General Security Considerations for Crypto Assets Custodians
draft-vcgtf-crypto-assets-security-considerations-02
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Masashi Sato , Masaki Shimaoka , Hirotaka Nakajima | ||
| Last updated | 2018-07-25 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-vcgtf-crypto-assets-security-considerations-02
Network Working Group M. Sato
Internet-Draft M. Shimaoka
Intended status: Informational SECOM IS Lab.
Expires: January 26, 2019 H. Nakajima, Ed.
Mercari R4D
July 25, 2018
General Security Considerations for Crypto Assets Custodians
draft-vcgtf-crypto-assets-security-considerations-02
Abstract
This document discusses technical and operational risks of crypto
assets custodian and its security controls to avoid the unintended
transactions for its customers.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 26, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Sato, et al. Expires January 26, 2019 [Page 1]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Scope of this document . . . . . . . . . . . . . . . . . . . 3
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Basic description of a model online system of a crypto assets
custodian . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.2. A basic model of online system of a crypto assets
custodian and its functional components . . . . . . . . . 4
5.3. The flow leading to the sending of the transaction . . . 6
5.4. Types of keys that are used for signature and encryption 6
5.4.1. Type of keys . . . . . . . . . . . . . . . . . . . . 6
5.4.2. Flow for the key generation and the key usage . . . . 7
5.4.3. On the usage of multiple keys . . . . . . . . . . . . 8
5.4.4. On the suspension of keys . . . . . . . . . . . . . . 8
5.5. On the characteristics of crypto assets on Blockchain and
distributed ledger technologies . . . . . . . . . . . . . 8
5.5.1. The importance of the private key used for signing . 8
5.5.2. Diversity of implementations . . . . . . . . . . . . 8
5.5.3. On the possibility of the forking of the Blockchain . 8
5.5.4. Risk on the unapproved transactions . . . . . . . . . 8
6. Basic objectives for the security management of crypto assets
custodians . . . . . . . . . . . . . . . . . . . . . . . . . 9
7. Approaches to basic security controls . . . . . . . . . . . . 9
8. Risks of Crypto Assets Custodian . . . . . . . . . . . . . . 11
8.1. About this section . . . . . . . . . . . . . . . . . . . 11
8.2. Risks related to the system of the crypto assets
custodian . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2.1. Risks related to signing keys . . . . . . . . . . . . 12
8.2.2. Risks related to asset data . . . . . . . . . . . . . 18
8.2.3. Risks related to suspension of systems and operations 18
8.3. Risks from external factors . . . . . . . . . . . . . . . 20
8.3.1. Risks related to the Internet infrastructure and
authentication infrastructure . . . . . . . . . . . . 20
8.3.2. Troubles due to block chains of crypto assets . . . . 20
8.3.3. Risks arising from external reputation databases . . 21
8.4. Financial Crime Risks . . . . . . . . . . . . . . . . . . 22
8.4.1. Risk of being abused in criminal acts . . . . . . . . 22
8.4.2. Anti Money Laundering . . . . . . . . . . . . . . . . 22
8.4.3. Counter Financing of Terrorism . . . . . . . . . . . 22
9. Consideration on security controls at crypto assets custodian 22
9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 22
9.2. Consideration on security controls . . . . . . . . . . . 22
9.2.1. Security controls on signing keys . . . . . . . . . . 23
9.2.2. Security controls at crypto assets custodian . . . . 26
9.3. Countermeasures against risks caused by blockchain and
Sato, et al. Expires January 26, 2019 [Page 2]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
network environment . . . . . . . . . . . . . . . . . . . 27
9.4. Risk mitigation against crimes . . . . . . . . . . . . . 27
10. Remaining issues . . . . . . . . . . . . . . . . . . . . . . 27
11. Security Considerations . . . . . . . . . . . . . . . . . . . 27
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
13.1. Normative References . . . . . . . . . . . . . . . . . . 27
13.2. Informative References . . . . . . . . . . . . . . . . . 27
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction
This document gives guidance as to what security measure should the
crypto assets custodians consider and implement to protect the asset
of its customers. The management of the secret key for the crypto
assets especially has different aspects than other types of
information systems and requires special attention.
This document reports especially on the appropriate management of the
secret key by the crypto assets custodians to avoid the unintended
transactions for its customers.
2. Scope of this document
This document discusses the threat, risk, and controls on the
followings:
o Online system of crypto assets custodian that provides the
custodian service to its customer (consumers and trade partners);
o Assets information (including the private key of the crypto
assets) that the online system of a crypto assets custodian
manages;
o Social impact that can arise from the discrepancy in the security
measures that are implemented in the online system of a crypto
assets custodian.
This document is applicable to the crypto assets custodians that
manages the private key that corresponds to the crypto assets. It
includes the organizations that outsources the key management to
another organization. In such a case, the certain recommendations
applies to those outsourcers.
Sato, et al. Expires January 26, 2019 [Page 3]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
4. Terminology
Terms used in this document are defined in
[I-D.nakajima-crypto-asset-terminology]
5. Basic description of a model online system of a crypto assets
custodian
5.1. General
In this section, a model online system of a crypto assets custodian
that is used to explain the concepts and provisions in this document
are explained.
