Beginners Guide: What is a wallet? How do my coins get stored? How does cryptocurrency work anyway?

[gray]

Part of the new Community Beginners Guide series.

Other guides in this series:

Beginners Guide: Intro. Quick overview of the series and purpose of the guides

Beginners Guide: XRP First Steps Simple first steps to acquiring XRP including 1) opening a wallet, 2) wallet funding/ buying XRP, and 3) sending the first XRP.

Beginners Guide: Desktop Wallet Step by step instructions in downloading and installing XRP CHAT WALLET, the creation and activation of new wallet and the first few steps to becoming a ripple user.

Disclaimer: This post is goes over what a wallet is, what the common different types of wallets are and their differences, and how wallets can be used at a basic level. It doesn't discuss Ripple-specific details of wallets, like re-keying an account. Also, it doesn't explain explicitly how to make a wallet. See other community guides for that information.

Difficulty level: LOW

One thing that many people who are new to Ripple, or cryptocurrency in general, do not understand is what a wallet actually is. I think this is one of the places that cryptos need to up their game in order to continue to gain adoption because the way things are named in cryptocurrency can easily create confusion about what is actually happening. 

First you need to undertand what a wallet is not.

• A wallet is not like a physical wallet. There is not a file that contains a copy of all of your coins.
• A wallet it not like a bank vault. There's not server or hard drive that has your wallet stored on it as a folder with coins inside it like a bank vault.

So, what is a wallet? A good real-world analogy is that a "wallet" in cryptocurrency is analogous to your seal or stamp plus your name. Think of cryptocurrencies like a community ledger board where no history is ever erased and anyone can come up to the board and tell everyone else that they have transferred some number of coins to someone else on the board. They way they do this it using their seal of authenticity. Everyone else can verify that that person is the one who wrote the message on the community ledger because their seal is on the message. And they know who the money came from and where it went to based on the name of the person sending and receiving it. If you wanted to know how much any person held then you would go through the entire ledger since the beginning of history and count up how much they have received and how much they have sent. This is how a wallet works in cryptocurrency. Except, in cryptocurrency, your seal (actually, the device you use to imprint your seal) is replaced by your "private" or "secret" key. It's like a seal in real life. If you lose exclusive access to the use of your seal, anyone who comes into possession of it can send a message in your name without others being able to know. In cryptocurrency, this means that anyone who has your private key can make a transaction using your coins without anyone else being able to know it's not you.

So, with this information, let's get a bit more technical. A "wallet" is literally just a secret key, which is just a number. It is displayed in a format that uses letters and numbers instead of just the numerals we normally use, because if it didn't then it would be very long to display. This is like your seal in our earlier analogy. From the secret key, you can derive the public address mathematically. The public address is like your name in the earlier analogy. It is also just a number, same as the secret key. This public address is where you or other people will send coins so that they go in your "wallet" (more accurately, so that others know your public address should now own them). However, from the public address, you cannot easily figure out the secret key (technically you could, but the amount of computational time it would take is astronomical, like, at the current power and using current algorithms, more than the time that the universe has existed until now). You can think of this like how on a seal you generally have an easily recognizable symbol or word that links the symbol to a person. However, even if you know that symbol and have seen the seal, it is not easy to duplicate the device used to create the seal, which is your secret key. Of course, in cryptocurrency, this is much more secure than a seal in real life because it's much harder to actually go backwards from a public address to a secret key than it is to duplicate a seal. So, if you know a secret key then you can do whatever you want with the funds that are sent to the public address that is linked to that secret key.

Why is this? Well, when you make a transaction, what you are doing at a very basic level is making a message that says

"I am the owner of <your public address>. I am giving <number of xrp> to <address you're sending to>."

