The custody of digital assets presents a unique challenge for banks and financial institutions. The mere theft or loss of a tiny piece of data, even smaller than this sentence, can respectively lead to theft and loss of funds. But how to avoid disasters, yet make the custody solution usable and dependable for its users in an enterprise setting? As we will see in this article, there is no magic bullet, and reliable approaches involve a mix of technology and procedures.
What is a digital asset custody solution?
Broadly defined, a digital asset custody solution is a system designed to:
Safeguard assets by employing cryptographic techniques to ensure ownership and control. This hinges on access to a cryptographic secret, usually a private signing key.
Offer enhanced functionalities, including secure interaction with smart contract functions and support for tokenized securities.
Operate within the realm of (regulated) financial institutions, where the custodian bears legal responsibility for protecting both client assets and their own holdings.
Banking-grade: Aligning security, operational, and compliance requirements
The level of security assurance provided by a banking-grade solution should align with the associated risks and value. The term "banking-grade" underscores that these offerings must surpass the rudimentary features provided by consumer-grade wallets and take also into account operational and compliance requirements. They should ensure security and reliability across various fronts:
1. against external attackers, insiders, or accidental failures.
2. in terms of asset control (thus private keys protection), but also of data integrity, keys restorability, audit trail, and other aspects sometimes overlooked.
3. in terms of pure technical security (software vulnerabilities and exploits) or support and choice of security protocols (such as multi-party approval, single sign-on, disaster recovery)
4. in terms of trust assumptions, from trusted hardware to cryptographic protocols' security level.
To achieve robust security, a banking-grade custody solution deploys a combination of procedural and technical security controls. Redundancy, coupled with a defense-in-depth strategy, forms the bedrock of protection, while rigorous and varied testing methods validate the solution's security measures.
Drawing inspiration from the foundational principles of secure systems established in the 1980s, our security architecture is anchored in principles such as auditability, reliability, manageability, adaptability, and dependability.
In the subsequent sections, let's delve into specific security objectives addressed within our digital asset custody design.
Key security goals of a banking-grade custody solution
We propose a list of the 10 most important high-level security goals of a banking-grade custody solution, illustrating the variety of security notions and control types involved. These goals are not ranked in terms of importance and are by no means exhaustive.
1. Prevent direct access to the seeds or keys
One critical goal is to prevent access to seeds or keys, otherwise one could steal the funds. Even the legitimate users of the platform should never have access to the keys; they should only able to sign transactions (after the necessary approvals), signatures that internally rely on said keys.
Remember that a digital asset account relies on a key pair:
1. The private key is required to sign transactions for asset transfers and should exclusively be accessible to authorized parties.
2. Conversely, the public key serves to verify signatures of transactions and derives the account's address.
The term "seed" denotes the master secret used to derive private keys, following blockchain standards like BIP-32, BIP-44, and SLIP10. Storing a seed can facilitate the derivation of multiple key pairs, streamlining the protection of a single short seed compared to numerous keys. Depending on the chosen model, a single seed might cover all asset types, specific blockchains, or varying granularity levels.
Irrespective of the custody mechanism—hot, warm, or cold—secure storage of seeds or private keys is imperative. Employing tamper-resistant systems prevents extraction, even among approved signatory groups. Hardware security modules (HSMs) offer a hardware-based secure environment, guarding against invasive physical attacks. For instance, secure memory erasure triggers in response to suspicious activity, bolstering the overall security of custody solutions.
2. Ensure reliable back-ups
Having top-notch cryptography and secure hardware in a custody solution is futile if reliable back-ups are absent, if unauthorized parties can access key backups, or if the backups fail to function when needed—such as during testing. Effective back-up strategies involve:
1. shared control through threshold secret-sharing mechanisms
2. rigorous testing during creation and at regular intervals, preferably annually
3. storage within tamper-evident containers, subject to frequent tampering checks
4. integration into disaster recovery plans, procedures, and corresponding contingency measures.
