How does crypto password validation works?

[DavidAceti]

Hi, I am learning about crypto and crypto development for a hobby, and I am having a problem grasping some concepts, one of those is the validation system, I know that when you log in into metamask (for example) it hashes your 12 words and identifies you whit the hash that it corresponds, but who does this? I mean who hashes your 12 words? if it's done in the blockchain nodes wouldn't it means it's public for everyone to see? or if you do it yourself couldn't you just lie?



In short: Where does the hashing of your password occur so it doesn't get stolen and can't get "faked"?

[1715296454]

1715296454

[jackg]

Those 12 words are selected from a 2048 long wordlist to represent a 128 bit string.

There's no need to trust anyone as each word is turned into a number in your wallet/computer and all words can be hashed to make your private key and public keys.

The 12 words are just about long enough to encode a 128 bit integer, you can also get 24 word mnemonics from wallets which encode a 256 bit seed/key.

[DavidAceti]

Those 12 words are selected from a 2048 long wordlist to represent a 128 bit string.

There's no need to trust anyone as each word is turned into a number in your wallet/computer and all words can be hashed to make your private key and public keys.

The 12 words are just about long enough to encode a 128 bit integer, you can also get 24 word mnemonics from wallets which encode a 256 bit seed/key.

Ok, but if I try to authenticate myself, let's say login into metamask, whit a 12 words account already created, who checks what private/public key corresponds to those 12 words I wrote?

[franky1]

how keypairs work.. to dumb it down

its not done on the blockchain

it should be done on the GUI software AT YOUR END (your device)

imagine the 12 words as a password you keep and only you see/have control of..
these words, using complicated maths produce a username(public key/address)

no one can undo the math from public key(username/bitcoin/address) back to the seed.. as thats the beauty and security of cryptography.. it only calculates easily in one direction

it would take millions of super computers/device millions of years to bruteforce backwards

you can let people see the public key(your online identity/address) knowing they cant get the 12 word seed from it.

you control that public key/address by signing a message/data that calculates a new length of text that proves only you can have done it due to the math used that proves only the 12word seed owner signed the message associated to the public key

showing the signed message or the public key is not a reveal of anything private that loses you control..
now the safety briefing generally

just dont tell anyone the 12 words or use a software/system where that 12 words is used remotely by someone else. unless you can absolutely trust or know they cant use/abuse it. via some security prevention they have in place

if you are going to use a wallet that has a 'keyvault' then only use it for small amounts of value you are not afraid to lose should bad things happen
keep your main value on a wallet that is not online(remote controlled)

many cryptocurrency systems/wallets do the calculation at your device end, meaning they dont learn about your 12word seed. as it never leaves your device..

but watch out for the ones that do send it to their servers. sometimes its hard to tell for a non technical person to know if its being sent online, nor if once online is truly 100% secure.. .. so just be cautious that your not downloading or using any phishing apps or apps with trojans that you got from non official download services(not vetted/reviewed the code)

[DavidAceti]

its not done on the metamask blockchain

it should be done on the GUI software AT YOUR END (your device)

how keypairs workds.. do dumb it down

imagine the 12 words as a password you keep and only you see ahave control of
these words using complicated maths produce a username(public key)

no one can undo the math from public key(username/bitcoin/metamask address) back to the seed.. as thats the beauty and security of cryptography.. it noly calculates easily in one direction

it would take millions of super computers/deviced millions of years to bruteforce backwards

you can let people see the public key(your online identity/address) knowing they cant get the 12 word seed from it.

you control that public key/address by signing a message/data that calculates a new length of text that proves only you can have done it due to the math used that proves only the 12word seed owner signed the message associated to the public key

showing the signed message or the public key is not a revel of anything private that loses you control..

