Crypto Wallets: What are they and which are the safest?

(To Hugh Micci)

A feature recently advertised by Ledger, a well-known manufacturer of connected hardware wallets, has caused quite a stir: it would allow the seed to be extracted for backup purposes.

I therefore consider it useful to give a brief overview of what crypto wallets are, how they work, and what different types are on the market, with the related security risks.

A wallet, in the context of cryptocurrencies, is an application or device that allows users to manage, store and transfer their cryptocurrencies securely. It works like a digital wallet where users can keep their own cryptographic keys (private key and public key) needed to access and control their cryptocurrencies.

Normally a wallet allows you to import or generate the so-called "seed".

The seed (seed phrase, also called "mnemonic") is a sequence of random words, generally consisting of 12 or 24 words, generated using a specific algorithm. The seed is generated at the beginning of the process of creating a wallet and is a simplified way of representing private keys. It is usually generated using a cryptographically secure hashing function and can be thought of as a form of private key backup.

More precisely, the seed is a simplified and mnemonic representation of private keys, while the private key is the original and complete form of the cryptographic key.

A significant advantage of the seed is its ability to generate multiple private keys. Using the seed, it is possible to generate a series of derived private keys, or "child keys", which allow you to manage multiple addresses within a wallet. Also, the seed can be used for recovery of the wallet in case of loss or damage of the device.
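How one seed yields many child keys, as an added example that is not part of the original article. It assumes the BIP-32 scheme (which the article does not name) and shows only hardened derivation; the sample seed is the public BIP-32 test-vector seed and must never hold funds.

```python
import hashlib
import hmac

# Order of the secp256k1 group; valid private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # BIP-32: indices >= 2**31 are "hardened"


def master_key(seed: bytes) -> tuple[int, bytes]:
    """Return (master private key, chain code) for a binary seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid master key; use another seed")
    return key, digest[32:]


def hardened_child(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """Derive hardened child number `index` (0-based) from a parent private key."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be in [0, 2**31)")
    data = b"\x00" + parent_key.to_bytes(32, "big") + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + parent_key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child at this index; BIP-32 says use the next one")
    return child, digest[32:]


def derive_accounts(seed: bytes, count: int) -> list[str]:
    """Hex private keys for m/0', m/1', ... m/(count-1)'."""
    key, chain = master_key(seed)
    return [format(hardened_child(key, chain, i)[0], "064x") for i in range(count)]


if __name__ == "__main__":
    # Public BIP-32 test-vector seed, used here as sample input only.
    sample_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    for i, k in enumerate(derive_accounts(sample_seed, 3)):
        print(f"m/{i}' -> {k}")
```

Every child key is a deterministic function of the seed, which is why restoring the seed restores all addresses, and why anyone holding the seed controls all of them.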

The seed is in fact the access key to our cryptocurrencies. Anyone in possession of the seed can freely dispose of our funds deposited in the wallet.

A wallet also provides a user interface for making transactions, viewing the balance of cryptocurrencies and monitoring the transaction history.

There are two main types of wallet:

  • software wallets for mobile devices or computers

  • physical hardware wallets (which in turn are divided into connected or air-gapped)

I don't even want to talk about online wallets because, due to the "not your keys, not your coin" principle, with them we actually lose control over our cryptocurrencies, completely delegating it to an external service.

Software wallets are programs that are installed on the PC or on the phone, and allow you to generate and store private keys, and to sign transactions.

Hardware wallets perform the same functions, with some differences:

  • generation and storage of private keys: the hardware wallet generates private keys securely and stores them inside the device itself. The device is designed to be resistant to external attacks aimed at extracting the private key from the wallet;

  • offline transaction signing: when you need to make a transaction, the hardware wallet allows you to sign transactions securely within the device.

A hardware wallet is definitely safer than traditional software wallets, which are constantly connected to the internet and therefore much more exposed to attacks.

Hardware wallets are in turn divided into two broad categories: "connected" and "air-gapped".

Connected wallets are designed to connect to a computer or mobile device via a physical connection, such as a USB port or Bluetooth, and exchange data over this connection.

Air-gapped wallets, instead, are devices that are completely isolated from the Internet and other network connections. Their main purpose is to ensure maximum security for your cryptocurrencies by keeping private keys offline and protected from external threats.

How do air-gapped wallets work?

The generation of private keys takes place in exactly the same way as in connected wallets. As far as signing offline transactions is concerned, the air-gapped wallet creates transactions offline within the isolated device. Transaction information, such as the destination address and amount, is entered into the device via a secure method, such as using a QR code or SD card, and the transaction is signed with the offline private key.

Once signed, the transaction can be transferred to an internet-connected device via the same method used previously.

This is what makes air-gapped wallets so safe: the transfer of information between the wallet and the network is indirect, taking place via a QR code read with the camera or by inserting an SD card.

Of the two systems, in my opinion, the QR code is decidedly safer, as it is relatively simple to place on an SD card malware which, once brought inside the hardware device, compromises it and allows the extraction of the private key, copying it onto the same SD card and, when the card is inserted back into the source PC, transmitting it to a Command & Control server.

This could theoretically be done anyway by inserting malicious code in the QR code, but technically it is much more difficult for two reasons:

  1. the QR code can contain much less information than an SD Card;

  2. the QR code is read by the device, which can therefore effectively sanitize what has been read. The SD card, on the other hand, once inserted, could more easily execute code "without the knowledge" of the device.
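What sanitizing a scanned QR payload can look like on the device side, as an added example that is not part of the original article or any wallet's firmware. The JSON request format, its field names and the address pattern are hypothetical; the size cap is the largest binary payload a single QR code can carry.

```python
import json
import re

MAX_QR_BYTES = 2953                                # capacity of one QR code, binary mode
ALLOWED_FIELDS = {"to", "amount_sat", "fee_sat"}   # hypothetical request schema
ADDRESS_RE = re.compile(r"[a-z0-9]{14,90}")        # hypothetical address charset
MAX_SATS = 21_000_000 * 100_000_000


def sanitize_qr_payload(raw: bytes) -> dict:
    """Return a validated signing request or raise ValueError; nothing is executed."""
    if len(raw) > MAX_QR_BYTES:
        raise ValueError("payload larger than a QR code can carry")
    try:
        obj = json.loads(raw.decode("ascii"))
    except (ValueError, RecursionError) as exc:    # bad bytes, bad JSON, deep nesting
        raise ValueError("payload is not well-formed ASCII JSON") from exc
    if not isinstance(obj, dict) or set(obj) != ALLOWED_FIELDS:
        raise ValueError("unexpected or missing fields")
    if not isinstance(obj["to"], str) or not ADDRESS_RE.fullmatch(obj["to"]):
        raise ValueError("malformed destination address")
    for field in ("amount_sat", "fee_sat"):
        value = obj[field]
        if type(value) is not int or not 0 < value <= MAX_SATS:
            raise ValueError(f"{field} is not an integer in range")
    # Rebuild the request from validated values only; the raw input is discarded.
    return {name: obj[name] for name in sorted(ALLOWED_FIELDS)}


if __name__ == "__main__":
    # Constructed sample payloads, not captured from a real wallet.
    good = b'{"to": "bc1qexampleaddress0000000000", "amount_sat": 50000, "fee_sat": 300}'
    bad = b'{"to": "bc1qexampleaddress0000000000", "amount_sat": 50000, "fee_sat": 300, "script": "x"}'
    print(sanitize_qr_payload(good))
    try:
        sanitize_qr_payload(bad)
    except ValueError as err:
        print("rejected:", err)
```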

Before reaching the conclusions, it is worth mentioning two more important points.

The first is that it is possible to use a PC installed from scratch, and never connected to the internet, as an air-gapped hardware wallet.

The second is that a weak point that has recurred over the years is the algorithm for generating the seed. This algorithm sometimes had bugs, so it was less random than it should have been. To overcome this problem, today many hardware wallets provide a seed import feature.

It is therefore possible to generate the seed (there are several systems, from algorithms that use ambient sounds recorded by the microphone to generate the necessary entropy, to those that involve rolling hundreds of dice) and then import it into the wallet.
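Turning dice rolls into a 24-word seed, as an added example that is not part of the original article. It assumes the BIP-39 encoding (which the article does not name) and assumes the rolls are condensed with SHA-256; it outputs word indices, which the wallet's own 2048-word list maps to words.

```python
import hashlib
import math

MIN_BITS = 256  # entropy behind a 24-word phrase


def dice_to_entropy(rolls: str) -> bytes:
    """Condense a string of six-sided dice rolls ('1'..'6') into 32 bytes."""
    rolls = "".join(rolls.split())
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must contain only the digits 1-6")
    bits = len(rolls) * math.log2(6)  # about 2.585 bits per fair roll
    if bits < MIN_BITS:
        need = math.ceil(MIN_BITS / math.log2(6))
        raise ValueError(f"{len(rolls)} rolls give {bits:.0f} bits; need {need} rolls")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_indices(entropy: bytes) -> list[int]:
    """Map entropy to BIP-39 word indices (0..2047), checksum included."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP-39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # checksum: first ENT/32 bits of SHA-256(entropy)
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    # Constructed sample rolls for illustration; real rolls come from physical dice.
    sample = "3516242651" * 10
    print(bip39_indices(dice_to_entropy(sample)))
```

The last word carries the checksum, so a wallet importing the phrase can detect a mistyped word but cannot tell whether the dice were fair.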

Both air-gapped and connected hardware wallets offer a high level of security compared to a traditional software wallet, which is constantly connected to the Internet. However, the air-gapped wallet (and in particular the one that communicates via QR code) tends to offer greater security as it is completely isolated from the network and from potential external threats. Private key generation and transaction signing occur within the air-gapped device, which reduces the risk of private key compromise.

The hardware wallet with a USB connection is more convenient to use. However, using a USB connection introduces a potential risk of attacks through malware or hardware device firmware vulnerabilities.

To conclude, therefore, if maximum security is your top priority and you are willing to sacrifice convenience, the air-gapped wallet is the best choice. If you want a balance between security and ease of use, the hardware wallet with a USB connection could be a suitable solution. If you bet everything on ease of use, and manage small amounts, then you can opt for a software wallet.

A heartfelt thanks to all members (and friends) of SICYNT (Italian Society for the dissemination of CYber culture and New Technologies) for the review and suggestions

Images: author