5.2. A basic model of online system of a crypto assets custodian and
its functional components
Followings are the basic model of a crypto assets custodian that this
document deals with.
https://raw.githubusercontent.com/VCGTF/draft-crypto-assets-security-considerations/master/CryptoAssetCustodiansSystemModeling.svg
Figure 1: Basic Model of Crypto Assets Custodian
Figure 1 Basic Model of Crypto Assets Custodian
o Customer Interface
Provides screen and input functions such as login process, account
management (deposit/withdrawal instruction etc.) and trade
instruction for the customers(users). Web application, API, etc.
o Customer Authentication Function
Performs user authentication process for login to the crypto
assets custodians.
o Customer Credential Database
Manages required IDs for login and verification information
related to user authentication process (f.g password verification
info.).
Sato, et al. Expires January 26, 2019 [Page 4]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
o Customer Assets Management Function
A group of functions to manage customer accounts. Receive
instructions for deposit or withdrawal (outgoing coins) and
perform processing according to the user instructions. Refer or
update asset data.
o Blockchain Node
Connects to another blockchain nodes to retrieve blockchain data.
o Incoming transaction management Function
Checks transaction stored in blockchain and confirm whether
incoming coins are involved in the specified addresses.
o Order processing function
A group of functions that receives sales instructions from
customers and performs processing related to trading of crypto
assets. Refers and updates asset data based on asset data.
o Assets Database
Manages holdings of fiat currencies and crypto assets. It does
not include the private keys for signing transactions. Managed
separately from the assets of the custodian for each customer.
o Transaction Singing Function
* Transaction Generator
Generates transactions to be sent to the blockchain based on
instructions from the customer asset management system or the
exchange management system.
* Transaction Broadcaster
Sends the signed transaction to the blockchain. Connects to
nodes of the another nodes on the blockchain.
* Transaction Signing Function
Generates digital signatures based on the instructed
transaction contents and the private signature key (with IDs
and addresses).
* Address Management
Manages public keys with related to the private signature keys,
or addresses (such as values calculated from the public keys).
* Private Signature Key Management Function
Manages the signing keys of the crypto assets (the keys used
for the transaction signing). Sometimes it is separated into
the cold-wallet as security sountermeasure. "Signature key
generator" creates signature keys. The generated keys are
Sato, et al. Expires January 26, 2019 [Page 5]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
registered in the signature key management unit, and the public
keys and addresses are registered in the address management
units.
o Exchange Operation Modules
A group of functions for custodians' administrators. Based on
operations from administrators, instructs generation of generating
new signature keys or transfer crypto assets.
o Operator Authentication Function
Authenticates the administrator users.
o Operator Audit Database
Manages verification data related to the authentication processes
of the administrators.
We defined each functional element to distinguish functions
logically, and do not show the actual arrangement on the actual
system. For example, in our actual system, address management unit
may be managed by an integrated database. Also, there are
implementations with multiple functions packaged together. For
example, each functional element of the transaction signature system
may be integrated with the customer property management system, or
the transaction signature system may be operating as another system.
When using existing implementations such as bitcoin wallet, bitcoin
wallet is thought to provide the functions of transaction signature
system as just one implementation as a whole. It is also conceivable
that some functions are provided by a remote subcontractor as in a
form in which the function of the transaction signature system is
provided by an remote server.
5.3. The flow leading to the sending of the transaction
5.4. Types of keys that are used for signature and encryption
5.4.1. Type of keys
Sato, et al. Expires January 26, 2019 [Page 6]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
+-----------------------+-------------------------------------------+
| Types | Description |
+-----------------------+-------------------------------------------+
| Signature Key | A private key for signing transactions |
| | (asymmetric key cryptography) |
| | |
| Verification Key | A public key for verification of |
| | transactions (asymmetric key cryptography |
| | Recipient address of transactions are |
| | unique value calculated from verification |
| | key |
| | |
| Encryption/decryption | Secret key to keep confidentiality of |
| key for signature key | signature key (symmetric key |
| | cryptography) |
| | |
| Master Seed | A seed to generate a signature key in |
| | decisional wallet |
+-----------------------+-------------------------------------------+
5.4.2. Flow for the key generation and the key usage
https://raw.githubusercontent.com/VCGTF/draft-crypto-assets-security-considerations/master/SignaureKeyLifeCycle.svg
Figure 2: Lifecycle of signature key, verification key and
encryption/decryption key for signature key
After a pair of a signature key and a verification key (hereafter
"key pair") is generated, an address to receive transactions is
generated from the verification key. By notifying a sender of crypto
assets this address, the sender is able to transfer the asset to the
address. When the recipient transfers the asset to the other
address, the original recipient signs the transaction data which
includes the transfer order. Inactive state of the signature key is
the state such that the signature key is stored in confidential
manner in the signature key management function of Figure 1. An
example of inactivation is encryption by encryption/decryption key
(e.g. pass phrase), that is, the signature key is encrypted. In
contrary, activation is the process to make the key usable to sign,
by decrypting the inactivated key. The activation is assumed to be
executed in transaction signing function if Figure 1. Activation and
inactivation may be executed in an implementation of wallet, when the
wallet have both functions. The signature key is not needed after
its generation until execution of signing to transaction. Thus,
there is a way to manage the signature key in offline manner with
storing the verification key and address online (see Section 9.2.2).