Then, you use your private (secret) key to "digitally sign" the message. This is like applying your seal in the earlier analogy. Since your public address and secret key are linked, signing the message allows other people to verify that the person who has the private key linked to the address that the funds are coming from is really the one who made that message. The next time a new block is added to the blockchain, your message is looked at by the network, and if it determines that the signature is correct and that you have enough funds to make the transaction, your message will be added to the block and then added to the blockchain. From that point onwards, anyone who wants to can go and see/verify that the owner of that public address sent those coins to the other public address, and so that is how a wallet "holds value." There's not actually a piece of hard drive space or something that stores a unique "coin" file under your address, there is only the record of a number of coins being transferred from one account to the next in a trusted manner.

In order to actually use the secret key (wallet) to interact with the network, you use a piece of wallet software, not to be confused with the wallet itself. This wallet software (among other things) automatically performs this "digital signing" operation. This is not the same thing as a wallet. Wallet software does not actually store any value. It only allows you to use the value stored in the actual wallet (the secret key) and do things with it on the ripple network. You can import any valid secret key into any valid piece of wallet software and use it to make transactions from that wallet.

Now, you may have heard of something called a "paper wallet" or "cold wallet" or "hot wallet". What are these?

A paper wallet originally meant literally a wallet that you print onto a piece of paper. Since a wallet is just a secret key, the most basic form of a paper wallet is literally writing down by hand your secret key on a piece of paper. Now, to make things easier on the user, most paper wallets will include the secret key, the public address, and a QR code matching each. The QR code is just another way to encode or display the number that is easy for a computer to interpret if you take a picture of it.

Paper wallets are one type of "cold wallet," a cold wallet being any secret key that has never touched (been stored on) a computer that was connected to the internet at the time it was stored on that computer. A "hot wallet" is a wallet whose secret key has been stored on a computer that was connected to the internet. If you make a "cold" paper wallet, as long as you don't lose the paper wallet, don't physically show anyone else the private key, and don't type it into an internet-connected computer, you'll be the only one with access to it.  As soon as you type it into an internet-connected computer, that wallet is now "hot" and has, theoretically, a chance to be stolen if your computer or any other piece of the path it travels is infected with some kind of malware.

With this knowledge, the best practice is to have a "hot wallet" for XRP that you think you might want to spend in the short term, some small amount. Then you make a cold paper wallet and store any significant amount of XRP you buy in it. When you decide you want to sell it or use it months or years down the line, you enter the private key from the paper wallet or another way of storing it into any piece of ripple wallet software on a computer and internet connection you trust and send all the ripple to wherever you want it to go. Since this wallet is now "hot," you would ideally then make a new paper wallet and send any ripple you want to keep storing in it. Alternatively to entering the secret key into an internet connected computer and making the wallet hot, you can use what are called "offline transactions" to keep the wallet cold and still send ripple from it, which I could explain in more detail if you'd like.

Now, there are some other alternatives to paper wallets for cold wallet options. I would argue that a superior option to a paper wallet is a deterministic wallet that uses a good passphrase. A deterministic wallet basically means that you make a passphrase that you remember (or write down and store somewhere safe, much like a paper wallet) which can then be used to derive a single secret key and from that secret key a public address linked to it. Every time you enter the same passphrase into the piece of software you used, it will give you the same secret key and public address. Therefore, you don't have to store the private key anywhere since you will always have access to it as long as you know the password. The advantage of this is that you can make a very good but easy to remember password and use it to generate your wallet address and not actually have to store anything physical anywhere. A private key would be almost impossible for anyone to memorize reliably, but a good mnemonic password (described below) can offer superior security and is able to be easily memorized. To then use (spend) the funds in your wallet at some later date, you would go back to the same tool you used to generate the wallet, input your passphrase, and it would give you the same secret key which you could then use exactly like a paper wallet secret key by entering it into some wallet software and either making it hot or using offline transactions. If you use a good deterministic wallet generator and a good password, this is one of the most secure options available. Alternatively, if you use a bad password, you could be royally screwed. 

If you want to go the paper wallet route, you'd be using this tool: https://github.com/ihomp/ripply-paper-wallet 

If you want to go the deterministic route, you'd be using this tool: https://termhn.github.io/ripplewarpwallet 

Edited July 6, 2017 by gray

[Darksouldesign]

Great post. So, one more question. Assume I do in fact use ripplepaperwallets to generate my wallets, there is a "Generate New" button that of course does just that. So how does the Ripple linked software know and trust these keys/numbers, and how does the paperwallet software generate these numbers, is it purely random? If so, is it safe to do this because, as was stated above, the numbers are actually so massive, the chances of accidentally repeating them is almost nill?

