To ensure that you don’t lose access to your cryptocurrency in the event that your wallet is lost, you will need to back up your key by creating reserve copies. This is usually done using a seed phrase, but this is highly risky given that anybody who gets hold of the seed phrase can use it.
For this reason, Tangem Wallet offers a secure private key cloning technology. You can simply copy your private key to your second and third Tangem cards without worrying about one of them being lost or stolen. They are all protected by an access code that you provide after the backup procedure.
But is this backup method safe? Let's look at how it works in Tangem Wallet.
Creating a private key
Before activation, there is no private key (KPRIV on the diagram) in Tangem Wallet – it needs to be created first. This involves sending an activation command from the Tangem mobile application to the chip, which creates a new key based on the numerical sequence received from its own true random number generator (TRNG in the diagram). We covered this process in our previous article on How to create a private key for a crypto wallet with and without a seed phrase.
After the activation process is completed, the chip remembers a pair of keys – the private key KPRIV and the public key KPUB. The chip provides the public key to the mobile app when the wallet user enters the correct access code, allowing the mobile app to show users their cryptocurrency balances. The chip does not reveal the private key.
The diagram shows another key, KISS. This key is written onto the chip at the factory during the production of Tangem wallets. It is used only once, during the backup procedure.
Backing up the private key
So, you’ve listened to the pleas of the Tangem app and have decided to back up your key. After receiving a command to start the backup procedure, the activated card’s chip encrypts the KPRIV key using KISS. This process uses symmetric key encryption, meaning that the resulting KENC key can be decrypted using the same KISS key.
The chip sends the KENC key to the mobile app. If an attacker manages to intercept KENC during this process, they still won’t be able to gain access, as they don’t know the KISS key and therefore won’t be able to decrypt KENC.
After receiving KENC, the mobile app asks the user to scan the second card with their smartphone, and then sends KENC to the chip of the second card. The second card also knows KISS as part of its factory settings and decrypts KENC. The second card now knows the same private key as the first one. This procedure is then repeated with the third card.
The Tangem firmware allows for KISS to be used just once. This means that once it has provided or received the private key once, the chip will no longer respond to the backup procedure. The private key therefore becomes unrecoverable from all cards, and even Tangem cannot extract it.
Of course, if you carry out a factory reset on your Tangem wallet, the chip will forget KPRIV and KPUB, and you will be able to reactivate the wallet, generating a new key and creating a backup. The old key will, however, be destroyed after the reset.