Sato, et al. Expires January 26, 2019 [Page 7]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
5.4.3. On the usage of multiple keys
In some crypto assets system, it is recommended not to use the same
key pair twice, thus it produces multiple key pairs. This feature is
for preventing trace and not relevant to the business efficiency of a
crypto assets custodian. However, a crypto assets custodian should
manage addresses for each customer. Thus it should manage multiple
key pairs for the same crypto assets.
5.4.4. On the suspension of keys
Suspension of key usage is only an operation inside a crypto assets
custodian. By definition of blockchain based crypto assets system,
any user cannot cancel transaction once it is made. As another case,
it is difficult to revoke signature key even after the suspension of
key. For example, a customer accidentally operate some crypto assets
for suspended address. In such case, the suspended signature key is
needed to make an reimbursement. Thus, suspension of keys should be
conducted with considering such cases.
5.5. On the characteristics of crypto assets on Blockchain and
distributed ledger technologies
In this sub-clause, following items will described as characteristics
of crypto assets over blockchain and distributed ledger technology in
preparation for Section 8 and Section 9.
5.5.1. The importance of the private key used for signing
5.5.2. Diversity of implementations
5.5.2.1. On the cryptographic algorithms used by crypto assets
5.5.3. On the possibility of the forking of the Blockchain
5.5.3.1. Rollback by reorganization
5.5.3.2. The treatment of the forked crypto assets
5.5.4. Risk on the unapproved transactions
5.5.4.1. General
5.5.4.2. The handling of the unapproved transactions
Sato, et al. Expires January 26, 2019 [Page 8]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
5.5.4.3. Transaction failures caused by the vulnerabilities of the
implementation or the specification of the crypto assets
6. Basic objectives for the security management of crypto assets
custodians
At crypto assets custodians, it is mandatory to establish, conduct,
maintain and continuously improve security management. As
requirements in term os security management, items described in
[ISO.27001:2013] are sufficiently considered according to the
business process of each crypto assets custodian. Especially,
following items should be carefully considered, because a crypto
assets custodian retains customer's asset and should deal with issues
specific to crypto assets.
o On stakeholders (Related to [ISO.27001:2013] Clause 4)
It is needed to consider protection of customer's assets, as well as
division of responsibility with outsourcers including security of
private key management for crypto asset, and mattes by which a crypto
assets custodian may give social impacts like money laundering.
o On security policy (Related to [ISO.27001:2013] Clause 5)
A crypto assets custodian should define a security policy which
includes security objectives and controls described in and after
clause 7. Especially, it is recommended to disclose the security
policy on the management of crypto assets to customers to facilitate
self evaluation.
o Continuous risk evaluation and improvement (Related to
[ISO.27002:2013] Clause 6, 8, 9 and 10)
A crypto assets custodian should watch security risks of crypto
assets in addition to aligning the general security management
framework, because the risks change and increase due to rapid
development of related technology as described in clause 5.3.2. It
is especially important to continuously evaluate risk and improve
security objectives, policy and controls to keep effectiveness of
security controls after starting their operations.
7. Approaches to basic security controls
A crypto assets custodian should decide security objectives and
controls with considering all of following viewpoints.
o Countermeasure to threat as lost, theft, leak and abuse of
customer's assets data and private key for crypto assets
Sato, et al. Expires January 26, 2019 [Page 9]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
o Requirements for actual business
o Compliance to laws and rules
o Social responsibilities to prevent crimes in use of crypto assets
like scam and money laundering
The crypto assets custodian conducts threat analysis, vulnerability
evaluation, risk evaluation and defining security objectives and
controls according to its actual business and system. Security
objectives and controls should be decided with considering threats
and risks specific to crypto assets described in clause 5, as well as
general security objectives and controls described in
[ISO.27002:2013].
Followings are items of security objectives and controls described in
[ISO.27002:2013].
o Information Security Policies
o Organization of information security
o Human resource security
o Assets management
o Access control
o Cryptography
o Physical and environmental security
o Operations security
o Communications security
o System acquisition, development and maintenance
o Supplier relationships
o Information security incident management
o Information security aspects of business continuity management
o Compliance
Consideration of above items is mandatory. Next close describes
specific items to be considered by a crypto assets custodian.
Sato, et al. Expires January 26, 2019 [Page 10]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
8. Risks of Crypto Assets Custodian
8.1. About this section
The main risks to be noted as a crypto assets custodian office are
roughly classified into those related to the system of the crypto
assets custodian office, those caused by external factors such as a
block chain outside the control of the crypto assets custodian
office, and risks leading to abuse such as criminal acts Enumerate.
Risks related to the system of the crypto assets custodians are
organized in terms of threats and factors, actors that pose a threat.
Organize in terms of possible incidents in risks caused by external
factors such as block chains and risks of misuse. There may also be
risks inherent in systems and operations that are different for each
operator. Each business operator needs to identify the risks to be
dealt with while taking into consideration the risks shown in this
section, taking into consideration different systems and operations
for each business operator. After that, it is desirable to determine
the priority of the control measures by evaluating the impact each
risk can have on the business.
