Ben Chan, Director, UKISS Technology, delivers a talk on 'The Future of Decentralised Security: Private Key Management Made Easy' at Crypto Expo Asia 2022.

‘The Future of Decentralised Security: Private Key Management Made Easy’ by Ben Chan, Director, UKISS Technology, at Crypto Expo Asia 2022

Thank you, everyone, my name is Ben. It’s an honour to be here this afternoon to share this topic, this very interesting topic, and I want to thank the Crypto Expo organiser for putting me right after the previous panel because the previous panel did a very good job of discussing centralised and decentralised exchanges, and what it means to every one of us who want to invest, who want to trade and want to earn from this crypto industry.

My topic focuses on the future of decentralised security. I think there was one question just now about crypto, how it is going to be adopted, how do we achieve mass adoption? Are we ready? I’m going to touch on that as well. 

Understanding Centralised Security

First of all, let’s look at centralised security – what is centralised security? I think most of us know because we live in a Web 2.0 world right now, Web 2.0 platforms like traditional banks, centralised exchanges, CeFi, even Facebook. These are all centralised, where they control your identity, basically your private key. The private key to your crypto assets, NFTs. These are [in central] custody. Just now, the panel already discussed the different ways that centralised entities can ensure the safety of your crypto assets. But they have to do that because they want to standardise the security services for all users. Users come in 24/7, anytime, so they have to be ready to be able to withdraw their assets. But in the crypto world, we have this understanding, this saying that says, “not your keys, not your coins.” Now, why is that? Look at some of the examples that we have: Coinbase recently announced that if they ever go through bankruptcy – I’m not saying they are, but if they ever go through it – the crypto that the user deposits in custody with Coinbase could also be part of the bankruptcy proceedings. According to my understanding, the users themselves will be the last in line after the creditors – after the lawyers have taken everything, whatever is left [is] then given to the users. So we have to be aware of that. At least Coinbase is honest enough to share that. A lot of exchanges are not, but they still do it.

We have a lot of horror stories we learned about these centralised platforms, where somehow the asset is gone one way or another. There are risks. We have to be very clear that there are definitely risks in centralised security. For example, we heard recently [that] Finblox’s staking and yield earning platform paused all reward distribution, and users can only withdraw up to 500 per day – [a] maximum [of] 1,500 in a month. And Celsius; does anyone have assets in Celsius? Anyone? Looks like I’m the only one. Indeed, I still have two, a couple of Ether left in there. I withdrew most of it when the rumours started to come up, but I think, well, maybe I left a few there; should be okay. Now I cannot withdraw anything. Because it’s centralised, we have to wait for them. We are at their mercy, basically. So centralised security is good and convenient, definitely, but it also has a point – a single point of failure. And because it’s a single point of failure, hackers can employ all their resources to hack it, because there’s a big payoff from one successful attack. We have the Bitfinex cryptocurrency exchange hack, where 119,999 Bitcoin was stolen. At today’s price, it’s roughly 2.2 billion. Recently, it was recovered, but recovered by the FBI, not the users. I’m not sure what the FBI is going to do with that. In 2018, we had the very famous Singapore SingHealth hack, where even PM Lee’s data was stolen. In 2022, we know the OCBC phishing attack happened, and OCBC had to pay back the users even though, technically, it was not OCBC’s fault. Of course, we talked about Celsius. And very big news this year, everybody knows, even a nuclear-capable country – their foreign exchange [reserves] – was confiscated, let alone people like us. These are risks that we have to be very clear about.

We’ll analyse the pros and cons. The problem is, the private keys in the centralised security platform have to be stored and accessible to the user constantly – 24/7. That means the hackers have 24/7 to hack it, all the time, and they just need one successful hack to be able to penetrate and get the assets. It also means high costs for security organisations, like banks. All these organisations have to deploy a lot of money, effort, [and] manpower to secure their whole servers. But bear in mind these are not profit centres for them. Correct? These are just costs they have to bear, but it’s not making money for them. The risk of the security implication is very high. If they ever breach the data leak privacy law, they’re going to be fined by the government, so they have to do it, but it’s not making money for them. Also, no matter how good your security is, it’s very hard to prevent insider attacks. Disgruntled employees, or the founder himself running away, and so on. But it does offer convenience. That means users like us give up personal control of our private key so that we can rely on [a] centralised authority to recover passwords for us if we ever forget them. And also, maybe in some cases, recover some stolen assets.

Understanding Decentralised Security

Next, look at decentralised. What is decentralised security? This is a bit new because it’s Web 3.0. Typically, non-custodial wallets, cold wallet hardware, DeFi, DEX, all these are using this decentralised security where you own the private key yourself, not the organisation. You own it yourself; you alone have complete control over your asset. How that is done is, typically, individual users will store and own the private key to their crypto assets, to their NFTs, to their decentralised digital identities and so on in a non-custodial wallet, whether it’s a cold wallet, a hard wallet or a hot wallet. It is therefore their own individual responsibility to handle their own security and storage, so you have to make sure that you “custody” it properly. The result is this: because individual users control our own private key, now, imagine you are the hacker, and you want to hack all these people. What are you going to do? You have to hack every one of you. Hack one by one, so the cost is very high, and the problem is, you do not know – let’s say I hack this person, and in the end, I look at his wallet, he may not have any money in there. You go to the next one and so on and so on. The cost is much higher, and therefore there’s less incentive for the hackers to target individual users. But if they target a centralised exchange or a bank, one successful hack is good enough. At least, as far as you know, nobody can hack Bitcoin, the network itself, and for hard wallets, cold wallets, it’s almost impossible to hack. These are the best options for us to secure our individual private keys.

But there are cons, of course. The pro is that the user keeps their private keys offline in the cold wallet, for example; that’s the most secure one. If you put it in a hot wallet, like an app, like those hot wallets in the app, your private key is on the app 24/7, and therefore it is quite dangerous. But if you keep your key offline in a cold wallet, like a hardware wallet, then it’s definitely safe because hackers cannot hack a cold wallet, because it’s offline. It makes it very difficult to target these users, and also the hacker doesn’t know when you are going to execute a transaction, so it’s very hard to predict. To the user itself, actually, the cost is quite low, because the hardware wallet costs how much? Less than $200? You can secure your crypto assets or your NFT assets that are worth thousands or hundreds of thousands of dollars, so it’s definitely worth it to invest in a cold wallet. It matters to us because it’s our own assets. And because the cost now is distributed across thousands and hundreds of thousands of users, it avoids what we call a single point of failure. But why is it very challenging? It is still very challenging. How many of you use a hardware wallet? Can I have a show of hands? Anyone? A few, okay, not that many; I think less than ten. Okay, out of this audience, I am assuming most of us are crypto users. Only 10, around 10, have hardware wallets. Why? It’s very challenging. Let’s look at some of the problems. It requires individual users to have high security consciousness and awareness to be able to properly secure that asset in a non-custodial, decentralised manner. Especially how to store and manage recovery phrases, your seed phrases, and your password. It places [a] high demand on individuals, but the problem is most of us are not [security] trained. Most of us here, I would say, would know the importance of the seed phrase.

But if you look at the 300 to 500 million crypto users that are in the crypto industry right now, I think 90% of them are not aware that the seed phrase is very important. If you lose a seed phrase, you lose your asset. The seed phrase is your private key. Therefore, we encounter so many horror stories of how they lose their assets overnight. There is always a risk there, and they fall prey to phishing attacks.

Problems with seed phrases

Imagine if someone pretending to be a big company, a listed company, sends you an email and says that your key is now obsolete, you need to upgrade it, please send me your seed phrase, I’ll do it for you. Ninety per cent of us will do that. We won’t, I’m sure none of us will, but I’m sure 90% of people out there will do that, including our parents. Our mom and dad, they say, “Oh, this company is a listed company, must be safe, so I send our seed phrases to them.” And of course, the next day, all the assets are gone. It is very important; one of the reasons is because it relies on one factor only, and that factor is what you know. Your seed phrase is what you know, your password is what you know, and by relying on what you know, people can phish it from you. They can attack you. But if you combine what you know with what you have, which is the hardware wallet or cold wallet, then the hacker cannot hack it; you need both. The hacker needs to access what you know, and also needs to steal your hardware wallet, so that is much safer. But the problem is, the seed phrase is a very complicated process. I think a lot of us have already done that: you have to copy the 12 to 24 words on a piece of paper, make sure you copy everything correctly – not one single dot less, not one single dot more – and don’t take a picture of it. Make sure you do it manually, because if you take a picture of it, it’s gone. Because anyone with a picture of your seed phrase has your private key.

That is one of the reasons why we don’t have mass adoption right now. All of you – I think less than 10 of us have a hardware wallet. Mass adoption is very difficult right now because of all these challenges. If we look at some of them, for example, we have this very famous guy from the UK who lost 200 million dollars’ worth of Bitcoin because he lost the password. He had 10 tries to try his password, but he has already tried 8 times; 2 tries left. He dares not try anymore, because if he does that, then the Bitcoin will be lost forever. Then another UK guy – why always the UK? I’m not sure – a UK guy who accidentally dumped his Bitcoin, 300 worth, which is about, I think, $100 million, that was on a hard drive, and he threw away the hard drive accidentally. And now the hard drive is somewhere in a rubbish dump in the UK, and he’s trying to get someone to dig it up for him. That’s a challenge.

With all these problems, is there a better way? What is the future of private key management? Private key management is the key to all our future assets. Whether it’s crypto, whether it’s an NFT, or whether it’s a digital identity, it all relies on your private key. Without the private key – if you lose a private key, you lose everything. Now, imagine in the future metaverse where you have hundreds of identities, each identity for different games, different metaverses; some of the identities, some of the NFTs, the private key – the NFT could be worth millions of dollars. Now, if you lose the private key to that, what happens? Disaster. We propose to remove the single biggest vulnerability, the weakest point in the whole chain, which is actually human error, right? It’s human error.

Hardware problem – no problem. Software – very good. But human error is always the weakest link because of this very key thing, the seed phrase. Most decentralised security relies on seed phrases or recovery phrases, like what I mentioned just now, 24 words or 12 words. But if you think about it, what is a seed phrase? A seed phrase is basically converting your private key, which is supposed to be private, onto a piece of paper and exposing it for the world to see. Because you need to copy that in order to recover your hardware, in case you ever lose your hardware, or you lose your private key, you need to enter the seed phrase to recover. But that is actually a very, I would say, [insecure] way of storing your private key, because you have no idea if anyone has ever taken a picture of your seed phrase, right? Someone may have taken your seed phrase and you have no idea he has done it. And one day, when your private key holds 100 Bitcoin, the next day they can come and take it away from you without you knowing. That is the problem: we have human error; we copy wrongly, we misplace the seed phrase; the seed phrase is worn out, the ink faded; all kinds of horror problems could happen. It’s a ticking time bomb. If we can remove this, it will solve the problem. I think it will make the whole process very easy, and idiot-proof, and even my mom and dad can use this. Is there a way?

Future of private key management

Let me introduce the local company called UKISS. They developed a piece of hardware – Hugware – which is a hardware wallet, and it has been patented in 20 other countries, basically from the U.S. to China, to Europe and Southeast Asia; they’re all patented already. It removes the need for seed phrases altogether; that means it uses hardware to recover and back up hardware. Your private key is stored in the hardware and it never leaves the hardware, and to back up, you use another hardware device to back up this hardware. You can have multiple hardware devices backing up. Instead of a piece of paper, you use the hardware. Now, why is it that hardware is better? Of course, if anyone gets hold of this hardware, they cannot see the seed inside, right? It’s not transparent, and they have to plug it into the computer; and now there’s a problem. You need a PIN; if you do not know the PIN, you cannot access the key inside. It’s two-factor authentication – what you have and what you know. Combining what you have and what you know. Now, imagine a hacker – they want to hack your private key. First, he may steal your PIN, because maybe you wrote your PIN in a file and you put it in Google Drive. Someone hacks your file and says, “Ah, this is the PIN,” but he doesn’t have your hardware, right? He has to come to your house, somehow steal your hardware and then plug it into the computer, key in the PIN, and then he can access your private key. That makes it very hard for hackers to do that on a mass scale. We believe that this will be the answer to achieving mass adoption of personal, decentralised private key management. It’s so easy, you can set it up in under two minutes because there’s no seed phrase; just plug in and set up your PIN, and you’re done in under two minutes. Anybody can do it, and it relies on a PIN-protected hardware technology for secure synchronisation of the private key; so easy and convenient. We believe this is decentralised security made easy, finally.

Now, these are the two hardware devices; you have the grey one and a silver one. The grey one is the Authentication Key; both of them are synced. When you initialise it, the private key is synced, the master seed key is synced. Normally you use the grey one, the A-Key, for your normal transactions. Every time you need to transact, you plug it in, key in your PIN and you can digitally sign the transaction. The R-Key, the Rescue Key, is the silver one; you typically put it in a safe, make sure it’s safe. You don’t use it until, let’s say, you forget the PIN to the A-Key; then you take it out and you reset the PIN. Or if you lose the A-Key, somehow someone steals the A-Key, what you do is you buy a blank one and then you take out your R-Key from the safe, plug it into the computer, synchronise it and you’re done. You’ve recovered your A-Key. It’s very simple.

Welcome to the future of Web3 security. It can easily secure your private key to all your crypto assets using this technology, and it has been patented in Singapore, and of course, in over 20 countries. Therefore, there are no more complicated procedures and manipulation regarding the seed phrase, and you will not fall into a phishing attack because there’s nothing to phish; no seed phrase to phish. It is easy for normal users like us to be able to do self-custody of our private keys. We believe in this mass adoption of decentralised security; maybe next time, next year, when I give the same talk here again, I can see more than half of you having hardware wallets. That’ll be an improvement. We believe that with this technology we can have one security system for all applications and services. In fact, UKISS Technology is not just used for crypto assets; it is also used traditionally to encrypt your data files. Now, all the files that you have on the hard drive – your pictures, your family photos, your financial statements, your contracts – these are also on the hard drive or also in the cloud. Now, imagine you store them in the cloud; you know who can access them? The cloud administrator. Yes, it is supposed to be encrypted; the master key is you, the cloud administrator. If they want to, or under the order of the government, they have the right to open the file and access it, or even delete it. Imagine all your files are encrypted; this same technology can encrypt all the data files on your computer and in the cloud, in addition to securing your private key. It’s one security system for applications and services.

Now, imagine this could have a big implication and potential for your future identity, your NFT, your daily use. We call that self-sovereign assets; realising self-sovereign assets. First of all, it reduces data privacy breaches because you now control your own data. We are Singaporeans; we all have Singpass with us, right? We all love our Singpass. Right now, with this single Singpass I can log into all government websites, and Singpass has all my data for my CPF, my tags, my graduation certificates, my education; they have everything. It’s very convenient if anyone wants to use this data; I can just authorise it using my Singpass. But Singpass is only for Singaporeans and it is centralised. Now, imagine a decentralised version of Singpass, an international version of Singpass, powered and protected by the same technology. Wouldn’t that be very useful for us in the world? In the future, we can go to any website; we don’t need to have a user ID and password; it’s just one single app where I scan the QR code to log in. And I know the private key is secure because it’s in my hardware; no one can steal it. That is the future of what we are envisioning based on blockchain implementation, of what we call decentralised DID and self-sovereign identity. That’s what UKISS is doing, and they’re all powered by UKISS Hugware. How we do that is by creating a DID wallet application, an international version of Singpass, and also a smart wallet application that can use the same DID and smart contract to automate a lot of our business and personal asset management, contracts and so on. At the same time, it protects our privacy because I only reveal what information I need for the counter-party; I do not have to give them my whole private data. For example, you want to know if this person is above 18; then my Verifiable Credentials (VC) will tell you, yes, they are above 18. I do not have to give you my IC number, my birthdate and everything, so it protects my privacy.
At the same time, I can participate in KYC; I participate in a lot of DeFi exchanges and so on, so the user will benefit. And if you think further, if I have my information with me or my medical data, I can sell it, right? I can have a DeFi exchange that can trade all this information authorised by myself. It’s my own data, I can sell it, authorised by myself through the private key. I can earn from my data, we call that data monetisation. We’ve been talking about data monetisation for many years, I think it is finally within reach because I control the private key myself. 

In the end, what we call user-centric private key management is what we want to achieve. That brings me to the end of my sharing, thank you everyone for your patience and your support.
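The relationship between a seed phrase and a private key that the talk keeps returning to (the words on the paper are the key; anyone who has seen them can reproduce it, and a mis-copied word does not fail loudly but silently yields a different wallet) can be made concrete with the standard BIP39 and BIP32 derivations. The Python below is an added example written for this page; it is not code from UKISS, from Hugware or from the talk, and it says nothing about how that product synchronises keys between devices. The mnemonic is the first published BIP39 reference vector, used here as constructed sample input, and the optional BIP39 passphrase is used to play the "what you know" role beside the words.

```python
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# secp256k1 group order: BIP32 requires the master private key to lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample input: the first BIP39 reference test vector (12 words).
# Anyone who has read or photographed these words can reproduce every value below.
EXAMPLE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(NFKD(words), "mnemonic" + NFKD(passphrase), 2048, 64 bytes).

    Nothing here consults the 2048-word list, so a misread or mistyped word still
    produces a seed, just a different one that controls an empty wallet.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed); returns (master private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = i[:32], i[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:
        # Astronomically unlikely, but BIP32 declares such a seed invalid.
        raise ValueError("invalid master key; seed is not usable")
    return master_key, chain_code


def derive(mnemonic: str, passphrase: str = "") -> dict[str, str]:
    """Full path from the words on the paper to the root private key of the wallet."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_key": master_key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    original = derive(EXAMPLE_MNEMONIC, "TREZOR")
    # Same words, same root key, every time: the phrase is the key.
    assert derive(EXAMPLE_MNEMONIC, "TREZOR") == original
    # A second factor the attacker lacks (here the BIP39 passphrase) changes everything.
    assert derive(EXAMPLE_MNEMONIC, "")["master_key"] != original["master_key"]
    # One mis-copied word does not error out; it silently becomes a different wallet.
    typo = EXAMPLE_MNEMONIC.replace("about", "abort")
    assert derive(typo, "TREZOR")["master_key"] != original["master_key"]
    print("seed       ", original["seed"])
    print("master key ", original["master_key"])
```

The point the derivation makes is that the 64-byte seed and the master key are pure functions of the words (plus the passphrase, if any), with no secret held anywhere else; that is why a photograph of the paper is equivalent to the private key, and why a device that keeps the root key internally and exposes only signing is a different security model from a phrase that must be transcribed.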