Creating back-ups must occur within a controlled, secure environment with multiple layers of access control to prevent unauthorized entry. The backup process should be verifiable, allowing periodic checks of backup integrity. Here, it's worth noting that personnel involved in key generation and backup management should undergo comprehensive background checks and training to ensure adherence to security protocols. Together, these measures establish a robust defense against internal and external threats to the confidentiality and integrity of keys.
3. Prevent unauthorized access to signing capabilities
Safeguarding against unauthorized access to signing capabilities is also essential. While secret keys are not directly exposed, including to the solution's user, potential attackers could still exploit the signing module to endorse unauthorized transactions. To counter this, a custody solution needs to establish an approval mechanism, often based on a quorum approach, that effectively thwarts attempts to manipulate approval rules. This security can be realized through technologies like HSMs or secure enclaves. While blockchain-specific multi-signature systems have their merits in specific scenarios, blockchain-agnostic solutions tend to offer greater reliability and smoother integration and scalability. Flexibility is crucial, particularly for large institutions with global reach.
Addressing the approval challenge, multi-party computation (MPC) based technologies cryptographically restrict access to a single key, requiring interaction among multiple systems. This means compromising several computers or individuals to bypass signature rules—rules that must be well-defined and consistently implemented. However, a drawback of MPC is that an authorized group of parties can directly sign any transaction and retrieve the key, potentially bypassing security controls on transaction content and type—unless a trusted execution environment is applied atop the MPC layer.
4. Prevent unauthorized transactions
Although authorized parties adhere to a four-eyes principle for transaction approval, there's still a possibility that they might initiate transactions that breach business rules either inadvertently or deliberately. To counter this risk, it's crucial to establish and rigorously enforce well-defined business processes and rules. This ensures that all requested transactions align with operational standards. For instance, a secure environment such as an HSM can enforce security measures concerning transaction content and approver rights. These measures encompass practices like whitelisting specific addresses, setting transaction amount limits, and specifying permissible actions within smart contracts. By consistently following these rules, custody solutions bolster transaction integrity and maintain compliance with established protocols.
5. Ensure secure key generation
Key generation, or more precisely, the creation of seeds for key derivation demands a meticulously prepared, documented, audited, and well-executed procedure usually referred to as “key ceremony”. This involves the creation, testing, and secure sealing of backup recovery values.
In addition, a decision must be made regarding the use of a single seed for all assets, per-asset type, or per-blockchain seeds. Paradoxically, safeguarding one secret is often simpler than safeguarding many. This is partly because a single seed requires the generation and backup process only once, with restoration tests being more straightforward.
6. Enhance security of logs and databases
Similar to contemporary digital services, a custody solution generates extensive logs and carries out various read and write activities within a database. To protect sensitive data, like personally identifiable information (PII), it's imperative to encrypt the contents of the database. Moreover, robust measures should be implemented to ensure the integrity of this data.
Equally important is the preservation of log integrity to prevent the erasure of unauthorized actions from historical records. Establishing redundant systems is a given, thus ensuring the availability of logs and databases. This can be achieved through a multi-site distributed configuration, bolstered by failover protocols and thorough testing to establish comprehensive reliability.
7. Ensure custody solution’s auditability
To maintain a high standard of security, a custody solution should not function as a completely closed-off or black-box system. Instead, it should offer a level of transparency regarding its internal operations—such as sharing its source code with users—and its activities, evident through generated logs from its various components. The ability to monitor and audit the solution is vital for compliance audits, security assessments, change management, and incident response protocols. The more control the provider has over the technology stack, the more transparent the solution becomes. Users should have access to audit reports from credible third parties.
In line with our commitment to transparency and auditability, we provide our clients with the source code of our HSM firmware extension and offer our MPC library as open-source software.
