Over the past year, numerous applications and business models have been developed on top of blockchain technology. One of the recurring challenges is securing the participants’ private keys. In every blockchain this is the responsibility of the user, and for obvious reasons it’s paramount to get this right. In most clients the private key is encrypted with a single password. In the early days of Bitcoin this was optional, and there was malware in circulation that scanned a victim’s PC for unencrypted key files. Some users lost their funds, and so the hunt for better security began.
Hardware wallets were a good step up, and many were developed for Bitcoin. More recently a hardware wallet for Ethereum also appeared, and many more will follow. This form of 2 Factor Authentication, or 2FA, is popular but requires the user to carry a physical device. Most users know these devices from their banks, and based on research by banks we know that they’re quite unpopular.
Another form of 2FA is the use of the Secure Element in a smartphone. This is also known as a Trusted Execution Environment (TEE), and when the guys from Ledger Wallet showed off their first implementation in February 2015 I was generally impressed. The use of a TEE is an increasingly popular concept for securing blockchain transactions, but some smartphone manufacturers (yes, you, Apple) have locked down the functionality of their TEE. For Ledger this meant that their TEE solution never made it to market, although they do still offer a beta of their original concept for a limited number of smartphones. For the tech-savvy reader: the Apple implementation of the TEE is called the Secure Enclave. Our tests showed that Apple enabled it to store and sign only specific versions of the ECDSA curves, such as secp256r1, which is NOT used by any of the blockchain applications out there. For those hoping Apple will add support: it’s called Apple Pay and they will charge you for it. Of course, you can run your own consortium blockchain and replace secp256k1 with little effort, but that breaks compatibility with the public Ethereum and Bitcoin blockchains.
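As an added illustration of the curve mismatch described above (not code from the original post), this pure-Python example derives keys from one scalar on secp256r1 and secp256k1 and checks what secp256k1 verification does with a P-256 public key and signature. The curve constants are the published domain parameters; the scalar, the message and the simplified nonce derivation are constructed for the demo.

```python
import hashlib, hmac
from collections import namedtuple

Curve = namedtuple("Curve", "p a b g n")  # published domain parameters
K1 = Curve(2**256 - 2**32 - 977, 0, 7,  # secp256k1 (Bitcoin, Ethereum)
    (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
R1 = Curve(2**256 - 2**224 + 2**192 + 2**96 - 1, -3,  # secp256r1 (P-256)
    0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)

def on_curve(c, pt):  # does pt satisfy y^2 = x^3 + ax + b (mod p)?
    return (pt[1]**2 - pt[0]**3 - c.a * pt[0] - c.b) % c.p == 0

def add(c, P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0: return None
    m = ((3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) if P == Q
         else (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p))
    x3 = (m * m - x1 - x2) % c.p
    return x3, (m * (x1 - x3) - y1) % c.p

def mul(c, k, P):  # double-and-add; not constant time, teaching code only
    R = None
    while k:
        R, P, k = (add(c, R, P) if k & 1 else R), add(c, P, P), k >> 1
    return R

def sign(c, d, z):  # ECDSA; nonce is a simplified HMAC derivation, not RFC 6979
    mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256)
    k = int.from_bytes(mac.digest(), "big") % (c.n - 1) + 1
    r = mul(c, k, c.g)[0] % c.n
    return r, pow(k, -1, c.n) * (z + r * d) % c.n

def verify(c, Q, z, sig):  # rejects out-of-range values and off-curve keys
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n and on_curve(c, Q)):
        return False
    w = pow(s, -1, c.n)
    X = add(c, mul(c, z * w % c.n, c.g), mul(c, r * w % c.n, Q))
    return X is not None and X[0] % c.n == r

d = 0x1CEB00DA  # constructed demo private scalar, valid on both curves
z = int.from_bytes(hashlib.sha256(b"constructed demo tx").digest(), "big")
sig_r1 = sign(R1, d, z)  # what a P-256-only signer would produce
```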
To meet our requirements (such as vendor independence) we’ve been looking at white box cryptography solutions to safely store a key in a smartphone application. There are some interesting solutions in the market, such as the Private Arithmetic solution from Philips, who designed a software module that supports the safe generation and usage of a private key. It’s been reviewed by Brightsight and UL, and they concluded that it did not leak any information through side channels and was resistant to reverse engineering. We’re currently exploring this application for use in our Digital Signing solution.
We’ve learned that there are many ways to apply 2-factor authentication security for signing transactions in blockchain-based applications. If you’re interested in learning more about securing your blockchain application, please get in touch.