Internet DRAFT - draft-vcgtf-crypto-assets-security-considerations
draft-vcgtf-crypto-assets-security-considerations
Network Working Group M. Sato
Internet-Draft M. Shimaoka
Intended status: Informational SECOM IS Lab.
Expires: 19 June 2021 H. Nakajima, Ed.
Mercari
16 December 2020
General Security Considerations for Cryptoassets Custodians
draft-vcgtf-crypto-assets-security-considerations-07
Abstract
This document discusses the technical and operational risks of
cryptoassets custodians and its security controls to avoid the
unintended transactions for its customers.
Discussion Venues
This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at
https://github.com/cgtf/draft-crypto-assets-security-considerations.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 June 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
Sato, et al. Expires 19 June 2021 [Page 1]
Internet-Draft General Security Considerations for Cryp December 2020
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Scope of this document . . . . . . . . . . . . . . . . . . . 4
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Basic description of a model system of a cryptoassets
custodian . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.2. A basic model of cryptoassets custodians system and its
functional components . . . . . . . . . . . . . . . . . . 5
5.3. The flow leading to the sending of the transaction . . . 7
5.4. Types of keys that are used for signature and
encryption . . . . . . . . . . . . . . . . . . . . . . . 8
5.4.1. Type of keys . . . . . . . . . . . . . . . . . . . . 8
5.4.2. Flow for the key generation and key usage . . . . . . 9
5.4.3. On the use of multiple keys . . . . . . . . . . . . . 10
5.4.4. On the suspension of keys . . . . . . . . . . . . . . 11
5.5. Characteristics of cryptoassets in blockchain and
distributed ledger . . . . . . . . . . . . . . . . . . . 11
5.5.1. About this section . . . . . . . . . . . . . . . . . 11
5.5.2. Importance of signature keys . . . . . . . . . . . . 11
5.5.3. Diversity of implementations . . . . . . . . . . . . 12
5.5.4. Possibility of blockchain forks . . . . . . . . . . . 12
5.5.5. Risks for Unauthorized Transactions . . . . . . . . . 13
6. Risks of cryptoassets custodian . . . . . . . . . . . . . . . 14
6.1. About this chapter . . . . . . . . . . . . . . . . . . . 15
6.2. Risks of cryptoassets custodian system . . . . . . . . . 15
6.2.1. Risks related to signature keys . . . . . . . . . . . 16
6.2.2. Risks related to assets data . . . . . . . . . . . . 22
6.2.3. Risks of suspension on system and operation . . . . . 23
6.3. Risks from external factors . . . . . . . . . . . . . . . 24
6.3.1. Risks related to the Internet, Web PKI, and users
environment . . . . . . . . . . . . . . . . . . . . . 24
6.3.2. Risks related to cryptocurrency blockchain . . . . . 25
6.3.3. Risks from external reputation . . . . . . . . . . . 26
7. Considerations of security controls on Cryptoassets
Custodians . . . . . . . . . . . . . . . . . . . . . . . 27
7.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 27
Sato, et al. Expires 19 June 2021 [Page 2]
Internet-Draft General Security Considerations for Cryp December 2020
7.2. Basis for consideration about security management . . . . 28
7.3. Considerations about security controls on Cryptoassets
custodians . . . . . . . . . . . . . . . . . . . . . . . 28
7.3.1. Information security policies . . . . . . . . . . . . 29
7.3.2. Organization of information security . . . . . . . . 29
7.3.3. Human resource security . . . . . . . . . . . . . . . 29
7.3.4. Asset management . . . . . . . . . . . . . . . . . . 29
7.3.5. Access control . . . . . . . . . . . . . . . . . . . 30
7.3.6. Security controls on signature keys . . . . . . . . . 32
7.3.7. Physical and environmental security . . . . . . . . . 37
7.3.8. Operations security . . . . . . . . . . . . . . . . . 38
7.3.9. Communications security . . . . . . . . . . . . . . . 40
7.3.10. Supplier relationships . . . . . . . . . . . . . . . 43
7.3.11. Information security incident management . . . . . . 43
7.3.12. Information security aspect of business continuity
management . . . . . . . . . . . . . . . . . . . . . 43
7.3.13. Compliance . . . . . . . . . . . . . . . . . . . . . 45
7.4. Other cryptoassets custodians system specific issues . . 45
7.4.1. Advance notice to user for maintenance . . . . . . . 45
8. Future work . . . . . . . . . . . . . . . . . . . . . . . . . 45
9. Security Considerations . . . . . . . . . . . . . . . . . . . 45
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 45
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
11.1. Normative References . . . . . . . . . . . . . . . . . . 46
11.2. Informative References . . . . . . . . . . . . . . . . . 46
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 47
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47
1. Introduction
This document gives guidance as to what security measure should the
cryptoassets custodians consider and implement to protect the asset
of its customers. The management of the signature key for
cryptoassets especially has different aspects than other types of
information systems and requires special attention.
This document reports especially on the appropriate management of the
signature key by the cryptoassets custodians to avoid the unintended
transactions for its customers.
The document organizes recommendations for considering security as a
purpose of protecting users' assets by operators of cryptoassets
custodians. Among the assets to be protected, in particular, the
signature key of the cryptoassets has a different characteristic from
the conventional information system and needs attention. Particular
emphasis is given to points that should be kept in mind for the
cryptoassets custodians to properly manage the signature key and to
prevent illegal transactions that the customer does not intend.
Sato, et al. Expires 19 June 2021 [Page 3]
Internet-Draft General Security Considerations for Cryp December 2020
The basic model of the cryptoassets custodians system covered in this
document is shown in Section 5. A system in a form different from
this basic model, for example, a system where an operator manages a
signature key provided by a user (e.g. online wallet), is handled in
another complementary document or later revision of this document.
2. Scope of this document
An operator covered by this document is a cryptoassets custodian that
manages the signature key used in the cryptoassets. Including the
case where the management of the signature key is entrusted to
another custodians operator. In that case, even for operators
entrusted with the management of signature key, a considerable part
of the recommendation indicated in this document is considered to
apply.
This document includes considerations on threats and risks for the
following subjects.
* A cryptoassets custodians system that provides cryptoassets
custodians work to customers (consumers and other exchanges)
* Assets information managed by the cryptoassets custodians system
(including the signature key of the cryptoassets)
* The social impact which can be exerted by imperfect security
measures of the cryptoassets custodians system
This document does not focus on the following items.
* Security measures for information systems used by daily operations
by custodians operators
* Security measures against blockchains that provide the mechanism
of cryptoassets and distributed ledger itself
* Operator's own management risk
* Specific requirements on separation of assets of customers and
custodians/exchanges
3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Sato, et al. Expires 19 June 2021 [Page 4]
Internet-Draft General Security Considerations for Cryp December 2020
4. Terminology
Terms used in this document are defined in
[I-D.nakajima-crypto-asset-terminology]
5. Basic description of a model system of a cryptoassets custodian
5.1. General
In this section, a model of a cryptoassets custodians system that is
used to explain the concepts and provisions in this document are
explained.
5.2. A basic model of cryptoassets custodians system and its functional
components
Followings are the basic model of a crypto assets custodian that this
document deals with. A basic model of cryptoassets custodians system
is shown on Figure 1.
(Artwork only available as svg: No external link available, see
draft-vcgtf-crypto-assets-security-considerations-07.html for
artwork.)
Figure 1: Basic Model of Cryptoassets Custodians system
* Interface (Web Application, APIs) Provides screen and input
functions such as login process, account management (deposit/
withdrawal instruction etc.) and trade instruction for the
customers(users). Web application, API, etc.
* Customer Authentication Function Performs user authentication
process for login to the cryptoassets custodians.
* Customer Credentials Manages required IDs for login and
verification information related to user authentication process
(e.g. password verification info.).
* Customer Assets Management Function A group of functions to manage
customer accounts. Receive instructions for deposit or withdrawal
(outgoing coins) and perform processing according to the user
instructions. Retrieve or update assets data.
* Blockchain Node Connects to another blockchain nodes to retrieve
blockchain data.
Sato, et al. Expires 19 June 2021 [Page 5]
Internet-Draft General Security Considerations for Cryp December 2020
* Incoming Coin management Function Checks transaction stored in
blockchain and confirm whether incoming coins are involved in the
specified addresses. Update an assets database according to the
transaction from blockchain.
* Order processing function A group of functions that receives
orders from customers and performs processing related to trading
of cryptoassets. Retrieves and updates assets data based on the
orders.
* Assets Database Manages holdings of fiat currencies and
cryptoassets. The database does not include the private keys for
transaction signature. Assets are managed separately from the
assets of the custodian for each customer.
* Transaction Singing Function
- Transaction Generator Generates transactions to be sent to the
blockchain based on instructions from the customer asset
management function or the custodians operation function.
- Transaction Broadcaster Broadcasts the signed transaction to
the blockchain. Connects to other nodes on the blockchain.
- Transaction Signing Function Generates digital signatures based
on the instructed transaction contents and the signature key
(or its IDs and its addresses).
- Address Management Manages public keys with related to the
signature keys, or addresses (such as values calculated from
the public keys).
- Signature Key Management Function Manages the signature keys of
the cryptoassets (keys used for signing the transaction).
Sometimes signature keys are separately stored into the cold-
wallet as security countermeasure.
- Signature key generator Generates signature keys. The
generated keys are registered in the signature key management
function, and the public keys and addresses are registered in
the address management function.
* Custodians Operation Modules A group of functions for custodians'
operators or administrators. Based on operations from
administrators, the module instructs generating new signature keys
or transferring cryptoassets.
* Operator Authentication Function Authenticates the administrators.
Sato, et al. Expires 19 June 2021 [Page 6]
Internet-Draft General Security Considerations for Cryp December 2020
* Operator Audit Database Manages auditing data related to the
authentication of the administrators.
We defined each functional element to distinguish functions
logically, and do not show the actual arrangement on the actual
system. For example, in our actual system, the address management
unit may be managed by an integrated database. Also, there are
implementations with multiple functions packaged together. For
example, each functional element of the transaction signature system
may be integrated with the customer property management system, or
the transaction signature system may be operating as another system.
When using existing implementations such as bitcoin wallet, bitcoin
wallet is thought to provide the functions of the transaction
signature system as just one implementation as a whole. It is also
conceivable that some functions are provided by a remote
subcontractor as in a form in which the function of the transaction
signature system is provided by a remote server.
5.3. The flow leading to the sending of the transaction
* Deposit Phase
1. Customers send fiat to custodian's bank account.
2. Custodians shall confirm to receive fiat, and shall update
assets database to reflect customer asset information.
* Input coin phase
1. Customer transfer cryptoassets to the address instructed by
custodians. The transfer shall be made by cryptoassets wallet
for the customer such as tools or services (other custodians
or Web wallet)
2. Custodians shall confirm cryptoassets has been transferred to
the address instructed and shall update the asset database to
reflect asset information of the customer.
* Trading phase
1. Customer access to interfaces to make instructions.
2. Instructions to transfer shall be processed by custodians
operations functions. The result of trade processed by
custodians operations functions shall be updated into the
asset database.
Sato, et al. Expires 19 June 2021 [Page 7]
Internet-Draft General Security Considerations for Cryp December 2020
* Instructions to output coins from customers
1. Customers access to interface and instruct it to transfer its
cryptoassets to other address. (Instruct to output coins)
2. Instructions to output coins shall be processed by customer
assets management functions. Transaction generator shall make
transaction messages based on instructions such as receive
address or amount of cryptoassets.
3. Transaction messages shall be added a digital signature by
transaction signing functions.
4. Transaction messages with a digital signature shall be
delivered to all nodes on blockchain by transaction
broadcaster.
* Instruction to transfer from Customer Assets Management Function
1. Administrator instructs to send cryptoassets to address
through the interface of Management Functions. For Example,
it may send between address managed inside custodians.
2. Instructions to transfer shall be processed on Management
Function, and shall be processed as described 2 to 4 on
"output coin". Transactions with digital signature shall be
delivered to all nodes on blockchain.
5.4. Types of keys that are used for signature and encryption
5.4.1. Type of keys
+===============+===============================================+
| Types | Description |
+===============+===============================================+
| Signature Key | A private key for signing transactions |
| | (asymmetric key cryptography) |
+---------------+-----------------------------------------------+
| Verification | A public key for verification of transactions |
| Key | (asymmetric key cryptography). Recipient |
| | address of transactions are the unique value |
| | calculated from verification key |
+---------------+-----------------------------------------------+
| Encryption/ | Secret key used to keep signature key |
| decryption | (symmetric key cryptography) confidential / |
| key for | protected |
| signature key | |
+---------------+-----------------------------------------------+
Sato, et al. Expires 19 June 2021 [Page 8]
Internet-Draft General Security Considerations for Cryp December 2020
| Master Seed | A seed, e.g. random number, to generate a |
| | signature key in deterministic wallet |
+---------------+-----------------------------------------------+
Table 1: Type of keys
5.4.2. Flow for the key generation and key usage
(Artwork only available as svg: No external link available, see
draft-vcgtf-crypto-assets-security-considerations-07.html for
artwork.)
Figure 2: Lifecycle of signature key, verification key and
encryption/ decryption key for signature key
After a pair of keys (signature & verification, hereafter "key pair")
is generated, an addressed to receive transaction is derived from the
verification key. By providing a sender of digital assets this
address, the sender is able to transfer one or more assets to this
address. When the recipient transfers the assets to another address,
the original recipient signs the transaction data which includes the
transfer order.
A signature key is considered to be in an inactive state when it is
stored in a confidential manner (ie. cannot be directly used to
sign), for example within the key management function in Figure 1.
An example of how to set a signature key in an inactive state is to
encrypt the signature key using an encryption key (ie. passphrase).
The opposite process of decrypting the signature key will return the
key inactive state. The activation of a key is assumed to be
executed within the transaction signing function in Figure 1.
Activation and deactivation of keys is part of the function set of
certain wallets.
The signature key is not needed after its generation until a
transaction has to be signed. Therefore this allows for the store
and manages signature keys offline while keeping the verification key
and addresses online (See: Section 7.3.6.2).
(Artwork only available as svg: No external link available, see
draft-vcgtf-crypto-assets-security-considerations-07.html for
artwork.)
Figure 3: Lifecycle of signature key, verification key and
encryption/ decryption key for signature key in case of
deterministic wallet
Sato, et al. Expires 19 June 2021 [Page 9]
Internet-Draft General Security Considerations for Cryp December 2020
The deterministic wallet is a mechanism that generates one master
seed and generates multiple signature key pairs from that master
seed. It is possible to regenerate each signature key pair from the
master seed by backing up the master seed and restoring it. On the
other hand, if the master seed is stolen, the crypto assets which are
managed by all signature key pairs (and addresses) derived from the
master seed may be stolen. Also, if the master seed is lost, all
signature key pairs will not be able to be regenerated.
As an extension of the deterministic wallet, there is a hierarchical
deterministic wallet (HD wallet). In the case of HD wallet, a master
key pair is created from the master seed, and child key pairs are
derived from the master key pair. Furthermore, descendant key pairs
can be derived from the child key pairs in a hierarchical manner.
Since the child key pair can be created from the parent key pair, it
is not necessary to access the master seed when generating the child
key pair. The implementation of hierarchical key pair generation
depends on the signature algorithm, and some currencies cannot be
realized in principle. Although this document refers mainly to the
management of the signature keys in the security control measures,
the master seed also needs security management equal to or higher
than the signature keys.
5.4.3. On the use of multiple keys
There are some cases to use cryptoassets where one user uses one
address, one user uses multiple addresses. The number of addresses
and pairs depends on the number of cryptassets and method of
management. For example, cryptoassets that can contain tags related
to the transaction such as Ripple and NEM, cryptoassets custodian may
distinguish customers by each tag if custodian uses one address. On
the other hand, cryptoassets that cannot contain any tags for
transactions, custodians have to make addresses for each customer, so
the number of addresses and key pairs would be increased. It is
considered to use multiple addresses and key pairs by risk evaluation
with not only a variety of cryptoassets (e.g., Bitcoin, Ethereum,
etc.) but also management by the hot wallet and cold wallet.
