Bryant Nielson | October 20, 2023
The cryptographic keys underpinning blockchain act as the guardian seals restricting access to transactions and data. Generating sufficiently strong, secure keys constitutes foundational blockchain security. This guide will unveil the genesis of key creation, components that seed their randomness, different types of keys, and best practices for crafting master keys upholding the highest cryptographic assurance.
The ultimate source of security stems from generating proper entropy, the randomness seeding key generation. Ideal entropy exhibits unpredictability, inability to be replicated, uniform distribution without patterns, and extraction that minimizes predictability even knowing some outputs. Sources should interact with chaotic physical systems to produce entropy difficult or impossible to model mathematically.
On computers, randomness typically derives from atmospheric noise, mouse movements, keyboard strokes, and hardware interrupts across components like hard drives, network interfaces, and I/O channels. Operating systems gather this environmental input, distilling it through hashing to extract entropy for /dev/random seeds. Keys should pull entropy directly from /dev/random rather than the buffered /dev/urandom.
For blockchain, 256-bit keys offer robust security. Bitcoin utilizes ECDSA public-private key pairs on the secp256k1 elliptic curve. The private key is a randomly generated 32-byte number. From this, the public key is derived using elliptic curve point multiplication. Randomness in the private key propagates creating an essentially arbitrary public key.
Ethereum keys also utilize 256-bit entropy. Private keys can be created from raw entropy bytes, or derived as the hash of a passphrase for convenience. For mnemonic seeds, key generation uses a 512-bit entropy input processed through a CSPRNG expanding into a master HD wallet seed phrase. From this foundation, hierarchies of public and private child keys can be computed.
When generating keys, best practices include:
– Pulling directly from operating system entropy sources like /dev/random rather than PRNGs.
– Refining entropy via proven extraction functions like SHA-256 hashing.
– For private keys, choosing secret number ranges with maximum entropy (2^256 possibilities for 256-bit keys).
– Deriving public keys from private keys through cryptographically secure elliptic curve math.
– Destroying any intermediate results during key generation.
– Avoiding flawed or unvetted algorithms that may have backdoors.
– Using APIs that zero memory after key generation.
– Storing only public keys on servers; private keys should only exist on secured devices.
– Placing keys generated on servers into HSMs or encrypted storage immediately.
Adhering to these practices ensures the strongest genesis for cryptographic keys. Robust randomness and entropy — complex and unpredictable — begets security no adversary can unravel or replicate. Handled properly, blockchain keys maintain assured integrity across their entire lifecycle.
Yet no matter how air tight generation protocols, ultimately keys are only as secure as how users safeguard them thereafter. Even the strongest keys quickly become compromised through poor storage hygiene, lax access policies, and unsafe handling practices. The next article will explore how to protect the master seals of blockchain after their genesis.