Steem Basics: Understanding Private Keys

in #steem6 years ago (edited)

Steem Basics Private Keys v4.jpg

In a previous post we discussed how we are in the process of splitting Condenser (the open source software that powers steemit.com) into two separate applications that will work together seamlessly. One application will handle all the financial functions (wallet) that require a higher level of security, and the other application will handle all the social functions that require a relatively lower level of security. The end result will be two applications that are more secure and optimized for their specific functions.

Private Key Management

This “separation of concerns” is similar in concept to the different types of keys every Steem account holder is given when they create an account. These keys “unlock” different levels of control over an account. One of the advantages of the split will be that it will enable us to create a more intuitive user experience with respect to the use of your keys. For that reason we thought we would take this opportunity to educate any users who are still confused by the private key system on what these keys do and how they can be used safely.

Posting Key

In today’s post we want to focus primarily on the Posting Key and Master Password as these help explain the overall design of Steem’s private key system. Steem’s private keys are “hierarchical” which means that each one enables the key holder to perform a wider variety of activities with the associated account. The “Posting Key” is at the bottom of the hierarchy because it can do the least. It can only be used to perform social activities like posting, commenting, upvoting and downvoting. While these activities are common, they do not require a high level of security, because they do not authorize any operations which can negatively impact token balances.

If you prefer watching to reading, check out this video in which Steemit’s Content Director (@andrarchy) explains Steem’s Private Key system:

Screen Shot 2019-02-20 at 1.55.11 PM.png

To retrieve your Posting Key, go to the permissions tab inside your Steemit wallet. Your public Posting Key will be at the top of the page and alongside it you will see a button that says “SHOW PRIVATE KEY.” When you click on that button you will be prompted to input your Active Key or Master Password. Once you do so, your private Posting Key will be displayed. At this point you might want to consider saving this key to a password manager like LastPass or Dashlane for safe storage.

Permissions v2.png

A user’s keys are vulnerable any time they are entered into an application. A malicious actor could create a fake interface at a domain that is a common misspelling of steemit.com and that requests you input your private keys (phishing). A malicious browser plugin can also gain access to keys stored in your computer’s memory or your web browser’s cookies. Having a Posting Key ensures that the key that is used the most–and is therefore most likely to be acquired by a malicious actor–conveys the least authority. Even if a hacker does get this key, the only things they can do with the account are the social activities (as opposed to financial).

Key Hierarchy v2.jpg

Because the Posting Key has the fewest authorities, there is no harm in always attempting to use the Posting Key if you are not confident about which key should be used. In other words, if all of this sounds confusing, all you need to remember is that the safest option is to only use your Posting Key. If a key with higher authority is required to perform the action, you will be informed by the interface that the Posting Key is insufficient and that another key is required.

In the vast majority of such cases, you will then use your Active Key. But remember to be more cautious in those circumstances. That being said, the Posting Key can certainly be abused too, so users should always be vigilant. We will continue to release posts like this to educate users about how they can protect themselves within the Steem ecosystem.

Master Password

While a hacker acquiring a Posting Key might be unpleasant for the account holder, as long as the rightful account owner still has their Master Password (or their Owner Key), they can always change all the other keys and regain total control over their account.

Password v. Key

One might wonder why the Master Password isn’t also called a “key.” That’s because all of the keys are actually derived from this single password. That’s why it’s called the “Master” password. It is also called the “seed” because it is the first password that is created, and it is from that the rest of the keys spring forth. That’s why it can be used to perform any function on Steem, from social activities to financial activities. Its convenience has led many to use this password for everything, but this is the precise opposite of its intended use.

Since keys can be used to do any activity in Steem apps like steemit.com, the Master Password should be securely stored in a password manager (like LastPass or Dashlane), or offline entirely, and only used for highly-trusted applications, minimizing the risk it could be acquired by a malicious actor. Remember, if you use your private keys right, you be unlikely to use the Master Password ever, therefore sacrificing some convenience for the benefit of security is a worthwhile tradeoff.

Steem Connect and Keychain

Users should always be careful when signing into any site that requests any of their private keys. We at Steemit, Inc. can only speak to the security of steemit.com. Otherwise, we recommend only signing into websites through SteemConnect which is an open-source, universal, login layer for Steem Apps, built by a community developer (@fabien) in collaboration with Steemit, Inc. Think of it as “Facebook Connect” for Steem apps.