8.2. Risks related to the system of the crypto assets custodian
Here are the typical risks to the information assets held by the
system of the crypto assets custodian. In the basic model of
Section 5.2, pay attention to the signing secret key and the asset
data as an information asset which is particularly important from the
viewpoint of protecting customer assets. If the signing secret key
and the surrounding environment are not secure, it is also possible
for a malicious person to create an illegal transaction and send it
to the node in the block chain. Once an illegal transaction is sent
to the node and written to the block chain it is nearly impossible to
cancel the transaction. Therefore, prior measures to prevent illegal
transactions being created are particularly important. It is
necessary to carefully evaluate the risks related to management of
signing secret keys and illegal transaction creation and to consider
appropriate safety measures. In addition, it is necessary to
consider the loss of the signing secret key. When the signing secret
key is lost, it becomes impossible to use the Crypto Assets stored in
the address corresponding to the signing private key. As for the
risk concerning the signing secret key, consider the secret key for
signature and the environment surrounding it based on the basic model
in Section 5.2 in Section 8.2.1. As for the asset data, since the
contents of data, data format, management form, and details of
processing vary from custodians to custodians, this document
considers the model more abstracted. Common contents of asset data
to be protected include the total amount of Crypto Assets and legal
currency deposited by the customer at the custodians, the amount of
Sato, et al. Expires January 26, 2019 [Page 11]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
Crypto Assets and legal currency held by the custodians, customer
account number and Crypto Assets An address and so on are
conceivable. If such asset data is illegally rewritten by a
malicious one, it will also cause damage to customers and impede the
work of the custodians. The asset data is discussed in
Section 8.2.2. In addition to protecting important information such
as transaction signature private key and asset data, it is also
necessary to consider risks such as system outage so that customers
can smoothly control their own assets. Risks related to system
outages are discussed in Section 8.2.3. In addition to the
information and risks mentioned in this section, there are risks
inherent to each system of the crypto assets custodian and risks in
cooperation with external business operators. It is necessary to
conduct a detailed risk assessment on the actual system of the crypto
assets custodian.
8.2.1. Risks related to signing keys
In the crypto assets custodian, the role and risk of the signing key
are extremely large. This is not only to enable the transfer of
coins but also to disappear due to the anonymity of the Crypto Asset,
the property that it is impossible to revocation the signing key
against leakage / theft or roll back the transaction by. In this
section, we show the risk of fraudulent use that could lead to the
loss of the signing key, leakage / theft, and damage of value. It
also shows supply chain risk etc. when introducing Wallet related to
signature key.
8.2.1.1. Risk analysis of signing secret key
Risk analysis differs depending on the assumed threats, system
configuration, threat modeling, and so on. In this section, we show
a case study based on the following assumption as an example. Here,
the threat concerning the signature secret key and the factors that
can cause the threat are assumed as follows. In addition, we assumed
the following as the actor giving input to the signing secret key
based on Figure 1 in Section 5.
o Threats:
* lost
* leakage, theft
* fraudulent use
o Factors of Threats:
Sato, et al. Expires January 26, 2019 [Page 12]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
* mis-operations
* Legitimate users' malice
* Spoofing
* Intrusions from outside
* Unintended behaviors of implementations
o Actors:
* exchange operation modules
* Transaction Signing modules
* customer asset management function implementation
* incoming coin management function implementation
Factors of threats are organized as follows.
Mis-operation: An act that an authorized user (including an
administrator) of the system accidentally operated by mistake. For
example, it is incorrectly supposed that an operation to coin 100,000
yen is incorrectly dispatched for 1 million yen.
Legitimate users' malice: Acts performed by a legitimate user of the
system (including administrator etc) with malicious intent. For
example, theft or unauthorized use of the signature private key due
to internal fraud. In this case, it is the purpose of identifying
acts that can be factors, and the purpose and incentive of the act
are not limited here.
Spoofing: An act other than an authorized user of the system
impersonating a legitimate user (more accurately impersonating some
kind of operation). For example, an internal burglar without
administrator privilege accesses the system with administrator
authority.
Intrusions from outside: an act of an outsider accessing the system
maliciously in a manner other than spoofing. For example, by using
malicious intrusion from the outside by exploiting the system's
vulnerability, incorporating malware into the exchanging system via
targeted e-mail to the custodians administrator or the like and
generating a private signature private key (or transaction creation)
from the outside, Allow remote control of etc.
Sato, et al. Expires January 26, 2019 [Page 13]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
Unintended behaviors of implementations: The system behaves
unexpectedly by the designer or operator irrespective of the
intention or malice of the operation. For example, a signature
private key leaks due to a bug in the exchange management system.