just dont tell anyone the 12 words or use a software/system where that 12 words is used remotely by someone else

many metamask/cryptocurrency systems do the calculation at your device end, meaning they dont learn about your 12word seed. as it never leaves your device.. many metamask/cryptocurrency systems dont send the 12 word key to their servers.. but watch out for the ones that do send it to their servers. sometimes its hard to tell for a non technical person to know if its being sent online.. so just be cautious that your not downloading or using any phishing apps or apps with trojans that you got from non official download services that have vetted/reviewed the code

Ok, but if the math is done on my end, couldn't I just lie and say that I make the hash and the result is X public key?. I am sure there is a way to ensure that I dont lie on my end, but not sure how it works.
If I am understanding correctly:
You send to the nodes of the blockchain a signature that is the public key, they know that it is you because the only way you got that public key is by hashing the 12 word seed related to that key. But how do they ensure that you actually hashed the 12 words and not just look in the public blockchain for a random public key, and just send that, assuming you replicate the answer your machine produces when you log in and hash the 12 words but changing the result of that hash for a fake one, once again I am not doubting that there is a logical explanation for why this is not possible, I am genuinely curious about how they manage to fix this problem.

[jackg]

Ok, but if I try to authenticate myself, let's say login into metamask, whit a 12 words account already created, who checks what private/public key corresponds to those 12 words I wrote?

Your "words" store your key. They're the whole key.

The only difference between creating a wallet and opening a wallet is thst you're using a random number generator to create a wallet.

There is a checksum placed in a lot of nmemonics but these are easy to bruteforce afaik so there's no way the system could know if you've "lied".

What stops you from accessing someone else's wallet is that the chances of doing it are considered so small that it's realistically impossible to do.

[DavidAceti]

Ok, but if I try to authenticate myself, let's say login into metamask, whit a 12 words account already created, who checks what private/public key corresponds to those 12 words I wrote?

Your "words" store your key. They're the whole key.

The only difference between creating a wallet and opening a wallet is thst you're using a random number generator to create a wallet.

There is a checksum placed in a lot of nmemonics but these are easy to bruteforce afaik so there's no way the system could know if you've "lied".

What stops you from accessing someone else's wallet is that the chances of doing it are considered so small that it's realistically impossible to do.

I think I expressed myself wrongly (English is not my mother tongue), Let me take you through what I think the process is and correct me if I am wrong:

12 words are your public key before being hashed into a string.
the public key is a hashed version of the 12 words, and thus its strongly associated whit the 12 words, you can get to the public key whit the 12 words, but you can't get to the 12 words whit the public key.

If I generate a new account on metamask:
-My computer ask metamask for 12 words at random
-My computer then proceeds to apply some math to the 12 words thus hashing those 12 words into a public key and a private key
-Then My computer goes to the blockchain and identifies itself whit this public key, it doesn't identify itself whit the private key, because in the blockchain everything is public so it wouldn't make sense to show it in public.
-Next time I log in, My computer makes the math to the 12 words I feed it, and comes whit the same public key to identify itself in the blockchain

Here is when my problem comes, if the hash of my 12 words is occurring on my private computer, what guarantees have the blockchain that I indeed did the correct math and the public key hasn't been altered previously to being sent to them?, otherwise I could check the blockchain for any "X" public key, and sent it as it was mine, like saying that I make the hash of 12 words and the final result is this X public key. I am not sure if I am explaining myself correctly?, I am not saying that I "decrypt" the public key, I know this is not possible I am saying that I don't need to decrypt anything to start whit, I could just send it as it is.I assume the private key plays a role in all of this, but if it's private how come the blockchain can check its veracity and remain anonymous? Also I know that metamask has nothing to do whit bitcoin blockchain, it's just an example I believe they work very similarly on the crypto key aspect.

[DavidAceti]

Ok, so I found a little bit more information about my question, and I got this:

https://andersbrownworth.com/blockchain/public-private-keys/signatures

That is the way it validates, and there is a lot of math involved, so its better for my mental health that it remains a mystery In Satoshi we trust!
Thank everybody anyways, your help was very useful!

