Finish lesson 6 and start lesson 7

06-public-and-private-keys.html

@@ -4,70 +4,69 @@
 
 <title>Web3 From Zero - Lesson 6</title>
 
-<h1>6. Public & Private Keys (DRAFT)</h1>
+<h1>6. Public & Private Keys</h1>
 
 <p>
-  I wanted to start part II of this course with wallets. Because a crypto wallet will be the 
-  software, you need to install and set up for part II. But I thought the keys are only a 
-  part of the things a wallet manages for you and the most important part. So, I think keys 
-  deserve their own lesson.
+  I wanted to start part two of this course with crypto-wallets. Because they will be the software,
+  you need to install and set up for part II. But I thought the keys are only a part of the things a
+  crypto-wallet manages for you and the most important part. So, I think keys should have their own
+  lesson.
 </p>
 
 <blockquote>
-  This lesson won't go into the nitty-gritty details of elliptic curve cryptography (ECC). As you can
-  learn Web2 development with FreeCodeCamp; there are better resources to understand this topic.
-  "Practical Cryptography for Developers" is a free ebook with
+  This lesson won't go into the details of elliptic curve cryptography (ECC). There are better
+  resources to understand this topic. If you want to learn the technical details, I recommend 
+  the ebook <b>Practical Cryptography for Developers</b> that has
   <a href="https://cryptobook.nakov.com/asymmetric-key-ciphers/elliptic-curve-cryptography-ecc">
-    a chapter that explains ECC
-  </a> excellently.
+    a part that explains ECC
+  </a>.
 </blockquote>
 
-<h2>Security Considerations</h2>
+<h2>Security Best Practices</h2>
 
 <p>
   If I learned one thing about cryptography, it's that <b>you should never ever give away your
-  private key</b>. If you don't understand anything from the book mentioned above or written in this
-  chapter, at least keep that small piece of wisdom in mind.
+  private key or seed phrase</b>. If you don't understand anything from the book I linked before
+  or written in this lesson, at least keep that small piece of know-how in mind.
 </p>
 
 <p>
-  This means only ever write your private key in a secure wallet application and never in a text 
-  file on your PC or smartphone. It's too long for the average human to memorize without
-  much effort, so your best bet is to write it down on paper, so nobody with access to your 
-  computers can read it from your filesystem.
+  This rule means you should only ever type your private key in a secure crypto-wallet app and never
+  in a text file on your PC or smartphone. It's too long for the usual human to remember without
+  much work, so for backup <b>write it down on paper</b>. This way no one who uses your computers
+  can read it from your hard drive.
 </p>
 
 <p>
   In some countries, you might fear that the government will be after your keys, but the more likely
-  threat is your house burning down or water damage. So, make sure you have copies at different
-  secure locations.
+  threat is your house burning down or water damage. So, make sure you have copies at different safe
+  locations.
 </p>
 
 <p>
-  Also, if you need a private key for development that you will hard-code in a source file for
-  tests, make sure that you use a dedicated development key that's only used for this purpose,
-  otherwise, your key could end up on GitHub, S3, etc.
+  If you need a private key for development and tests that you will hard-code in a source file, make
+  sure you don't use this development key for your everyday crypto dealings. This way, it's not so
+  bad when your key ends up on GitHub, S3, etc.
 </p>
 
 <p>
-  The same goes for your seed phrase, which is a way to represent a private key as a list of short 
-  words. As a developer, you might interact with private keys directly, but most people usually use 
-  their private key in the form of a seed phrase when they move it around between wallets and
-  paper.
+  The same goes for your seed phrase, which is a way to write down a private key as a list of short
+  words. As a developer, you work directly with private keys, but end-users use their private key in
+  the form of a seed phrase when they move it around between crypto-wallets and paper.
 </p>
 
 <p>
-  It's also worth mentioning that <b>you shouldn't throw around your addresses and public keys
-  mindlessly</b>. While nobody can directly steal your assets without your private key, an attacker
-  can send tokens to your address for phishing purposes. These could lead you to some web apps that
-  try to scam you into using your private key to do something dumb.
+  It's also good to know that <b>you shouldn't show people your addresses and public keys without a
+  good reason</b>. While no one can directly steal your tokens without your private key, an attacker
+  can send tokens to your address for phishing. These could lead you to some web apps that try to
+  scam you into using your private key to do something dumb.
 </p>
 
 <h2>What are Keys?</h2>
 
 <p>
-  A key, private or public, is just some kind of information. In the specific case of ECC, these two 
-  keys are massive numbers. So big that you usually end up storing them as <code>string</code> or
+  A key, private or public, is just some kind of data. In the specific case of ECC, these two  keys
+  are very big numbers. So big that you will store them as <code>string</code> or
   <code>BigInteger</code>in JavaScript.
 </p>
 
@@ -81,26 +80,25 @@ <h2>What are Keys?</h2>
 <h3>Private Key</h3>
 
 <p>
-  A private key for ECC is a randomly generated integer that can look something like this<br>
+  A private key for ECC is a randomly generated integer that can look something like this in hexadecimal:<br>
   <code>57cfa2d774eab59998a0b87d641b504aaefeae12f244db08d77e019e6d90afb9</code>
 </p>
 
 <p>
-  In Ethereum and many other blockchain networks, this key must be smaller than a predefined prime number.
+  In Ethereum and many other blockchain networks, this key must be smaller than a special prime
+  number.
 </p>
 
 <p>
-  This big number looks like this in hexadecimal: <br>
-  <code>fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f</code><br>
-  And like this in decimal: <br>
-  <code>115792089237316195423570985008687907853269984665640564039457584007908834671663</code>
+  This big prime number looks like this in hexadecimal: <br>
+  <code>fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f</code>
 </p>
 
 <p>
-  The reason for this specific number is out of the scope of this course, but you can read about
-  it in the book I linked at the beginning of this lesson. But this limit is important because not
-  every random integer is a valid private key, and if you want to generate your own, you have to
-  stay under it.
+  The reason why this exact prime number is used is out of the scope of this course (you can
+  read about it in the book I linked above). But the limit set by that prime number is important!
+  Not every random integer is a valid private key, and if you want to generate your own, it has to
+  be smaller than that prime number.
 </p>
 
 <pre>
@@ -114,9 +112,9 @@ <h3>Private Key</h3>
 <h3>Public Key</h3>
 
 <p>
-  A public key for ECC consists of two integers that are concatenated together. Both of these
-  integers can have the private key length, but they aren't random. These two numbers are
-  calculated from the private key.
+  A public key for ECC is two integers that are concatenated together. Both of these integers can
+  have the private key length, but they aren't random. These two numbers are calculated from the
+  private key.
 </p>
 
 <p>
@@ -125,9 +123,9 @@ <h3>Public Key</h3>
 </p>
 
 <p>
-  The function used to calculate a public key from a private key is based on a specific
-  algorithm and some predefined parameters. All systems interacting with the Ethereum network have
-  to use the same algorithm and parameters to get the same results.
+  The function used to calculate a public key from a private key is based on a specific algorithm
+  and some predefined parameters. All systems interacting with the Ethereum network have to use the
+  same algorithm and parameters to get the same results.
 </p>
 
 <pre>
@@ -140,46 +138,11 @@ <h3>Public Key</h3>
   const publicKey = generatePublicKey(privateKey)
 </pre>
 