It is recommended not to reuse key pair for general. But it is
focussed for anonymous transactions by private use, so this is not
suitable for custodians from viewpoint of efficiency and
practicality. Cryptoassets custodians shall make effective controls
considered by risk evaluations and control objective.
Sato, et al. Expires 19 June 2021 [Page 10]
Internet-Draft General Security Considerations for Cryp December 2020
5.4.4. On the suspension of keys
Even if Figure 2 indicates operations on operations of custodian,
cancellation of transaction cannot be made for cryptoassets. Also,
it is difficult to revoke the signature key after suspension of using
keys. For example, it may happen to input coins to the address user
has suspended to use. To return coins to the sender, custodian needs
a signature key for the suspended address. cryptoassets custodians
shall assume those cases, and shall consider about revoking signature
keys carefully.
5.5. Characteristics of cryptoassets in blockchain and distributed
ledger
5.5.1. About this section
In the handling of cryptoassets using blockchain / distributed
ledger, there are things to emphasize and different characteristics
compared with general information systems and usages of private/
encryption keys. In considering the risk assessment described in
Section 6 and the security requirements and measures based thereon,
it is necessary to pay attention to these characteristics.
5.5.2. Importance of signature keys
As described in Section 5.3, by signing transactions using the
signature keys, it is possible to instruct the transfer of the values
of cryptoassets to other addresses. Once this transaction is written
to the block or ledger data and the transfer of the values of
cryptoassets is approved it is difficult to revert it or to
invalidate the transfer by revocation procedure etc. This property
is in contrast to taking time until the remittance gets caught or the
process can be canceled during remittance and be reassembled, even if
it requires complicated administrative procedures in the process of
remittance, and illegal remittances occur. In addition, when the
private signature keys have vanished in the cryptoasset scheme, there
will be a case that the cryptoasset held by the address corresponding
to the signature private key is impossible to transfer to the other.
In cryptoassets having such irreversible nature, it must pay
attention to the theft, fraudulent use and disappearance of the
signature secret key.
Sato, et al. Expires 19 June 2021 [Page 11]
Internet-Draft General Security Considerations for Cryp December 2020
5.5.3. Diversity of implementations
There are various cryptoassets including Bitcoin. The specifications
also vary widely from cryptoassets to cryptoassets. For example,
there are differences in the using of encryption algorithms, hash
functions, the methods of generating/spreading transactions, and
wallet implementations to protect the signature key(s), and so on.
Due to these differences in specifications, effective countermeasures
for a specific cryptoasset may not be able to be carried out under
the specification of another cryptoassets. And also, from the
current feaver trends of the cryptoassets, the appearance of new
cryptoassets and the speed of functional expansion and specification
change of existing cryptoassets mechanisms are very fast.
5.5.3.1. Cryptographic algorithm of cryptoassets
There are cases that new cryptographic algorithms in cryptoassets
that are not sufficiently reviewed for security may be adopted. In
ordinary use cases of cryptography technology, designers often use
cryptographic algorithms that are scientifically verified,
mathematically proved secure, and approved by official authorities/
agencies, however, cryptoassets designers are often adopting
"immature and unverified" cryptographic algorithms. This means that
it takes time to archive provable security for algorithms and approve
by official authorities/agencies, while in the blockchain where
competition and evolution are remarkable, the maturity level is low
as technology, and differentiation and blocking from other
cryptoassets. It must be optimized the technology specific to the
chain. These algorithms are likely to have no properly reviewed
implementation, or the risk of a vulnerability being discovered later
and compromising (compared to mature algorithms) is high.
5.5.4. Possibility of blockchain forks
In the blockchain using Proof-of-Work and the like typified by
bitcoins, a state such as a temporary fork of a chain due to
specification change of software or a single chain of branched chains
(re-organization) can arise. Also, as another case, due to the
division of the developer community, blockchains are divided from the
point of time and sometimes operated as separate cryptoassets. In
the real world, there are various forks, it may be difficult to
respond to all of them, and it should be consider countermeasures
according to the risks.
Sato, et al. Expires 19 June 2021 [Page 12]
Internet-Draft General Security Considerations for Cryp December 2020
5.5.4.1. Rolling back due to re-organization
If the chain is discarded due to a reorganization, the history of
transactions contained in the discarded chain will be lost. In that
case, the transaction on the block discarded within the
reorganization period may not be reflected in the main-chain.
5.5.4.2. Handling forks of cryptoassets
As in the case of bitcoins and ether symbols, blockchains are divided
and sometimes managed as another cryptoassets (here, called a fork
coin). The fork coin is also derived from the same software as the
original cryptoassets and uses the same technology and compatible
technology (A description that incorporates the case where different
technologies are adopted for a fork is necessary). In addition, the
chain until just before splitting has exact identical data. By using
its functionality, it becomes possible to attack, for example, replay
attacks. A replay attack is an attack in which transactions used in
the original cryptoassets are retransmitted to the sender of the
transaction at the fork coin chain and the fork coin is illegally
acquired as a result. In this kind of replay attacks,
countermeasures such as monitoring of the transaction sender, for
fork coin chain, measures to be sent before transactions that return
coins to their own other address are required.
In addition, if a fork coin occurs in the cryptoassets held by the
exchanger, there is also a problem that the fork coin is not returned
to the user unless the fork coin is assigned to the user of the
exchanger in the exchange system.
5.5.5. Risks for Unauthorized Transactions
5.5.5.1. About this section
Just by sending the transaction instructing the transfer of the
coins(assets) to the node of the blockchain does not instantly
reflect the cryptoassets transfer. In order for a transaction to be
approved, it is stored in a block created every decided period and
needs to be accepted by the majority of mining nodes. It may be
difficult to confirm that the transaction has been approved for the
following reasons.
Sato, et al. Expires 19 June 2021 [Page 13]
Internet-Draft General Security Considerations for Cryp December 2020
5.5.5.2. Handling unapproved transactions
In a cryptasset using a distributed ledger, there are a variety of
cryptoassets (such as Bitcoin, Ethereum, etc.) that the transaction
sender sends transactions with a transaction fee. This transaction
fee is acquired by the miner who creates the block, and the higher
the transaction cost, It is easy to store in blocks (transactions are
easily approved immediately). If the cost of the transaction sent
from the cryptoassets custodian to the blockchain is low, it may take
times to approve the transaction, or there is a possibility that the
time will expire without being approved. Besides the case due to the
transaction fee, the temporary chain fork as in Section 5.5.4.1 can
be occurred that the transaction that should have been approved once
becomes the unapproved state and the dual spend of cryptoassets. In
usage scenes where cryptoassets transfer is required immediately,
such as payments in real stores, it may be difficult to take time to
confirm the approval of the transaction, and it is necessary to
assume the risk of unauthorized transactions.
5.5.5.3. Transaction failure due to vulnerabilities from cryptoassets
specifications and implementations
Although it is not exactly the case of unauthorized transactions,
there was a vulnerability called transaction malleability as a past
case of bitcoins. With this vulnerability, if the node relaying the
transaction is malicious, it is also possible to make transactions
illegally manipulate, thereby making it impossible to find the
transaction stored in the block (make it impossible to search by
transaction ID). There is also the possibility of an attack that
makes a duplicate by requesting transmission of the cryptoassets
again from the counterparty by making the approved transaction appear
as not approved. This attack is performed after sending the
transaction to the nodes, so it is characteristic that the sender can
not take measures beforehand before sending. Regarding transaction
malleability, it is now possible to avoid it by using SegWit in
bitcoins. However, as a lesson from this case, effective defense
measures cannot be made effective only with the cryptoassets
custodian that becomes the sender or receiver of the cryptoassets
with respect to faults and threats due to another vulnerability of
bitcoins and other cryptoassets.
6. Risks of cryptoassets custodian
Sato, et al. Expires 19 June 2021 [Page 14]
Internet-Draft General Security Considerations for Cryp December 2020
6.1. About this chapter
Below in this section, some risks custodian shall consider for the
system and for foreign factor outside of control from custodian such
as blockchain is described. The risks for systems in custodians are
listed as a threat, factor, and actor may cause threat. The risks
for foreign factor outside of control from custodian such as
blockchain are listed from the incident. Some risks may be caused by
property or quality described in Section 5.5.