My guess is that the Public Key actually becomes "real" when i send XRP to it, and that the private key is somehow encrypted in the public key so that when i do "cash out" so to speak, the Ripple linked software is able to see that the numbers are linked and are correct?

Thanks again for taking the time to answer these questions. I a bit more of a knuckle dragger than a tech guy (ok, a LOT more of a knuckle dragger), but I do like to understand as much as possible with the amounts of money bouncing around in the crypto world, specially with my new found interest in the tech.

[gray]

54 minutes ago, Darksouldesign said:

Great post. So, one more question. Assume I do in fact use ripplepaperwallets to generate my wallets, there is a "Generate New" button that of course does just that. So how does the Ripple linked software know and trust these keys/numbers, and how does the paperwallet software generate these numbers, is it purely random? If so, is it safe to do this because, as was stated above, the numbers are actually so massive, the chances of accidentally repeating them is almost nill?

My guess is that the Public Key actually becomes "real" when i send XRP to it, and that the private key is somehow encrypted in the public key so that when i do "cash out" so to speak, the Ripple linked software is able to see that the numbers are linked and are correct?

Thanks again for taking the time to answer these questions. I a bit more of a knuckle dragger than a tech guy (ok, a LOT more of a knuckle dragger), but I do like to understand as much as possible with the amounts of money bouncing around in the crypto world, specially with my new found interest in the tech.

You pretty much hit the nail on the head. Basically, there is a specific form that a ripple address has to follow. It has to do with the beginning and ending bits (you'll notice that all ripple addresses start with an r and all ripple secret addresses start with an s). There are also a few other qualifications. A private key is a random number (other than the beginning and ending bits as described above) that is a randomly (or deterministically "random" -- I'll talk about what I mean below) number. In order to derive the public key (which is then turned into the actual ripple public address), Elliptic Curve Cryptography is used. Basically what happens is that you a specific, agreed upon graph of an ellyptic curve with pre-determined and agreed upon parameters (everyone in the ripple network uses the same ones). Somewhere on that curve is a point called G, which is the "generator point." This is one of the agreed upon parameters. You then take the random "private key" and "multiply" it by the Generator Point. This isn't exactly what you would think of as multiplication, but basically you define an operation that is "adding" two points on an elliptic curve which will give you a third point on the curve. You then repeat this process over and over to add G to itself many times, aka multiplication. You end up with another point on the graph of the curve. This is the public key. It is easy to perform the "add" operation many times, but it is very hard to do the reverse. Given the end point and the starting point, it's very hard to figure out how what number you multiplied the Generator Point by (the private key) to get to the ending point (the public key). This is a simplified explanation of what's actually happening, but that's the basic idea. 

In addition, there is another interesting characteristic of this process, that allows what is called an ECDSA or an Elliptic Curve Digital Signing Algorithm. This is how the ripple network knows and can verify that a certain message was created by the person who owns the private key of a specific public key. Basically like we said before, each person has a public key and a private key. Using the ECDSA, you can easily verify that someone with the private key that was used to derive a specific public key (the multiplier used to get to a specific point on the curve) was used in a transformation algorithm that is applied to a message (another number). So you know that the private key that was used to generate a public key was used to sign the message.

If you want a more detailed explanation of all of this, check out this series of blog posts: http://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/

With the paper wallet generator, it's using a cryptographically-secure pseudo-random number generator (CSPRNG) that has been standardized by modern browsers and audited by many people to ensure it's actually cryptographically-secure entropy in order to generate the private key. This CSPRNG provides the entropy (randomness) to derive the secret key from, and therefore the public key from there.

