Security For Cryptocurrency Exchanges And Bitcoin Startups
Companies that own or trade cryptocurrencies such as Bitcoin must protect their digital money effectively. A long list of successful hacks shows that such protection is not easy to implement. If trading with digital money is to be integrated into a company's own business processes or offered as part of its own services, storing the coins at an external exchange is usually not an option (and it is questionable whether doing so would increase security at all). In these cases, the company itself must implement effective protective measures.
Entrusting access to cryptocurrencies exclusively to management gets in the way of dynamic business processes and carries its own risks (see: A Crypto Exchange CEO Dies With the Only Key to $137 Million). On the other hand, insiders are a real threat, so access to coins should not be entrusted to individual employees either. In addition, a lack of two-factor authentication is a standing gateway for attackers, even though two-factor authentication has been state of the art for a long time.
The following measures should therefore be considered for comprehensive security:
Cold Storage and Hardware Security Module
As far as possible, cryptocurrencies should be kept in so-called cold storage, i.e. not on a computer with an online connection. For dynamic business processes this is sometimes only feasible for a small portion of the coins. The remaining, online portion should not be held in ordinary wallet software but in a Hardware Security Module (HSM). An HSM is a device that protects cryptographic keys from both digital and physical attacks. An attacker who breaks into company computers therefore cannot simply copy the wallet file, and an attacker who physically steals the HSM from the data center or office gains nothing either, because the keys cannot be extracted from the device.
Nitrokey HSM 2 combines professional key management features with a low price that is affordable for any cryptocurrency startup. With a throughput of approximately 100 transactions per second per device, low to medium performance requirements are met. Linear scaling across multiple Nitrokey HSMs allows for higher throughput of several thousand transactions per second.
Four-eyes principle
Access to coins and the initiation of transactions must not be controllable by a single person. Instead, a four-eyes principle or n-of-m access protection should apply: from a group of m authorized employees, at least n of them (with n greater than one) must agree before a transaction is triggered. For example, transactions must be confirmed by at least three employees from a group of ten. This prevents access from depending on any individual employee. Such n-of-m access protection is provided by the Nitrokey HSM 2.
Specifically for Bitcoin, the Nitrokey HSM supports the Koblitz secp256k1 curve. In addition to a proof-of-concept wallet for Bitcoin, integration with Go Ethereum and DFINITY Internet Computer exists. We are happy to assist with integration into your own systems.
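The n-of-m rule above, written out as an added policy check (example code, not Nitrokey's implementation): the employee ids, the group of ten and the quorum of three are constructed sample data, and the check is careful about the two ways such a rule is commonly subverted, one employee approving several times and an approval that refers to a different transaction.

```python
# Added example: an n-of-m approval policy (3 of 10) for releasing a
# transaction. Identities and the authorized set are constructed sample data;
# in practice the approver identity would come from a 2FA-backed login or a
# signature the HSM verifies.
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    employee: str   # identity of the approving employee
    tx_id: str      # transaction the approval refers to


# Constructed group of m = 10 authorized employees and a quorum of n = 3.
AUTHORIZED = frozenset(f"emp{i:02d}" for i in range(1, 11))
QUORUM = 3


def quorum_reached(tx_id, approvals, authorized=AUTHORIZED, n=QUORUM):
    """Return True only if at least n distinct authorized employees approved tx_id.

    Duplicate approvals from the same employee count once; approvals for a
    different transaction or from identities outside the group are ignored.
    """
    if n < 2:
        raise ValueError("four-eyes principle requires n >= 2")
    if n > len(authorized):
        raise ValueError("quorum cannot exceed the size of the authorized group")
    approvers = {a.employee for a in approvals
                 if a.tx_id == tx_id and a.employee in authorized}
    return len(approvers) >= n


if __name__ == "__main__":
    ok = [Approval("emp01", "tx-1"), Approval("emp04", "tx-1"), Approval("emp09", "tx-1")]
    same_person = [Approval("emp01", "tx-1")] * 3
    print(quorum_reached("tx-1", ok), quorum_reached("tx-1", same_person))
```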
Two-factor authentication
Two-factor authentication (2FA) is used to protect accesses and accounts. It combines two independent factors, typically knowledge (a password) and physical possession (a hardware device).
Nitrokey supports all common standards for two-factor authentication, namely one-time passwords (OTP), FIDO U2F, certificate/key-based authentication for SSL/TLS/HTTPS and SSH.
For consulting and development, please contact us.