On the other hand, there are some risks based on operations or
systems implemented by each custodians. Custodians shall pick up
risks to deal with control to refer these risks with understanding
with system or operation of custodian. Custodians shall evaluate
impacts may be affected by risks and shall decide controls and its
priority.
6.2. Risks of cryptoassets custodian system
In this section, major risks regarding information asset which
cryptoassets custodian system holds are listed. Among the
fundamental model shown in Section 5, the signature key and asset
data are focused as significant information asset to protect
customers asset.
The attacker may be able to broadcast a malicious transaction to
nodes of distributed-ledger after generating the transaction if the
signature key and surrounding environment are not safe.
Withdrawing transaction is almost impossible once the malicious
transaction has been broadcasted and built into the blockchain.
Therefore, prior countermeasures to prevent generating malicious
transaction are essential.
Moreover, consideration of a loss of signature key is also essential.
Cryptoassets stored in the address associated with the signature key
become unavailable in a case where the signature key has been lost.
Risk regarding the signature key including the signature key and
surrounding environment are mentioned in Section 6.2.1 based on
Figure 1.
In this document, the model is described as more abstract as the
content of data, data format, management model or details of
processing regarding asset data varies among custodians. Record such
as client assets (both cryptoassets and fiat currency), assets of
custodians(both cryptoassets and fiat currency), clients' account
information, or address of cryptoassets is listed as common content
Sato, et al. Expires 19 June 2021 [Page 15]
Internet-Draft General Security Considerations for Cryp December 2020
of asset data subject to protection. Manipulation to those asset
data caused by the attacker results in damage to client assets or
affect to the custodians' operation. Risks related to assets data
are discussed in Section 6.2.2.
Risks of system outage MUST be considered concerning availability
which allows clients to control their assets in addition to the
protection of important information such as the signature key or
assets data. Risks of system control are discussed in
Section 6.2.3.2.
In addition to information or risks mentioned in this section, system
specific risks varied among cryptoassets custodian or risks regarding
external contractor MUST be considered. Detailed risk analysis MUST
be performed against the actual system of the cryptoassets custodian.
6.2.1. Risks related to signature keys
Both role and risks of signature keys are extremely large on
cryptoasset exchange. Signature keys enable to transfer coins, but
it comes from properties of difficulties for revocation of lost,
leakage, stolen, and rollback transaction. Some risks about
signature keys are listed in this section. In addition, risks about
supply chain related to risks install wallets handles signature keys.
6.2.1.1. Risk analysis related to signature key
Risk analysis may depend on threats assumption, the structure of the
system, and threats model, the results for each custodians shall be
different. Some case studies are described in this section.
Threats for signature keys and its actors are assumed as listed
below. And actors are assumed as the input of signature key in
Figure 1.
* Threats:
- Loss
- Leakage, Theft
- Unauthorized Use
* Factors of Threats:
- Error in operation
- Maliciousness (of legitimate person)
Sato, et al. Expires 19 June 2021 [Page 16]
Internet-Draft General Security Considerations for Cryp December 2020
- Spoofing (for legitimate person))
- Malicious intentions of outsiders
- Unintended behavior (system)
* Actors:
- Custodians operation modules
- Transaction Signing modules
- Customer assets management function
- Incoming Coin management function
Factors of threats are organized as follow.
Error in operation: A human error caused by an authorized user
(including an administrator) during operation of the system. For
example, the expected operation was to withdraw coin equivalent to
100,000 JPY. But, the actual operation is withdrawing coin
equivalent to 1,000,000 JPY.
Malicious acts by authorized person: An act committed with malice by
an authorized person (including an administrator). For example,
theft or unauthorized use of the signature key by the insider.
Purpose or incentive of the act is not concerned.
Spoofing(of authorized person): Impersonation with a stolen
credential of an authorized person. For example, the order to
sell/buy/transfer cryptoassets by an external attacker impersonating
a client; the malicious order of transfer or generation/signing of a
transaction through access to the system with the legitimate
operator/administrator credential by an unauthorized insider.
Especially, theft and abuse of credential upon an account
registration by impersonating a legitimate user MUST be considered.
Note: Impersonation which is not caused by theft of legitimate user/
authorized person's credential (e.g., Privilege escalation) are
mentioned in "malicious acts by outsiders."
Malicious acts by outsiders: Access or operation to the system by
outsiders with malicious purpose excluding spoofing. (e.g., external
unauthorized access by exploiting a vulnerability; remote access to
the system which enables outsiders to operate to the signature key or
generate a transaction by a targetted attack to an administrator of
the custodians' system.)
Sato, et al. Expires 19 June 2021 [Page 17]
Internet-Draft General Security Considerations for Cryp December 2020
Unintended behavior: An unintended behavior of the system regardless
of intention or malice. (e.g., leakage of the signature key caused by
bugs of the system, generation of a transaction including an
incorrect amount of assets regardless of operation.)
Theft and unauthorized use are threats that can only be caused by a
clear malicious factor. Risks to be considered as a result of
threats are listed in Table 2. Please note that theft and
unauthorized use could happen in a case where multiple factors such
as an error in operation or unintended behavior have occurred. (e.g.,
insertion of backdoor that transmits a signature key or tampers a
signing order to the transaction in conjunction with a specific
legitimate operation.) This case can be covered in countermeasures
of theft or unauthorized use.
+=================+===============+====+=======+=====+==============+
| Risk |Factor |Loss|Leakage|Theft| Unauthorized |
| | | | | | Use |
+=================+===============+====+=======+=====+==============+
| Illegal |End user's |Y |Y |Y | Y |
| operation(Route |malicious | | | | |
| is legitimate) |operation | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Malicious |Y |Y |Y | Y |
| |operation by | | | | |
| |the | | | | |
| |administrator | | | | |
| |of customer | | | | |
| |assets | | | | |
| |management | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Impersonation |Y |Y |Y | Y |
| |to end users | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Insider |Y |Y |Y | Y |
| |impersonating | | | | |
| |an | | | | |
| |administrator | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| Intrusion from |Intrusion into |Y |Y |Y | Y |
| outside |Tx signing | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Intrusion into |Y |Y |Y | Y |
| |incoming coin | | | | |
| |management | | | | |
| |function | | | | |
Sato, et al. Expires 19 June 2021 [Page 18]
Internet-Draft General Security Considerations for Cryp December 2020
+-----------------+---------------+----+-------+-----+--------------+
| |Intrusion into |Y |Y |Y | Y |
| |customer asset | | | | |
| |management | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Intrusion into |Y |Y |Y | Y |
| |custodian | | | | |
| |operation | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| Incorrect |Unintended |Y |Y |- | - |
| behavior is |behaviors of Tx| | | | |
| different from |signing | | | | |
| operation |function | | | | |
| instruction | | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Unintended |Y |Y |- | - |
| |behaviors of | | | | |
| |incoming coin | | | | |
| |management | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Unintended |Y |Y |- | - |
| |behaviors of | | | | |
| |customer asset | | | | |
| |management | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Unintended |Y |Y |- | - |
| |behaviors of | | | | |
| |custodian | | | | |
| |operation | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| Human error |Error in |Y |Y |- | - |
| |operation by | | | | |
| |end user | | | | |
+-----------------+---------------+----+-------+-----+--------------+
| |Error in |Y |Y |- | - |
| |operation by | | | | |
| |administrator | | | | |
| |of customer | | | | |
| |asset | | | | |
| |management | | | | |
| |function | | | | |
+-----------------+---------------+----+-------+-----+--------------+
Sato, et al. Expires 19 June 2021 [Page 19]
Internet-Draft General Security Considerations for Cryp December 2020
Table 2: List of possible risks for the signature key, Y means
applicable risk exists, - means no applicable risk exists
The following sections outline each risk. The control measures
corresponding to each risk are shown in Section 7.3.
6.2.1.2. Risk of loss of signature key
Risks listed below are an event which causes loss of the signature
key from a viewpoint of input to the signature key such as order or
operation.
As a typical event, the loss of the signature key caused by human
error in operation by the administrator of the custodians' system may
be considered.
6.2.1.3. Leakage and theft risk of signature key
In most case, theft is caused by the operation of a malicious person.
