The Master Seed
Applications running on Ledger :doc:`personal security devices <personal_security_devices>` are designed to be lightweight and easily recoverable. Ledger achieves both of these goals by using hierarchical deterministic key generation. Hierarchical deterministic key generation is used by applications to derive a theoretically infinite number of cryptographic secrets from a single master seed. In this way, your cryptocurrency private keys, passwords, and other cryptographic secrets can all be determined and intrinsically "stored" in a single master seed. Because of this, the device's apps don't have to store their own private keys, because they can all be generated on-demand by the device from the master seed. This means that if your device is lost, destroyed, or reset then all you need is your master seed to recover your secrets. In addition, an application that supports this scheme can be deleted and reinstalled without losing any secure data or assets. Your master seed is randomly generated for you when you first set up your Ledger device, and then you just need to write it down to allow you to recover your device in the future.
Generation and Serialization
The master seed is the key to your cryptographic secrets. As such, the master seed should be something that is long and nearly impossible for anyone to guess. Your master seed isn't like a password or a PIN (Ledger devices already have PINs to protect access to them), instead it's the root of all of your cryptographic secrets. You only need to access it when you first write it down on paper when your device randomly generates it for the first time, or in the future if you have to recover your device.
Ledger uses a standard called BIP 39 for the generation and interpretation of the master seed on all of our devices. BIP 39 is an industry standard used by many other hierarchical deterministic wallets. The exact type of BIP 39 seed used by Ledger devices by default is a 24-word mnemonic that consists of only the 2048 words from the BIP 39 English wordlist. Here's how a BIP 39 24-word mnemonic seed is generated:
- The device generates a sequence of 256 random bits using the true random number generator (TRNG) built into the device's Secure Element.
- The first 8 bits of the SHA-256 hash of the initial 256 bits is appended to the end, giving us 264 bits.
- All 264 bits are split into 24 groups of 11 bits.
- Each group of 11 bits is interpreted as a number in the range 0 - 2047, which serves as an index to the BIP 39 wordlist, giving us 24 words.
The result of this process is that your device will generate a single mnemonic seed out of 2256 possible mnemonic seeds (That's one of 115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936 possible mnemonic seeds). Note that while the first 23 words are completely random, the final word was derived from 3 random bits and 8 calculated bits from the SHA-256 hash. This means that the final word can act like a checksum - if you input an incorrect seed into the device while recovering it, it is possible for the device to detect that the inputted seed is invalid.
Can someone guess my seed? There are 2256 different possible 24-word mnemonic seeds. For comparison, the number of atoms on Earth is estimated to be around 2166. Just let that sink in for a second. The chance of someone else being able to guess your seed is astronomically small, to say the least.
But all we have here is a sequence of 24 words, how can the device use this as a cryptographic secret?
After the 24-word mnemonic is generated, it has to be converted into a binary seed by the device (this process is called serialization). This is done using the PBKDF2-HMAC-SHA512 key derivation function to convert your mnemonic seed and an optional passphrase of your choosing into a 512 bit binary seed. This BIP 39 passphrase can be set on your device through the Settings menu, and it can be changed at will without resetting your device (in fact, you can have multiple passphrases loaded onto the device at once if you wish). By changing the passphrase, the resulting 512 bit binary seed is completely changed.
This 512 bit binary seed is the root of your device's cryptographic secrets. Every cryptographic secret that your device needs (cryptocurrency private keys & addresses, passwords, etc.) can be derived from this 512 bit binary seed. We'll explore how an infinite number of cryptographic secrets can be derived from this one seed in the next section, :doc:`hd_keys`.