Securing your crypto with plausible deniability and BIP-39 passphrases
Introduction
At the early stages of bitcoin, there were no simple methods for remembering your Bitcoin wallet keys, nor were there any mnemonic words to help you create paper backups. To solve this problem, two standards, namely BIP-32 and BIP-39, were created. Those are now widely used and are also the subject of this blog’s discussion.
Along the way, the idea of BIP-32 was proposed and eventually generally adopted, and it was referred to as hierarchical deterministic wallets. Later on, an extension known as BIP-39 was put forward.
What is BIP 39?
BIP-39 defines a mechanism for encoding a random list of bytes (a seed) to a list of human-readable words that is easy to memorize and write down. In comparison to raw binary or hexadecimal representations of the seed, it makes it easy to read, thereby permitting a far better management and storage of the seed by humans.
The BIP-32 standard, also known as hierarchical deterministic wallets, defines how to derive or generate a keypair out of a seed that will then hold your crypto assets. This is done by using something called a “derivation path”. Every derivation path derives a different key pair, which means you can use one seed to generate and manage multiple separate accounts.
When you first initialize AirGap Vault and click the generate button, it takes you to the next page where your mnemonic is generated using your video, audio, touch, and device acceleration to derive random entropy. During this process, your secure seed is created and displayed as a mnemonic is created.
Those 24 words are a human-readable representation of the seed that is used to derive all your accounts.
Always make sure you keep a secure backup of your 24 words. We created a paper template for you with a non-see-through pattern on the backside so you can write your words down in a proper manner. Get the PDF here and print it out.
AirGap Social Recovery
When you are worried about losing your recovery seed, consider making use of AirGap Social Recovery. It lets you create secret shares which you then can distribute to contacts you trust. You can recover a lost secret if you have a set number of these secret shares. Find out more about it in our blog.
Advantages of BIP39
Human readable: Private keys are usually displayed as a seemingly random list of characters. BIP-39 allows us to have an easily readable human representation. As an example, let’s look at the following mnemonic: “page library glow curious sight music erupt limit miss father tobacco rifle” The hexadecimal representation of this mnemonic is “9ef0218f1afc8323d33c0f8dca778cdc”. While this is a lot shorter, it’s a lot harder for us humans to recognize patterns in this representation.
Multiple Accounts: With BIP-39 it is possible to manage multiple separate accounts that originate from the same seed. If we take the mnemonic above as an example again, if we apply the standard derivation path for Bitcoin, which is “m/84'/0'/0'/0/0”, we get the derived private key of “L2vtxWcU7MXfBKfjWfgquw9awc1RWRskoVSCcpZ4TTuTg71BMuCq”. If we change the derivation path just a little bit, let’s say to “m/84'/0'/0'/0/1”, we get a completely different private key: “KzrUPDsMLbbXFnL9GdAQtqfvZurv6Aaut7YwDDPqGyp718ASFY5k”. Those two private keys are completely separate and it’s not possible to link them together.
BIP 39 has another interesting feature that can provide an additional layer of security to your funds, and AirGap has integrated this functionality into its solution.
Plausible deniability is a security feature that allows you to create a “hidden” account without anybody knowing that it exists. To do this, an additional passphrase is used when creating an account. This can be useful to protect you if you are threatened and compelled to provide your mnemonic, or simply as an additional security measure in case, you lose your mnemonic.
If you want to set up plausible deniability for your mnemonic, you should add both a normal account (without a BIP-39 passphrase, also called “decoy” account), and another account with a BIP-39 passphrase. You then put a small number of coins on the “decoy” account and put the majority of your funds on your hidden account.
When an attacker gets a hold of your mnemonic, he will immediately see the funds on your decoy account, because it doesn’t require any passphrases. At this point, he will probably be satisfied and move on. You should still always monitor your decoy account and as soon as the balance decreases for no reason, you should immediately move your funds to a new mnemonic.
Setting up plausible deniability will give you an extra layer of security to store large amounts of funds.
Security benefits of Passphrase and Plausible Deniability
- If someone had access to your physical copy of the recovery seed, they would not be able to access your passphrase-protected wallet unless they also had the passphrase.
- Passphrases are completely free. When using your recovery seed, you can generate as many passphrases as you want in combination with it. Because of the ease with which you can create a new wallet, you can benefit from an extra advantage of hidden wallets, which is plausible deniability.
How to set up a passphrase in AirGap Vault
We strive to provide our users with the most secure and innovative technology, which is why AirGap has integrated this feature into its Vault.
If you want to generate an account with a passphrase, follow these steps.
- After setting up a secret in AirGap, Click the ADD ACCOUNT button. (image 1)
- Select any coin you want to use to generate the new account with a passphrase. (image 2)
- Toggle the Advanced Mode button and input your passphrase. (image 3)
- Click the create and tick the “I understand” button. (image 3)
- Click ok and a new account will now be generated. This account looks and behaves just like any other account, but to use it, you will need to provide the BIP-39 passphrase again. (image 4)
Things you should note while setting up a passphrase
- Your passphrase is case-sensitive and can include special characters. Lowercase and uppercase characters are distinguished.
- Your passphrase is not stored anywhere. You take responsibility for keeping it safe, whether that means creating a physical backup or simply remembering it. If you lose your BIP-39 passphrase, you will lose access to your funds.
- The mnemonic and BIP-39 passphrases are both needed to recover your account. Make sure you properly back up both of them. Don’t back them up in the same location though, because an attacker will have immediate access to your hidden wallet if he has both.
- Always add funds to your “hidden” or “decoy” account so attackers will think they have access to your wallet and stop looking.
- You should closely monitor any balance changes on your standard or “decoy” account. If the balance ever decreases, you will immediately know that someone has access to your mnemonic and you should move your funds to a new mnemonic immediately.
- If an attacker has access to your mnemonic, he can try to brute force your passphrase. Depending on how strong your passphrase is, this takes between a couple of seconds and thousands of years. Choose a passphrase that is at least 10 characters long. The longer the better.
Download
AirGap Wallet
📱 iOS — App Store
📱 Android — Google Play (GitHub APK)
AirGap Vault
📱 iOS — App Store
📱 Android — Google Play (GitHub APK)
