Security & Wallets - Part 2.a : Key Management Architectures
Kei Brousmiche
Welcome to the second installment of our comprehensive guide on selecting the optimal wallet solution for your business. In our previous article, we delved deep into the nuances of User Experience (UX), highlighting its significance in ensuring a seamless interaction for your users. As we navigate further, this article will pivot to a topic of paramount importance: security.
In the realm of blockchain and digital assets, security isn't just a feature; it's the bedrock upon which trust is built. Wallets, being the gatekeepers of digital assets, must exemplify the highest standards of security to protect both the user's assets and the platform's reputation.
This is the first of a three-part series on blockchain wallet security. We'll cover key management architecture here, followed by articles on additional security layers and, finally, account management and security assessments.
Key Management - Architectures
Before diving into the key management architectures, it's essential to understand the foundational role of signatures in blockchain transactions. Each time a user interacts with the blockchain to write or modify data, a signature is required. This signature is generated using specific secrets or keys. The integrity and security of these keys are paramount, as they identify the user, validate and authorize the transaction on the blockchain. In essence, the wallet solution's primary role is to protect these secrets while facilitating seamless interactions with the blockchain.
As businesses evaluate wallet solutions, understanding the underlying key management infrastructure becomes crucial.
Centralized Key Management: Basic Signature
In the centralized approach to key management, the private key is stored on a specific device. This could be either the user's device or a cloud-based system. While this method offers simplicity, it introduces a Single Point of Failure (SPOF), also referred to as a Single Point of Compromise. This vulnerability exists both at rest, when the private key is stored and not actively used, and at run, during the signing process when the private key becomes accessible on the device.
To mitigate risks, particularly when the key is dormant, encryption techniques are frequently utilized. This typically leverages secure hardware, which we'll delve into in the upcoming Security Layers section.
The primary advantage of the centralized approach is its straightforwardness. Transactions are signed swiftly, making this method particularly suitable for scenarios that demand rapid transaction speeds, such as high-frequency trading platforms.
Decentralized Key Management: MPC - Secret Sharing
Multi-Party Computation (MPC) is a cryptographic protocol that allows multiple parties to jointly compute a function over their inputs while keeping them private. Secret sharing is one of the foundational algorithms underpinning MPC.
The secret sharing approach to key management involves dividing the private key into multiple fragments or "shards." These shards are then distributed across a network of participants. The primary advantage of this method is the elimination of a Single Point of Failure (SPOF) at rest. Since no single device or participant holds the complete private key, the risk of compromise is significantly reduced in its dormant state.
One of the standout features of this approach is its robustness. Even if some of the key shards are lost or inaccessible, the system doesn't necessarily require all shards to reconstruct the private key. This means the system can sustain the loss or unavailability of some participants and still remain functional.
However, challenges arise during the signing process. To sign a transaction, the private key must be reconstructed, typically on the user's device. This reintroduces a SPOF at run, as the entire key becomes accessible during this brief window.
Another crucial consideration in the sharded approach is the identity and trustworthiness of the participants holding the shards. Understanding who these participants are and their reliability is vital. Specifically, it's essential to ascertain whether these participants can independently reconstruct the private key without the user's input. Such a capability not only poses security risks, but can also lead to legal complications. We will delve deeper into these legal aspects in the subsequent article.
Keyless Architecture: MPC - Threshold Signature Scheme (TSS)
The Threshold Signature Scheme (TSS) represents a cutting-edge MPC approach to key management. Unlike traditional methods, TSS ensures that the private key is never fully reconstructed, even during the signing process. Instead, each participant involved in the signature creates a unique share. These shares are stored by each participant and never communicated, even during the signature phase.
When a signature is required, a subset of the initial participants, typically the user and some servers of the wallet service provider, collaborate. Through their interaction, they generate a valid signature without ever piecing together the complete private key. This method effectively eliminates the Single Point of Failure (SPOF) both at rest and at run, offering a heightened level of security.
However, the TSS approach is not without its challenges. Implementing this advanced cryptographic method can be complex, and the process of creating shares and producing a signature can be more time-consuming than traditional methods.
Similar to the sharded key management approach, understanding the participants in the TSS process is crucial. It's essential to determine their trustworthiness and ascertain whether the wallet service provider has the technical capability to produce a signature without the user's direct involvement.
Note on Multi-Signature
Multi-signature, often abbreviated as "multi-sig”, is a digital signature scheme that requires multiple private keys to authorize a transaction. In essence, it's akin to a shared bank account, where multiple signatures are needed to make a transaction. This technology is particularly suited for groups or entities that wish to collaboratively manage a blockchain account, ensuring that no single individual has unilateral control over transactions.
For businesses looking to integrate a wallet solution targeting the mass market, we are not aware of solutions that utilize multi-signature, given the complexities it introduces which may not align with the typical user experience expectations of a singularly controlled wallet.
Summary
The architecture of key management, be it centralized, sharded, or rooted in threshold signatures, carries its distinct advantages and challenges. While the core architecture is pivotal, it doesn't solely define the comprehensive security of a wallet. Moreover, these architectures aren't necessarily exclusive and can be combined for enhanced robustness. It's vital to balance these architectural merits and constraints with your platform's specific demands. As we explore in the subsequent article, the incorporation of supplementary security layers can refine and bolster the selected architecture to optimally align with your platform's objectives.
For those exploring varied security strategies, Eniblock's security page offers valuable insights.
.svg){kind=logo}