Users who do not want to input their private keys into Steem-powered websites can use the the Keychain extension created by the @steemmonsters team. Keychain stores Steem keys in a browser extension which can automatically provide the appropriate keys when prompted by a Steem app, thereby foregoing the need for users to expose their keys by copy-and-pasting them into a website.

steemconnect keychain.jpg

Summary

The goal of this post was to focus primarily on the Posting Key and Master Password because understanding these two items delivers the most insight into the overall design of the system. The Posting Key is at the very bottom of the hierarchy because it grants the least authority, but it is also the key Steemians should be using the most since it governs social functions. The Master Password, on the other hand, is at the very top of the hierarchy because it grants the most authority and is almost never necessary.

We will cover the rest of the keys in future posts, so if you found this informative, be sure to follow @steemitblog and please share this post with anyone who is trying to gain a better understanding of the private key system.

The Steemit Team

Sort:  

Great post. What is the memo key for and where does it fit in the security hierarchy?

Posted using Partiko iOS

I don't care i don't care what you think about me I'm not born to impress you

I am new here. Can you put me through on how this works?

You will receive all the information in the video

Muy buena pregunta, estoy interesado también en esa clave que no entendí como usarla.

A lo que leí, es básicamente para poder desencriptar mensajes que te fueron enviados, pero con baja autoridad.

Loading...

Blog yazmak için ne yapmam gerekiyor

It seems that I did not understand the lesson well

sgdshdfjfgkghlhjkjk;jk;j

Halloo..... please help me to get some points
Thanks

This is crazy I upvoted you hours ago. maybe I didn't press post button hard enough the comment for you end up below danielndt or maybe it is because I was messing around with my setting, but my post of 11 hours ago was meant for you apshamilton.

I see you post under mine. The changes are confusing but for the better eventually I think. I use SteemPeak and Partiko rather than Steemit in any case.

Confusing plus I am going to just take it slow let all the info soak in thanks for your reply and advise. I will be following you.

Adakah yang bisa memberi tahu saya gimana cara kerjanya?

Good and advantage posting

The write up nice. It eleborate more about the security keys.

New here, can anyone show me around???

I agree about the Memo key and where it fits or is it a security risk. I feel vulnerable with all the changes going on with the wallet security. If you read my blog the other day I was frustrated and angery enough to get what I could and get lost. I need some one line solutions and I could settle down and hash my way through it, until then the old hawgwild is on a short leave, (Doctors orders; don't get to stressed out).

hola soy nuevo alguien me puede explicar como comenzar en la actividad, y que paginas serian mas productivas para unirme a la comunidad steem

Nice information thanks You So much https://techbegins.com

Hi. I am steemit new dist ibo tar

hey bro what you doing??

What is Memo in Steemit

Memos (in steemit specifically ) are the short messages attached with the crypto transaction (that is steemit tokens).

What Memo key is used for:

Memo key is used to decrypt private transfer memos or in simple words to create and read memos.

Where it fits in the security hierarchy:

Well it comes under master and owner key but separately, I mean separate diagram for it because it doesn't cover active key and posting key. This (Memo key) is exceptionally different (than active and posting keys) and specifically used for on Memos (short messages). It useless now and can be ignored like hardly few people use it. see here :
steem-keys-and-passwords-full-guide

Bunun olayı ne

Di private key

What is this?

ちょっと外れ値なのでメモキー。メモ キーができる唯一のことは、ブロックチェーンを介して送信されるプライベート メッセージの暗号化と復号化です。これはいつか強力な機能になる可能性がありますが、今日では一般的に使用されていません。暗号化を解除したいプライベート メッセージを受信した場合は、いつものように必要最小限の権限を持つキーを使用する必要があります。この場合はメモ キーです。
暗号化されたメッセージを送信する・表示する。との事。
メモキーは暗号化・複合化に対してのキーであるから、セキュリティ階層にはあまり適合しないのでは?外れた場所にあるキー的な

How to use it

I dont know

excelente

when i try to view my private posting key it wont let me, i click reveal, log in, and then im logged in but it is still hidden, how do i fix this?

Magic Dice has rewarded your post with a 3% upvote. Thanks for playing Magic Dice.

Very nice tutorial! So glad to see this coming from the Steemit blog, simple to understand information like this is exactly what new users need. I agree with Crim, we need this in one easy to find location with some other FAQ. Nice progress!

Easy for you to say, I still feel vulnerable with things being changed fast.

This is really well put together! Well done~ I'm going to carry it through into some of the new user communities. I hope to see this rolled into the FAQ here or into however you refresh the introductory new user experience for front ends with the upcoming split~

Thanks Crim! That's the idea!