Of these threat factors, theft and fraudulent use are regarded as
threats that can only be caused by explicit malicious factors. As a
result, the possible risks for signing key to be assumed are the
following:
1. Threat by lost - Risk of Unauthorized operation (with legitimate
path)
* End-user's malice
* Operator's malice in Custodian
* Spoofing to end users
* internal frauds (spoofing to operators) - Risk of Intrusion
from the outside
* Intrusion into the transaction signing modules
* Intrusion into the incoming coin management function
(implementation)
* Intrusion into the customer asset management function
(implementation)
* Intrusion into the exchange operation modules - Risk of System
Behaviors different from human operation
* Unintended behaviors of the transaction signing modules
* Unintended behaviors of the incoming coin management function
(implementation)
* Unintended behaviors of the customer asset management function
(implementation)
* Unintended behaviors of the exchange operation modules - Risk
of mis-operation (by human error)
* Mis-operation of end user
* Mis-operation of operator
Sato, et al. Expires January 26, 2019 [Page 14]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
2. Threat by leakage - Risk of Unauthorized operation (with
legitimate path)
* End-user's malice
* Operator's malice in Custodian
* Spoofing to end users
* internal frauds (spoofing to operators) - Risk of Intrusion
from the outside
* Intrusion into the transaction signing modules
* Intrusion into the incoming coin management function
(implementation)
* Intrusion into the customer asset management function
(implementation)
* Intrusion into the exchange operation modules - Risk of System
Behaviors different from human operation
* Unintended behaviors of the transaction signing modules
* Unintended behaviors of the incoming coin management function
(implementation)
* Unintended behaviors of the customer asset management function
(implementation)
* Unintended behaviors of the exchange operation modules - Risk
of mis-operation (by human error)
* Mis-operation of end user
* Mis-operation of operator
3. Threat by theft - Risk of Unauthorized operation (with legitimate
path)
* End-user's malice
* Operator's malice in Custodian
* Spoofing to end users
Sato, et al. Expires January 26, 2019 [Page 15]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
* internal frauds (spoofing to operators) - Risk of Intrusion
from the outside
* Intrusion into the transaction signing modules
* Intrusion into the incoming coin management function
(implementation)
* Intrusion into the customer asset management function
(implementation)
* Intrusion into the exchange operation modules
4. Threat by fraudulent use - Risk of Unauthorized operation (with
legitimate path)
* End-user's malice
* Operator's malice in Custodian
* Spoofing to end users
* internal frauds (spoofing to operators) - Risk of Intrusion
from the outside
* Intrusion into the transaction signing modules
* Intrusion into the incoming coin management function
(implementation)
* Intrusion into the customer asset management function
(implementation)
* Intrusion into the exchange operation modules
The following sections outline each risk, and their security controls
are shown in Section 9.2.2.
8.2.1.2. Risk of loss of signing secret key
The disappearance risk shown in Table 8-2 is an enumeration of events
having a possibility of causing disappearance, paying attention to
the input (operation instruction) to the signature secret key. As a
typical risk, loss of the secret key for signature due to erroneous
operation by the administrator may be considered.
Sato, et al. Expires January 26, 2019 [Page 16]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
8.2.1.3. Leakage / theft risk of signing private key
Intentional operation by malicious intention is essential, but
leakage can be caused by negligence without malice. For this reason,
leakage risk and theft risk need to be sorted out.
The leakage risk shown in Table 8-2 lists events that have the
possibility of causing leakage including negligence, paying attention
to the input (operation instruction) to the signing secret key.
Typically, an internal criminal, leakage risk due to unintentional
behavior, illegal invasion, etc. can be considered. Likewise, the
theft risk enumerates events that have the possibility of being woken
up by some sort of malicious intention, paying attention to the input
(operation instruction) to the signature secret key. Typically,
there is a risk of leakage from internal criminals or unauthorized
intrusion from the outside.
Both leaks and theft are similar in terms of leakage of sensitive
information to the outside, and the control measures are common.
This will be described later in Section 9.3.2.
8.2.1.4. Risk of unauthorized use of signing private key
The fraudulent use risk shown in Table 8-2 is an enumeration of
events having a possibility of being caused by something with a
malicious intention, paying attention to the input (operation
instruction) to the signature secret key. Typically, there is a risk
of illegal use due to illegal invasion or impersonation from the
outside.
8.2.1.5. Other related risks
Supply chain risk of hardware wallet As a product having a secret key
management function, there is a so-called hardware wallet. Many
hardware wallets connect to the management terminal such as PC via
USB and perform key management operation from the management
terminal. FIPS 140-2, etc. as a security certification of products
with key management function, etc. However, since most of
cryptographic algorithms handled by Crypto Assets are not subject to
certification, the security of hardware wallet for Crypto Assets
Unfortunately it is inevitable that the third-party accreditation
system on insurance is inadequate. For this reason, while there are
products with sufficient safety in the hardware wallet that generally
available, it is necessary to recognize that there are products with
insufficient safety. Furthermore, even with products with certain
safety, safety may be impaired by being crafted on the distribution
route. For example, a hardware wallet that is loaded with malware in
the middle of a sales channel, even if the purchaser newly generates
Sato, et al. Expires January 26, 2019 [Page 17]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
a signing secret key in the hardware wallet, the attacker can use the
signature secret It becomes possible to restore the key.
8.2.2. Risks related to asset data
The asset data is data for managing assets such as Crypto Assets and
statutory currency held by customers and custodians. The secret key
of the transaction signature shall not be included (see Section 5.2).
As mentioned above, since asset data varies from custodians to
custodians, we consider this as a more abstracted model in this
document. Since detailed threat analysis and risk assessment need to
be performed on the asset data handled by the actual custodian
system, only the way of thinking is shown here. The main threats of
asset data may be illegal rewriting, loss, or leakage. The factors
include mis-operation by the manager, malice of the righteous person,
spoofing the legitimate person, malicious intent of the outsider,
unintended behavior of the system. In the example of the basic model
in Section 5.2, there is a route from the exchange management system,
the customer property management system, and the incoming coin
determination unit. Among the threats of asset data, the following
examples are considered as incidents due to illegal rewriting. A
customer asset management system referring to unauthorized asset data
may create an illegal transaction and flow through the normal process
to the block chain (Section 8.2.1.4). For example, it is possible to
rewrite the holding amount recorded in the asset data, change the
Crypto Assets transfer destination address, or the like. For
example, by rewriting the list of addresses associated with the
customer, illegal recombination of the amount held between customers
or between customers and custodians within the asset data within the
custodian will be made. As a transaction in the block chain the
result is not reflected, assets that a customer or custodian should
have had is lost. Risks related to asset data can be thought of as a
problem similar to general financial and settlement systems, but
transactions can be canceled if transactions are written to the block
chain as a result of fraud against asset data It is necessary to
consider it on the premise that there is no property.