By contrast, leakage could happen by error or fault not requiring the
malice. Therefore, the risk of theft and the risk of leakage MUST be
separately considered.
The risks of leakage shown in Table 2 are lists of the event which
potentially causes leakage of the signature key including the leakage
caused by error/fault regarding the input to the signature key such
as an order or an operation. For example, an internal criminal,
unintentional behavior of the system and intrusion to the system.
Likewise, the risks of theft are lists of the event which potentially
causes the theft of the signature key by a malicious person. For
example, an internal criminal and intrusion to the system.
Regarding the leakage of sensitive information to the outside, both
leakage and theft are similar, and the countermeasures are the same.
The countermeasures are discussed in Section 7.3.6.
6.2.1.4. Risks of unauthorized use of the signature key
The risks of unauthorized use shown in Table 2 are lists of the event
which causes unauthorized use by a malicious person. For example,
spoofing of the authorized person and intrusion to the system.
Unauthorized use of the signature key could be caused by unauthorized
operation of pre-processes of an unsigned transaction at transaction
signing function in addition to the direct unauthorized use of the
signature key. Following example shows unauthorized use at an early
stage of the process.
Sato, et al. Expires 19 June 2021 [Page 20]
Internet-Draft General Security Considerations for Cryp December 2020
* A destination address of cryptoassets or amount of assets is
manipulated due to tampering of software at transaction signing
function. The tamper disables designed validation process at the
transaction signing function.
* A destination address of cryptoassets or amount of assets is
manipulated due to tampering of the unsigned transaction generated
by transaction generator. Besides, an unauthorized transaction
has generated and given to the transaction signing function.
* A destination address of cryptoassets or amount of assets is
manipulated due to tampering of software at transaction generator.
An unsigned transaction has generated with an unauthorized direct
operation to transaction generator.
* An incorrect amount or incorrect destination address of
cryptoassets has transmitted from custodian operation function
through transaction generator due to an internal crime, error in
operation, or spoofing of the identity by the administrator.
* Assets database has tampered in a case where the operation/order
to transaction generator refers to the assets database. (See:
Section 6.2.2)
As shown in the above example, the attacker is able to obtain
cryptoassets without attacking to the signature key illicitly. In
particular, countermeasures MUST be considered in a case where the
system automates each process.
Security control measures to the signature key MUST be performed.
Moreover, security control measures to the entire custodian's system
MUST be performed against these complex risks. Security control
measures are discussed in Section 7.
6.2.1.5. Other risks
6.2.1.5.1. Supply chain risk of hardware wallet
Hardware-wallet is known to have a function to manage signature keys.
In most hardware-wallet, key administration is done on an
administrative terminal connecting via USB such as PC.
Sato, et al. Expires 19 June 2021 [Page 21]
Internet-Draft General Security Considerations for Cryp December 2020
Cryptographic module validation program for products having a
cryptographic key management function such as FIPS 140-2 are
provided. However, most of the cryptographic algorithms used in
cryptoassets are not covered by those validation programs.
Therefore, third-party safety validation program subject to hardware-
wallet for cryptoassets is not well provided. For this reason, the
users of hardware-wallet MUST understand that safety level of the
hardware-wallet available at a market differs among the product.
Furthermore, the safety could be threatened by tampering the product
during distribution channel even though the product has a certain
level of safety in the factory. For example, hardware-wallet
tampered in a distribution channel to have a malware enables the
attacker to restore the signature key generated by a legitimate owner
without acquiring the hardware-wallet.
6.2.2. Risks related to assets data
Assets data is data to manage an amount of cryptoassets/fiat
currencies held by clients or custodian itself. The signature key
for transaction signing is not recorded in the assets data. (See:
Section 5.2)
As mentioned earlier, assets data differs among the custodians, an
abstracted model is used in this section. In this section, a brief
thought is given since detailed threat assessment and risk analysis
MUST be performed against assets data of the actual custodians'
system.
Major threats to the assets data are unauthorized manipulation, loss,
and leakage. The factors are an error in operation by the
administrator, malicious acts by the authorized person, spoofing of
the authorized person, malicious acts by outsiders, and unintended
behavior of the system.
In a case of the basic model shown in Section 5.2, attack surfaces
are custodian operation function, assets database, and incoming coin
management function.
Following example shows the incidents caused by unauthorized
manipulation among the risks to assets data.
* An incident that the malicious transaction generated by assets
database which refers manipulated assets data has broadcasted
through a legitimate process. (See: Section 6.2.1.4)
Sato, et al. Expires 19 June 2021 [Page 22]
Internet-Draft General Security Considerations for Cryp December 2020
* Unauthorized manipulation to a number of assets stored in asset
data between clients and/or between clients and custodians by
tampering a list of cryptoassets address linked to clients. This
enables losing assets of clients or custodians without
broadcasting the transaction to the blockchain.
Risks of assets data may be considered as risks of system in
financial service and settlement service. However, countermeasures
to the incident that transaction(s) has merged into blockchain as a
result of unauthorized manipulation to the assets data MUST be
considered with an understanding that transaction broadcast to the
network is irreversible.
6.2.3. Risks of suspension on system and operation
Cryptoassets custodians' systems are composed of software, hardware,
networks. Operations are classified as monitoring, opening an
account, an order of transfer, deposit/withdrawal of (crypto/fiat)
assets from the wallet, and any operations by the operator. The
system may be suspended due to various factors.
Cryptoassets custodians' system tends to be a subject to the attack
due to following: the systems are connected to the Internet for 24
hours 365 days, not by the leased line, many of the systems are
deployed on cloud services, prices of cryptoassets are effected from
operating condition of the cryptoassets custodians. Therefore,
countermeasures to the attack MUST be considered.
6.2.3.1. Risks related to network congestion
Cryptoassets custodians may be attacked by DoS and traffic flooding.
In general, targets of attack are a top page of the Website, API
endpoint, etc., but operation and monitoring system deployed on the
Internet may be a target of DoS attack in a case where the attacker
acquired the information of the system beforehand.
6.2.3.2. Risks of system suspension due to infrastructure
System and operation may be suspended in a case data center or cloud
infrastructure where custodian's system is deployed are suspended.
The system may be suspended due to various factors such as blackout
and disruption of communication due to acts of nature, due to
operation failure by cloud or infrastructure, and failure of software
release.
Sato, et al. Expires 19 June 2021 [Page 23]
Internet-Draft General Security Considerations for Cryp December 2020
6.2.3.3. Risks of system suspension due to the operator
Even if the system is in operation, there is a possibility that the
service may be suspended if operation monitoring and the activities
of the operator in charge of work are hindered. For example, there
is a possibility that business would be suspended due to various
factors such as periodic inspection of power supply facilities at
operational sites, disruption of transportation by disaster, strikes,
and obstruction of building access by protest activities and rush of
reporters. There are also risks that many personnel cannot operate
due to the same reasons, such as using the same transportation
method, participating in the same event, or traffic accident or food
poisoning.
6.2.3.4. Regulatory risks
In countries where the cryptoassets custodian is defined by law and
should be licensed or registered, operations may be suspended by
order of business improvement, operation suspends, deletion of
license or registration issued by the authority.
6.3. Risks from external factors
Even if a cryptoassets custodian performs its operation
appropriately, the cryptoassets custodian could not continue the
service or might not execute transactions when encountering attack to
the blockchain network and/or the network infrastructure connecting
each node.
6.3.1. Risks related to the Internet, Web PKI, and users environment
6.3.1.1. Attack to Internet routing and DNS
Attackers can lower the reachability to cryptoassets custodians, lure
a user into the fake cryptoassets custodian, or fork deliberately by
preventing the synchronization of the blockchain, through the
intervention in routing or DNS, such as BGP hijacking. These methods
might be used by not only malicious attackers, ISPs acting
governments order.
6.3.1.2. Attack to Web PKI
Most cryptoassets custodians provide their services on the Web and
use TLS and server certificates for authenticity and confidentiality
of their website. When the certification authority issuing their
certificates encounter an attack, it yields to enable to spoofing the
cryptoassets custodians' website. When the certificate is revoked,
the cryptoassets custodian might not be able to provide own service.
