An HD wallet soul-searching test: which wallets can pass?
— Written by the Cobo Vault Manager (who refers to himself below as "the shopkeeper")
I believe everyone who has used a "decentralized wallet" is familiar with mnemonic phrases.
Whether it is a hardware wallet or a software wallet, there are two ways to set one up:
Create a mnemonic: the wallet randomly generates a set of mnemonic words, which the user must copy down and back up.
Import a mnemonic: the user imports an existing set of mnemonic words into the wallet to restore the assets.
So how does the mnemonic become our master private key, and from there all the child private keys of the HD wallet?
It is actually quite simple. The mnemonic is run through 2048 rounds of HMAC-SHA512 (the PBKDF2 step of BIP39) to produce the seed from which the master private key, and from it the whole HD wallet, is derived.
So there is a one-to-one correspondence: one set of mnemonic words gives one master private key, which is one HD wallet.
Now think about a rather scary question:
Suppose the shopkeeper holds these 12 mnemonic words:
cat tonight sadness walnut fan captain sure assume gorilla caution story pull
For convenience, we will call this set of words the [cat mnemonic].
But when the shopkeeper imported the [cat mnemonic] into his wallet, his hand slipped and the first word was typed as dog, so the phrase became:
dog tonight sadness walnut fan captain sure assume gorilla caution story pull
For convenience, we will call this set of words the [dog mnemonic].
This is where the tragedy begins.
A hardcore hodler, the shopkeeper scrimped and saved and sent everything he believed in to an address under the [dog mnemonic].
Then one day, perhaps because the phone or hardware wallet broke, or because a slip of the hand deleted the wallet app, for whatever reason he had to take out the mnemonic to restore his assets.
So the shopkeeper dug out the dusty [cat mnemonic] and imported it into the wallet.
As mentioned above, a set of mnemonic words corresponds one-to-one with an HD wallet. The addresses recovered from the [cat mnemonic] are therefore different from the addresses of the [dog mnemonic]. In other words, there are no assets under the [cat mnemonic].
Because one word, dog, was entered by mistake, all of the shopkeeper's assets and beliefs were lost.
Scary, isn't it?
In fact, the clever Bitcoin developers thought of this long ago. They defined a standard for mnemonics that includes a way to verify whether a set of mnemonic words is valid.
Before getting to the "verification principle", the shopkeeper will first cover one piece of basic knowledge about mnemonics.
BIP39 defines the standard for mnemonic words and contains a word list of 2048 words (reference link 1). As long as a wallet follows BIP39, the mnemonics it generates are drawn from this 2048-word list, and the words of the [cat mnemonic] are no exception.
Each word in the 2048-word list has a serial number from "0" to "2047". The largest serial number, "2047", is exactly 11 digits in binary: "11111111111". Therefore every word in the list can be mapped to an 11-bit binary number according to its serial number; for numbers whose binary form is shorter than 11 digits, we prepend "0"s until they are 11 digits long.
For example, cat is the 287th word, so its serial number is "286", and its binary representation is "100011110". Padded to 11 digits it becomes "00100011110".

Next, let's look at the actual "verification" steps:
Step 1: Using the method above, we look up the 11-bit binary number for each of the 12 words of the [cat mnemonic] in the 2048-word list.

Step 2: We concatenate the 11-bit binary numbers of these 12 words to get a 132-bit binary number:
001000111101110010010010111101111111101101100101001011000100010001110110100000000110111101100100101001001001011101011010010101101010
Step 3: We split this 132-bit binary number into two parts: 128 bits on the left and 4 bits on the right.
Left 128 bits: 00100011110111001001001011110111111110110110010100101100010001000111011010000000011011110110010010100100100101110101101001010110
Right 4 bits (check value): 1010
Step 4: Now we verify the validity of this set of mnemonic words.
The rule for validity: the first 4 bits of the SHA256 hash of the 128-bit binary number on the left must equal the 4-bit binary number on the right.
Let's check the result for the [cat mnemonic].
Put the left 128-bit binary number into an online SHA256 calculator (reference link 2). Note that the check hashes the 128 bits as 16 raw bytes, not the text string of 0s and 1s.
(Do not use online tools to verify mnemonic phrases that hold coins!!!)
We can see that the first 4 bits of the SHA256 result are exactly the 4 bits "1010" on the right of the 132-bit binary number.
This means the [cat mnemonic] has passed verification and is a valid set of mnemonic words, and it can go on to the master private key generation process.
Now let's do an exercise right away and see whether the [dog mnemonic], with its one mistyped word, passes verification:
Step 1: The 11-bit binary numbers of the 12 words of the [dog mnemonic] are as follows:

Step 2: Concatenate the 11-bit binary numbers of these 12 words to get a 132-bit binary number:
010000001001110010010010111101111111101101100101001011000100010001110110100000000110111101100100101001001001011101011010010101101010
Step 3: Split this 132-bit binary number into two parts, 128 bits on the left and 4 bits on the right:
Left 128 bits: 01000000100111001001001011110111111110110110010100101100010001000111011010000000011011110110010010100100100101110101101001010110
Right 4 bits (check value): 1010
Step 4: Put the left 128-bit binary number of the [dog mnemonic] into the SHA256 calculator.

(Do not use online tools to verify mnemonic phrases that hold coins!!!)
We can see that the first 4 bits of the SHA256 result are "0010", which does not match the right 4 bits "1010" of the 132-bit binary number.
So the [dog mnemonic] fails verification, and a wallet app that follows the standard BIP39 protocol will prompt the user to check the mnemonic. The user will then spot the error and change "dog" back to the correct "cat" to pass verification and finish creating the wallet, and the tragedy is avoided.
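To make the four steps concrete, here is an added Python example (not the post's own code, and not Cobo's) that runs the same check: look up each word's 11-bit index, concatenate, split off the checksum, and compare it with the first bits of SHA256 over the raw entropy bytes. It goes a little beyond the post: the checksum length is computed as one bit per 32 bits of entropy, so the same code handles 24-word phrases (8-bit checksum), and it also shows the reverse direction a wallet takes when it creates a phrase. The word list is a hypothetical 16-word stand-in: the post's 13 words with the indices its 11-bit strings encode, plus abandon, about and art from the BIP39 test vectors; a real implementation loads all 2048 words. The script prints the verdicts for the [cat mnemonic], the [dog mnemonic] and 12 cats, which the post reports as valid, invalid and invalid.

```python
import hashlib

# Hypothetical mini word list (added example, not the post's code): the 13 words that
# appear in the post, with the BIP39 indices the post's 11-bit strings encode, plus
# "abandon", "about" and "art" from the BIP39 test vectors. A real implementation
# loads the full 2048-word English list into this dict instead.
WORD_INDEX = {
    "abandon": 0, "about": 3, "art": 102, "assume": 111, "captain": 273, "cat": 286,
    "caution": 293, "dog": 516, "fan": 662, "gorilla": 805, "pull": 1386,
    "sadness": 1519, "story": 1716, "sure": 1744, "tonight": 1828, "walnut": 1974,
}
INDEX_WORD = {i: w for w, i in WORD_INDEX.items()}


def words_to_bits(words):
    """Steps 1 and 2: look up each word's index and concatenate the 11-bit encodings."""
    return "".join(format(WORD_INDEX[w], "011b") for w in words)


def split_bits(bits):
    """Step 3: a phrase of n words carries 11*n bits; the last n/3 bits are the
    checksum (4 for 12 words, 8 for 24 words) and the rest is the entropy."""
    cs_len = len(bits) // 33
    return bits[:-cs_len], bits[-cs_len:]


def checksum_bits(entropy_bits):
    """Step 4: SHA256 over the raw entropy bytes (not the text of 0s and 1s),
    keeping the first len(entropy)/32 bits."""
    entropy = int(entropy_bits, 2).to_bytes(len(entropy_bits) // 8, "big")
    digest_bits = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())
    return digest_bits[: len(entropy_bits) // 32]


def is_valid(words):
    """The full BIP39 check: known words, an allowed length, and a matching checksum.
    A word that is not in the list (a typo like 'ct') fails here before any hashing."""
    if len(words) not in (12, 15, 18, 21, 24) or any(w not in WORD_INDEX for w in words):
        return False
    entropy_bits, cs = split_bits(words_to_bits(words))
    return checksum_bits(entropy_bits) == cs


def entropy_to_words(entropy):
    """The reverse direction, what a wallet does when creating a phrase: append the
    checksum to the entropy and cut the result into 11-bit indices."""
    bits = "".join(format(b, "08b") for b in entropy)
    bits += checksum_bits(bits)
    return [INDEX_WORD[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


# The post's two phrases.
CAT = "cat tonight sadness walnut fan captain sure assume gorilla caution story pull".split()
DOG = ["dog"] + CAT[1:]

if __name__ == "__main__":
    for name, phrase in [("cat", CAT), ("dog", DOG), ("12 x cat", ["cat"] * 12)]:
        entropy_bits, cs = split_bits(words_to_bits(phrase))
        print(f"{name:>8}: checksum in phrase {cs}, SHA256 gives "
              f"{checksum_bits(entropy_bits)}, valid={is_valid(phrase)}")
    # All-zero 128-bit entropy is the well-known "abandon x11 about" phrase.
    print(" ".join(entropy_to_words(bytes(16))))
```

One caveat worth keeping in mind: a 4-bit checksum rejects a single wrong word only 15 times out of 16, so the BIP39 check is a safety net against typos, not a guarantee; the real protection is still a carefully verified backup.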
Finally, let's check the homework: when given a set of invalid mnemonic words, do the well-known HD wallets at home and abroad flag the error according to the standard BIP39 protocol?
Since entering any set of invalid mnemonic words is enough to test this, for convenience we did not type a complicated phrase and simply entered 12 cats (an invalid mnemonic). The results are as follows:
Wallet 1: imToken passed the test!
Wallet 2: Huobi Wallet passed the test!
Wallet 3: Trust Wallet passed the test!
Wallet 4: BRD passed the test!
Wallet 5: BitPay passed the test!
Wallet 6: imKey passed the test!
Wallet 7: Cobo Wallet and Cobo Vault passed the test!
Wallet 8: Bitpie Wallet did not verify the mnemonic: the invalid mnemonic still created a wallet, with no mnemonic error prompt.
Wallet 9: the Bitshield hardware wallet. Bitshield's mnemonic is entered on the mobile phone. When entering 12 words it mixes in confusing words, but not when entering 24 words, so we entered 24 cats (also an invalid mnemonic) and tried it; the result was again no mnemonic error prompt.

Finally, I would like to point out a risk with hardware wallets:
While checking how wallets verify mnemonic words, the shopkeeper found that some hardware wallets have the mnemonic entered on the mobile phone.
The reason we use a hardware wallet is to keep the mnemonic/private key offline. Entering the mnemonic on a networked device defeats the purpose of the hardware wallet entirely.
One mitigation is to scramble the word order and add confusing (decoy) words when the mnemonic is typed on the mobile phone for import into the hardware wallet. The way confusing words work is as follows. Say our mnemonic is 11 abandons followed by about (a valid mnemonic). When we enter it on the mobile phone, the cold end prompts:
Please enter the third mnemonic on your mobile phone (enter abandon)
Please enter cat on your phone
Please enter the 12th mnemonic on your mobile phone (enter about)
Please enter dog on your phone
…
Please enter the 6th mnemonic on your mobile phone (enter abandon)
Please enter region on your phone
Here cat, dog and region are the confusing words.
But is scrambled word order plus confusing words really effective for importing?
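The prompt sequence above, as an added Python simulation (not the post's code, and not how any particular hardware wallet implements it): the cold side draws a random order for the 12 real positions and mixes in the confusing words, the phone side only sees the words as typed in prompt order, and the cold side drops the decoys and puts the real words back in place. The phrase and the three decoy words are the post's; the schedule format and the function names are assumptions of this example.

```python
import random
import secrets

# Constructed sample data (added example, not the post's code): the post's
# "11 abandon + about" mnemonic and its three confusing words.
PHRASE = ["abandon"] * 11 + ["about"]
DECOYS = ["cat", "dog", "region"]


def plan_entry(n_words, decoys, rng):
    """Cold side: build the prompt schedule. Each item is ("real", position) or
    ("decoy", word); real positions are shuffled and the decoys mixed in at random
    slots. The schedule stays on the device; the phone only ever sees one prompt."""
    items = [("real", i) for i in range(n_words)] + [("decoy", w) for w in decoys]
    rng.shuffle(items)
    return items


def prompt_text(item):
    """The text the cold end displays for one schedule item."""
    kind, value = item
    if kind == "real":
        return f"Please enter mnemonic word #{value + 1} on your phone"
    return f"Please enter {value} on your phone"


def phone_side_view(schedule, phrase):
    """Everything the networked phone observes: the words typed, in prompt order,
    with no positions and no marking of which entries are decoys."""
    return [phrase[value] if kind == "real" else value for kind, value in schedule]


def reconstruct(schedule, typed, n_words):
    """Cold side: check that each decoy was typed as asked, drop it, and put every
    real word back at its original position."""
    if len(typed) != len(schedule):
        raise ValueError("number of typed words does not match the schedule")
    words = [None] * n_words
    for (kind, value), w in zip(schedule, typed):
        if kind == "decoy":
            if w != value:
                raise ValueError(f"expected decoy {value!r}, got {w!r}")
        else:
            words[value] = w
    return words


def run_session(phrase, decoys, seed=None):
    """One import session. seed=None uses the OS CSPRNG (what a device would do);
    a fixed seed gives a reproducible schedule for demonstration."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    schedule = plan_entry(len(phrase), decoys, rng)
    typed = phone_side_view(schedule, phrase)
    return {
        "prompts": [prompt_text(item) for item in schedule],
        "typed": typed,
        "recovered": reconstruct(schedule, typed, len(phrase)),
    }


if __name__ == "__main__":
    session = run_session(PHRASE, DECOYS, seed=2024)
    for prompt, word in zip(session["prompts"], session["typed"]):
        print(f"{prompt}  ->  {word}")
    print("cold end recovered:", " ".join(session["recovered"]))
```

What the networked phone still observes is the complete list of typed words, so the scheme hides the order and which entries are decoys, not the words themselves; that is exactly the gap behind the question the post ends on.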
Reference link: