Recently, Kraken (the cryptocurrency exchange) published a 'security guide' for hardware wallets.
In this report, we're going to evaluate the practicality of Kraken's advice as well as the viability of even using a 'hardware' wallet in the first place.
In other words, we're going to look at the question of whether you need a hardware wallet to keep your funds secure.
(spoiler alert: our answer is no)
Brief Background: What is a 'Hardware Wallet'?
Surprising (and short) answer here is that there is no concrete definition for a hardware wallet in blockchain.
'Wait, are you serious or dumb?'
Yes to the first, no to the latter.
Why There is No Concrete Definition
Since there are no shortage of concept designs and implementations when it comes to 'hardware wallets' and there is also no respected authority / industry entity that exists to provide a commonly agreed-upon and accepted set of standards for hardware wallet production, management, functionality and necessary capabilities - the term 'hardware wallet' is arbitrary to a large extent.
We Can Safely Assume the Following About Hardware Wallets Though
- It is a physical device of some sort.
2. The purpose of the device is to enhance the security of blockchain wallets (namely, to store private keys ; curiously)
3. In some cases, the hardware wallet is only designed to 'store keys' (which really makes it a glorified external hard drive with way too much space at its disposal) - and it performs no cryptographic operations
4. Some hardware wallet claim to perform necessary key management tasks (much in the same way an HSM would) - while others make no such claims.
Let's Try Again: What is a Hardware Wallet?
Whether you think you know the answer to this question or not, you should probably stick around and read what we're about to write.
We won't insult your intelligence by pedaling the same definition of a 'hardware wallet' that you've probably already seen everywhere else (or give you the obvious, intuitive definition of a hardware wallet that you more than likely figured out yourself in a matter of seconds).
Separating the Idea of 'Wallet' From Hardware
As we've stated many times in the past, the term 'wallet' is a bit of a misnomer (as it pertains to Bitcoin and other UTXO based protocols; so that excludes Ethereum - a state-based protocol).
What does that mean?
On the protocol level, the only thing that the blockchain concerns itself with when it comes to assessing the validity of attempted transfers - is whether or not the funds being moved have already been spent (i.e., spent vs. unspent transactions ; UTXO = unspent transaction outputs).
Thus funds on Bitcoin always exist in a state of either being "spent" or "unspent". Once funds are spent, they can never be spent again by that same entity.
This is why 'refund addresses' are necessary because you either spend all of the funds assigned to your address or you spend none at all (that lightens the load on the protocol and also allows it to avoid being forced down the road of becoming an 'account/state-based' protocol like Ethereum).
Wallets Only Have Social Meaning
What is meant by that is that wallets (as you all know them) are only meaningful in a social sense so that we can all wrap our heads around sending transactions to one another a bit easier.
Fred: *Hey Bill, do you have that money you owe me from that bet that you lost on the Lakers game?
Fred: Come on Bill, I'm being serious. You duck out on payments all the time, dude.
Bill: Come on, Fred! Bron sat out that game and they rested Anthony Davis halfway through the forth! I didn't know it was going to be an 'off night', that's not fair!
Fred: Alright, alright...listen dude, just pay me like..$20 and cover my tab at the bars tonight and we're good.
Bill: Alright, fine. What's your Bitcoin address?
Fred: One second, let me send it to you
Let's Imagine That Fred is a Smart Guy
Rather than simply giving Bill some beat-up address that he hands to everyone that's ever requested a Bitcoin address that Fred has access to where they can send those funds - Fred generates a new private / public key pair (which is then hashed three times / two SHA256 + 1 ripemd160) to produce what will ultimately be known as his "public key".
Fred's Address Does Not Technically Exist Until He Receives Those Funds
The blockchain does not keep track of wallets.
Thus, when Fred generates his - there is no record of this even occurring on the blockchain.
In fact, if Fred wanted to (and had the means to do so) - he could generate thousands upon thousands of wallet addresses and they would all be equally valid.
Getting to the Main Point
If the idea of a 'wallet' is a misnomer, then a 'hardware wallet' must be a misnomer of equal proportions.
If this was your thought process - then you are correct in coming to this conclusion.
The importance of using a hardware device for cryptographic operations will be shelled out in greater depth in the following section.