Getting Started with Signum:
Software, Accounts, Passphrases, and Security
New accounts are created within software wallets. The software interacts with Signum’s public ledger to facilitate the on-chain movement of Signa and other information from one account to another. Software is available for personal computers and mobile devices, and Windows, macOS, Linux, Docker, iOS, and Android.
Signum wallets do not contain Signa. Signa exists only on the distributed public ledger and is independent of any specific software installation. If equipment fails, access to an account can be restored with only the passphrase. For this reason, record passphrases in some form external to the equipment on which the software is installed.
The most secure and private way to interact with Signum is with Signum Node installed on a local computer that is secure from intrusion. It downloads and validates the complete blockchain, enforces network protocols, contributes to security and decentralization whenever it is running, and includes the classic and Phoenix wallets.
BTDEX is an all-in-one program that includes essential wallet functions, plotting, mining, and a decentralized exchange. It connects to the Signum Network remotely rather than maintaining a local copy of the blockchain (operates as a thin client). Alternatively, it can be connected directly to a local Signum Node installation.
Only use Signum’s official software. Signum’s software is open-source under a GPL license, protected by a multi-signature signing process, and frequently upgraded to make the features of the Signum Network more fully accessible.
In general, do not use online wallets as they are centralized (controlled by third parties). There is no way to know they do not record the passphrases entered. If you access an online wallet for convenience, only do so for low-value accounts or use read-only mode (enter address rather than passphrase).
The Signum Network provides online wallets for the sole reason that they are possible, and therefore it is prudent to make them available from a reliable source.
Follow the prompts in your software to automatically generate an account with a secure 12-word passphrase (private key). The passphrase is the only detail that controls access to your account. If it is lost, the account would have no value because it cannot be accessed. There is no central organization to contact in this circumstance, so care must be taken to preserve a record of each account’s passphrase in more than one secure location such as an encrypted hard drive, password manager, or printed. For a convenient printed form, click here: Passphrase-Record
Any string of characters can serve as a passphrase, but a long random passphrase is essential. Signum’s automatically generates passphrases protect against Brute Force and Rainbow Table attacks. Do not change without a complete understanding of entropy and cryptography. Self-composed passphrases may be easily discovered. Adding additional words or numbers is not problematic, but unnecessary. Special characters, particularly Unicode characters, should be avoided as they are not implemented uniformly across devices and software.
Passphrases cannot be changed after completing the account setup process. However, funds can always be transferred to a new account with a new passphrase.
Knowledge of an account’s passphrase essentially gives ownership of the account. Therefore, do not share your passphrase with anyone you cannot trust. Do not store your passphrase unencrypted on a remote node or local workstation. Use special care when connecting to remote nodes. Do not enter passphrases into online forms or use online wallets for high-value accounts or accounts that will ever hold a significant balance. Consider using accounts with smaller balances for daily operations and accounts with higher balances with particular attention to security. Use discretion when considering password management software.
The same care should also be taken when making transactions, as they are not reversible. If a transfer is made to an account without a known passphrase, there is no way to retrieve it. When transferring Signum among several accounts, ensure that the passphrase for each is known.
Transactions are signed by entering the account’s passphrase on a local device. The device should be secure from intrusion and uncompromised by malicious software or keystroke recorders. It is possible to sign transactions using a device not connected to the internet (air-gapped) using Signum’s Offline Transaction Signing feature for enhanced security. However, this is an advanced feature that Signum developers generally use.
Passphrases are not included when a transaction is broadcast to the network. Only a single-use digital signature is included. Using cryptography, it can be derived from this signature that the transaction was authorized by the account owner that created it. However, the actual passphrase cannot be derived from the signature.
Signum is not technically a privacy coin or platform. However, there are no records relating public addresses to account holders or disclosing personal information unless the account holder chooses to do so when making a transaction. Example: Ordering a product and providing shipping details. Privacy is enhanced when making transactions by using separate accounts for different purposes.
Security Level of Signum’s Automatically Generated Passphrases
Centralized organizations limit login attempts for online accounts. Otherwise, the short passphrases they allow would quickly be compromised.
Because Signum’s open-source nature allows unlimited login attempts, the account reservation process automatically generates long, complex passphrases of twelve words drawn randomly from a list of 1,626 words for the classic wallet and 2,048 words for Phoenix and BTDEX.
341,543,870,028,173,427,817,970,975,906,355,941,376 or 341 billion billion billion billion 12-word combinations can be generated from a list of 1,626 words. Attempting to compromise an account by testing all combinations would be an exercise in futility as it would take billions of billions of years on average with optimized equipment.
In 2017, twelve accounts containing 1,000 Signa were created with automatically generated passphrases. The 1st account was limited to a single word passphrase, the 2nd, two words, etc. The 12th account used the entire 12 words. A public challenge was made to discover the passphrases.
After six months, the first three passphrases were discovered, but the remaining accounts could not be compromised, even using a highly optimized password cracking tool that tried 160,000 combinations per second. It would take an estimated 515 days to discover the 4th passphrase and more than 2,000 years for the 5th. With each additional word increasing the difficulty by 1,626, discovering the 12th passphrase would not be possible.
|Bits of Entropy
Account ID and address are derived from a permanent and immutable cryptographic hash of an account’s passphrase.
Elliptic-curve cryptography (ECC) is used to generate a public key, a private key (for signing transactions), and a so-called agreement key (for message encryption) from an account’s passphrase. It is unnecessary to understand these keys precisely as they are only used programmatically. It is an account’s passphrase that allows interaction with the blockchain for making transactions.
- A passphrase can be any string of characters. Signum uses 12 random selections from a collection of English words.
- A private key is a cryptographic hash of an account’s passphrase.
- A public key is a cryptographic hash with the private key as a seed. It decodes as two interchangeable public addresses; an almost unique number ( account id ) and the more commonly used Reed-Solomon formatted address.
- Although the public key, numeric account id, and RS address are all derived from the cryptographic hash of an account’s passphrase, the passphrase is not derivable from any of these.
Signum’s Vision for Security
Signum security entails more than just passphrase and wallet security. From its inception, Signum sought to enhance the faster adoption of blockchain technology while guaranteeing maximum security in all aspects of its operation. It was created in 2014 when attacks on cryptocurrency networks were already commonplace. To keep the network safe, the development team implements several strategies.
- To prevent collusive node attacks where 51% of nodes conspire to harm the network, Byzantine fault-tolerance technology is employed to build dependable protocols. The focus is on identifying honest nodes by setting an upper boundary for maximum tolerance.
- All nodes must perform proof-of-capacity validation to prevent denial of service attacks (DDOS). Regular vetting identifies and blocks problematic nodes.
- Advanced encryption is employed to keep details private and funds secured from third-party attacks. When sending funds on the network, details are not easily revealed.
The nature of threats to cryptocurrency networks changes rapidly. The development team has adopted a system of progressive improvement that involves constant checks to identify and address even theoretical avenues of attack.