How to protect your account with a public key

From Nxtwiki

Protect your account with a public key

When you send NXT to a new account using only the new account's address, the resulting account is protected only by its 64-bit account ID, which is somewhat weak, and not by the 256-bit public key, which provides full protection.

The risk is that someone could brute-force a passphrase that maps to the same account ID. The two accounts would then be indistinguishable, and the attacker could spend the funds at that address.

More specifically, this one-time extra step is necessary because the 8-byte account ID is much shorter than the 32-byte public key it is derived from: many secret passphrase/public key pairs (2^192 keys) reduce to the same account ID. But once a particular public key has been associated with an account ID by storing it in the blockchain, no other secret passphrase that generates a different public key can access that account.

To protect against this, one simple step is needed: record the account's public key in the blockchain. Once the public key is recorded, the attack described above no longer works.

Option 1 - submit an outgoing transaction from the new account

Any type of outgoing transaction will do, because the user signs it with their passphrase and by doing so records the public key in the blockchain. The transaction can, for example, send NXT or send a message.

Note: your account must contain enough NXT to pay the transaction fee, so you have to fund it with some NXT first.

Option 2 - another account can announce the public key of the new account to the blockchain

Any type of transaction in which the recipient is the new account will do. The sender needs to specify the new account's public key as the "recipientPublicKey" parameter of the transaction API, or in the wallet's "Recipient Public Key" field. Most exchanges that support NXT already support this public key announcement function.
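The registration rule behind both options, as an added example that is not from Nxtwiki or the Nxt code base: account IDs are derived the way Nxt does it (the first 8 bytes of SHA-256(publicKey), read little-endian), but the keys are constructed random 32-byte strings rather than Curve25519 keys derived from a passphrase, the ID is shrunk to one byte so that a colliding key exists in the toy, and the Ledger class with its receive/spend methods is a hypothetical model, not the Nxt API.

```python
import hashlib
import os

def account_id(public_key: bytes, id_bytes: int = 8) -> int:
    """Nxt account id: first id_bytes of SHA-256(public_key), little-endian (Nxt: 8)."""
    return int.from_bytes(hashlib.sha256(public_key).digest()[:id_bytes], "little")

class Ledger:
    """Model of the chain's account table: id -> recorded public key, or None
    when the account has only ever received NXT by address (unregistered)."""
    def __init__(self, id_bytes: int = 8):
        self.id_bytes = id_bytes
        self.keys = {}

    def receive(self, recipient_id: int, recipient_public_key: bytes = None) -> None:
        """Incoming transaction. If the sender supplies recipientPublicKey
        (option 2), it is recorded once it is checked against the id."""
        if recipient_public_key is None:
            self.keys.setdefault(recipient_id, None)
            return
        if account_id(recipient_public_key, self.id_bytes) != recipient_id:
            raise ValueError("recipientPublicKey does not match the recipient id")
        if self.keys.get(recipient_id) not in (None, recipient_public_key):
            raise ValueError("account is already bound to another public key")
        self.keys[recipient_id] = recipient_public_key

    def spend(self, signer_public_key: bytes) -> bool:
        """Outgoing transaction signed with signer_public_key. The first one
        records the key (option 1); afterwards only that key is accepted."""
        sender_id = account_id(signer_public_key, self.id_bytes)
        recorded = self.keys.get(sender_id)
        if recorded is None:
            self.keys[sender_id] = signer_public_key
            return True
        return recorded == signer_public_key

def colliding_key(target_id: int, id_bytes: int) -> bytes:
    """Random search for a second key with the same id: ~2**(8*id_bytes) tries."""
    while True:
        candidate = os.urandom(32)  # constructed stand-in for a Curve25519 key
        if account_id(candidate, id_bytes) == target_id:
            return candidate

def demo(register: bool) -> tuple:
    """Constructed 1-byte-id scenario: (collider_can_spend, owner_can_spend_afterwards)."""
    ledger, owner = Ledger(id_bytes=1), os.urandom(32)
    owner_id = account_id(owner, 1)
    ledger.receive(owner_id, owner if register else None)
    other = colliding_key(owner_id, 1)
    return ledger.spend(other), ledger.spend(owner)
```

With `register=False` the colliding key is accepted as the account's first outgoing transaction and the real owner is locked out; with `register=True` (option 2, or an earlier outgoing transaction under option 1) only the recorded key can spend.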

[Screenshot: Public.key.PNG]

To find your account's public key, simply log in to your account using your passphrase (not your NXT address). If the account is not yet registered on the blockchain, the public key will be displayed on the dashboard.

For registered accounts you can find the public key by clicking the "Account Balance" tile on the dashboard.