When using a deterministic wallet generator, it's not using any actual (or pseudo) randomness. It's using what are called hash functions. The way hash functions work is that you put in an input of any size (in this case your passcode) and it will give an output of a specific size of seeming randomness. This output will always be the same for the same input, and will be unique to that input (again, there are collisions but they are very very rare). However, the point is to make it very hard to reverse this process and take the hash and derive the original input, even if you know the steps the hash function is taking to transform it the first time, much like how it's hard to derive a private key from a public key. You use the output of this hash function as the input of the "entropy" portion of the function that generates a private key. So, it's replacing the random number generator.

So, as long as the public address is valid (is a point along the agreed-upon elliptic curve and has valid forward and end flag bits), the network will allow transfer of currency to the "owner" of that public address, even if nobody actually knows what the private key for that address is. If you typo an address and it's still valid based on the above parameters, even if nobody actually owns that address, the network has no way of knowing that and those coins will be lost forever unless someone happens to generate the private key that owns that public key. 

In the Ripple network specifically, in order for the network to make a reference to a new public key in the blockchain and actually send coins to it, it must already be holding XRP or a minimum of (currently) 20 XRP must be sent to that public address in the first transaction in order to "activate" it. There are various reasons for this, but basically, if you try to send, say, 10XRP to a random valid public address that has never been activated before, that address will not actually be funded with the XRP because it hasn't been activated yet. If you send 100 XRP to a random valid public address, then it would activate that address and fund it with the 100XRP you sent.

Edited July 5, 2017 by gray

[Darksouldesign]

Awesome, thanks again for taking the time to explain this. I have been investing a fair amount, and there has been this little doubt in the back of my brain wondering how this all works, and how can this all be so secure. Ive gotten a pretty good basic grasp of blockchain tech, and how/why that is so secure, and I understand that the "weaknesses" are really on the user side, and the exchange side; the exchange side has a whole lot of money tied up in security for their servers plus a full time staff watchdogging it, so being better educated on why, and how to stay secure on my end was sort of the final piece.

Thanks again, this knowledge is greatly appreciated.

[PunishmentOfLuxury]

6 hours ago, gray said:

Except, in cryptocurrency, your seal (actually, the device you use to imprint your seal) is replaced by your "private" or "secret" key. It's like a seal in real life. If you lose exclusive access to the use of your seal, anyone else can send a message in your name without others being able to know. In cryptocurrency, this means that anyone else can make a transaction using your coins without anyone else being able to know it's not you.

Excellent posts. One small nitpick: Only someone who comes into possession of your secret key (seal) can transact your coins, not literally 'anyone else'.

[gray]

31 minutes ago, PunishmentOfLuxury said:

Excellent posts. One small nitpick: Only someone who comes into possession of your secret key (seal) can transact your coins, not literally 'anyone else'.

Good point. That's what I was going for, but it wasn't very clear. Fixed!

[Turandot]

"In order to actually use the secret key (wallet) to interact with the network, you use a piece of wallet software, not to be confused with the wallet itself. This wallet software (among other things) automatically performs this "digital signing" operation. This is not the same thing as a wallet. Wallet software does not actually store any value. It only allows you to use the value stored in the actual wallet (the secret key) and do things with it on the ripple network. You can import any valid secret key into any valid piece of wallet software and use it to make transactions from that wallet." 

- And what is this software ? If I store my XRP on paper wallets I need this software to send XRP somwhere to trade it on USD ? Right ?

Edited July 19, 2017 by Turandot

[gray]

5 hours ago, Turandot said:

"In order to actually use the secret key (wallet) to interact with the network, you use a piece of wallet software, not to be confused with the wallet itself. This wallet software (among other things) automatically performs this "digital signing" operation. This is not the same thing as a wallet. Wallet software does not actually store any value. It only allows you to use the value stored in the actual wallet (the secret key) and do things with it on the ripple network. You can import any valid secret key into any valid piece of wallet software and use it to make transactions from that wallet." 

- And what is this software ? If I store my XRP on paper wallets I need this software to send XRP somwhere to trade it on USD ? Right ?

