Owner Key vs Master Password / Offline Private Key Derivation from Master Password / Public Key Derivation from Private Key

in #utopian-io, 5 years ago (edited)

Repository

https://github.com/steemit/steem

What Will I Learn?

  • Difference between Owner Key and Master Password
  • Private Key Derivation from Master Password (Offline)
  • Public Key Derivation from Private Key (Offline)

Requirements

Tutorial Scripts are compatible with both libraries for convenience.

Difficulty

  • Basic (to follow)
  • Intermediate (conceptually)

Tutorial Contents

Owner Key vs Master Password

A common misunderstanding about Steem (private) keys and the master password concerns the difference between the Owner Key and the Master Password.

The recently launched official Steemit Wallet page (https://wallet.steemit.co) also uses the somewhat confusing term "master key", as follows:

Ambiguous wording "The owner key is the master key" on https://wallet.steemit.co

This may sound as if the owner key is the same as the master password, which it is NOT. Moreover, technically there is no such thing as a master key. It's just a metaphorical expression to indicate that the owner key is the highest-level private key.

There may be some reasons behind the confusion between the owner key and the master password.

  1. The owner key can still change the master password.
  2. There was no easy way to see your private owner key (before the introduction of https://wallet.steemit.co). Of course, there have been some unofficial sites and tools where you can check your private owner key, but not many people know about them, and not many feel safe entering their master password to see their private owner key.

steemit.com doesn't provide a way to see the private owner key.

Fundamental differences between Owner Key and Master Password
  • The master password is NOT a (private) key in a public/private key system. As the name suggests, it is a password. There is no such thing as a public master key, for instance.
  • All private keys (and thereby all public keys) can be derived from the master password.
  • No private key can be derived from the owner key.

While the owner key is the highest-level private key, that doesn't mean the other private keys (posting, active, memo) can be derived from the owner key. Each key is completely independent in terms of the PKI key pair. The fact that a higher-level key has more (i.e., inclusive) privileges than a lower-level key is a completely different matter. It is just a matter of implementation.

Private Key Derivation from Master Password (Offline)

Another common misunderstanding is that an internet connection is needed to get the private keys from the master password. This is not true. One reason why some people may think an internet connection is needed is that steempy (the CLI of the steem Python library) and beempy (the CLI of the beem Python library) require an internet connection when they import accounts. You can check this by disconnecting from the internet and then trying steempy importaccount [accountname] or beempy importaccount [accountname], depending on the library you're using.

However, the reason they need to be online is that they check the public key against the Steem blockchain to figure out whose key it is. That is how steempy listaccounts is able to show the account name.

+------------------+---------+-------------------------------------------------------+
| Name             | Type    | Available Key                                         |
+------------------+---------+-------------------------------------------------------+
| blockchainstudio | active  | STM7twwbBgfpw7taJ6CoGe7Xp4qeXjdEVUzJgszSoqjqnnLByP8JW |
| blockchainstudio | posting | STM7mWpvHgJCXX62nXnSwW74GSBf2PYqzRWzdSxMP8G23ZQoV68q9 |
+------------------+---------+-------------------------------------------------------+

A typical output of steempy/beempy listaccounts



But private key derivation itself (from the master password) can be done offline

Basically, the master password (together with your account name) is a seed to generate all private keys (public keys are derived from private keys). Try the following script after disconnecting from the internet if you don't believe me :)

# Works with either library: try beem first, fall back to steem-python.
try:
    from beemgraphenebase.account import PasswordKey
except ImportError:
    from steem.steem import Steem
    from steembase.account import PasswordKey
import getpass

# One key pair is derived per role.
roles = ["posting", "active", "memo", "owner"]

print("Warning! This will show your private keys on the screen if you enter your master password correctly.")
print("To show that key derivations can be done offline, it will not check whether the password is correct.")

account = input("Enter account name: ")
# getpass does not echo the password to the terminal.
password = getpass.getpass("Enter master password: ")

for role in roles:
    print("%s key" % role)

    # Account name, master password and role together form the seed.
    pk = PasswordKey(account, password, role=role)

    print("  public:  %s" % pk.get_public())
    print("  private: %s" % pk.get_private())

https://github.com/economicstudio/steemtutorial/blob/master/showkeys.py

It doesn't echo your master password. Don't worry. Of course, it shows your private keys (as it warned) on the screen, so you need to execute this on a safe computer. If you don't feel safe, then just read the next paragraph :)

$ python showkeys.py
Warning! This will show your private keys on the screen if you enter your master password correctly.
To show that key derivations can be done offline, it will not check whether the password is correct.
Enter account name: blockchainstudio
Enter master password:
posting key
  public:  STM85THF8tgJpGDkpzfNKT6zE25iWHnhkg4pJDEEDqiKXL6fYqUgL
  private: 5JZDBCRM8Fyci7dJQ8c2mC9b8FsXd8aGeQH2X5EeN3Ki3dpAL5r
active key
  public:  STM5pxmDyb4urZFsUX7LxjQDuaVJ2TL4w7C9hfsVejhhCm6LJ1Hmg
  private: 5JArscMjtf3S2uKyL6i286piohE2dhh8Kvmyh4wSFZoaoKJPDfJ
memo key
  public:  STM8LhNWYfbDbyG8TWQUMPid4DfexANQNg4q2LDWb7EF2i123Do7L
  private: 5JuMLWnyhBRcxkeRmY18EKFEC7avU68jGR2scjyyTXDWpKKwmhf
owner key
  public:  STM8KXYhzrrdfbCShuN2PWVWAEXSwmGFnCKCYAWVYSqTMBD2KVpqw
  private: 5JvLoxtWQ9SeGfmb7ZPrYgGzCNGJ9eqMjwCUtmkuyEd3DXkd6zu

Example output of showkeys.py script

Wait a sec, why am I showing my private keys? Of course, they're fake :) In principle, you can enter any fake combination of account name and master password. In that case, the generated private keys are also incorrect ones. Garbage In, Garbage Out :)

Of course, if public keys happen to match some real public keys, you're extremely lucky! Then you can control that account, but the chance is virtually none. All cryptocurrencies are based on this belief.

If you enter account/password correctly, it gives the correct private/public keys. You can verify them on steemit.com, wallet.steem.co, steemd.com.

Due to the output, you may think that public keys are also directly derived from the master password, which is not true.
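What the derivation above amounts to, written with only the standard library (an added example, not the tutorial's or the libraries' own code). It assumes the scheme used by the Graphene-style libraries: the 32-byte secret is SHA-256 of account + role + password, encoded as WIF with version byte 0x80; the account name and password are constructed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ["posting", "active", "memo", "owner"]

def checksum(payload: bytes) -> bytes:
    # WIF checksum: first 4 bytes of SHA-256 applied twice
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out  # no leading-zero handling needed: WIF payloads start with 0x80

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on characters outside the alphabet
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def derive_secret(account: str, password: str, role: str) -> bytes:
    # Assumed scheme: the secret is SHA-256(account + role + password)
    return hashlib.sha256((account + role + password).encode("utf8")).digest()

def to_wif(secret: bytes) -> str:
    payload = b"\x80" + secret  # 0x80 = WIF version byte
    return b58encode(payload + checksum(payload))

def from_wif(wif: str) -> bytes:
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(raw) != 37 or payload[0] != 0x80 or checksum(payload) != check:
        raise ValueError("not a valid WIF private key (typo or wrong format)")
    return payload[1:]

def derive_all(account: str, password: str) -> dict:
    return {role: to_wif(derive_secret(account, password, role)) for role in ROLES}

if __name__ == "__main__":
    # Constructed account/password, not real credentials
    for role, wif in derive_all("alice-example", "constructed-password").items():
        print("%-8s %s" % (role, wif))
```

Each role's key is a separate one-way hash of the same seed, so the owner WIF reveals nothing about the password or the sibling keys. Under this scheme the only protection against offline guessing is the entropy of the master password.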

Public Key Derivation from Private Key (Offline)

A public key can be derived from a private key.

If you're familiar with PKI (Public Key Infrastructure), which is basically the cryptography that almost all cryptocurrencies use, then you know that keys come as a pair: a public key and a private key. Mathematically, a public key can be derived from a private key. For instance, a Bitcoin address is a sort of public key. When you enter your private key for that address, the wallet shows your address (public key), even though you didn't enter the address! This is because the public key is derived from the private key.

Let's confirm this with Steem blockchain! Again, no internet connection is needed.

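# Works with either library: try beem first, fall back to steem-python.
try:
    from beemgraphenebase.account import PrivateKey
except ImportError:
    from steem.steem import Steem
    from steembase.account import PrivateKey
import getpass

# getpass does not echo the private key (WIF) to the terminal.
wif = getpass.getpass("Enter any private key: ")

# The public key is computed locally from the private key.
print("public key: %s" % PrivateKey(wif).pubkey)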

https://github.com/economicstudio/steemtutorial/blob/master/derivepubkey.py

Feel free to type your real private key (it will not echo). Then it shows your public key.

$ python derivepubkey.py
Enter any private key:
public key: STM7mWpvHgJCXX62nXnSwW74GSBf2PYqzRWzdSxMP8G23ZQoV68q9

Example output with a real private posting key of @blockchainstudio. You can double check the public key on https://steemd.com/@blockchainstudio

I hope this tutorial clarifies the confusion between the owner key and the master password, and also helps in understanding the public key cryptography underlying almost all blockchains.

Curriculum

Proof of Work Done

https://github.com/economicstudio/steemtutorial


Thank you for your contribution @blockchainstudio.
After reviewing your tutorial we suggest the following points listed below:

  • Very interesting tutorial for the whole steemit community. Thanks for explaining the concepts of passwords, it is important for users to know what each one is and what it is for.

  • We suggest that you put more images in the next tutorial. Images help the tutorial feel less massive for the reader.

  • Always put comments in code sections; it helps less experienced readers a lot.

  • Improved the structure of your contribution, thanks for following our suggestions in the previous tutorial.

Thank you for your work in developing this tutorial.
Looking forward to your upcoming tutorials.

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.


[utopian-moderator]

Hi @portugalcoin, thank you for your review. Yes, I think it's an important and confusing concept. Hope this helps the community. Thank you again!

Thank you for your review, @portugalcoin! Keep up the good work!


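Korean summary: Many people confuse the owner key with the master password. There are actually a few reasons for this. First, the owner key can be used to change the password, and on top of that there was previously no way to see the private owner key on steemit.com. Of course there are sites that show it, but entering your master password there naturally feels uneasy. This post covers another misunderstanding and further explanation together with actual code, so it might be better to write a separate Korean version when I get the chance. It's a bit hard to write all of it in a comment ㅠㅠ

P.S. I'm actually trying out Steem Keychain right now and am surprised, haha. I wrote this post on steempeak using Steem Keychain instead of steemconnect. Apart from having to click "don't ask again for this transaction" a few times at first, it seems to work reasonably well. It also seems a little slow, but I don't know whether that's a Keychain problem or a SteemPeak problem. I hope the project goes well.

As a layperson I don't really understand what this is, but I'm rooting for you. ^_^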

Posted using Partiko iOS