Couple of years ago, on recommendation of PBG, I opened an account and invested couple hundred bucks into SP (and even made a post); sorry to say - very very confusing site(s). For www.steemit.com I have user name and all my keys; for Steem Chat I have another user name AND password. To get to my wallet I have to print one of the keys! But the worst thing it is impossible to find Support or Help on your site, to ask questions (not addressed to in FAQ), e.g. how do I assign a password (rather than key), to acess my wallet? what is the address to use, to access Hive blockchain, to see the results of the recent fork? Can anybody contact me via [email protected] ? Thanks.

Superb video. Having things like this to send new users to when they ask about the keys, or even linking to from the FAQ in different dApps will be really helpful!

Shame I can't flag people who comment on YouTube though.

lol, why'd you make me look?!

Secangkir kopi .bukanlah air minum biasa yang hanya mampu menghilangkan dahaga.tapi dia bagaikan obat bius yg bisa menghilangkan stres

Great video! This really breaks it down so it's useful to newbies but many users that have been here for a long time might have an 'aha' moment too :-)

Thanks for commenting, things are getting better in #Steemit and at #Steem network especially in the area of communication, information, advertising, and projecting Steem to the far ends of the planet earth!

Thanks @steemitblog for the reminder cum information.

I'd hope everyone uses a password manager if some sort as you need unique passwords for each site anyway. Something like Lastpass also reduces risk as it will only supply the password for the real site and not for a fake one.

I never got this one:
Master Password (or their Owner Key).
Are these two different names for the same thing or I'm missing something?

Yes I was confused by this as well for a long time but I'm pretty sure that yes Master/Owner key is the same, then you have the active and the posting key.

@oldtimer, @direwolf: No, they are not the same.
Owner Key is derived from the Master Password in a same way as Posting Key.

Let's say user bob is setting his new Master Password.
It will look like this: P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R.
Steem blockchain however, doesn't know anything about Master Password as such.
It uses keys, such as Posting Key, Active Key, Owner Key that are derived from the Master Password.
In such case bob will have:
Private Owner Key:
5JiD4BEytbFWMGeN3Zk9JfFFgFCTvfcDhDGReG7jt2DREY8JzMa
Private Active Key:
5K6p5g2ob577bA53qgLMGDGY3L3D7M4ccaY2qFSJppgEvJkeLFn
Private Posting Key:
5KW5yYgmPf7bRn6BFEWboLr9bj4QtmVJMNAm2SiErDN5BCGtWH5
How I know it? There's a cli_wallet functionality that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one, instead all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R
Same for every role.

In fact you don't need to have Master Password at all. Your private keys can be generated and changed independently.

What is a cli-wallet and where can I find it?

There's a cli_wallet functionality that lets you derive key pairs from the Master Password. It's used for convenience, as you need to securely store one, instead all four.
To derive Owner Key from Master Password, bob would need to use:
get_private_key_from_password bob owner P5Hzer2h4R4Lkkjr455T4msnJyjwwmrjLLDYNATMAukM2yehVE6R

cli_wallet is a command line tool, a part of https://github.com/steemit/steem
You can either build it yourself or extract it from a docker image.

Thanks for the info. And where is the master password? Never seen it. I only got the four keys.

You get Master Password at the time of account creation through Steemit site (which I believe is what you got yours). You don't need it as long as you have all your private keys, or at least your private owner key, so you can set all the others.

Is there a scenario, where the private owner key is not enough and where you need the master password? e.g. account recovery?

No. Steem blockchain doesn't know about your Master Password.
Master Password is like a Master Key, that allows you to open doors on all levels of the building. You can use that one or separate keys. Separate key for the highest level in the building is enough to open it.
Also, if you change the lock in that door, Master Key will no longer be able to open it.

Ok. Now I know what's my error. I thought that I have the 4 private keys active, memo, posting and owner. I thought my password is missing. But: I do have the password and only the three private keys active, memo and posting. I don't know my owner private key, because it is not shown in the Steemit wallet. I think it is genarated automatically if I enter my password in Steemit.

Ist there a way to get the private owner key?

To oldtimer(74) Another old timer with some steem power and experience and you don't know either that's puzzling a minnow like me does not have a chance it seems. I wish I could give you the answer. Another fear of mine is bungling around and making the same mistake 3 or so times and lock myself out of my own blog and wallet sites. I thought I was locked out an hour ago, luckily I recorded all these keys and codes on paper 3 months ago. I had to try 3 of them and finally the type fest ended. whoever is implementing these changes would slow down so us Minnows can have some fun Please