Sato, et al. Expires 19 June 2021 [Page 24]
Internet-Draft General Security Considerations for Cryp December 2020
6.3.1.3. Attack to messaging systems
Attackers can swindle or block the e-mail and SMS using for
delivering One-Time Password, through the intervention in messaging
systems such as SMS or e-mail. When a users message is swindled,
attackers can log in as the spoofed user or reset the password.
6.3.1.4. Risks related to users environment infection
When a user's environment such as PC and smartphone is infected by
malware, any secrets such as credentials in the environment might be
swindled.
6.3.2. Risks related to cryptocurrency blockchain
6.3.2.1. Split or fork of blockchain
A distributed ledger might be forked by specification changes without
consensus in the developers community. There are two cases around
the fork; one is that the transaction before the fork is executed and
recorded in both ledgers after the fork, another one is that the
transaction before the fork is executed and recorded in only one
ledger.
6.3.2.2. Blockchain Re-organization caused by 51% attack or selfish
mining
When a block which is committed in the past is discarded, the
transaction included in the discarded block might be rolled back.
The transaction included in the discarded block is disabled, and
cryptoassets or fiat money paid in compensation for the transaction
might be swindled.
6.3.2.3. Compromising cryptographic algorithm and hash function
Improvement of performance of computing power and the discovery of
effective attack might cause being compromisation of the
cryptographic algorithm and hash function.
6.3.2.4. Inadequate blockchain specification and implementation
In the cryptoassets Lisk, there were implementations in which the
timestamp value of the transaction allowed implementation of
numerical value input in a range not permitted by the internal
database so that each node could not process the transaction and
block generation stopped[LISK-ISSUE_2088]. This issue was fixed
within several hours after the problem occurred and the node updated
the client software, and the network was sequentially recovered.
Sato, et al. Expires 19 June 2021 [Page 25]
Internet-Draft General Security Considerations for Cryp December 2020
However, the transactions could not be processed in the blockchain
for a certain period.
There are cases that token value collapses due to inadequate
implementations of smart contract. In Beautychain Token (BEC) of
ERC20 token issued on Ethereum, there is a vulnerability that causes
overflow in the smart contract, so there is an attack which derives
greatly exceeded tokens over the upper limit, then the worth of BEC
was collapsed. [CVE-2018-10299]
6.3.2.5. Rapid changes in the hashrate
When the hash rate increases or decreases rapidly, it might take a
very long time for generating blocks using the remaining node.
6.3.3. Risks from external reputation
6.3.3.1. Bank account frozen
Banks might freeze an account of cryptoassets custodians operation,
by the guidance of regulatory as a countermeasure for AML/CFT, or by
some accidents/incidents. This freeze results in a suspending a
deposit/withdraw operation of clients fiat assets.
6.3.3.2. Address of cryptocurency
As countermeasures for AML/CFT, other cryptoassets custodian Y might
assess whether the destination address of cryptoassets custodian X
have a high deal risk when a user of Y transfers some assets to the
address of X. If an address of X is blacklisted, the transaction
between X and Y might not be executed smoothly.
Since criminals often transfer the stolen "cryptoassets" to
unmalicious third party's address for disrupting investigation, the
address might be involuntarily categorized as high-risk.
6.3.3.3. Filtering or blocking website
Users might not be able to access cryptoassets custodian when its URL
is filtered out by network operators or is blocked by ISPs. When a
cryptoassets custodian's website is recognized as used for malware
distribution, its URL might not be appeared in search results or not
be able to browse in the browser.
Sato, et al. Expires 19 June 2021 [Page 26]
Internet-Draft General Security Considerations for Cryp December 2020
6.3.3.4. Email
Most mail servers provide a filtering service or a classifying
service based on reputation, as countermeasures for spam mail. If
the e-mail from the cryptoassets custodian is recognized as spam
mail, the custodian might not be able to contact the user.
6.3.3.5. Appraisal of a smartphone application
Application delivery platform might limit applications from handling
cryptoassets. When the application provided by a cryptoassets
custodian could not be approved by the platforms, a user cannot
download the application for access to the custodian, and cannot use
the services.
6.3.3.6. ID theft
There is some case where the attacker acts malicious instruction
spoofing as a user, for example: - list based attack, - theft of ID,
password or other credentials, by a malware infection, and - theft of
API access token.
The distinctive purposes of spoofing are: - theft of fiat currency or
cryptoassets by unauthorized withdrawals, - money laundering by
cashing cryptoassets with an account in the name of other people, and
- profit shifting by market manipulation by unauthorized buy and sell
cryptoassets.
7. Considerations of security controls on Cryptoassets Custodians
7.1. General
Below is a basis of security controls about risks written in
Section 6.
To promote understanding and coverage, all security controls in this
chapter are followed by below: [ISO.27001_2013] , [ISO.27002_2013].
There are some specific considerations for Cryptoassets Custodians to
follow ISOs. Especially, the organization shall consider for strong
controls to manage signature keys for cryptoassets backed by assets.
Other security controls are expected to be referred to similar
operations by the financial sector. Security controls should be
included concrete content from results of risk analysis and
vulnerability diagnosis. Threats of cybersecurity are changing,
reviews of security controls according to situations are important.
Articles below are expected to describe contents by references and
completion of description.
Sato, et al. Expires 19 June 2021 [Page 27]
Internet-Draft General Security Considerations for Cryp December 2020
7.2. Basis for consideration about security management
There are some standards of requirement for information security,
[ISO.27001_2013] and [ISO.27002_2013]. Cryptoassets Custodians shall
refer the requirement or guidance of these standards and consider
security controls needed and shall establish, implement, maintain and
continually improve security management. Cryptoassets Custodians has
data of customers asset, self asset, customer information, signature
keys. Those shall be protected from leakage, loss, tampering, and
misuse. Cryptoassets Custodians shall consider about risks of lost
assets by foreign factors such as blockchains or network, suspension
of system, and shall act properly. Cryptoassets Custodians shall
mainly consider about security management described below:
* Interested parties (from "4. Context of organization",
[ISO.27001_2013]) To protect assets of cryptoassets custodian's
customer. Division of responsibility between outsourced and
cryptoassets custodians such as management of signature keys for
cryptoassets. Impact of business such as money laundering shall
be considered from another viewpoint.
* Policy (from "5. Leadership", [ISO.27001_2013]) Cryptoassets
custodians shall establish an information security policy that
includes information security objectives and controls.
Information security policy shall be disclosed so that customers
can browse.
* Continual improvement and risk assessment (from "6. Planning",
"8. Operation", "9. Performance evaluation", and
"10.Improvement", [ISO.27001_2013]) As described in Section 6.3.2,
numbers of cryptoassets have been developed and its speed of
evolving is rapid, Cryptoassets Custodians shall monitor security
risks about cryptoassets in addition to information security
management applied in general. Cryptoassets Custodians shall
review and improve security controls according to the situation.
7.3. Considerations about security controls on Cryptoassets custodians
Cryptoassets Custodians shall determine information security
objectives and controls from the viewpoint listed below:
* Risk treatment options to prevent from loss, steal, leakage,
misuse of secret keys used for cryptoassets, customer data, and
customer asset.
* Compliance with business
* Compliance with legal and contractual requirements
Sato, et al. Expires 19 June 2021 [Page 28]
Internet-Draft General Security Considerations for Cryp December 2020
There are some considerations described in Section 7.2 about security
controls based on system risks at Cryptoassets Custodians. There is
a guidance for security controls as [ISO.27002_2013], Cryptoassets
Custodians shall refer it to design and / or identify security
controls. Section 7.3.1 to Section 7.3.13 below are followed to
[ISO.27002_2013] and describe items to be especially noted in the
virtual currency exchange system.
7.3.1. Information security policies
Information security policies shall be defined to follow Section 5 on
[ISO.27002_2013]. Information security objectives on Cryptoassets
Custodians shall include conservation of customer's asset,
requirements of the business, compliance with legal and contractual
requirements, social responsibilities. Information security policies
shall contain policies about access controls ( on Section 7.3.5 ),
cryptographic controls ( on Section 7.3.6 ), operations security ( on
Section 7.3.8 ), and communications security ( on Section 7.3.9 ) .
7.3.2. Organization of information security
Cryptoassets custodians shall follow "6. Organization of information
security" on [ISO.27002_2013], and shall establish a management
framework to implement and operate information security.
