VivoPay Introduction to Key Management


VivoPay is a new crypto wallet for the new Harmony One blockchain. VivoPay is designed to be easy to use for people new to crypto. If you know how to use Square Cash or Venmo, you will be able to use VivoPay. And we have big plans: soon the VivoPay wallet will be able to execute highly efficient, privacy-preserving Zero Knowledge Proof (ZKP) smart contracts to give blockchain the scalability and privacy needed to compete with traditional financial institutions. (We also have created ZKP developer tools that work seamlessly with VivoPay. We’ll share more details soon)

This blog post is a primer on key management.

What is Key Management?

Users interact with blockchain mostly with two types of applications/sites: exchanges and wallets. Coinbase and Binance are examples of exchanges. Examples of wallets are Trust Wallet, MyEtherWallet, ZenGo, and Coinbase Wallet. You can find these wallets in the Apple App Store and Google Play Store.

While exchanges focus primarily on trading, wallets usually focus more on payments and running dApps (decentralized apps, apps running on a blockchain). People log in to exchanges with a username and password, just like people are used to when they log into their online bank. Wallets, however, work differently. The first shocker for new users is that wallets do not use usernames and passwords. Instead, wallets use cryptographic keys.

The first time a user opens a wallet, a new random pair of keys of created. One key is your public key, which is similar to a bank account number, and you can safely share the public key to people who need to pay you. The second key is your private key. As you have probably guessed, you’ll need to keep this key private, as this key is used to unlock transactions from your account.

You may wonder: if the key pairs are generated randomly, is it possible that my wallet generates exactly the same keys as the wallets of Bitcoin inventor Satoshi or Ethereum founder Vitalik? And if so, would I be able to spend the millions or even billions of dollars they have in their wallets? The surprising answers are: yes and yes. Yes, in theory it is possible to randomly generate the wallet of Satoshi or Vitalik. And yes, you will be able to spend their money. However, there is a reason blockchains use randomly generated key pairs instead of usernames and passwords. The reason is that the number of possible keys is so huge, the chance of randomly generating Satoshi’s keys is astronomically small. (The number of possible keys is aptly called the “key space”). In fact, the key space of Bitcoin is a 1 followed by 77 zeros. If you would want to generate all possible key combinations (one of those will be Satoshi’s), it will take more than half a billion years using the fastest computer available today.

Randomly generated key pairs are magnitudes more safer than username/password combinations. So why isn’t your bank using randomly generated key pairs?

User-friendliness of key pairs

There is a good reason your bank doesn’t use key pairs instead of username and password. The reason is that the keys are long and impossible to memorize. Here’s an example of an Ethereum private key: 8da4ef21b864d2cc526dbdb2a120bd2874c36c9d0a1fb7f8c63d7f7a8b41de8f and this is the other half of the key pair, the public key: 63FaC9201494f0bd17B9892B9fae4d52fe3BD377.

Technically, the public key is mathematically derived from the private key, so you only need to memorize the private key. Memorizing 64 random characters is obviously not something you can ask a user to do. And that is a problem. If a user can’t remember the equivalent of the username and password, how are they going to use the wallet?

The (obvious) answer is that the private key needs to be stored. It has to be stored securely, because anyone who has possession of the private key can spend the coins stored in the account. So wallets store the private key on disk and encrypt the key using… a password set by the user.

There’s good and bad news:

  • The bad news is: Passwords can be hacked, especially short passwords. If an attacker has access to the file that contains the password-encrypted private key, the attacker can cycle through all possible passwords alphabetically and will eventually find the password, and thus able to access your funds.
  • The good news is: Gaining access to the file is a hurdle.
  • More good news: first time users will usually not have a huge amount of money in their wallets, making them unlikely targets.

Most wallet developers have decided storing private keys in a password-encrypted file is good enough. (Though at VivoPay we think we can do better, more on that in a bit).

Backing up keys

What happens if you lose the device that contains the password-encrypted file with your private key? Well, if you haven’t memorized your private key (and you likely haven’t), you won’t have access to funds anymore.

A solution would be to write down the private key on paper, and store it somewhere secure. However, it’s easy to misspell a character or number. Besides, chances are you have multiple unique key pairs if you store different coins in your wallet (e.g. if you own Bitcoin, Ethereum, and Harmony One coins).

The ingenious solution some genius came up with consists of two parts:

  1. A wallet can generate a single generic key that mathematically (deterministically) derives an unlimited number of keys for many different blockchains (“one key to rule them all”). Now, you only have to write down one key instead of multiple. That’s a win.
  2. The single generic key can be encoded as a number of short seamingly random words. We all know how to spell words (or at least most of us do), so a typo can easily be recognized by a human (unlike a typo in private key 8da4ef21b…). This method of encoding keys is called a mnemonic phrase, mnemonic seed, seed phrase, or recovery phrase. A phrase is often 12, 18 or 24 random words. An example of a recovery phrase is: “dove lumber quote board young robust kit invite plastic regular skull history.” And yes, if you use this recovery phrase to restore a wallet in Trust Wallet or VivoPay, you will generate a valid key pair. In fact, both wallets will generate exactly the same key pair, meaning that both wallets can access the same funds. Note: it should be obvious but just in case: do not use the example recovery phrase above to create or restore a wallet. Your funds will not be safe. Instead, let the wallet generate a new key pair for you.

The concept of a recovery phrase is a huge improvement in user experience compared to before. However, the concept is still hard to explain to new users and I’ve seen firsthand how people have lost substantial amounts of coins because they didn’t understand the importance of the recovery phrase. And that is a user experience problem that needs to be solved.

Interested how VivoPay solved it? Read How we Created an Insanely Easy to Use Crypto Wallet.

Where to go next?

Also Read: The Best Hardrawe wallets
Get Best Software Deals Directly In Your Inbox

VivoPay Introduction to Key Management was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.