Generate Private Keys From Ledger Seed

HomeEssentialHow Do Hardware Wallets like the Ledger Nano S Work?
  1. Generate Private Keys From Ledger Seed Online
  2. Generate Private Keys From Ledger Seed Video
  3. Generate Private Keys From Ledger Seeds

Jun 16, 2018  Indirectly you do: your hexadecimal private key is derived from the secret you do know, and your. Called the family seed. A few (like the Ledger Nano) use a list of words, called a mnemonic. (There is a third, less secure method: a plain passphrase). The three methods to generate and store account secrets, keys and derive your account. How does the ledger nano X generate its private keys (the seed words from which the master private key is derived, I guess?)? Where does the entropy come from? Where can I find any documentation? I tried the official website but didn't find anything there?

One of the most common questions new crypto-enthusiasts have is how hadware wallets like the Ledger Nano S can possibly be the most secure way to store cryptocurrency? What if the device gets stolen or destroyed?

In this post we'll try to explain how such a device works in a technical (but hopefully human-readable) way, detailing how it does what it does and how it can be this flexible and yet this secure.

Before we dive into explanations, it's recommended you read this short post about cryptocurrency wallets, so that the terminology used in the rest of the article becomes clear.

BIP

When the blockchain appeared as the technology behind Bitcoin, and a group of programmers / scientists wanted to propose a new feature, they had to formalize and present that idea in a way that's readable and understandable by all participants of the bitcoin network. Such formal proposals were called Bitcoin Improvement Proposals or BIPs. All BIPs are publicly discussed before being implemented into the blockchain.

By setting up a good foundation for new ideas, this allowed other blockchains to adopt the good ideas that they liked and discard the ones they didn't.

This is where things get a little more technical and complex. We promise it'll be worth it by the end of this post – keep reading!

One such good idea was BIP 39. BIP 39 uses math to figure out how to use a set of 24 regular words to get a seed – a big random number from which further keys for crypto wallets are later generated.

Curiosity: If you're interested in taking a look at the lists of supported words, see here.

BIP 39 also defines a way to secure these 24 words with an additional passphrase which counts as word 25. If no passphrase is selected, an empty one is used, so it's essentially always 24 words + passphrase (empty or not).

Curiosity: This passphrase differs from passwords you're used to in various interfaces in that it doesn't produce an error message if the wrong one is used. Any passphrase in combination with 24 words produces a valid seed, which is useful in plausible deniability scenarios – an extortion-protection mechanism we'll explain later.

Generate

This generated seed number is used to generate a root key – an unguessable combination of letters and numbers – for each cryptocurrency you're interested in. Every blockchain has its own method of generating the root key from the seed, and in the example of bitcoin that's BIP 32 which results in a key like this one: xprv9s21ZrQH143K3QTDL4LXw2F7HEK3wJUD2nW2nRk4stbPy6cq3jPPqjiChkVvvNKmPGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33yuGBxrMPHi.

This key is then used to generate several private keys which then become cryptocurrency wallets for a given blockchain.

Confused? /key-generator-adobe-audition-cs6.html.

It all boils down to this: BIP 39 is used to pick a certain combination of words, which may or may not be passphrase-protected, which are then used to generate wallets with a formula such as the one described in BIP 32. https://farmtree487.weebly.com/blog/download-nectar-toolbar-for-mac.

So what does all this have to do with a device like the Ledger?

Ledger

When you first turn a Ledger device on, it'll generate the aforementioned 256-bit seed. This seed number will be used to calculate 24 words which are then shown on the device's screen.

The user should then write these 24 words down on a piece of paper which comes in the box with the Ledger, and keep that paper safe, away from the Ledger itself.

In addition to that, the Ledger requires the use of a PIN which can have 4 to 8 digits. If, after setting it up, the PIN is wrongly inputted 3 times in a row, the Ledger will self-destruct all data on it.

Should the Ledger ever get destroyed, stolen, or lost, the original owner of the device can use the words from the piece of paper to restore its contents – either on a backup Ledger, or in a software wallet like MyEtherWallet, thus regaining all funds and addresses. This is possible because all you need to regenerate the root key are those 24 words and the passphrase (if set).