Cryptoassets custodians shall consider about threats such as an
illegal acquisition of signature keys or illegal creation of
transaction carefully. Segregation of duties shall be fully examined
to manage signature keys for signing or to permit create
transactions.
7.3.3. Human resource security
Cryptoassets custodians shall follow section "7. Human resource
security" on [ISO.27002_2013]. To examine and evaluate security
controls, cryptoassets custodians shall deploy human resources with
expertise not only in information security applied in general but
also in cryptoassets and blockchain technology. All employees may
handle assets and shall receive appropriate education and training
and regular updates in organizational policies and procedures.
7.3.4. Asset management
Cryptoassets custodians shall follow section "8. Asset management"
on [ISO.27002_2013]. Cryptoassets custodians shall contain any
pieces of information to manage assets, and information and asset of
the customer such as the signature key. Cryptoassets custodians
shall determine controls suitable for risks to follow this section if
cryptoassets custodians operate hardware wallets. To protect assets
Sato, et al. Expires 19 June 2021 [Page 29]
Internet-Draft General Security Considerations for Cryp December 2020
of customers, cryptoassets custodians shall separate assets into
customers and custodians to follow compliances with accounting.
7.3.5. Access control
Cryptoassets Custodians shall follow section "9. Access Controls" on
[ISO.27002_2013].
Users are separated into 2 parties; Permitted operators and
administrators within outsourced, and customers. Some considerations
for operators and administrators are written in Section 7.3.5.1, and
for customer is written in Section 7.3.5.2
7.3.5.1. Access controls for operators and administrators
There are some cases for operators and administrators.
* Operators and administrators for custodians system. They will
command to create keys or to transfer funds by software or
terminal.
* Administrators to maintain hardware, OS, databases, and
middleware.
Management measures of signature keys such as activate, backup,
restore are described on Section 7.3.6. Cryptoassets custodian shall
be carried out to assign authority to operate properly and shall set
access control. Access controls shall be include authorize and
permit to connect custodians system from remote, authorize for
external service if using as functions for cryptoasset custodians,
authorize as a user for OS and databases, permit to enter and leave
facilities systems or terminals installed. There are some factors to
permit access: Only office hours or predetermined hours, Only IP
addresses assigned for specific terminals, Confirm by credentials to
connect from operators or terminals predetermined. Cryptoassets
custodians shall consider for access control policies by roles or
authorities of operators and administrators for each system. Access
control shall be set the minimum to run functions or software
permitted for operators or administrators, not only for applications.
Any damage may be happened by miss or injustice operations on
transferring assets or managing signature keys as described
Section 6.2. To deter these threats, Confirmation of or approval by
multiple operators or multiple administrators shall be needed on
important operations such as transferring assets and operations for
the signature key. Cryptoassets custodians shall not concentrate
duties for one operator or administrator, decentralize of duties for
multiple operators or administrators shall be needed.
Sato, et al. Expires 19 June 2021 [Page 30]
Internet-Draft General Security Considerations for Cryp December 2020
7.3.5.2. Access control for customers (user authentication / API)
* Strict personal identification on setup account The account shall
be set up by strict personal identification, and account
information shall be sent to the person itself. For example,
personal identification shall be operated by an identification
document issued by the public organization and shall be sent a
letter to the address without forwarding. Personal identification
shall be carried out in accordance with relevant laws,
regulations, treaty such as FATF. Replacement of pictures on an
identification document or falsification of attribute information
is typical treats for personal identification. In order to
operate personal identification strictly, it shall be carried out
to verify by software or visual check and verify by an electric
method such as signature that is hard to falsification.
* Managing credential and multi-factor authentication For user
authentication, it is expected to prevent from spoofing and
internal injustice by installing risk-based authentication on not
normal access ( such as a characteristic of terminal or route, and
different time slot from usual ) and multi factor authentication
on spoofing by leakage of single credential. It is NOT
recommended to deliver one-time-password by unprotected
transmission line as email because there is a risk of
impersonation or fraud on the transfer route. Confirming
telephone number by SMS was valid for verifying owner and
reachability, but that has been RESTRICTED by NIST, so personal
authentication technology such as possession identification and
transaction authentication technology should be applied. SMS may
be one factor used to recovery account, but not measure to confirm
the existence and authenticate.
* Multi-factor authentication, risk-based authentication It shall be
carried out to register customer and set access controls strictly
to avoid defraud customer funds, changing to fiat and money
laundering by spoofing customers.
* Confirmation of intention according to the risk of operation To be
consistent with the convenience of customers and safety of
service, It shall be considered to make a different level to
authenticate by risks of customer's operation. For example, low-
risk operations such as display balance of account or details of
trade may be allowed by single-factor authentication, but update
transactions such as trading coins or changing address or account
shall be authenticated by an additional factor. In addition,
operations it may cause damages such as output coin or order of
fiat transaction shall be ordered to confirm by additional
authenticate or to confirm intention by an operator.
Sato, et al. Expires 19 June 2021 [Page 31]
Internet-Draft General Security Considerations for Cryp December 2020
* Data preservation on deleting an account Cryptoassets custodians
shall implement system be able to rollback after erasing for a
certain period if customer stated spoofed or unauthorized access.
Cryptoassets custodians shall delete the account if requested from
a customer, but they also shall consider about risks that attacker
spoofed to customer requests to delete the account.
* Signature key preservation on discontinue addresses Signature keys
linked to an account shall not be deleted even if the address of
cryptoassets has no value. On a prediction for the general
cryptoassets customer is allowed to send assets for any addresses
and not technically prevented to send, signature keys for wallet
stopped to use shall be taken back up for reuse because the
possibility of receive coins to the address exists.
* Consideration for supplying APIs To set access control for
operations by a customer, it shall be considered about not only
operations of dialogue operations on the web but also APIs
connecting from the application by smartphone and from external
systems. For providing APIs, It shall be implemented to consider
cases that are difficult to get explicit approval from customer.
It shall comply with best practices shared in the industry based
on the attack risk peculiar to API. For reference, it may be
followed to Financial API by OpenID Foundation.
7.3.6. Security controls on signature keys
It SHALL conform to Section 10 "Cipher" of [ISO.27002_2013].
Particularly, some security controls for the signature key, an issue
specific to cryptoassets custodians, are closely related to the
controls in other sub-sections in this section (e.g., Section 7.3.5).
Amount of cryptoassets in Hot Wallet MUST be limited to a minimum
amount and isolate their remain assets to another secure place, e.g.,
Cold wallet. The minimum amount means the amount which can be
temporarily paid within the time it takes to withdraw the assets from
the secure place. Custodian can be refunded to the customers from
the remain assets even if the assets in Hot Wallet leaks.
Custodians MUST choose an appropriate cryptographic technology that
has been evaluated its security by the third party in accordance with
the purpose of use, as with general information systems. Also, they
MUST decide the life cycle of a signature key and MUST implement and
operate appropriate controls.
Sato, et al. Expires 19 June 2021 [Page 32]
Internet-Draft General Security Considerations for Cryp December 2020
7.3.6.1. Basics of Signature Key Management
In general, followings are required in the management of private keys
including signature keys.
* They should be isolated from other informational assets. Rigorous
access control is mandatory.
* Limit the number of access to signature keys as minimum as
possible.
* Be prepared for unintentional lost of signature keys.
Followings are three basic security control to realize above.
Additional security controls specific to crypto assets custodians are
described in and after sub-sections Section 7.3.6.2.
1. State management of signature keys As described in Figure 2, a
signature key has one of the multiple states generally, and it
may be an active or inactive state in its operation. The
signature key MUST be in an active state when it is used for
signing (or decryption). It is recommended to enforce to input
some secret information to activate from the inactive signature
key. This makes keeping the inactive signature key away from
abuse if the adversary does not have the secret information.
This method ensures also the security of the signature key
against leakage and lost. It is also recommended to minimize the
term of activation to limit the risk of abuse as minimum as
possible. Unnecessary activation of the signature key increases
the risk of abuse, leakage, and theft, though keeping the
activation state is efficient from a business viewpoint. On the
other hand, frequent activation/inactivation may give impact to
business efficiency. It is important to consider the trade-off
between the risk and business efficiency and provide clear key
management policy to customers.
