Threat Model - Confidentiality of Seed and Private Keys

Even if the device is genuine and its random number generator is of high quality, a hardware wallet that stores its seed unencrypted on an SD card cannot be considered secure, because the seed can be retrieved trivially.

On Ledger devices, the seed is stored in the non-volatile memory of the Secure Element. It is either generated by the Secure Element itself, using its True Random Number Generator, or imported manually, during the initial configuration or when the device is booted in recovery mode.

Once the device is initialized, there is absolutely no way to retrieve the seed. Even apps installed on the device cannot read it: the non-volatile memory cannot be read by apps, and the OS does not expose an API to access it. Ledger Nano devices are HD (hierarchical deterministic) wallets that perform key derivation as specified in BIP-0032, SLIP-0010, etc. The OS implements these derivations so that each app can derive only a dedicated subtree of keypairs from the seed, following specifications such as BIP-0044 and SLIP-0044, which register derivation paths for the various coins.
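The derivation described above, as an added reference example that is not part of this page and not the code of Ledger's OS: a pure-Python BIP-0032 implementation over secp256k1 (master key from seed, hardened and non-hardened child derivation, BIP-0044 path parsing). The function names are this example's own, the seed below is the 16-byte input of BIP-0032 test vector 1, and the path m/44'/0'/0'/0/0 is the standard BIP-0044 Bitcoin layout. SLIP-0010's ed25519 variant, used for other coins, keys the master HMAC with "ed25519 seed" and allows hardened children only; it is not implemented here. The last two functions make the security point explicit: an account-level public key and chain code are enough to enumerate the non-hardened addresses below them, while a non-hardened child private key plus the parent public node gives the parent private key back, which is why the purpose, coin-type and account levels are hardened and the seed side is never reachable from anything an app or a watch-only client is handed.

```python
import hashlib
import hmac

# secp256k1 parameters, the curve BIP-0032 is defined over.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= 2^31 are hardened (written 44' or 44h)


def point_add(a, b):
    """Affine addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P


def point_mul(k, point=G):
    """Double-and-add scalar multiplication. Not constant-time: reference
    code only, never use it where the scalar is a real wallet key."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """BIP-0032 serP: 33-byte compressed SEC1 public key."""
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")


def master_from_seed(seed):
    """Master node: HMAC-SHA512 keyed with the fixed string 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """Private parent -> private child (CKDpriv)."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")  # the private key feeds the HMAC
    else:
        data = ser_p(point_mul(k_par))               # only the public key does
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child, skip this index")
    return (il + k_par) % N, i[32:]


def ckd_pub(point_par, c_par, index):
    """Public parent -> public child (CKDpub). Impossible for hardened indices,
    which is what keeps the seed side unreachable from exported public keys."""
    if index >= HARDENED:
        raise ValueError("hardened derivation needs the parent private key")
    i = hmac.new(c_par, ser_p(point_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child, skip this index")
    return point_add(point_mul(il), point_par), i[32:]


def parse_path(path):
    """\"m/44'/0'/0'/0/0\" -> list of child indices with the hardened bit set."""
    indices = []
    for part in path.split("/")[1:]:
        hardened = part[-1] in "'h"
        indices.append(int(part.rstrip("'h")) + (HARDENED if hardened else 0))
    return indices


def derive_priv(seed, path):
    """Walk a full path from the seed on the private (secure) side."""
    k, c = master_from_seed(seed)
    for index in parse_path(path):
        k, c = ckd_priv(k, c, index)
    return k, c


def recover_parent_priv(point_par, c_par, index, k_child):
    """Why the upper BIP-0044 levels are hardened: for a NON-hardened child,
    parent public key + chain code + one child private key give back the
    parent private key, since k_child = IL + k_par (mod n)."""
    i = hmac.new(c_par, ser_p(point_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    return (k_child - il) % N


def account_pub_matches_priv(seed, account_path="m/44'/0'/0'", change=0, index=0):
    """The account-level public node (all a watch-only client, or an app holding
    only its subtree, needs) must yield the same key as the private path."""
    acct_k, acct_c = derive_priv(seed, account_path)
    pub_node = ckd_pub(*ckd_pub(point_mul(acct_k), acct_c, change), index)
    priv_k, _ = derive_priv(seed, f"{account_path}/{change}/{index}")
    return ser_p(pub_node[0]) == ser_p(point_mul(priv_k))
```

The scalar multiplication is plain double-and-add and leaks the scalar through timing; it is there so the example runs without a crypto library, not as a model for what a Secure Element does. Indices for which IL >= n are rejected rather than silently wrapped, as BIP-0032 requires.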

Associated threats: seed extraction attacks are classical attack vectors already demonstrated by the security community (glitch attacks, SRAM seed extraction, electromagnetic fault injection (EMFI) attacks).
