The Crypto User’s Guide to Cryptography

How to stay safe with keys, seed words, and passwords

By
&
Tom Blackstone
Gabe TurnerChief Editor
Last Updated on Apr 18, 2022
By Tom Blackstone & Gabe Turner on Apr 18, 2022
The content on this page is provided for informational purposes only. Security.org does not offer financial or investment advice, nor does it advise or encourage anyone to buy, sell, or trade cryptocurrency. It is advised that you conduct your own investigation as to the accuracy of any information contained herein as such information is provided “as is” for informational purposes only. Further, Security.org shall not be liable for any informational error or for any action taken in reliance on information contained herein.

You may know that cryptocurrencies use cryptography. But how exactly they use it might not be clear.

In this article, I’ll explain what cryptography is and how it is used in cryptocurrencies. And I’ll go over how you can use this knowledge to protect your crypto from being stolen. I’ll go over subjects like symmetric cryptography, asymmetric cryptography, hashing, seed words, and private keys.

I’ll touch on everything you need to know about cryptography to help protect your cryptocurrency account.

Let’s begin with a basic explanation of what cryptography is.

A Brief Introduction to Cryptography

The Cambridge Dictionary defines cryptography as “the practice of creating and understanding codes that keep information secret.”1 In other words, cryptography is the science of how to create and send secret messages to other people.

Did You Know: Today, cryptocurrencies use asymmetric cryptography to help ensure that users don’t need to reveal their decryption keys. But the earliest cryptographic systems were much simpler than the kind used in cryptocurrencies today, and much less secure.

The earliest cryptographic system was created by the Spartans in 400 BC. It used a device called a “scytale” to transpose letters in a message so that the message became unreadable. The recipient of the message could use his own scytale to decipher the message.2 This prevented enemies who intercepted the message from being able to read it. But if the enemy managed to capture a scytale, all of the secret messages could be decrypted.

According to Roman historian Seutonius, Julius Caesar used a similar system by shifting each letter by three positions in the alphabet.3 So “March south and attack” became “Pdufk vryxk dqg dxxdfn.” This system is called the “Caesar cipher” today, and it’s usually one of the first systems a cryptography student learns.

When you encrypt a message using the Caesar cipher, you need to know the number of positions to shift each letter. This number is called the “key” to the encryption method. In Caesar’s case, he used “3” as the key. The only requirement for this system to work is that both the sender and recipient have to know what the key is.

But this means that every person who uses the system must know the key, and if an attacker gets this key from any person in the system, all messages can be decrypted.

Symmetric cryptography and its flaws

These early systems were examples of symmetric cryptography. A symmetric cryptography system is a system with only one key. Both parties have to know the key in advance, or the system can’t be used.

If two parties live close to each other and want to exchange a key, they may be able to solve this problem by meeting face to face. But if they are communicating across a great distance, this may not work. And if they send the key across a network, it may be intercepted by an attacker, exposing every message they send to each other from then on.

FYI: If there are more than two parties using the system, the problem of how to distribute and secure copies of the key becomes even more difficult. In this case, if one person has their key stolen, it can reveal the secret messages of the entire group.

In order to overcome these problems, cryptographers invented asymmetric cryptography, which is the form of cryptography used in cryptocurrencies today.

Asymmetric cryptography

In an asymmetric cryptography system, each user has two keys instead of one: a private key and a public key. The public key can be given out to anyone who uses the system. The private key has to be kept a secret.

Any message encrypted with a private key can be decrypted only with the corresponding public key, and any message encrypted with a public key can be decrypted only with the corresponding private key.

This may sound abstract at this point, so let’s use an example to illustrate it.

Let’s say that Jill, Bob, Rick, and Tanya want to send secret messages to each other. Each member of the group takes the following steps:

  1. Generate a private key and a public key
  2. Give the public key to every other member of the group
  3. Keep their private key in a safe place where it won’t be lost and can’t be discovered

At the end of this process, each member will have four public keys: one for themselves and one for each other member of the group. And each member will have one private key. So Tanya’s list will look something like this:

Member Private key Public key
Me (Tanya) 5KZbRUQ1VVSditZvZQkhLjth
WcyXkSR1mZxKWF3WZ9QtPdzdvW1
1NUrV3WvcX2Ujszn
8ArXP36EgEtYSsAHEL
Jill Don’t know 1F6bhGPa3cZvjmW3k
yBQiebHALXNaCii7o
Bob Don’t know 1CqeMnhMb2C2PpKV
SBEzLH4Lczip9XgWyR
Rick Don’t know 1Krv21MAR9poU8Aj
EtYwnGivxSR74iCoGW

Now let’s say that Tanya wants to send a secret message to Rick. All she needs to do is look up Rick’s public key on this chart and encrypt the message with it. Looking at the chart, his public key is 1Krv21MAR9poU8AjEtYwnGivxSR74iCoGW. If she encrypts her message with this key, no one but Rick will be able to read it.

