Security of the Cloud: Why we decided to go with HSM
An oft-forgotten fact that the foundation of all blockchain ecosystems — the “crypto” in cryptocurrency — is a system known as public key cryptography.
While the public portion of a key pair may be disseminated in a decentralized manner, the private key is a fundamentally centralized concept. This has caused a bit of an impedance mismatch: it often seems like the centralized nature of private keys is an afterthought in the design of many blockchain systems — including Ethereum.
What exactly is a blockchain key pair?
For those who are new to the world of cryptocurrency, whenever you create a wallet to store your cryptocurrency, you will need to create both a public and a private key. The public key, also known as your wallet address, is a string of characters that you can share with others so that they can send cryptocurrencies to you; the private key on the other hand is a string of characters that acts as a “password” or “key” that unlocks your wallet, thus allowing you to send your cryptocurrencies to someone else.
What are the methods to secure the cryptocurrency?
There are several common approaches to manage private keys:
- Keep them on a device’s local storage. It’s easy, but also vulnerable to malware since the file storing private keys can be read by any process with permissions to the user’s folder. Private-key stealing malware has been identified since 2011, and has only grown more prevalent since. Users need to be very careful not to inadvertently share this folder outside of their computer, but at the same time they need to periodically create new backups of the key storage file to ensure that new keypool keys are stored.
- Use a password-protected encrypted wallet. These solutions encrypt the key storage file that is held on the device’s local storage. The user is therefore protected against theft of the file (to the degree to which the password cannot be cracked), but malware on the machine will still be able to use, for example, a keystroke logger to capture the password. Password-protected wallets may mislead the user to believe that the password itself provides access to their funds regardless of the location of the device storing the wallet.
- Offline storage of keys To protect against malware-based threats, wallets can be stored offline on portable media (e.g., a USB drive). Of course, this makes the wallet unavailable for immediate use, and the wallet is still exposed and potentially vulnerable to malware when mounted on a computational device. An interesting example here is paper wallets (e.g. https://bitcoinpaperwallet.com or https://walletgenerator.net/), though users still need to be aware that they should be vigilant in preventing the accidental sharing of the private key QR code, which commonly happens through taking a photo of it and broadcasting it through messages or social media carelessly.
- Air-gapped key storage. Here wallets are stored on a secondary device that is never connected to a network. This device is used to generate, sign, and export transactions. Care must be taken not to infect the air-gapped device with malware, such as when inserting portable media to export the signed transactions. Hardware security modules (HSMs) emulate the properties of an air gap. Trezor, for example, built a Bitcoin-specific HSM-based device.
- Password-derived keys, in which cryptographic keys are derived from a user-chosen password — although this requires one password per key pair in the basic scheme. A Hierarchical Deterministic wallet derives a whole set of keys from a randomly chosen passphrase serving as the master secret. It’s only as good as the chosen password, though.
Why choose HSM?
With adoption of strong cryptography, direct attacks against cryptographic algorithms and protocols have become increasingly rare, although not extinct, as demonstrated by WEP, MD5, GSM encryption and the never-ending saga of TLS vulnerabilities.
What is more common are system failures caused by inadequate key management (i.e. when secrets are mishandled) that allows attackers to bypass that cryptography altogether, ie. keys getting stolen or cryptocurrencies unknowingly being transferred out. To that end, Hardware Security Modules (HSMs) have been promoted as best practice for implementing strict control over private keys.
A HSM is a special-purpose, tamper-resistant device dedicated to managing cryptographic keys; as no other applications can be installed onto the device. It reduces vulnerability to malware, in turn drastically reducing the security risks. In order to access the system, they must be connected to a trusted client — an ordinary computer that instructs the HSM over a minimalist interface tailored for cryptography — in order to generate new keys, perform specific operations using those keys and destroy said keys when they are no longer needed or desired.
The beauty of using a HSM lies in the fact that secret keys never leave the HSM itself; all operations take place within the secure execution environment of the HSM. For example, when decrypting a message, the ciphertext itself is sent to the device, where it is decrypted using the private keys held by (and inside of) the HSM and the decrypted message is returned. This is distinct from a non-HSM device that actually reveals the private key to the attached trusted client to “borrow” for performing some operation. It is a fundamental design objective of HSMs to never reveal keys, not even to trusted clients when connected.
Multisignature storage with HSM
Multi-signature (‘multisig’) storage is one of the biggest developments in enterprise cryptocurrency security to date.
Multisig enables a sender to require more than one signature to confirm a transaction in what is known as ‘m of n’ signing. In an m of n multisig transaction, there are a total of n available private keys to sign a transaction, and the wallet can be set up to require m of those keys to sign the transaction for the transaction to be executed.
The idea is to stop a single person from being able to compromise a wallet, by requiring another known party to co-sign that transaction.
For example in a ‘2 of 3’ signature confirmation, meaning that two private keys must be used to sign a transaction from a total of three available.
In the case of NOX, we are utilising multisig to allow customers to have multiple signatories spanning across several HSMs holding private keys in custody. As such, only upon approval by a customer will the HSM sign the transaction. No one particular HSM can spend funds on its own. Instead, a quorum of several HSMs are required to sign and thereby validate a given transaction with their private keys, effectively making the quorum of HSMs the manifestation of funds on deposit.
What to expect from NOX?
At NOX we are constantly improving our technology to better service our customers and ensure that their monies are safe with us.
In the months to come, we will be releasing more news of our technological discoveries to the public on the research we have done in the cryptocurrency space.