8. Ensure supply chain and build integrity
A custody solution's provider must ensure that the software used within the solution, whether on-premise or through a service provider, aligns with the auditable components and remains unaltered during operation. These assurances require a combination of technological tools, such as continuous integration and authentication mechanisms, alongside procedural practices related to change management and role separation. For example, enhancing supply-chain security can be achieved by:
1. maintaining an auditable Continuous Integration (CI) and delivery pipeline
2. facilitating audited and reproducible builds of critical components
3. systematically scanning software dependencies and generating software bills of materials (SBOMs) in a standardized format.
9. Ensure segregation of duties
Segregation of duties must be upheld at multiple levels. First, between development and production stages. Second, when role-based access systems are implemented, roles should be assigned to avoid conflicts in responsibilities or access levels. However, each role should still be fulfillable by different individuals in case of absence or unavailability.
It's also important to address internal role changes and the potential expansion of permissions beyond their intended scope. To tackle these challenges, we have found that the following controls work in tandem:
regular access reviews
multi-party approval for role changes
tests to ensure business continuity in scenarios like staff loss.
10. Offer security-driven user interface
The field of user interface (UI) security is relatively recent and is concerned with designing graphical interfaces that reduce the security risk through different means, including:
providing clear and unambiguous information, such as instructions, field labels, and so on
incentivizing the users to make the required visual controls while minimizing fatigue
defaulting to secure parameters, such as strictest access control
avoiding similar-looking buttons or concepts having different, conflicting roles
preventing third-party services from integrating or overlaying malicious content.
Concretely, in a digital asset custody solution, these might translate into creating clear visual cues upon security alerts (such as poor AML rating of an address), or into facilitating the validation of blockchain addresses.
Leverage reliable security technologies: HSMs and MPC
There is no single way, let alone single technology, to achieve the aforementioned goals. Leveraging robust security technologies is also crucial, with HSMs and MPC leading the way.
In the case of Taurus' flagship custody solution, Taurus-PROTECT, HSMs take center stage across most deployments, in particular with banks. These HSMs are certified FIPS 140-2 Level 3, detecting any data extraction attempts and triggering the erasure of stored secrets as a response. Taurus takes an additional step towards fortifying HSM security by introducing a proprietary and auditable firmware extension—a functional module within the HSM framework: Taurus-PROTECT Engine. This augmentation not only enhances security measures but also facilitates the execution of critical business-level controls within the HSM's secure environment.
An alternative approach to ensuring seed confidentiality involves fragmenting private keys into cryptographic shards or shares. This technique enables the issuance of signatures through a collaborative process, preventing any single party from having complete access to the private key. Referred to as threshold signing, this protocol falls under the larger category of MPC. Taurus has been actively engaged in advancing MPC since its inception, evident in our research contributions and the development of a leading open-source software library available on GitHub.
It's important to note that HSM and threshold signing are not mutually exclusive technologies; they cater to distinct purposes and use cases. While HSMs and secure hardware excel, MPC becomes a valuable alternative, effectively mitigating risk when HSMs are unavailable. This dual approach emphasizes the versatility and sophistication of Taurus' custody solutions, ensuring optimal security levels across various scenarios.
Secure your assets with a provider mastering the full technology stack
When evaluating custody technology providers, a crucial consideration is the extent of control they possess over the components within the value chain. This involves differentiating between components they handle internally and those that are outsourced or subcontracted to third parties.
The greatest value should be attributed to providers who exhibit mastery over the complete technology stack, encompassing the development and oversight of critical elements such as cryptographic and embedded software—essentially the core of the system. This approach offers the most robust defense against technological obsolescence, a scenario that has been witnessed when providers relying on assembled modules struggle to keep pace with technological advancements, prompting clients to switch. In essence, the distinction between builders and assemblers who source critical components externally is crucial.
At Taurus, we maintain control over the entire stack, effectively mitigating counterparty risks, reducing vendor lock-in vulnerabilities, and minimizing the necessity for third-party risk evaluations.
For a comprehensive analysis of the essential elements involved in a banking-grade custody solution, we encourage you to take a look at our whitepaper, Banking-Grade Digital Asset Custody.