Pro Tip: If you’re thinking about buying crypto in the U.S. for the first time, be sure to check out our in-depth guide on How to Buy Crypto Safely in the U.S.

If Tanya wants to send the message to Jill instead, she’ll encrypt the message with Jill’s public key, 1F6bhGPa3cZvjmW3kyBQiebHALXNaCii7o. Whomever she wants to send the message to, she’ll use that person’s public key to encrypt the message.

Now let’s take a different example. Let’s say that Tanya wants to send a message to the whole group, but she doesn’t want to keep it a secret. Instead, she wants everyone in the group to know for certain that she sent the message. In this case, she can encrypt the message with her own private key (5KZbRUQ1VVSditZvZQkhLjthWcyXkSR1mZxKWF3WZ9QtPdzdvW1) and send it to everyone in the group.

Each member will be able to decrypt the message using Tanya’s public key, which is 1NUrV3WvcX2Ujszn8ArXP36EgEtYSsAHEL. And once they decrypt it using this key, they will know that only Tanya could have sent the message.

Dealing with interceptions

So what happens if a thief intercepts the messages where members distributed their keys (the messages from step #2 above)? It doesn’t matter, because no private keys were ever transmitted. The thief will have access only to each person’s public key. So he can listen to the public messages posted in the group, but he can’t read any private messages or impersonate any member, since he doesn’t have any member’s private key.

Did You Know: If an attacker steals your public key, this only allows her to read the messages you’ve signed. It doesn’t allow her to impersonate you or forge your cryptographic signature. So if an attacker gets your public key on a crypto network, he or she can’t use it to steal your crypto.

What if one member’s key gets stolen?

And what happens if a bad actor manages to get one member’s private key? Let’s say the thief breaks into Tanya’s house and steals this chart. Now he has all four of the public keys, plus Tanya’s private key.

In this case, he can read any private message that Tanya is a recipient of, and he can impersonate Tanya to other members. But he can’t read private messages sent to Bob, Rick, or Jill, and he can’t impersonate anyone other than Jill.

Asymmetric cryptography fixes a lot of the problems with previous cryptographic systems. It allows keys to be distributed securely, and it minimizes damage to the group if one person’s key gets compromised.

Before we move on to how asymmetric cryptography is used in cryptocurrency, there is one more concept of cryptography we need to discuss: hashing.

Hash functions and hashing

Hashing is a system that was created to ensure that messages get to the recipient without being tampered with. When you run a message through a hash function, it produces a string of characters that uniquely identifies that message. This string of characters is called a “hash.” If even one character of the message is changed, the entire hash will change.

For example, let’s say that Joe wants to send a message to his banker that says “Send $100 to Ned.” He might worry that Evil Hacker Guy will intercept the message and change it to “Send $100 to Evil Hacker Guy.” In order to avoid this problem, he can take the following steps:

  1. Run the message “Send $100 to Ned” through a hash function, producing a hash of the message
  2. Send the hash to the banker
  3. A few days later, send the original message

When the banker receives the message a few days later, he can run it through the same hash function that Joe used. If Evil Hacker Guy has intercepted it and changed even a single character, the resulting hash will be completely different from the one received in the mail. But if the two hashes match, the banker will know that the message has not been tampered with.

FYI: Wondering if that new coin you heard about is a scam? Visit our resource on How to Determine if a Coin is Safe.

For example, using SHAS-256 hash function, the sentence “Send $100 to Ned,” produces the following hash:

7DB3FC54FC719B773DCE93C83C7430DDDA1CD233E9E67737C4519429A289F7F2

But the sentence, “Send $100 to Evil Hacker Guy,” produces this hash:

00D61C09407C769845A9640A68CEBF83956206825D5EDA0B17F1172819BB629A

So the banker will know immediately that the message has been tampered with.

All right, now that we’ve got that primer out of the way, let’s discuss how cryptography works in cryptocurrencies.

How Cryptocurrencies Use Cryptography

In this section, I’ll walk you step-by-step through the process of how a blockchain network uses cryptography to help ensure that only the owner of a coin can spend it. In the following section, I’ll explain how you can use this knowledge to help prevent your crypto from being stolen.

