also employed by Bitcoin. In essence, the private key is a randomly generated 256-bit number, while the public key is derived from it through a series of complex mathematical operations.
Private Key Generation
The first step in creating an Ethereum wallet is generating the private key. A cryptographically secure random number generator (RNG) produces a 256-bit number, which must fall within the range of 1 to n-1, where n is the order of the curve. Ensuring that the private key lies within this range guarantees that it is a valid key.
Public Key Derivation
Once the private key is generated, the public key can be derived. This is done by multiplying the private key with the base point (G) of the secp256k1 curve. The resulting point (x, y) on the curve represents the public key. In mathematical notation:
public_key = private_key * G
The public key is then represented in uncompressed (0x04 || x || y) or compressed (0x02 or 0x03 || x) form, depending on the most significant bit (MSB) of the y-coordinate.
Ethereum Address Generation
The Ethereum address is derived from the public key by applying the Keccak-256 hash function, which is Ethereum’s version of SHA-3. The last 20 bytes (40 hex characters) of the Keccak-256 hash represent the Ethereum address, prefixed with ‘0x’. This address is used to uniquely identify users on the Ethereum network and to receive or send Ethereum / ERC-20 Tokens (Cryptocurrencies) / ERC-721 Tokens (NFTs) / ERC-1155 Tokens (NFTs), and other tokens.
Security Advantages: Ethereum Wallets over Passwords
The public/private key system of Ethereum wallets offers several security advantages over traditional username and password combinations:
Decentralization: Unlike centralized systems that store usernames and passwords on servers, Ethereum’s decentralized nature distributes user data across the network. This eliminates single points of failure, reducing the risk of large-scale data breaches. To learn more about some of the larger data breaches that Decentralized Identities could have prevented, check out our blog on that here:
https://www.nyedis.com/post/how-decentralized-identity-could-have-prevented-3-billion-users-identities-being-stolen
Non-reversible: Public keys are derived from private keys, but it is computationally infeasible to deduce the private key from the public key. This ensures that even if a user’s public key is compromised, the attacker cannot gain access to the private key. The opposite of this would be a centralized Identity Management platform used for provisioning accounts across systems throughout the enterprise. They have to store all the passwords in a 2-way hash so that they can be decrypted for provisioning purposes. I’m pretty sure that everyone knows by now, that if you ever wanted to retrieve all the cleartext passwords from an IDM system, all you need to to is spin up a new connector to something like a text file or DB and provision all the accounts to it. Boom you have all the passwords now.
Brute-force resistance: With a 256-bit private key, there are approximately 2^256 possible combinations. Attempting to brute-force such a key would require an inconceivable amount of computational power and time, making it virtually impossible. To put this into perspective, if you were to spin up an AWS instance with 64 cores to try and brute force 1 private key, it would take an estimated 2.29 * 10^58 years. The universe is about 13.8 billion years old… So it’s not going to happen =)
Phishing resistance: Since users do not enter their private keys or passwords on websites, phishing attacks are far less effective. Instead, transactions are signed offline using the private key, and only the signed transaction is broadcasted to the network. FIDO is great for this, and I have a handful of Yubikeys that I have to tote around with me everywhere. But these are $50 a pop, and if I lose it, it’s a serious pain in the a$$ to reconnect a new one and I’m locked out of the system for at least a day. Ethereum wallets are free, generated instantly, and highly disposable.
Wrap-up
The public/private key mechanism employed by Ethereum wallets provides a robust security solution that outshines traditional username and password systems. By leveraging the power of cryptography and decentralization, Ethereum ensures user data remains secure and resistant to various forms of cyberattacks. As the blockchain ecosystem continues to evolve, the importance of strong security measures like these will only grow.