8.2.3. Risks related to suspension of systems and operations
The system of the crypto assets custodian office is software,
hardware, network, and the like constituting the crypto assets
custodian. In addition, the term "operation" refers to an operation
performed manually, such as operation monitoring of a switching
center system, account opening, remittance instruction, wallet
deposit / withdrawal. It is conceivable that the system and work may
be stopped due to various factors. Risks related to suspension of
systems and operations can be regarded as problems similar to general
financial and payment systems. However, the fact that the crypto
Sato, et al. Expires January 26, 2019 [Page 18]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
assets custodian office is connected to the Internet all the time,
not the dedicated communication network at all times, that it is
operating 24 hours a day, 365 days, that many crypto assets
custodians are built on the public cloud infrastructure, crypto
assets custodian It is necessary to consider it based on the fact
that the operating situation of the place has a large effect on the
crypto assets price and it tends to be an object of attack.
8.2.3.1. Risks related to network congestion
Crypto assets custodians frequently receive denial of service
attacks. As a target of a denial-of-service attack, publicly-
released top page, API endpoint, etc. are common, but when an
attacker knows the system configuration and a business system or
operation monitoring system is placed on the Internet, A case of
receiving a denial of service attack may be considered.
8.2.3.2. Risk of system outage
It is conceivable that the data center, the cloud infrastructure,
etc. where the system is installed are stopped, and the system and
operations are stopped. The system can be stopped due to various
factors such as power outage due to natural disasters and disruption
of communication, large scale failure due to mistake by cloud
infrastructure operator, large scale system failure due to mistake of
infrastructure operation, failure of software release.
8.2.3.3. Risks related to Operator
Even if the system itself is in operation, if operations monitoring
and tasks of personnel responsible for the operation are hindered,
the work will be suspended. For example, regular inspections of
power facilities at operation bases, disruption of transportation
means due to catastrophic changes and strikes, protest activities and
rush of press reporters may hinder the entrance and exit of buildings
and halt operations. In addition, when personnel are using the same
transportation method or participating in the same event, there is a
risk that many personnel can not operate due to the same accident
such as traffic accident or food poisoning.
8.2.3.4. Regulatory risks
In countries where the crypto assets custodian office is stipulated,
licensing system or registration system, business may be suspended
due to business improvement order, business suspension order,
deletion of registration etc etc.
Sato, et al. Expires January 26, 2019 [Page 19]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
8.3. Risks from external factors
Even if the systems and operations of the crypto assets custodian are
appropriately operated, if the blockchain / network in which the
crypto assets operates and the Internet infrastructure supporting the
connection between the nodes are attacked, On the other hand, the
service cannot be continued or the transaction can not be handled
properly.
8.3.1. Risks related to the Internet infrastructure and authentication
infrastructure
8.3.1.1. Internet routing and name resolution attacks
An attacker interferes with routing of the Internet such as route
hijacking and domain name resolution (Domain Name Service), hindering
the reachability to the custodians and guiding it to a fake custodian
office or block chain It is possible to intentionally cause a branch
by hindering synchronization. This method can be considered not only
by malicious attackers but also by ISP etc. based on instructions
from the government.
8.3.1.2. Attacks on Web PKI
Many crypto assets custodian offices provide services on the Web, and
TLS and server certificates are used for user authenticity
verification and encryption of sites. When a certificate authority
issuing a server certificate is attacked, it may be possible to
impersonate the site, or if the server certificate is revoked, the
service cannot be provided.
8.3.1.3. Attack on Messaging
By intervening with an e-mail or other messaging system, an attacker
can fraud and block SMS / MMS of e-mails and mobile phones used for
interaction with users and delivery of one-time passwords. When a
user's message is fraudulent, it is possible to log in as a user and
reset the password.
8.3.2. Troubles due to block chains of crypto assets
8.3.2.1. Crypto assets blockchain fork, split
8.3.2.2. Re-org of Blockchain by 51% attack and selfish mining
Sato, et al. Expires January 26, 2019 [Page 20]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
8.3.2.3. Compromise of hash function and cryptographic algorithm
8.3.2.4. Inadequate consensus algorithm
By misusing a bug in the agreement algorithm, fake transaction
information is sent to a specific node and disguised as to whether or
not to send money to the counter party. For example, in the case of
the MtGOX case in 2014, double payment attacks abusing Transaction
Malleability occurred frequently in piggybacking.
8.3.3. Risks arising from external reputation databases
8.3.3.1. Establishment of Bank Account Elimination and Freezing
As a part of AML / CFT, there are cases where banks refuse to open
accounts related to the work of the crypto assets custodian office,
the risk that the bank accounts will be frozen, such as receiving
guidance from the regulatory authorities or accident is there. In
the event that the account is frozen, the business of depositing and
withdrawing a legal currency with the user as a crypto assets
custodian office is stopped.