It's important to say this again: the same root key will always be generated from the same combination of 24 words, and the same addresses will be generated from that root key. Therefore, to reclaim all wallets generated with a BIP 39 word phrase, all you need is the one single combination of 24 words inserted into hardware or software supporting that generation method.

Plausible Deniability

We mentioned extortion-protection previously, so let's explain it in this section.

The Ledger won't ask you for your passphrase when you turn it on, but it will ask you for your PIN. The passphrase can't be set when setting up the device for the first time, either – only in Settings can you subsequently add it.

This lets you attach a separate PIN to a passphrase in order to have two (or more). Each PIN will be bound to its own passphrase, and because of the aforementioned fact that 24 words + passphrase always produce a valid seed (there's no “Incorrect password” warning), it's easy to define a decoy PIN to give to someone who's forcing you to give it up.

In such an instance, inputting the secondary decoy PIN will not destroy the Ledger's data, but will open wallets corresponding to that passphrase when added to your 24 words. The robber won't know you haven't given him the real PIN, and he'll gain access to bogus addresses. For added effect, add some trivial amounts of cryptocurrency to the addresses to make them seem real – zero-balance addresses won't be as convincing.

The Probability of Guessing Keys

Many people wonder how easy it would be to just guess the 24 words and gain access to someone's wallet that way, especially considering BIP 39 isn't even using the whole dictionary, but only 2048 words.

There are 2^256 or 115792089237316195423570985008687907853269984665640564039457584007913129639936 possible combinations for the 24 words. If we assume that we have an impossible computer which is capable of guessing 100 trillion combinations a second, to try them all we'd need:

That's around 36717430000000000000536992568032848736216424136408984408 years, and that's only if you have a computer more powerful than anything that's ever even been imagined by mankind.

What if you know all the words, but not the order? In that case, the number of possible combinations is 24! (24 factorial).

An equally powerful computer would thus take:

That's 196.6 years.

So even if you knew all the words in someone's combination, but just needed to guess the order, you'd need 200 years of using a computer that's unimaginably powerful even by today's standards. If you don't know which words you need to guess, the number is multiplied by 2048 for every missing word. So not knowing just one of them in this case would increase the time required to guess all combinations to 400,000 years.

Conclusion

The Ledger is an exceptionally safe way of storing your cryptocurrency. It vastly outperforms any kind of USB-based storage where you just save your key into a file and put it away.

The device has its own processor which calculates the keys, which means your root key never leaves the device – this keeps it safe from potential viruses or auto-transacting malware installed on the computer you're using it with. In addition to that, the Ledger demands an extra hardware confirmation of any transaction – you need to press a button on the device whenever sending funds, or else it doesn't work. There's no sneaky funds siphoning with the Ledger.

If you lose or destroy your Ledger, it's trivial to get all the funds back by just punching in the 24 words obtained when first setting the device up. These words should be kept safe and away from prying eyes.

You can use our web shop to buy the Bitfalls-branded Ledger at a price that's lower than retail. It's also possible to buy Ledger with extra options like cryptocurrency already on it, or an hour of Skype consultations alongside the purchase during which we'll explain everything about the device and help you set it up.

For any and all questions, there's also our email. Get in touch!


Ledger recently announced the launch of the Ledger Nano X. This new product is built around a new hardware architecture, while taking advantage of our versatile security Operating System BOLOS.
The Ledger Nano X features Bluetooth Low Energy (BLE) connectivity enabling it to be used with Android or iOS devices without the need of a cable. While this feature greatly improves the user experience, it raised some concerns about the security of the wireless connection. We would like to address these.
In short:

  • Only public data is transported by Bluetooth; critical data (such as private keys and seed) never leave the device.
  • Even if the Bluetooth connection would be hacked, the security of the Ledger Nano X relies on the Secure Element (SE) which will request your consent for any action.
  • The Ledger Nano X Bluetooth implementation uses a state-of-the-art Bluetooth protocol. This Bluetooth protocol ensures authentication by using pairing. This is numeric comparison based and confidentiality is ensured using AES-based encryption.
  • If ever, you’re not comfortable using your Nano X with a wireless connection, you can disable the Bluetooth and use the USB type-C cable.

