Blockchain networks are built upon the concept of the transaction, either for transferring money or to even setting up a smart contract. However, each transaction performed in the Blockchain has ...
With the rise in the number of Blockchain cryptocurrency users and the mass adoption of electronic wallets, the number of cyber-attacks that target this specific component of the Blockchain is rising too. Therefore, knowing the different types of Blockchain wallets will help the Blockchain security auditor to better locate the weakest part of the Blockchain to perform attack scenarios. So, what are the different types of Blockchain wallets?
The blockchain wallets could be found in 3 types:
Because of the security levels in the Blockchain, performing an attack against it will require both advanced skills and computation power. On the other side, wallets are the responsible component in the Blockchain environment to store the user’s private key with which the different transactions are signed. Therefore, taking control over those wallets will give the attacker the ability to withdraw the victim coins to any address he wants to.
Therefore, choosing the right type of Blockchain wallets is necessary to ensure a certain level of security for the client and avoid any attacks against them. So if you are interested in knowing more about those wallets just keep reading.
Before I start explaining what each wallets type does and how it works, I would like you to know that any of the previous types of wallets can be either a Single-sig or a Multisig wallet.
Single-sig wallets as the name describe are a category of wallets where only one private key is needed to sign the different user’s transactions. In contrast to Multisig wallets, where multiple signatures (multiple private keys) are needed to sign a single transaction.
As you can see the Multisig wallets would be the more secure because the attacker would need to find more than one private key to be able to sign a transaction. Usually, those keys are saved in different places, which makes it even harder for an attacker.
In addition, those wallets could be implemented in multiple forms. Here is a list of the different forms in which those wallets could be found:
At the very beginning of the blockchain wallets, the most popular wallets were the non-deterministic ones. Non-deterministic wallets are a type of wallets where the keys are generated in a random way. This means that no key has a relationship with the other. This way of creating the key is more secure as knowing one of them will not give any information about the other ones.
However, this creates a big headache for the wallet itself as it will require more operations to store and backup all the created keys. Storing those keys means implementing encryption and security mechanism to secure them. All these concepts mean, that if a private key is lost, there is no way the user can recover it.
Wallets were groupings of randomly generated private keys in the initial Bitcoin wallet (now known as Bitcoin Core). When you first start the Bitcoin Core client, it produces 100 random private keys and then generates more as needed, with each key being used only once.
In contrast to the non-deterministic wallets, all the keys generated in this type of wallet are connected to the same initial seed. Using that seed the wallets derive as many keys as it is needed. The best thing about those wallets is that they don’t need to store all the generated keys. Storing the initial seed is more than enough to restore all the keys.
The initial seeds are usually human-readable words and are defined in BIP39, which stands for “Bitcoin Improvement Protocol”.
To generate a private key take SHA256(string + n), where n is an ASCII-coded number that starts from 1 and increments as additional keys are needed.
To better recover the generated keys in the deterministic wallets a new concept was introduced called Hierarchical deterministic wallets. This concept is based on generating the private keys in a tree structure starting from a human seed.
BIP 0032 defines this wallet type, which is completely implemented in TREZOR, Electrum, and CarbonWallet. The seed is a 128-bit random integer that is provided to the user as a 12-word seed phrase made up of popular English terms. After 100,000 rounds of SHA256, the seed is utilized to slow off attacks against weak user-chosen strings.
In addition, HD wallets also allow users to generate public keys without having to access the private keys that go with them. This implies they can be used in a receive-only manner or on vulnerable servers. This option is the key difference between this type and the simple deterministic wallets. In addition, in the simple deterministic wallets, all the private keys are generated from the human seed, in contrast to the HD wallets where keys could also be generated from the older ones.
However, all the deterministic wallets are still less secure than the non-deterministic ones as knowing the human seed will give the attacker the ability to recover all the private keys.
The hashes of remembered passwords can also be used to generate the master private key. The fundamental concept is that this password is used to generate the private key, and if utilized with HD wallets, a whole HD wallet may be generated from a single remembered password. This is referred to as a “brain wallet.”