8.3.3.2. Crypto assets address
As a part of AML/CFT, when another crypto assets custodian trader
remittles to another crypto assets address, there are cases where it
is checked whether the remittance destination address does not
correspond to a high risk transaction. In the case where the address
of the hot wallet of the custodian office is registered as a
problematic address, it is assumed that the custodian of the crypto
assets with such a service can not be performed smoothly. Since it
is common in many cases that criminal remit crypto assets stolen for
disturbance to a known address, there is a risk that the address of
the hot wallet of the crypto assets custodian office will be
classified as a high risk customer by mistake.
8.3.3.3. Filtering and blocking for Web sites
There is a risk that the URL of the crypto assets custodian office is
filtered by the network or blocked by the ISP so that the user can
not access it. Also, if it is recognized as a malware distribution
site or the like, there is a risk that it will not be displayed as a
search result or it will be impossible to browse from the browser.
Sato, et al. Expires January 26, 2019 [Page 21]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
8.3.3.4. Email
As a measure against spam mails, most of mail servers provide mail
rejection based on reputation and classification function of spam
mails. If the e-mail delivered by the custodian is judged as spam,
it may be impossible to contact the user.
8.3.3.5. Appraisal of a smartphone application
Depending on the platform, there are cases where handling of crypto
assets by the application is restricted. If the examination of the
smartphone application is dropped, the user may not be able to
download the smartphone application for accessing the custodian and
may be unable to use the service.
8.4. Financial Crime Risks
8.4.1. Risk of being abused in criminal acts
8.4.1.1. Identity Theft
8.4.1.2. Scams
8.4.1.3. Ransom
8.4.1.4. Utilization for transactions in the dark market
8.4.2. Anti Money Laundering
8.4.3. Counter Financing of Terrorism
9. Consideration on security controls at crypto assets custodian
9.1. General
In this clause, considerations from the ISMS viewpoint in
implementing security controls to crypto assets custodians for risks
described in clause 8 are described. They included issues caused by
specific characteristics to crypto assets. This clause also
describes relationship to [ISO.27001:2013] and [ISO.27002:2013] for
each consideration.
9.2. Consideration on security controls
### Direction of the information security management
Objectives of security management at a crypto assets custodian
contain secure protection of customer's asset, compliance to business
Sato, et al. Expires January 26, 2019 [Page 22]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
requirements, laws and rules, and realization of social
responsibility. Security policies and execution statements derived
from such objectives are recommended to be publicly available for
consumers, business partners, auditor and regulators to help their
judge.
9.2.1. Security controls on signing keys
9.2.1.1. Basics of key management
In general, followings are required in management of private
cryptographic keys.
o They should be Isolated from other informational assets. Rigorous
access control is mandatory.
o Limit the number of access to private keys as minimum as possible.
o Be prepared for unintentional lost of private keys.
Followings are three basic security control to realize above.
Additional security controls specific to crypto assets custodians are
described in and after sub-clause Section 9.2.2.
1. State management of private keys
As described in Figure 2, a private key has one of multiple
states, and it may be active or inactive state in its operation.
The private key should be in active state when it is used for
signing or decryption. It is recommended to enforce to input
some secret information to activate an inactive private key.
This makes keep the inactive private key away from abuse, if the
adversary does not have the secret information. This method
ensure security of the private key against leakage and lost.
It is also recommended to minimize the term of activation to
limit the risk of abuse as minimum as possible. Unnecessary
activation of secret key increases the risk of abuse, leakage and
theft, though keeping the activation state is efficient from
business viewpoint. On the other hand, frequent activation/
inactivation may give impact to business efficiency. It is
important to consider the trade-off between the risk and business
efficiency and provide clear key management policy to customers.
2. Administrator role separation and mutual check-and-balance
It is fundamental form of operation of a critical business
process which uses private key to perform cryptographic
operations by multiple party to prevent internal frauds and
errors. For example, by setting isolated rights on digitally
signing and approval to go into the area of signing operation, it
Sato, et al. Expires January 26, 2019 [Page 23]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
becomes difficult for single adversary to give an malicious
digital signature without known by the third party.
Additionally, the enforcement of attendance of other person is
effective security control to internal frauds and mis-operations.
3. Backup of private key
Lost of private key makes signing operations by using the key
impossible any more. Thus backup of private key is an important
security control. On the other hand, risks of leakage and theft
of backup keys should be considered. It is needed to inactivate
the backup key.
9.2.1.2. Backup
Backup is the most fundamental and effective measure against lost of
signing key. On the other hand, there are risks of leakage and lost
of backup device. These risks depend on the kind backup device, thus
security controls on such devices should be considered independently.
Followings describe typical backup devices and leakage/theft risks
associated with them.
o Cloning to tamper-resistant cryptographic key management device
If a signing key is managed by a tamper-resistant key management
device (device X) and X has cloning function, cloning the key to
another device Y is the most secure way to backup the key, where the
cloning function is the technique to copy the key with keeping
confidentiality to other devices than X and Y. The implementation of
the function is recommended to be evaluated/certified by
certification program like CMVP or FIPS 140. Note that, the
cryptographic algorithms supported by such tamper-resistant key
management devices are limited and all crypto assets systems can
utilize it, but it is one of the most secure way of backup.
o Backup to storage for digital data
Here, it is assumed to backup keys to storage like USB memory and
DVD. There are two types of operations; one is backup data is stored
in movable devices in offline manner, the other is backup data is
stored in online accessible manner. If the device is movable, the
possibility of steal and lost increases, thus the device should be
kept in a cabinet or a vault with key, and the access control to such
cabinet/vault should be restrict.