Your key pair and address

When you first set up a crypto wallet, it generates a private and public key for you. It then hashes your public key to produce another string of characters called an “address.”

If you want to send crypto to someone, you ask for the recipient’s address. Over time, you can develop a list of your friends’ and associates’ addresses, just like Tanya had a list of other members’ public keys in the example from the previous section.

Sending crypto

So let’s say that you want to send 100 ETH to your friend Joe. And let’s say that Joe’s address is 0x34c7ac346E5585e4f91311673aca7e2B8aC45Fae.

When you instruct your wallet to send this transaction, it broadcasts to the network validators a plaintext message that says (in code) “Please send 100 ETH to 0x34c7ac346E5585e4f91311673aca7e2B8aC45Fae.”

Along with this plaintext message, it sends two other pieces of information:

  1. A second copy of the message, hashed and encrypted with your private key
  2. A copy of your public key

When the validators receive the message, they respond by taking these steps:

  1. Hash your public key to determine your address
  2. Check your address to see if you have 100 ETH; if you don’t have enough ETH, reply with an “insufficient funds” message
  3. Use your public key to decrypt the second copy of the message, revealing the hash
  4. Hash the plaintext copy of the message
  5. Compare the decrypted hash with the hash they got from the plaintext message; if the two hashes match, mark the transaction as “valid”; otherwise, reject the transaction
  6. If the transaction is marked “valid,” deduct 100 ETH from your address balance and add it to the balance at 0x34c7ac346E5585e4f91311673aca7e2B8aC45Fae

That’s all there is to a cryptocurrency transaction.

In the previous section, we discussed an example where Tanya wanted to post a message that the whole group could read, and she wanted every member of the group to know that she sent it. So she encrypted the message with her own private key.

This is essentially what your wallet does when you send crypto to another person. It posts a public message that says “Send X amount of crypto to Y address,” and signs the message with your private key to prove that you sent it.

Remember: As with the earlier examples, a cryptocurrency transaction does not reveal your private key. So an attacker cannot intercept the key and use it to pose as you on the network. The attacker also cannot steal your private key from your friends’ computers, since you never need to reveal your private key to your friends.

A bad actor can possibly steal your public key and your address. But this will only allow her to know what transactions you are doing. This may clue her in as to how much crypto you own, and it may make you a target for further attacks. But by itself, stealing this info will not allow the attacker to steal your crypto.

So that’s how a transaction works when using a crypto.

There is essentially only one way an attacker can steal your crypto, and that is by stealing your private key. In the next section, we’ll discuss some ways that an attacker can do this, as well as how to help protect yourself from this threat.

How to Stay Safe When Using Cryptography

The system of asymmetric cryptography works under one assumption only: that your private key always stays a secret. Here are some ways to help make sure your private key remains private.

Consider how to secure your seed words

When you first set up a wallet, you’ll be given a list of “seed words.” This is a list of 12 to 24 words that can be used to derive an infinite number of key pairs.

In the early days of crypto, there were no seed words. So if a user had more than one address, they needed to backup and keep track of multiple keys. Today, you can back up all of your accounts by writing down a single set of words on a piece of paper and storing it in a safe place. If your PC crashes, you can restore these addresses by importing your seed words into a new wallet once you get a new computer.

Although this does make restoring your wallet much more convenient, it also creates a single point of failure. If an attacker gets access to your seed words, he can generate the private keys for all of your addresses. So the first step in protecting your crypto is to make sure that you can always get access to your seed words, but that no one else ever can.

Pro Tip: To make sure you don’t lose your seed words, consider backing them up on an actual piece of paper and storing the paper in a floodproof, fireproof safe (especially if you hold large amounts of crypto). Pieces of paper can’t “crash,” so they make especially good backups. You may also want to keep copies in other places for redundancy.

Your legal heir will need to know the location of your seed words in case you die. But in general, there is no reason for anyone else to know where they are. The more people who have your seed words or know where they are, the more likely it is that they will be exposed to a bad actor. So consider limiting knowledge of their location to only your very closest family members.

If possible, avoid keeping a plaintext copy of your seed words on your device. This includes screenshots. If you have a screenshot of your seed words on your device, an attacker who gets access to your device (through malware, for example) can get access to this screenshot and use it to derive your private keys.

Now let’s talk about the private keys themselves.

If possible, avoid copying your private keys.

Your wallet will hide your private key from you by default. So, in most cases, you won’t even notice that it’s being used.