The logic is that once you have the private key memorized, you can access your bitcoin wallet from anywhere in the globe as long as you have internet connectivity. It’s extremely convenient if you need to flee quickly your coins will always be with you.
For example, to make a brain wallet, use Bitcoin wallet software to construct a new address, use a mnemonic method to memorize the seed phrase connected with the address, and then remove the wallet from your computer or smartphone.
However, this approach is vulnerable to brute-force assaults and password guessing, however, tactics like key stretching can be employed to slow down the attacker’s progress. In addition, the fact that this wallet relies on the human brain to store the private key (or the human seed) then the risk to forget it remains present.
As the name implies, the private key, in this case, is printed on a piece of paper and requires a physical mechanism to secure it. In some cases, those keys could be presented as a QR code and then printed. In addition, papers could get damaged with basically anything and should be stored very carefully, otherwise, the user could lose all his money.
Hardware wallets are usually small devices that hold your wallet information (private key …). It is a portable key that allows you to safely access your crypto assets from anywhere. In addition, the hardware wallets are commonly referred to as “cold storage” since they separate the private keys from the Internet, reducing the danger of the user’s funds being stolen in the event of a cyberattack.
Moreover, those devices are protected with a pin password, which means that even if the device is stolen, the thief cannot get the private keys. In addition, without having to register new accounts, a hardware wallet can “log you in” to a number of dApps. They may even be used to log in to common apps like Google and Facebook.
Furthermore, being stored in a device, keep the data safe from the damages that the time could do to paper wallet for example.
Unfortunately, those devices could be expensive and not easy to find in daily life. In addition, using them by people with less IT knowledge could be difficult. Moreover, those wallets could also support multiple types of coins and store all the required information for each one of them in the same place.
However, those devices could also be the source of a hack into your coins. As the price of those devices is very high people may tend to buy multiple ones with a lower price from different stores and end up with backdoored devices. Once you enter the details of your coin into the devices all your money would be stolen and transferred to the attacker’s address.
The online wallets are a walled created and managed with a web application. The idea here is that the whole security of the keys is delegated to the web application vendors. Usually, those wallets have a web interface connected to a backend that performs all the transfer, keys generation and storage, and more. All that the user should keep in his mind is the username and the password to log in to his personal space of this application.
Until now everything is cool as the web application helps you become independent from any device and help you get access to your money from any place in the world. However, if any cyber-attack target the web application or the webserver of the app, then all your keys will be stolen.
Due to the number of applications and services that a web application needs to correctly work, makes it more vulnerable to attacks and very difficult to correctly secure it. In addition, the users of such wallets could be targeted by phishing attacks that impersonate the web application they use to access their wallets. Therefore, with all those elements, it is really very difficult for a user to trust those web applications and use them in daily payments.
The mobile wallets combine the usability of the web application and the security of device wallets. Mobile wallets are simple mobile apps that store the keys locally and offer a bunch of both security features and manipulation services. In addition, those wallets usually support multiple cryptocurrencies which centralize all the required information to perform any transaction with any currency.
Moreover, due to the portability aspect of the smartphone, those wallets could help you access your money from any place in the world too.
Unfortunately, even those wallets are less secure, as the phone is always connected to the internet and could be hacked at any moment. Hacking the user’s phone means leaking the keys and transferring the funds. Moreover, users tend to take more time to install patches on their phones which may keep an app in danger between the discovery of a new vulnerability and the application of the required patch.
Choosing the right wallets to use in your daily life depends on multiple aspects that should be taken into consideration. The most important one in all of them is the security of your key. If the keys get lost or destructed or even stolen, then you are done, all your money will be lost.
The most secure wallets in my opinion are the device-based ones as they stay out of the internet and are secured with a pin. However, they are still expensive and not affordable by most people. In addition, the device wallets may require some technical knowledge to know how to use them which not always be possible for most users.
Using a mobile wallet is getting more and more the best solution as smartphones are getting more and more secure with controlled access to the internet.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).
todayNovember 1, 2022
Blockchain technology was indeed built with security in mind. This means that it is supposed to be very secure compared to other technologies. However, Blockchain technology suffers from some weaknesses [...]