How Exactly Does Ledger Generate the 24 Random Words? Risks Inside


Ledger hardware wallets are a go-to choice for many crypto enthusiasts looking to store their digital assets securely. Their technology revolves around the generation of a 24-word recovery phrase, a critical component in the security of the wallet.

Let’s dive into the inner workings of Ledger’s security, explore how the 24-word recovery phrase is created, and understand how it protects your cryptocurrencies.

The 24-Word Recovery Phrase

The Ledger wallet generates a 24-word recovery phrase based on the Bitcoin Improvement Proposal 39 (BIP39) standard.

This standard defines a list of 2048 words, from which the recovery phrase words are selected. A secure 256-bit random number is generated and a checksum is calculated, then the resulting 264-bit combination is divided into 24 chunks, each chunk corresponding to a word from the BIP39 word list.

This recovery phrase effectively acts as the “master key” to your wallet. If you lose access to your Ledger device, the recovery phrase can restore your assets on a new device.

Therefore, securing this recovery phrase is of paramount importance.

Is It Truly Random?

Nothing is truly random in computing.

A crucial element in this process is the randomness of the 256-bit number, which Ledger ensures using a hardware-based random number generator (RNG).

This RNG is certified to meet high security standards, guaranteeing that the generation process is truly random and not limited to a predictable subset of numbers.

The RNG undergoes various tests to ensure its output is random and unbiased, providing an extra layer of security.

How Does Ledger Generate The 24 Random Words Exactly?

The Ledger hardware wallet generates a 24-word recovery phrase based on the BIP39 (Bitcoin Improvement Proposal 39) standard. This standard defines a list of 2048 words, from which the recovery phrase words are selected.

💡 TLDR: The process for generating a 24-word recovery phrase involves generating a random 256-bit number and calculating a checksum. This combination is then divided into 24 chunks, and each chunk corresponds to a word from the BIP39 word list.

Here’s a bit more detail on the process:

  1. Generate a random 256-bit number: This can be done using a secure random number generator. The quality of this randomness is very important; it is the root secret from which every private key in the wallet is derived.
  2. Calculate a checksum: The checksum is the first 8 bits of the SHA-256 hash of the 256-bit number generated in the previous step. This adds an additional 8 bits to our total, giving us a 264-bit number.
  3. Divide into chunks: The 264-bit number (256-bit random number + 8-bit checksum) is divided into 24 chunks, each 11 bits long.
  4. Map to words: Each 11-bit number (which will be a number between 0 and 2047) is used as an index to pick a word from the BIP39 word list.

These 24 words are your recovery phrase. If you lose access to your Ledger wallet (e.g., the device is lost, stolen, or damaged), you can use this recovery phrase to restore your crypto assets on a new device.

Note that you must store this recovery phrase securely and privately. If someone else gets access to these 24 words, they could potentially gain control over your cryptocurrencies.

You should also never enter your 24-word recovery phrase into any computer or smartphone, as these devices can be compromised by malware.

The only safe place to enter your recovery phrase is into a Ledger device or another trustworthy hardware wallet.

Is Generating the Random Words Secure?

Yes, generating a 24-word recovery phrase using the method defined by BIP39, as done by Ledger hardware wallets, is considered very secure due to several reasons:

  1. High entropy: The 24 words are generated from a 256-bit random number, which has a very high level of entropy. This means there are 2^256 possible combinations, an astronomically large number that would take an impractical amount of time to brute force.
  2. Secure random number generation: Ledger hardware wallets use a hardware-based random number generator to ensure the highest level of randomness.
  3. Offline generation and storage: Ledger generates and stores the recovery phrase entirely offline, making it impossible for online hackers to steal it during the generation process.
  4. Checksum: The inclusion of a checksum adds another layer of security by ensuring the integrity of the recovery phrase.
  5. Physical security: The Ledger hardware wallet is designed with physical security measures to prevent tampering.

Note that this focuses on the generation of random words, not on Ledger in general.

How Do I Know Ledger’s Random Generator Is Unbiased so an Attacker Cannot Reduce the Search Space?

You don’t.

You’re correct to ask this question as the security of cryptographic systems like Ledger heavily depends on the quality of the randomness used. If the random number generator is predictable or biased, it could be a potential security vulnerability.

Hardware wallets like Ledger, however, use a secure hardware-based random number generator (RNG) that is tested and certified to meet high security standards (for example, the AIS-31 class PTG.2 compliant true random number generator used in Ledger’s Secure Element chip).

This ensures that the generation process is truly random and not limited to a predictable subset of numbers. To achieve this randomness, the RNGs use physical processes, like electronic noise, which are inherently random.

The RNG also undergoes various tests to ensure its output is random and it does not have any bias. These tests are generally part of the certification process conducted by independent third parties.

That being said, as an end-user, it’s not feasible to test the RNG directly.

Instead, you place trust in the hardware wallet manufacturer and the security certifications they have obtained. For added transparency, some hardware wallet manufacturers, including Ledger, have undergone third-party security audits.

In the Worst Case: What Could Happen If The Random Generator Was Biased?

If there were to be a bias or defect in the random number generator (RNG) used by Ledger, it could theoretically make some wallets more susceptible to attacks. However, the severity of the impact would depend on the nature and extent of the bias.

If the bias resulted in a significantly reduced range of possible seed phrases, an attacker could feasibly perform a brute-force attack to guess the recovery phrases. This could potentially lead to wallets being compromised.

The probability of this happening is quite low given the astronomical number of possible 24-word phrases even with some bias, but it’s not zero.

In the highly unlikely event that a bias or defect is found, Ledger would probably issue an immediate update to fix the problem. They would also likely advise users to move their assets to new wallets with new recovery phrases generated after the fix.

However, it’s worth reiterating that Ledger uses a hardware-based RNG that meets high security standards and has been extensively tested and certified. The chance of such a catastrophic failure is extremely small.

Additionally, if you’re ever concerned about the randomness of your recovery phrase, you can create your own recovery phrase using dice and the BIP39 word list, as described in the section below, but be aware that it is quite a complex process and it’s easy to make mistakes if you’re not careful. 👇

Can I Use My Own Words?

While you can theoretically generate your own recovery phrase, it’s not recommended due to several factors.

  • Firstly, humans are notoriously bad at creating truly random sequences, which could inadvertently make your recovery phrase more predictable.
  • Secondly, there’s a specific process for calculating the checksum correctly, which determines the last word of your recovery phrase.

Hence, it’s typically safer to let Ledger generate the recovery phrase.

Show Me How I Can Create My Own Randomness with Dice!

You can generate your own recovery phrase using dice and the BIP39 word list, but the process is not as straightforward as it might seem. It involves several steps and calculations.

Here’s a simplified version of the process:

  1. Roll the dice: You’ll need to roll a six-sided die 99 times. This will give you a sequence of numbers between 1 and 6. Record each result carefully.
  2. Convert to binary: Convert each dice roll to its binary equivalent (where 1=0001, 2=0010, 3=0011, 4=0100, 5=0101, 6=0110). This will give you a binary number that is 396 bits long (99 dice rolls * 4 bits per roll).
  3. Trim to 256 bits: As you need a 256-bit number, you can take the first 256 bits of your 396-bit number.
  4. Calculate checksum: Calculate the SHA-256 hash of your 256-bit number and take the first 8 bits as your checksum. Add this to the end of your 256-bit number to give you a 264-bit number.
  5. Split into chunks: Divide your 264-bit number into 24 chunks, each 11 bits long.
  6. Map to BIP39 words: Each 11-bit chunk will be a number between 0 and 2047, which you can use to select a word from the BIP39 word list.
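Both recipes described on this page, the BIP39 entropy-to-words encoding from the earlier section and the dice variant just above, in one added Python example (standard library only; not Ledger’s code or the article’s own): it turns raw entropy into the 24 word indices, verifies the checksum when a phrase is read back, and encodes dice rolls exactly as the steps above describe. It goes beyond the article by accepting every BIP39 entropy size (128 to 256 bits) and by reporting how many bits of entropy the kept 256 bits of the dice string actually carry, since only the first 64 rolls survive the trim; the 2048-word list is not embedded, so a word is simply `wordlist[index]`.

```python
import hashlib
import math
import secrets

def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39 encoding: append the first len(entropy)*8/32 bits of SHA-256(entropy)
    (8 bits for 256-bit entropy), then cut the result into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy) + f"{digest[0]:08b}"[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]  # 24 for 264 bits

def verify_indices(indices: list[int]) -> bytes:
    """Reverse direction: recover the entropy from word indices and check the checksum,
    which is how a wallet detects a mistyped or swapped word on restore."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    bits = "".join(f"{i:011b}" for i in indices)
    cs_bits = len(bits) // 33  # 8 for 24 words
    ent_bits, checksum = bits[:-cs_bits], bits[-cs_bits:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    if checksum != f"{hashlib.sha256(entropy).digest()[0]:08b}"[:cs_bits]:
        raise ValueError("checksum mismatch: at least one word is wrong")
    return entropy

def generate_indices() -> list[int]:
    """Fresh 24-word phrase from the OS CSPRNG; look each index up as wordlist[index]."""
    return entropy_to_indices(secrets.token_bytes(32))

def dice_rolls_to_entropy(rolls: list[int]) -> bytes:
    """The article's dice recipe: each roll 1..6 becomes a 4-bit nibble and the first
    256 bits are kept, so only the first 64 of the 99 rolls reach the phrase."""
    if len(rolls) < 64 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need at least 64 rolls, each 1..6 (the article uses 99)")
    bits = "".join(f"{r:04b}" for r in rolls)[:256]
    return int(bits, 2).to_bytes(32, "big")

def dice_entropy_bits(rolls_used: int = 64) -> float:
    """Entropy actually present in the kept bits: a fair roll carries log2(6) ~ 2.58 bits,
    not the 4 bits its nibble occupies (the top bit of every nibble is always 0)."""
    return rolls_used * math.log2(6)
```

Restoring a phrase should always go through `verify_indices` first, so a transcription error is caught before any key is derived from it.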

Once you’ve done all this, you’ll have a 24-word recovery phrase to import into your Ledger device.

However, keep in mind that this is a complex process and it’s easy to make mistakes if you’re not familiar with these types of calculations.

If you generate an incorrect recovery phrase and then use it to set up your Ledger, you may not be able to recover your funds. If you’re not comfortable with this process, it’s safer to let the Ledger generate the recovery phrase for you.

Security Risks and Protections

The most significant risk to a Ledger hardware wallet comes from someone gaining access to your 24-word recovery phrase.

Additional risks include weak passphrases (if used), flaws in wallet software or hardware, insecure random number generation, and sophisticated attacks like side-channel attacks or phishing.

However, Ledger has stringent measures in place to mitigate these risks. In theory, private keys never leave the Ledger device, protecting them from potential malware on your computer.

🧨 Attention: The most recent discussion around Ledger’s firmware update has shown that, in theory, a malicious firmware update could extract the keys from the device. So keep this in mind when considering updating your firmware! Firmware updates are digitally signed to prevent tampering, and the device checks the integrity of its firmware on each boot.

Personally, I wouldn’t update to the new firmware and would even consider switching devices to more open-source providers.

💡 Reddit: DO NOT Update your Ledger, and consider moving to a different cold wallet

How Are Private Keys Generated From 24 Words? What Are Possible Attack Vectors Here?

The generation of private keys from the recovery phrase (the 24 random words) is governed by the BIP39 (Bitcoin Improvement Proposal 39) and BIP32/BIP44 standards.

The process generally follows these steps:

  1. Seed Generation: The 24-word recovery phrase is fed into the PBKDF2 function with HMAC-SHA512 as the pseudorandom function (PRF), along with a salt. The salt is the string “mnemonic” concatenated with a user-supplied passphrase (if any). This process generates a 512-bit seed.
  2. Hierarchical Deterministic (HD) Key Generation: This seed is then used in an HD wallet key generation algorithm (defined in BIP32) to generate a master private key and a master chain code.
  3. Child Key Derivation: BIP44 further defines how to derive child keys from the master private key for different accounts, coins, etc., following a specific path format.
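The three steps above as an added Python example (standard library only; not Ledger’s code or the article’s own): the PBKDF2 seed stretch with the “mnemonic” + passphrase salt, the BIP32 master key split, and hardened child derivation along the m/44'/coin'/account' prefix of a BIP44 path. The 2048-round count and the “Bitcoin seed” HMAC key are the constants the standards fix; the non-hardened levels (change and address index) need the parent public key and secp256k1 point arithmetic, which is left out here.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP32 requires every private key to lie in 1..N-1
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # index offset marking a hardened child (written 44' in paths)

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Step 1: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic, salt "mnemonic" + passphrase,
    2048 rounds (the count BIP39 fixes), producing the 512-bit seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """Step 2: HMAC-SHA512 keyed with "Bitcoin seed"; left 32 bytes = master private key,
    right 32 bytes = master chain code. An out-of-range left half makes the seed unusable."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code

def ckd_priv_hardened(key: bytes, chain_code: bytes, index: int) -> tuple[bytes, bytes]:
    """Step 3, hardened child: I = HMAC-SHA512(chain_code, 0x00 || key || index);
    child key = (I_left + parent key) mod N, child chain code = I_right."""
    if index < HARDENED:
        raise ValueError("non-hardened derivation needs the parent public key")
    data = b"\x00" + key + index.to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + int.from_bytes(key, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key; BIP32 says move on to the next index")
    return child.to_bytes(32, "big"), digest[32:]

def bip44_account_key(mnemonic: str, passphrase: str = "",
                      coin: int = 0, account: int = 0) -> tuple[bytes, bytes]:
    """Walk the hardened prefix m/44'/coin'/account' of a BIP44 path."""
    key, chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    for level in (44, coin, account):
        key, chain_code = ckd_priv_hardened(key, chain_code, HARDENED + level)
    return key, chain_code
```

Because the passphrase enters only through the salt, every distinct passphrase yields a completely different seed and therefore a different set of keys, which is why a weak passphrase is listed as an attack vector below.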

In terms of attack vectors, if the process is implemented correctly, the most significant risk comes from someone else getting access to the 24-word recovery phrase, as they could then derive the private keys. Therefore, it’s crucial to keep the recovery phrase secure and private.

Additional risks could include:

  • Weak passphrase (if used): BIP39 allows an optional passphrase to be added as salt during the seed generation process. If this passphrase is weak or easily guessable, it could be a potential attack vector.
  • Flaws in the wallet software or hardware: If there are bugs or security vulnerabilities in the wallet software or hardware, these could potentially be exploited to reveal the recovery phrase or the derived private keys.
  • Insecure random number generation: As discussed before, if the RNG used to generate the recovery phrase is flawed or biased, it could make the recovery phrase easier to guess.
  • Side-channel attacks: Sophisticated attackers might use side-channel attacks to discover the private keys. These attacks involve analyzing information gained from the physical implementation of the wallet, like power consumption or electromagnetic leaks.
  • Malware and phishing attacks: If a user is tricked into entering their recovery phrase into a computer or smartphone that is infected with malware, or into a phishing website, an attacker could steal the recovery phrase.

Again, for these reasons, it’s recommended to use a reputable hardware wallet, keep the recovery phrase securely stored offline, check the integrity of your device, keep the firmware updated, and be vigilant about potential phishing attempts or scams.

Could a Malicious Software Program on my Computer or a Rogue Ledger Employee Steal My Private Keys?

Yes. No computer system is 100% secure. It is not likely, but a malicious program or an attacker, possibly one who has infiltrated Ledger as a “byzantine employee”, could theoretically steal your private keys from the hardware wallet, especially if you installed a malicious firmware update on it. Theoretically, your device could already be running such malicious firmware!

However, when used properly, a Ledger hardware wallet is designed to prevent both of these scenarios:

  1. Malicious software: The Ledger device is designed to be a secure element that protects your private keys. Private keys should never leave the Ledger device (in normal operation). When a transaction occurs, the transaction data is sent to the Ledger device, the device signs the transaction internally, and only the signed transaction (not the private key used to sign it) is sent back to the computer. Therefore, even if your computer is infected with malware, it should not be able to access the private keys stored on your Ledger device.
  2. Ledger employees: Ledger devices generate and store the private keys locally, and these keys never leave the device. This means that Ledger (the company) and its employees don’t have access to your private keys. Additionally, Ledger is designed so that firmware updates are signed by Ledger and the device checks these signatures, preventing a rogue employee from creating a malicious firmware update.

The most significant threat is someone getting hold of your 24-word recovery phrase. With that, they could restore your wallet and access your private keys. This is why it’s crucial to keep your recovery phrase secure and private.

Another potential vulnerability would be in the supply chain – for instance, if someone tampered with the device before you received it. To mitigate this risk, Ledger devices come with a secure element that checks the integrity of the device at each boot, and Ledger provides security guidelines to ensure the device you received is genuine.

Too Long Didn’t Read (TLDR)

Ledger’s hardware wallets, thanks to their sophisticated design and robust security measures, offer a secure method for storing cryptocurrencies.

Their 24-word recovery phrase, generated with high entropy and true randomness, ensures the security of your private keys.

Despite potential attack vectors, Ledger’s safeguards keep your assets secure as long as you keep your recovery phrase safe.

Always remember to check for updates regularly, verify the integrity of your device, and stay vigilant against phishing attempts or scams.

Phishing attacks, scams, and losing your passphrases are the most common sources of coin loss, as reported by many hardware wallet providers.
