It surprises us even today that people involved in cryptocurrencies, even with tens of thousands of dollars invested, aren’t familiar with even basic practices in computer security. Many are not compromised for reasons that are arbitrary and not due to their own ability to secure themselves. Unfortunately, some are not so lucky and I regularly hear about financial losses that are both significant and completely avoidable.
Recently we heard from a friend of mine who tells we he and another friend both lost 1 BTC each. At current prices, that’s about $9k. What happened is that the account of a mutual friend of theirs was somehow compromised. While the compromise of that account is not the subject of this post, it was also completely avoidable.
PGP, a tool to help you stay secure
PGP is a specification and it stands for “pretty good privacy”. It’s what’s referred to with public-key cryptography. Cryptocurrencies actually use
public-key cryptography so you are probably already familiar with the concepts of it even if you haven’t heard of the name before. Public-key cryptography involves to components: a private key and a public key. The private key is secret data that only you should know. The public key is
meant to be shared with the world. The interesting applications of public-key cryptography are:
Digital signatures. Sign a message with your private key. Anyone with a copy of your public key can verify that the message was created with the corresponding private key. Since you are the only person supposed to have a copy, this provides strong evidence that you created the message. Once this digital signature is made, there is no way to alter the authenticity or change the underlying message that has been signed.
Asymmetric encryption. Encrypt a message with the public key. This encrypted message can only be decrypted with the private key. This can be used to encrypt messages that are only intended to be read by a specific recipient.
How you can use PGP to stay secure
When making or responding to sensitive requests to prove it came from who you think it did. Picture a request like “Please send me 1 BTC, there is an ICO for a killer product and it ends in just a few hours. I will send you the money back with interest tomorrow.” This is very likely how my friends were compromised. They trusted this person and didn’t seem to think that his account could have been compromised. Had they asked for the request for the 1 BTC to be digitally signed, then they could have had a safe way of verifying that the request was really made by their friend and not someone else. While there are other ways to “verify” like talking to the person on the phone or video-chatting, these are imprecise and phone to user error. It would hardly be the first time someone was tricked into thinking they were speaking to their husband/friend/whatever over the phone because the voice on the other end was panicked and crying. Unlike these other methods, PGP is pretty binary. The message was signed or it wasn’t, and anyone in the world can verify this. There is little room for human error or ambiguity.
When sending sensitive data only meant for someone else to see. Picture sending someone your BTC address. Would you want others to know how much money is in your bank account? What if you are sending data to an intermediary, like a secretary, and that sensitive information is to be relayed to them at some undetermined time in the future? This is likely how ICOs work. Send some specified amount of money to an address, and we will encrypt the private data giving you access to funds with your Bitcoin public key and send it to you over email.
Real world examples of how to use it
When sending someone an invoice it could be encrypted with the public key. That way this sensitive information is only for their eyes even into the future.
When sending someone your Bitcoin address it can be encrypted with their public key and signed with your private key. Now others who intercept the message cannot see how much you own, and the recipient can know that this address actually belongs to you and could not have been intercepted and modified.
When sending someone your Monero address it can just be signed with your private key. Since all transactions in Monero are private, nobody is going to be able to see your balance anyway with your address.
Making requests for money. These requests are heavily prone to impersonation and and requiring a digital signature can ensure you are actually talking to who you think you are.
Non-repudiation. What if you have some sensitive deal and you want so ensure that they are bound by the promises they made? You have them digitally sign the message over something like email instead of promises in person or over the phone. You could get the promise in writing, but an even stronger guarantee to authenticity than a wet signature is a digital signature. Now you don’t need to worry about situations where they come back and say “I never said that” and risk inaction from legal authorities due to the unprovable nature of an agreement.
It’s better to become familiar with PGP before you need it. In the situations you actually do need it and don’t have it, it may be tempting to say “well, I’m 95% sure it’s them anyway.” Those kinds of oversights are what hackers exploit. If you are tricked or conned, I am pretty sure your final thought before you part with your hard-earned money is that you’re pretty sure it’s legit anyway.
When you do create your public/private keys, upload your public key to a key-server like http://pgp.mit.edu/ and put the public key or key fingerprint on your social media sites / email. You want your public key to be as pubic as possible.
for example, here you can find our PGP key to communicate securely and be sure that we are.