Yes. There are many of these available. You can see a list of some of them on this page:  https://www.xrpchat.com/links/ if you scroll down to "Wallets" (the first one is just a paper wallet generator, but the rest are wallet generators and wallet software). Gatehub is also a piece of wallet software if you import your secret key into your account.

[BroHamBone]

saved for future ref.  is there a button to tag a post for later? 

[WillGetThere]

@gray , all sorry for my negligence, what if I have created a wallet on gatehub - how is it safer to store crypto there compared to an exchange (lets presume i use two-f identification)? One can, theoretically, hack either of gatehub or an exchange. Right??

I understand what a cold wallet is and why it is safer though.

Please respond.

 

[Trisky]

On 5-7-2017 at 11:43 PM, gray said:

Beginners Guide: XRP First Steps Simple first steps to acquiring XRP including 1) opening a wallet, 2) wallet funding/ buying XRP, and 3) sending the first XRP.

Link results in:

 

[Guest]

 

 

@WillGetThere The difference is in the wallet type and who owns the XRPs.   On an exchange your XRPs are really promissory notes from the exchange.  On Gatehub you can create a Ripple wallet that is stored on the Ripple Ledger in the cloud.  The XRPs in such a wallet are owned/controlled by the secret key holder....  you.

There are some vagaries in this that I don't fully understand yet...  I'm fairly new to this.  For instance ..  do Gatehub have your key too?  Can a rogue employee empty your wallet and disappear?  I dunno yet

From Gatehub:

"All secret keys and passwords are hashed and encrypted using industry standard algorithms with high cost factors to protect against brute-force attacks.

We would like to emphasize our employees DO NOT have access to your passwords and secret keys. If you forget your GateHub password..... "

https://support.gatehub.net/hc/en-us/articles/115003233225-Encryption

As far as hacking goes....  yeah anything online is at risk.  Cold wallet is not.  Presumably the exchanges have good security but you can't be sure they will not be hacked.

Edited August 6, 2017 by Guest
Remove the FUD I inadvertently created. :)

[karlos]

7 minutes ago, Tinyaccount said:

@Ripplezzzz the link is dead form my browser.  Was it to a internal network?   Anyone able to see it?

 

@WillGetThere The difference is in the wallet type and who owns the XRPs.   On an exchange your XRPs are really promissory notes from the exchange.  On Gatehub you can create a Ripple wallet that is stored on the Ripple Ledger in the cloud.  The XRPs in such a wallet are owned/controlled by the secret key holder....  you.

There are some vagaries in this that I don't fully understand yet...  I'm fairly new to this.  For instance ..  do Gatehub have your key too?  Can a rogue employee empty your wallet and disappear?  I dunno yet.

As far as hacking goes....  yeah anything online is at risk.  Cold wallet is not.  Presumably the exchanges have good security but you can't be sure they will not be hacked.

The guides have been hidden until the ripple-lib issue is resolved.

[RecentChange]

On 06/07/2017 at 7:43 AM, gray said:

If you want to go the deterministic route, you'd be using this tool: https://termhn.github.io/ripplewarpwallet 

Can I use the paper wallet and store the resulting secret key and the QR codes form ripplewarpwallet as a screenshot & text file  and encrypt these on a Usb + backup Usb

Is that enough to get my wallet back up when I decide to sell them?

[Guest]

26 minutes ago, strikerjax said:

Can I use the paper wallet and store the resulting secret key and the QR codes form ripplewarpwallet as a screenshot & text file  and encrypt these on a Usb + backup Usb

The key to ownership and operation of a Ripple wallet is the secret key.  If you have that you can recreate a wallet anytime or 'import' it into Gatehub or whatever.

So whatever way you store your key is fine so long as it's never stolen, and that when you need it you can read your key.

So yes that works.

Its important to note here that crypto coins are very different than other forms of money.....  never before has a selfie at your desk put you at risk of having all your money stolen.  Think about it...  just a simple photo alone of your secret key is enough for anyone anywhere in the world to be stealing your wealth in moments.   That is a new thing in the world...  it might take a few terrible incidents before people really understand those implications.

Edited August 18, 2017 by Guest