Of the backup storage is online, risks of leakage and theft should be
assumed as same as the key management function implementation inside
the crypto assets custodian. In general, the same security control
is recommended to such backup storage. If there is some additional
Sato, et al. Expires January 26, 2019 [Page 24]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
operation, for example the backup device is inactivated except for
the time of restore, the security control may be modified with
considering operation environment. When it is not avoided the raw
key data is be outside of the key management function implementation,
the custodian should deal with the problem of remained magnetics.
o Backup to paper
There is a way to backup keys in offline manner, to print them to
papers as a QR code or other machine readable ways. It is movable
than storage for digital data and easy to identify. There remains
some risk of leakage and theft by taking a photo by smartphone and so
on.
9.2.1.3. Offline management
There is a type of offline key management (as known as "cold wallet")
which isolates private keys from the system network to prevent
leakage and theft caused by intrusion.
In this case, some offline operation is needed to make the system use
the key. Examples are, keys are usually stored inside a vault and
connected to the system only when it is utilized, and USB memory is
used to data transportation between an online system and an offline
system. If there is not explicit approval process in the offline
operation for key usage, anyone cannot stop malicious transaction.
That is, this solution can prevent lost and theft, however, an
explicit approval process is needed to prevent abuse of keys.
9.2.1.4. Distributed management
It is also a good security control to distribute the right to use
private key to multiple entity. There are two examples; division of
secret key and multi-signature.
o Division of secret key  Division of the signing key to
multiple parts, then manage them by multiple isolated system is an
effective measure to protect the keys against leakage and theft.
This document does not recommend a specific technique, but
recommends to implement this control based on a certain level of
security evaluation like secret sharing scheme. In that case,
secure coding and mounting penetration test are needed to
eliminate the implementation vulnerabilities. This method is also
effective to backup devices.
o Multi-Signature
This is a signature scheme which requires multiple isolated
signing keys to sign a message. It is effective to protect each
Sato, et al. Expires January 26, 2019 [Page 25]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
key hold by an entity and signing mechanisms. There are many
different realization of multi-signature and they are different
according to specific crypto assets system. Thus, consideration
on preparing multiple implementations and their interoperation is
need when a crypto assets custodian operate multiple crypto
assets.
9.2.1.5. Other issues
In this sub-clause, following topics will be described.
o Security of wallet implementation
o Monitoring of private key access
o Log audit
9.2.2. Security controls at crypto assets custodian
Following security controls addition to kay management in sub clause
Section 9.2.2 will be described in this sub clause.
o Organization of information security
o Category and management of assets
o Access control
o Communications security
o Operations security
o Physical and environmental security
o System acquisition, development and maintenance
o Consideration in user authentication and providing API
o Flow control in transaction generation
Above controls are described with aligning to [ISO.27002:2013] and
considering security controls specific to crypto assets custodians.
The structure of this sub clause aligns the structure of
[ISO.27002:2013].
Sato, et al. Expires January 26, 2019 [Page 26]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
9.3. Countermeasures against risks caused by blockchain and network
environment
9.4. Risk mitigation against crimes
10. Remaining issues
11. Security Considerations
Security Considerations are included in main section of this
document.
12. IANA Considerations
None.
13. References
13.1. Normative References
[ISO.27001:2013]
International Organization for Standardization,
"Information technology -- Security techniques --
Information security management systems -- Requirements",
ISO/IEC 27001:2013, October 2013,
<https://www.iso.org/standard/54534.html>.
[ISO.27002:2013]
International Organization for Standardization,
"Information technology -- Security techniques -- Code of
practice for information security controls", ISO/
IEC 27002:2013, October 2013,
<https://www.iso.org/standard/54533.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
13.2. Informative References
Sato, et al. Expires January 26, 2019 [Page 27]
Internet-DraGeneral Security Considerations for Crypto Assets July 2018
[I-D.nakajima-crypto-asset-terminology]
Nakajima, H., Kusunoki, M., Hida, K., Suga, Y., and T.
Hayashi, "Terminology for Crypto Asset", draft-nakajima-
crypto-asset-terminology-00 (work in progress), July 2018.
Acknowledgements
Thanks to Masanori Kusunoki, Yasushi Matsumoto, Natsuhiko Sakimura,
Yuji Suga, Tatsuya Hayashi, Keiichi Hida and other members of the
Security Working Group of Virtual Currency Governance Task Force.
Authors' Addresses
Masashi Sato
SECOM Co., Ltd. Intelligent System Laboratory
SECOM SC Center
8-10-16 Shimorenjaku
Mitaka, Tokyo 181-8528
JAPAN
Email: satomasa756@gmail.com
Masaki Shimaoka
SECOM Co., Ltd. Intelligent System Laboratory
SECOM SC Center
8-10-16 Shimorenjaku
Mitaka, Tokyo 181-8528
JAPAN
Email: m-shimaoka@secom.co.jp
Hirotaka Nakajima (editor)
Mercari, Inc. R4D
Roppongi Hills Mori Tower 18F
6-10-1 Roppongi
Minato, Tokyo 106-6118
JAPAN
Email: nunnun@mercari.com
Sato, et al. Expires January 26, 2019 [Page 28]