PINT PLATFORM — SECURITY COMES FIRST!

Nirmal Singh
Bitfia Labs
Published in
4 min readJul 30, 2018

Dear Community members. This is the first time I am reaching out to you through social media. Thanks for your wonderful support so far. I thought it was time that I shared some thoughts with you. While designing the PINT platform, I always asked myself what was the most important need of the crypto currency traders/investors/hodlers? What feature/functionality was of utmost importance to the users and would win their confidence for them to trust the PINT wallet with their precious crypto-holdings? “Security” was undoubtedly the first thing I could gather from my interaction with many traders and investors. The tech team at Bitfia Labs has ensured that PINT platform provides the highest level of security by implementing the best and the latest security features which are briefly described below for your understanding:

  1. Private keys storage on mobile handset

Every bitcoin or cryptocurrency wallet/address has two components, a public key for receiving cryptos and a private key to spend those crypto assets by signing transactions with it, but most of the wallet providers and exchanges keep their user’s private key on their centralized server storage in cloud, which has lead to some serious exploitation and theft of bitcoin or other cryptos e.g. Mt. Gox 850,000 BTC theft, silk road 100,000 BTC etc. The cause of these hacks has been a single point of failure i.e server, but PINT wallet platform is designed in a way that users wallet private keys are encrypted and stored in a secure inaccessible space in the users mobile handset itself, thus making it impossible to hack private keys, since an attacker have to get access to thousands or millions of devices, compared to hacking one server.

2. AES-256 encryption using OS native KeyStore

Military grade Fast and secure hardware AES-256 (Advanced Encryption Standard) encryption of every piece of data, network packets etc is used to secure the user data stored on the mobile handset. AES is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001 and used by agencies like NSA, CIA as their primary encryption algorithm. Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128-, 192- and 256-bits, respectively. The AES encryption algorithm defines several transformations that are to be performed on data stored in an array. AES-256 encryption is not crackable since the combinations of keys are massive.

Encryption keys are stored in OS KeyStore, so there is no way for a malicious user to decrypt the data, without hacking entire OS i.e. android KeyStore API (Application Programming Interface).

3. Asynchronous Microservices

We have used microservices paradigm to design and develop our backend/cloud services, where business logic is divided into multiple very thin, mostly independent services and resource requests are rendered by aggregating response from a subset of these services. As a result, throughput is very high in terms of requests per second and developers can work independently on their services with interfaces provided by other developers.

This enables us to enforce strict security model at design level, without api developers having to understand, implement or maintain security logic.

Here are the key benefits of asynchronous microservices under RBAC.

  • Maximum isolation from other services, so that in case there is vulnerability in one or some service clusters, it won’t affect or propagate to the rest of infra.
  • Business critical logic like, escrow, transaction management or collateral can be written in separate isolated services, decoupling from open services like search, 3rd party APIs etc.

4. RBAC (role-based access control)

Custom RBAC (Role-based Access Control) has been implemented over existing microservice RPC (Remote Procedure Call) to handle internal security attacks and let microservices handle their permissions, eliminating chances of human error. Role Based Access Control is an approach to managing users’ access to resources or operations. Permissions specify exactly which resources and actions can be accessed. Instead of separately managing the permissions of each user, permissions are given to roles, which are then assigned to users or groups of users.

5. Self-hosted isolated full nodes

PINT platform has its own Full node cluster of supported cryptocurrencies thus providing maximum isolation and security against transaction replay, duplicate transactions, deadlocks and branching.

6. Trusted execution environment

All client code (android) especially related to private key and transactions is executed inside a trusted execution environment using android trusty TEE (Trusted Execution Environment) API (https://source.android.com/security/trusty/). A TEE processor is typically a separate microprocessor in the system or a virtualized instance of the main processor. The TEE processor is isolated from the rest of the system using memory and I/O protection mechanisms supported by the hardware. Software running on the main processor delegates any operations that require use of secret data to the TEE processor.

7. Specialized HID and HIP systems for microservices (work in progress)

We are in the process of implementing custom HIDS (Host Intrusion Detection System) and HIPS (Host Intrusion Prevention System), based on OSSEC (The Open Source Intrusion Prevention System), to further secure users in case of directed attacks. A host-based intrusion detection system is a system that monitors a computer system on which it is installed to detect an intrusion and/or misuse and responds by logging the activity and notifying the designated authority. HIPS is an installed software package which monitors a single host for suspicious activity by analysing events occurring within that host. So a Host Intrusion Prevention System aims to stop malware by monitoring the behaviour of code.

I would like assure our community members that at Bitfia Labs, the interest of our users drives us to innovate constantly to provide the most secure experience.

--

--