Public and Private Keys - how they are used by Steem, making all of this possible? You can find answer here 😊

in #security8 years ago (edited)

padlock_inside.jpg

In my previous post, I made an introduction to this topic:

If you didn't read it, you should do so before reading this article, to make sure, that you understand the role of public and private keys on Steem. Here we are going to explore how all of this works... and to be honest, I am really excited, that I am writing post about it :)

Cryptography of public and private keys - Look how simple it is! :)

In a certain way, you generate a pair of keys (key A, and key B), which will have properties, that:

  • everything encrypted with key A, can be only decrypted with key B
  • everything encrypted with key B, can be only decrypted with key A

For convenience, you do not refer to them by A/B names, but you treat one of this key as a public key, and the second one as a private key:


FeminineDistortedHaddock (1).gif
Fragment of: Public Key Cryptography - Computerphile

To use system like this, you want to make sure, that:

  • you are the only person with access to your private key
  • everyone can easily find your corresponding public key

Where my public and private keys from Steem are stored?

Public Keys

Public keys of every user are kept in the Steem blockchain. You can find your public keys on https://steemit.com/@<your_login>/permissions. Those are mine public keys, and I am not afraid showing you this, because those are my public keys :)

Selection_999(196).png

If you would like to find out, what are public keys of Ned Scott (CEO of Steemit Inc.), then you can use another website which shows more details from Steem blockchain: http://steemd.com/@ned

Selection_999(194).png

Private Keys

Selection_999(196).png

You should know, that:


Steemit does not store your private keys on any server.
Steem blockchain does not store your private keys either.

But at the same time, that is true, that you can find your private keys on https://steemit.com/@<your_login>/permissions. So how this works?

For now, just please remember that your keys are generated from your password on the fly every time you provide it, and some of them are stored in localstorage of your browser. One of my next articles will go into details how this is done.

Let's go back to the topic

Two cases where Pair Of Keys can be extremely useful

Public and Private keys can be used in two scenarios:

Encryption

You can encrypt a message, with mine public key, and send this encrypted message to me. Because only I know my private key, only I will be able to decrypt the message.

Right now there is no private messaging feature on Steemit, but encryption of such communication can be done with exactly this mechanism.

Signing

You can encrypt some message (like a transaction), with your private key, and every person who has access to your public keys (so basically everyone...) will have certainty, that only person who poses your private key (hopefully that's only you) could encrypt (authorize) this message.

To make a life of people easier, probably you would publish two messages:

  • original message
  • encrypted version of original message (which could be treated as your digital signature)

Everyone who would like to verify you identity could then try to decrypt your encrypted version of original message with you public key... and check whether this will produce exactly the same message like original, which you also published.

Summary

Of course, I simplified few things, but the whole concept is described pretty well. I needed to write this article to make a background for my next article, where we will go even deeper :)

Right now we know that without revealing your private keys, everyone can check that you possess your private key, and therefore a transaction/post/comment made by you and signed by your private can be validated by everyone, especially by the witnesses which add valid transactions to each block of Steem blockchain.

Because on Steem you have 4 pair of keys (posting, active, owner, memo), witnesses can validate, that particular transaction broadcasted by your browser was signed by a proper key.

I hope that after my last article, you do not use your Master Password anymore, and you use on Steemit only your private posting key (as it was described why and how to do it).


This article belongs to series of articles which describes security on Steemit:

  1. What is the difference between a password and a private key(s) on Steemit? How to make your account more secure, by using them correctly.
  2. Public and Private Keys - how they are used by Steem, making all of these possible? (this article)
  3. Public and Private Keys - how they are working under the hood
  4. How passwords are stored by Steemit in your browser, and why it is secure.
  5. How to set own password, which is not generated by Steemit
  6. How to setup multisig/multiple authorities for your account
  7. ...

Make sure to follow my account, if you don't want to miss any of these :)

Sort:  

Witam kolegę z Polski! Przydatne informacje, dzięki! :)

Thank you for clarifying this all to me. I was unsure as to what all the keys were for. Since it seemed as if I was never gonna need to know I ignored them.

I had zero idea about it. Had to go through the previous post to understand it all. This is a very helpful post. Thank you very much! :)

TOTALLY newbie question:

How to properly use those keys?
and where i could use that?

This is definitely a handy feature to know about. I started using the key for posting only on my mobile devices for added security. It allows me to view, upvote, comment and post, but you can't do anything else. My devices are secure with passwords of course, but still a good idea to be careful in case someone gets a hold of your device before your password is required again.

Thanks for this detailed info!

Recommendable post :-)

Finally a good explanation, thank you @noisy for enlightening me :) resteeming!

Excellent and well detailed info! Much appreciated. I've read a few stories of people giving out the wrong one and losing their investments. Ouch!

I'm not even sure if I got a 'password' in the beginning? All I know is I've got all my private keys tested and stored safely.