How to securely transact on the Nano network using an offline device
NOTE: Since this article was written, there is now a much more user-friendly offline-signing method available in the Nault.cc wallet.
A Nano wallet and its accounts are protected with a seed that controls a set of private keys. The level of security for the corresponding funds is determined by how securely the seed or keys are stored. There are many different approaches to storing these critical hexadecimal strings, including password managers, hardware wallets, or writing them on paper and storing the paper securely. The security implications of each method are explained in detail in this article:
Nano Wallets — Security and Convenience
Comparison of different Nano wallets with regard to security and convenience.
Offline storage is widely considered one of the most secure methods of protecting private keys. But how can we use these private keys to transact on an online network like Nano without exposing them? That’s where off-chain/offline-signing comes into play!
Offline signing is a very secure way of performing transactions because the data that is entering and leaving the offline device is non-sensitive and cannot be altered to compromise the funds.
Block Variants and Method
A Nano transaction comes in one of four different flavors. The block itself is always constructed in the same way as a “State Block,” but the input parameters will slightly differ. The webtool is designed to make this process both easy and flexible for the user, though it may seem a bit daunting at first.
- Open: The first transaction of an account
- Send: When funds are deducted from a Nano account
- Receive: When funds are added to a Nano account
- Change: When the representative is changed. (Note: the representative can also be changed as part of an Open, Send or Receive block, but in the case of a dedicated Change block, zero Nano is transferred.)
In all cases, input data is retrieved from the network either manually via a block explorer or by direct network requests. The block is created from that data, which results in a Block Hash. The Block Hash is sent to the offline machine (the browser on the right side in the videos), where it is signed, and a Signature is returned to finalize the block. The block can then be published to the network as a valid transaction.
To send data securely to and from the offline machine, QR codes are used together with a webcam. It’s also possible to use an audio signal, which is shown in the last video.
- Address: Also called Account; the public ID that funds are sent to or from.
- Previous Hash: Usually the latest recorded block in the account's chain, called the Frontier, which describes the latest known balance. This block always comes before the one you are creating.
- Pending Hash: Also called Delivered Hash. It’s a block that has been sent but not yet received by the final account.
- Representative: The account address that does the delegated voting.
- Current Balance: The balance reported by the Frontier or by the block that comes before the one you are creating.
- Amount: Value to be Sent or Received.
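As an added illustration (not code from the webtool or from this article's author), the Python example below recomputes the Block Hash from the input parameters listed above, so the hash arriving at the offline machine can be compared with the expected one before it is signed. It assumes the Nano state block layout (Blake2b-256 over a 32-byte preamble, account, previous, representative, 128-bit balance in raw, and link); the function names and the sample accounts are hypothetical, constructed values.

```python
import hashlib

ALPHABET = "13456789abcdefghijkmnopqrstuwxyz"  # Nano's base32 alphabet
PREAMBLE = bytes(31) + b"\x06"                 # 32-byte state block preamble
ZERO = "0" * 64                                # previous of an Open block, link of a Change block

def _b32(value: int, chars: int) -> str:
    return "".join(ALPHABET[(value >> 5 * i) & 31] for i in reversed(range(chars)))

def pubkey_to_account(pubkey: bytes) -> str:
    checksum = hashlib.blake2b(pubkey, digest_size=5).digest()[::-1]
    return "nano_" + _b32(int.from_bytes(pubkey, "big"), 52) + _b32(int.from_bytes(checksum, "big"), 8)

def account_to_pubkey(account: str) -> bytes:
    """Decode an address; reject it if the checksum does not match (typo or tampering)."""
    prefix, _, body = account.partition("_")
    if prefix not in ("nano", "xrb") or len(body) != 60 or set(body) - set(ALPHABET):
        raise ValueError("malformed address")
    value = 0
    for ch in body[:52]:
        value = value << 5 | ALPHABET.index(ch)
    if value >> 256 or pubkey_to_account(value.to_bytes(32, "big"))[5:] != body:
        raise ValueError("bad address checksum")
    return value.to_bytes(32, "big")

def state_block_hash(account, previous, representative, balance_raw, link_hex) -> str:
    data = (PREAMBLE + account_to_pubkey(account) + bytes.fromhex(previous)
            + account_to_pubkey(representative) + balance_raw.to_bytes(16, "big")
            + bytes.fromhex(link_hex))
    if len(data) != 176:
        raise ValueError("previous and link must be 32 bytes each")
    return hashlib.blake2b(data, digest_size=32).hexdigest().upper()

def expected_hash(kind, account, previous, representative, current_balance, amount=0, link=ZERO):
    """Hash the offline operator expects for each block variant (balances in raw).
    link: destination address (send) or pending hash (open/receive); ignored for change."""
    if kind == "send":
        if not 0 < amount <= current_balance:
            raise ValueError("amount must be positive and within the balance")
        return state_block_hash(account, previous, representative,
                                current_balance - amount, account_to_pubkey(link).hex())
    if kind in ("open", "receive"):
        prev = ZERO if kind == "open" else previous
        return state_block_hash(account, prev, representative, current_balance + amount, link)
    if kind == "change":
        return state_block_hash(account, previous, representative, current_balance, ZERO)
    raise ValueError("unknown block type")

# Constructed sample accounts (placeholder 32-byte keys, not real wallets).
ACCOUNT, REP, DEST = (pubkey_to_account(hashlib.blake2b(s, digest_size=32).digest())
                      for s in (b"acct", b"rep", b"dest"))
```

If the value returned by `expected_hash` differs from the hash received over QR or audio, the block was built from different parameters than the ones you entered and should not be signed.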
If you don’t have a webcam for the offline machine, there is also the possibility of transferring data using audio and speaker/mic via the Audio Messenger tool.