-
-<h3>Address</h3>
-
-<p>
-  In part I, you learned that addresses are to a blockchain are like IPs are to the internet, but
-  how are addresses related to keys?
-</p>
-
-<p>
-  An address is a 20 byte long integer that gets calculated from the public key and it can look like 
-  this:<br>
-  <code>0xdd00Cc906B93419814443Bb913949d503B3DF3c4</code>
-</p>
-
-<p>
-  The 0x usually indicates a hex number, and the length was chosen to allow for enough addresses in 
-  the future while still being short enough for everyday usage.
-</p>
-
-<p>
-  The public key gets hashed with Keccak256, and the first 20 bytes of this hash become the address
-  for an externally owned account (EOA) controlled by the related key pair.
-</p>
-
-<pre>
-  let privateKey
-
-  do {
-    privateKey = generateRandomInteger()
-  } while(privateKey > 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn)
-
-  const publicKey = generatePublicKey(privateKey)
-
-  const address = keccak256(publicKey).toString().slice(0,20)
-</pre>
-
 <h3>Seed Phrase</h3>
 
 <p>
-  A seed phrase, also known as a secret recovery phrase, is a list of 12-24 short random words used to generate one or more private keys and, in turn, public keys and addresses in the end.
+  A seed phrase, also known as a secret recovery phrase, is a list of 12-24 short random words used
+  to generate one or more private keys and, in turn, public keys and addresses in the end.
 </p>
 
 <p>
@@ -188,17 +151,16 @@ <h3>Seed Phrase</h3>
 </p>
 
 <p>
-  While you can generate a private key directly, many wallet applications use a seed phrase to 
+  While you can generate a private key directly, many crypto-wallet apps use a seed phrase to
   generate them for you. Many people use multiple addresses, and if you're developing with Ethereum
-  and using it for day-to-day things, you will at least need two addresses and, in turn, private
-  keys.
+  and using it for day-to-day things, you will at least need two addresses and two private keys.
 </p>
 
 <p>
-  The idea is that not every private key is random, but only the seed phrase they are generated
-  from. This allows to generate multiple keys from one phrase and, in turn, recover all these keys 
-  from the seed phrase. Otherwise, you would have to write down every private key you used on its
-  own. 
+  The idea of a seed phrase is that it's a random list of words, but the algorithm to generate
+  multiple private keys from that phrase is deterministic. This allows to generate multiple keys
+  from one phrase and recover all these keys from one seed phrase. Otherwise, you would have to
+  write down every single private key on its own. 
 </p>
 
 <pre>
@@ -222,14 +184,16 @@ <h3>Seed Phrase</h3>
 <br>
 
 <p>
-  The downside of this is that if your seed phrase gets stolen, all addresses generated from it are 
-  compromised. This means everything true for your private key is also true ten-fold for
-  your seed phrase because it essentially represents multiple private keys.
+  The downside of this is that if your seed phrase gets stolen, all private keys generated from it
+  are stolen too. This means everything true for your private key is also true ten-fold for your
+  seed phrase because it's the same as multiple private keys.
 </p>
 
-<p><b>Never write your seed phrase down on your PC or smartphone outside of your wallet apps, never
-  store it in an S3 bucket, or GitHub, etc.</b> To recover your keys when you lose your devices, or
-  they break, you can write the seed phrase on a piece of paper and store it in a secure location.
+<p>
+  <b>Never write your seed phrase down on your PC or smartphone outside of a crypto-wallet app,
+  never store it in an S3 bucket, or GitHub, etc.</b> To recover your keys when you lose your
+  smartphone or laptop, or they break, you can write the seed phrase on a piece of paper and store
+  it in a safe location.
 </p>
 
 <h2>What are the Keys Used for?</h2>
@@ -239,16 +203,22 @@ <h2>What are the Keys Used for?</h2>
 </p>
 
 <p>
-  The private and public keys are used for different tasks. Their usage follows from the fact that
-  everyone can potentially have your public keys, and no one should ever have your private key.
+  Private and public keys are used for different tasks. Their usage follows from the fact that
+  everyone can have your public keys, and no one should ever have your private keys.
 </p>
 
+<h3>Signing Messages with the Private Key</h3>
+
 <p>
   The private key is used mainly to sign data. Signing means you attach a signature to the data. 
   A signature is created with a signature algorithm that uses your private key and the data that
   needs to be signed.
 </p>
 