[franky1]

Ok, but if the math is done on my end, couldn't I just lie and say that I make the hash and the result is X public key?. I am sure there is a way to ensure that I dont lie on my end, but not sure how it works.
If I am understanding correctly:
You send to the nodes of the blockchain a signature that is the public key, they know that it is you because the only way you got that public key is by hashing the 12 word seed related to that key. But how do they ensure that you actually hashed the 12 words and not just look in the public blockchain for a random public key, and just send that, assuming you replicate the answer your machine produces when you log in and hash the 12 words but changing the result of that hash for a fake one, once again I am not doubting that there is a logical explanation for why this is not possible, I am genuinely curious about how they manage to fix this problem.

there is no problem you just dont know how its done

a seed calculates to a public key.
you dont choose the public key.. the seed creates a public key specific to the seed..

you cant make it up or lie..

when you sign a message. the message uses the math to create another unique result(signature). where the message in combination with the seed changes if you change the message. so you can create unique signatures. by changing the message

but all those signatures can be checked against the message and public key so that it validates that the certain seed was used (which is associated with that public key) without revealing the seed


you cannot grab a random public key or random signature already on a blockchain.. and then pretend that you own it.

you would need to sign a new message that proves you own the public key.

to prove you own a public key. some one would make up a new message. and tell you to sign it.

if that signature now produced matches the message and public key then its deemed as valid for that message

[odolvlobo]

Hi, I am learning about crypto and crypto development for a hobby, and I am having a problem grasping some concepts, one of those is the validation system, I know that when you log in into metamask (for example) it hashes your 12 words and identifies you whit the hash that it corresponds, but who does this? I mean who hashes your 12 words? if it's done in the blockchain nodes wouldn't it means it's public for everyone to see? or if you do it yourself couldn't you just lie?
In short: Where does the hashing of your password occur so it doesn't get stolen and can't get "faked"?

The 12 words are not a password. They are the source of your private keys. Anyone with the 12-word phrase will have the keys that are generated by that phrase. That is why you must keep the phrase secret.

The password (and not the 12-word phrase) that you enter into a wallet is used to encrypt and decrypt the data stored by the wallet, which includes your 12-word phrase. (or just the "seed" derived from it).

Ok, but if the math is done on my end, couldn't I just lie and say that I make the hash and the result is X public key?. I am sure there is a way to ensure that I dont lie on my end, but not sure how it works.
If I am understanding correctly:
You send to the nodes of the blockchain a signature that is the public key, they know that it is you because the only way you got that public key is by hashing the 12 word seed related to that key. But how do they ensure that you actually hashed the 12 words and not just look in the public blockchain for a random public key, and just send that, assuming you replicate the answer your machine produces when you log in and hash the 12 words but changing the result of that hash for a fake one, once again I am not doubting that there is a logical explanation for why this is not possible, I am genuinely curious about how they manage to fix this problem.

To spend bitcoins at an address, your transaction must provide a valid signature.

The signature contains the public key that the address is generated from and is it created using the private key associated with that public key. It is not possible to fake a public key because it won't match the address. It is not possible to fake a private key because it won't match the public key. An address is a hash of a public key that is associated with a private key. A private key is generated using the seed phrase (the 12-word phrase). It is not possible to obtain a public key from an address. It is not possible to obtain a private key from a public key.

If I generate a new account on metamask:
-My computer ask metamask for 12 words at random
-My computer then proceeds to apply some math to the 12 words thus hashing those 12 words into a public key and a private key
-Then My computer goes to the blockchain and identifies itself whit this public key, it doesn't identify itself whit the private key, because in the blockchain everything is public so it wouldn't make sense to show it in public.
-Next time I log in, My computer makes the math to the 12 words I feed it, and comes whit the same public key to identify itself in the blockchain

A wallet only "goes to the blockchain" when publishing or searching for transactions. A block chain only contains transactions. There is no identification process. The 12-word phrase is your identity and you prove it by encrypting information with your private keys (creating a "signature"), and others verify it by decrypting the signature with your public keys.