Let’s discuss in more detail how it works and why it does not impact the security model of this hardware wallet.

The new architecture is a bit different from the Ledger Nano S one while staying quite similar at the same time.
It features 2 chips:

  • A new state-of-the-art Secure Element (ST33J2M0)
  • A dual-core MCUs with wireless support (STM32WB55)

The STM32 MCU is in charge of the connection between the smartphone/desktop and the Secure Element and simply acts as a proxy.
The Secure Element is in charge of getting user inputs and driving the screen where critical information is displayed. Of course, it is also in charge of the security of the product. It stores the seed and the private keys and implements all cryptographic operations to manage your cryptocurrencies.

Impact on our security model

Bluetooth connection is only used as a transport layer for public information. The secret keys or seed are never exposed to the BLE stack and never, ever leave the Secure Element.
For instance, when you make a transaction, the transaction is prepared on the smartphone or desktop Ledger Live application and then sent using Bluetooth or USB to the MCU (STM32) which directly relays it to the Secure Element. You are then prompted to verify the amount and the address of the recipient, which are displayed on the screen. If everything is correct you can approve the transaction by pressing both buttons.
If ever your smartphone/computer were compromised, if ever the Bluetooth link was compromised, if ever the STM32 MCU was compromised, the Secure Element ultimately prompts you to verify the transaction information. The screen will show you the true transaction details. No transaction signature is issued without your explicit consent.

Our use of BLE

Nevertheless, the Bluetooth stack may transport your public keys or addresses and this could raise privacy concerns. That is why we implemented a state-of-the-art Bluetooth protocol.
A BLE connection is a 2-phase protocol.

  • Key Exchange
  • Use of the BLE channel

First of all, both parties (Ledger Nano X and smartphone) generate their own key pairs using a Random Generator.
After this, there is a pairing phase where, after user approval, the Ledger Nano X and the smartphone go through an Elliptic Curve Diffie Hellman key exchange. This phase is critical since it is the phase where the Ledger Nano X trusts the smartphone to which it pairs and vice versa. In order to avoid Man-In-the-Middle attacks (MiTM), which are the common attacks on BLE, the Bluetooth protocol has specific configurations.
We implemented the state-of-the-art security configuration to avoid MiTM attacks: Numeric Comparison. When the common secret is generated, both the Ledger Nano X and smartphone display a numeric code and the user verifies if they are the same. This numeric code is computed using AES-CMAC from public keys of both parties and random nonces. This avoids collision attacks and downgrade attacks, while enforcing the authentication of public keys. If this is the case, both parties consider each other as legitimate and can then communicate, guaranteeing authentication and confidentiality.
Once this key exchange protocol is completed, a secure channel can be established between the smartphone and the Ledger Nano X, featuring an AES-based encryption scheme.
On older versions of Android, the Numeric Comparison may not be featured. In this case, the Secure Element warns the user with a message and a MiTM attack could be implemented. This attack would require an attacker, located nearby, to firstly pair a rogue device with the Ledger Nano X and also with the smartphone. Then he could intercept and forward every packet. This would allow spying on the communication between the Ledger Nano X and the smartphone or even sending commands to the Secure Element. However, the user would still be asked to verify and consent for any transaction.

Generate Private Keys From Ledger Seed Online

Security Audit

Generate Private Keys From Ledger Seed Video

Our BLE stack is implemented through the ST stack. The Ledger Donjon, our security team, has evaluated the security of this implementation regarding the latest attacks such as Invalid Point attacks.

Good old USB cable

Nonetheless, if you do not feel comfortable using a wireless connection on your Ledger Nano X, you can simply deactivate the Bluetooth connectivity and use the USB type-C connector with your computer to enjoy the remaining features of the Ledger Nano X.
The Ledger Nano X can currently be pre-ordered. Click on the banner underneath for more information.

Generate Private Keys From Ledger Seeds

This website uses cookies for functionality, analytics and advertising purposes as described in our Privacy and Cookie Policy. If you agree to our use of cookies, please continue to use our site.