+<p>
+  The idea is that the signature data can't be generated without having the private key.
+</p>
+
 <p>
   A signature could look like this in its Base64 version:<br>
   <code>MEQCIEamErEp0wjW2nBCwPJyMWB1UEb8UHaEFeUDko88MOs/AiB5daIS5j1stXRetBsEWbvd0TeoYsfucmADmxFUxbE2oQ==</code>
@@ -257,15 +227,19 @@ <h2>What are the Keys Used for?</h2>
 
 <p>
   The public key is used to verify that signature. If you sign something with a private key, the 
-  related public key, in combination with the signing algorithm, the signature, and the signed data,
+  related public key, in combination with a signing algorithm, the signature, and the signed data,
   will either lead to a "yes, this signature is from the correct private key" or not.
 </p>
 
 <p>
-  Since you are the only one who should have your private keys, you are the only one who can create 
-  these signatures. If it gets stolen, other people can pretend they are the original owners (i. e. 
-  you). If you lose your private key, you can't create correct signatures anymore, and systems 
-  with your public key won't believe that you are indeed who you pretend to be.
+  Since you are the only one who has your private keys, you are the only one who can create these
+  signatures. If your keys get stolen, other people can pretend they are the original owners (i. e.
+  you). If you lose your private key, you can't create correct signatures anymore, and systems with
+  your public key won't believe that you are indeed who you pretend to be.
+</p>
+
+<p>
+  In Figure 2, you see how the three parts interact with each other.
 </p>
 
 <figure>
@@ -275,33 +249,47 @@ <h2>What are the Keys Used for?</h2>
   </figcaption>
 </figure>
 
-<h2>Example: Spending Tokens</h2>
+<h3>Enctypting Messages with the Public Key</h3>
 
 <p>
-  Let's say you want to spend tokens from an address.
-</p>
-
-<p> 
-  You tell the Ethereum network your intent, and it will send you a message that you need to sign
-  with your private key. Since the address is created from your public key, and the public key is
-  created from a private key, Ethereum knows if your signature belongs to that address. 
+  You learned you can use the public key to verify a signature, but that's not all it can do. The
+  public key can also encrypt a message that only the corresponding private key can decrypt.
 </p>
 
 <p>
-  When you create a signature and give Ethereum a public key to verify it, Ethereum can run the
-  Keccak256 hash on your public key and compare it with the address.
+  If you want to use asymetric encryption to communicate privately, you have to exchange public keys.
+  Everyone with your public key can then send you messages that only you can read.
 </p>
 
 <p>
-  If the address doesn't match the public key, Ethereum doesn't care that your signature matches 
-  your public key.
+  Figure 3 shows the simplified process. For performance reasons, the message in that picture is
+  usually not the actual data you want to send, but a symmetric encryption key that will be
+  exchanged with the private key holder and then used to encrypt/decrypt all messages flowing
+  between the two parties.
 </p>
 
+<figure>
+  <img src="images/encryption.png">
+  <figcaption>
+    Figure 3: Encryption and decryption
+  </figcaption>
+</figure>
+
+<h2>Conclusion</h2>
+
 <p>
-  If your public key matches the address, but the signature can't be verified with that public key,
-  Ethereum concludes that you don't own that address.
+  In this lesson, you learned that keys are just numbers. Very big numbers, that have specific 
+  properties. They are often displayed in hexadecimal, which makes things a bit confusing for 
+  beginners.
 </p>
 
-<h2>Conclusion</h2>
+<p>
+  These keys are used together with ECC-based algorithms and in the case of Ethereum, with a
+  specific set of parameters that are the same in the whole Ethereum network to ensure, all
+  participants have the same results when signing and verifying data.
+</p>
 
-<p>...</p>
+<p>
+  In <a href="07-externally-owned-accounts.html">the next lesson</a>, you will learn more about 
+  externally owned accounts, and how they relate to the keys we discussed here.
+</p>