One of the most integral pieces of the growing digital asset ecosystem is custody, or asset safekeeping. As digital assets become more widely adopted, the need for trusted custodians will also continue to grow in scope.
In our Digital Asset Custody 101 series, we explore some of the key elements of this important and necessary element of the digital asset sector: hardware security modules, Faraday technology, coin purity and multi-signature storage and multi-party authentication.
Digital Key Safekeeping with Hardware Security Modules
Digital keys are as important as your home keys, and should be well protected. Safekeeping of these keys is integral to digital asset custody, and this is best achieved through the use of hardware security modules (HSMs).
An HSM is a physical computing device with cryptographic functions, which provide digital keys management, encryption, decryption and hashing, and has become the gold standard for digital key protection over the past few decades.
The main benefit of HSMs is a strong guarantee of security through tamper-proofing/tamper-resistance and tight access controls for administrative operations. Modules can be attached directly to a computer or network server, however, it is recommended that they be airgapped when storing private keys.
Custodians built around HSMs are safer because the modules are:
- Built on top of specialized hardware
- Tested and certified against strict industry standards
- Security-focused OS
- Limited access via a network interface that is strictly controlled by internal rules
- Active management and protection of cryptographic material
How a Faraday Cage Protects Digital Assets from TEMPEST Electronic Attacks
A transient electromagnetic pulse emanation standard, or TEMPEST, attack is the process by which a bad actor can destroy digital keys or steal information from an electronic device by eavesdropping on electrical emanation leakage produced by everyday use. A TEMPEST attack is one of the most dangerous for digital assets because it is completely unobtrusive and difficult to detect.
In a test environment, a white-hat TEMPEST attack by Technion and Tel-Aviv University was able to steal private key information from an air-gapped laptop, through a 15cm thick concrete wall reinforced with metal studs. What is even more shocking is that the white-hat team was only equipped with equipment that cost US$3,000.
A Faraday cage or Faraday shield can protect against TEMPEST attacks and is an essential part of effective and secure digital asset custody. Faraday technology refers to protective structures that surround data storage and blocks electromagnetic fields, ensuring that private key data remains confidential, intact and accessible. A Faraday shield is generally formed by a continuous covering of conductive material, and a Faraday cage, refers to a mesh enclosure around data storage.
The technology is named after scientist Michael Faraday, who invented the first cage in 1836. As requirements to access digital asset private keys by become more complex and customers demand faster access, Faraday technology offers proven mitigation against TEMPEST attacks while keeping private key infrastructure in an accessible environment.
The technology is now so trusted that it is often used by governments bodies to protect sensitive data and electronics, the United States Department of Defense has created standards that many adhere to. OSL uses a Faraday cage as one of the many safeguards for its leading custody solution.
The Importance of Coin Purity
No one wants to be on the wrong side of AML/CFT regulations. Yet many are caught unawares through quick money scams that promise to quickly fill bank accounts.
Money laundering and financing of terrorism continues to be a significant risk for blockchain assets. With the amount of assets lost due to hacks and scams increasing every year, the threat that assets may not be ‘clean’ is real.
Coin purity is the process of tracking a token’s entire journey through the blockchain and is used in the sector to aid in combating money laundering and terrorist financing. Understanding and acting on this information can mean the difference between having peace of mind or being exposed to unnecessary regulatory risk.
Coin purity protects investors from unknowingly accepting tainted assets that can cause regulatory action against an entire wallet. It is an often-overlooked area of asset protection that is no less critical than protecting private keys.
Multisig and Multi-Party Authorization
Digital asset custody must minimize risks associated with the asset transfer process. Multiple signature (multisig) storage and multi-party authorization (MSA) are two methods that are essential for this protection.
Mutisig storage prevents a private key from being a single point of failure by breaking a key into multiple pieces called shards, that need to be reassembled to conduct transactions. Multisig is often referred to as a form of ‘trustless escrow.’
MSA also helps protect private key access processes. As with multisig, MSA enables customers to require several sign offs before a transaction is authorized. Called ‘quorum authorization,’ this process requires multiple predetermined parties to approve prior to private key access being granted.
This is similar to the process required for traditional bank account withdrawals, which also require multiple signatures before a withdrawal is made.
The key difference between MSA and multisig is that for MSA, pieces of keys are not distributed for various parties to manage. By utilizing one or both of these methods, custodians and institutions can help make the digital asset process more safe and secure.