But if you want to see it, you can select “export private keys” from your wallet’s settings menu. You’ll be asked for your password (more on passwords in the next subsection). But once you’ve entered your password, the private key will display.

At this point, you can copy the private key and import it into a different wallet. This may be useful if you want to use a single account in a different wallet, where the other accounts in the wallet are derived from a different set of seed words. (Believe or not, these weird situations sometimes happen!)

But other than this circumstance, there really isn’t much reason to copy your private keys, since they can all be derived from your seed words anyway. So consider just leaving this “export private keys” setting alone unless you have need for it.

Needless to say, if anyone offers to “help” you and asks you to copy your private key, they are almost certainly trying to steal your cryptocurrency, so this is one of many crypto pitfalls to avoid.

If you are using a standard software wallet, your PC will have a copy of your seed words and all of your private keys on it. But these will be encrypted with a password. So let’s talk about wallet passwords.

Choose a strong password.

As long as you don’t give your private key or seed words to anyone, the only way an attacker can get access to your key is by gaining control of your PC.

Hopefully, this never happens. But just in case, wallets have an extra layer of protection in the form of a password. Your seed words are encrypted with your password, and your private keys can’t be displayed without entering your password first.

However, if an attacker has the encrypted file with your seed words in it, they can use hash-cracking software to try to guess random strings of characters until they successfully decrypt the file. If your password is weak, they might succeed.

FYI: The more complex you can make your password, the more electricity and time the attacker will have to spend cracking it. And at some point, the attacker will likely give up and go after some other victim who is easier to steal from. So one way of helping to protect your crypto is to make your password as complex as possible while still making it simple enough to remember.

Here are a few tips for making a hard to crack password:

  • Use both capital and lowercase letters.
  • Increase the length of the password.
  • Use special characters.
  • Avoid using personal information, such as your name or email address.

You can also use our How Secure Is My Password? tool to check how long it would take to crack your password.

If you want more tips on how to store cryptocurrency safely, we’ve provided a complete guide to investing in crypto safely.

Even if you have the strongest password, an extremely sophisticated piece of malware may be able to log your keystrokes and figure out your password. So in the next subsection, I’ll discuss an even more secure way to protect your private key.

Use a hardware wallet if you can.

A hardware wallet is a USB device that has no internet connection of its own but can generate and store a key pair. Depending on the particular model, it can cost between $50 and $250.

Using a hardware wallet is one of the strongest ways to protect your private key from thieves.

To make a crypto transaction using a hardware wallet, you have to connect the wallet to your PC or mobile device. The USB device sends a hashed, encrypted copy of the transaction message through the USB port, but the private key never enters your internet-connected device.

Because the private key is stored on a separate device, an attacker shouldn’t be able to get it, even if your PC is totally infested with malware.

A hardware wallet can still be physically stolen, though. Most models have a PIN code lock to slow attackers. But this will probably not prevent access forever. So if your hardware wallet ever comes up missing, you may want to consider importing your seed words into a software wallet and moving the funds out quickly.

Hardware wallets can be expensive, and they are also inconvenient if you are making frequent transactions, since they require you to plug in your device and enter a PIN code with each transfer. But they are great for long-term storage of large amounts of crypto.

Did You Know: Banks may soon be able to sell cryptocurrency. For more info on this and other U.S. crypto regulations, read our guide to Crypto Laws and Regulation in the U.S.

Final Thoughts

So that’s the end of this crash course on cryptography. I’ve gone over private and public keys, hash functions, addresses, seed words, and more.

As a final thought, I want to provide a warning: Cryptocurrencies rely upon asymmetric cryptography to secure transactions. So far, this system has proven to be uncrackable. But if quantum computers get fast enough, they may crack the system and make this form of cryptography useless.4 Luckily, this isn’t going to happen anytime soon.

Citations
  1. Cambridge Dictionary. (2022). cryptography.
    dictionary.cambridge.org/us/dictionary/english/cryptography

  2. Antigone Journal. (2021). ANCIENT CYBERSECURITY? DECIPHERING THE SPARTAN SCYTALE.
    https://antigonejournal.com/2021/06/deciphering-spartan-scytale/

  3. University of Chicago. (2013). The Life of Julius Caesar.
    penelope.uchicago.edu/Thayer/e/roman/texts/suetonius/12caesars/julius*.html

  4. Schneier. (2022, Feb 9). Breaking 256-bit Elliptic Curve Encryption with a Quantum Computer.
    schneier.com/blog/archives/2022/02/breaking-245-bit-elliptic-curve-encryption-with-a-quantum-computer.html