2. Administrator role separation and two-person rule It is a
fundamental form of operation of a critical business process
which uses the signature key to perform cryptographic operations
by multiple parties to prevent internal frauds and errors. For
example, by setting separated privilege on digitally signing and
approval to go into the area of signing operation, it becomes
difficult for the single adversary to give a malicious digital
signature without known by the third party. Additionally, the
enforcement of the two-person rule is effective security control
to internal frauds and misoperations.
Sato, et al. Expires 19 June 2021 [Page 33]
Internet-Draft General Security Considerations for Cryp December 2020
3. Backup of a signature key Lost of the signature key makes signing
operations (by using the key) impossible any more. Thus backup
of the signature key is an important security control. Since
lost of the signature key makes signing operations impossible any
more, backup of the signature key is an important security
control. On the other hand, risks of leakage and theft of backup
keys MUST be considered. It is needed to inactivate the backup
keys. Additionally, monitoring the blockchain whether to perform
the outgoing-coin from that address to detect the inappropriate
backup and the illegal-use of little-used address.
7.3.6.2. Offline Key Management
There is a type of offline key management (as known as "cold wallet")
which isolates signature keys from the system network to prevent
leakage and theft caused by the intrusion.
(Artwork only available as svg: No external link available, see
draft-vcgtf-crypto-assets-security-considerations-07.html for
artwork.)
Figure 4: Example of offline signature key management
In this case, it REQUIREs some kind of offline operations to make the
system use the signature key.
Examples are a) it requires to move a signature key from the vault
and to connect to the online system, b) input/output between online
system and offline (key management) system does perform through a
kind of storage, such a USB Flash Drive.
If there is not an explicit approval process for the signature key
used in the offline operation, anyone cannot stop the malicious
transaction. That is, for achieving this solution can prevent abuse,
loss, and theft of signature keys, an explicit approval process is
needed for this solution.
7.3.6.3. Privilege separation of signature keys (Authorization process)
Both privilege separation and two-person control of signature key
management are effective as shown in Section 7.3.6. In addition,
there is multi-signature as a typical scheme for
blockchain[BIP-0010][BIP-0011]. Multi-signature REQUIREs an
authorization process with multi-stakeholders, and it is achieved by
signing with the signature keys managed by each stakeholder. Each
stakeholder MUST verify other signatures technically if exists, and
MUST validate the practical consistency of the transaction.
Sato, et al. Expires 19 June 2021 [Page 34]
Internet-Draft General Security Considerations for Cryp December 2020
Authorization process with multiple stakeholders can expect for a
general countermeasure for malicious generation of a transaction.
Note, however, that security controls for the leakage and/or loss of
the signature key are still needed.
Since a multi-signature scheme is provided by software, its logic and
implementations are varied with some blockchain. e.g., multi-
signature in Ethereum is implemented on smart contract, so that there
are various implementations with each wallet software. Also, some
blockchains might not support multi-signature, therefore some
cryptoassets could not adopt multi-signature.
Also, there is another similar scheme "Secret Sharing Scheme" which
is applicable to privilege separation. This is a management
technology in a distributed environment which has divided secret
respectively, and one of the countermeasures for leakage and/or lost
of signature key. However, this scheme is rather a technology for
single stakeholder with multi-location operation than multi-
stakeholders, because it REQUIREs a validation scheme separately for
the transaction to each stakeholder and management of the divided
secret is rather depend to implementation than the signature key.
7.3.6.4. Backup for Signature Key
Backup is the most fundamental and effective measure against lost of
signature key. On the other hand, there are risks of leakage and
loss of the backup device.
These risks depend on the kind backup device, thus security controls
on such devices MUST be considered independently. Followings
describe typical backup devices and leakage/theft risks associated
with them.
* Cloning to the tamper-resistant cryptographic key management
device If a signature key is managed by a tamper-resistant key
management device (device X) and X has cloning function, cloning
the key to another device Y is the most secure way to back up the
key, where the cloning function is the technique to copy the key
with keeping confidentiality to other devices than X and Y
// For example, cloning via PC does not meet this requirement when
// the signature key is read into memory on the PC in the cloning.
* Backup to storage for digital data Here, it is assumed to backup
keys to storage like USB memory and DVD. There are two types of
operations; one is backup data is stored in movable devices in an
offline manner, the other is backup data is stored in an online
accessible manner. If the device is movable, the possibility of
steal and lost increases, thus the device MUST be kept in a
Sato, et al. Expires 19 June 2021 [Page 35]
Internet-Draft General Security Considerations for Cryp December 2020
cabinet or a vault with the key, and the access control to such
cabinet/vault MUST be restricted. Of the backup storage is
online, risks of leakage and theft MUST be assumed as same as the
key management function implementation inside the cryptoassets
custodian. In general, the same security control is recommended
to such backup storage. If there is some additional operation,
for example, the backup device is inactivated except for the time
of restore, the security control may be modified with considering
the operating environment. When it is not avoided the raw key
data is outside of the key management function implementation, the
custodian MUST deal with the problem of remained magnetics.
* Backup to paper There is a way to backup keys in an offline
manner, to print them to papers as a QR code or other machine
readable ways. It is movable than storage for digital data and
easy to identify. There remains some risk of leakage and theft by
taking a photo by smartphone and so on.
* Redundant with Sharing secret scheme Dividing of signature key to
multiple parts, then managing them by multiple isolated systems is
an effective measure to protect the keys against leakage and
theft. This document does not recommend a specific technique but
RECOMMENDs to implement this control based on a certain level of
security evaluation like a secret sharing scheme. In that case,
secure coding and mounting penetration test are REQUIRED to
eliminate the implementation vulnerabilities. This method is also
effective for backup devices.
7.3.6.5. Procurement of hardware wallet
When introducing a wallet, it is RECOMMEND to use a product whose
technical security is guaranteed like HSM which is originally used
for existing PKI service etc. However, some products may not be
applicable currently because they often do not support a kind of
cryptographic algorithm used by crypto assets. Therefore, if
introducing a wallet, it is RECOMMEND to operate in mind the
following points with accepting the technical insufficiency:
* MUST not use hardware obtained through the untrusted procurement
route.
* MUST apply the latest firmware and patches provided by the
manufacturer.
* Initialization and key generation MUST do themselves, SHOULD NOT
use default settings without careful considerations.
Sato, et al. Expires 19 June 2021 [Page 36]
Internet-Draft General Security Considerations for Cryp December 2020
* MUST consider trustworthy of software instructing a sign to
hardware wallet, especially whether it supports multi-signature or
signing at the offline environment.
Additionally, when custodian uses only hardware wallets in the
marketplace, they MUST manage it according to section Section 7.3.4.
On the other hand, hardware wallets MUST be subject to the third-
party or independent certification scheme for security. If
introducing a software wallet from outside, it MUST consider the
potentiality of containing malicious code, vulnerability, and bugs.
7.3.7. Physical and environmental security
Cryptoassets custodians system MUST follow section "11. Physical and
environmental security" on [ISO.27002_2013].
Cryptoassets custodians system MUST consider strict physical security
protections for the following elements.
* Media containing a signature key. (Signature key management shown
in Figure 1)
* Media containing a signature key for cold wallet environment.
(Signature key management for offline management shown in
Figure 4.)
* Media containing a backup data of signature key
If the signature key mentioned above is stored in the deactivated
state, and also key encryption key to activate the signature key is
controlled separately, the media containing the key encryption key
MUST be strictly managed.
The security control to these signature key MUST be separated from
the security control of the crypto assets custodian system. In
addition to this control, access to facilities and environments which
store media containing a signature key or information required to
operate the signature key MUST be restricted. (See: Section 7.3.6)
Furthermore, countermeasures to loss or theft for the operational
device MUST be taken place if the administration or operation is
executed from a remote place such as out of a facility.
Sato, et al. Expires 19 June 2021 [Page 37]
Internet-Draft General Security Considerations for Cryp December 2020
7.3.8. Operations security
Crypto Assets Custodian systems MUST follow section "12. Operations
security" on [ISO.27002_2013]. In addition to the standard,
cryptoassets custodian systems SHALL comply with the security
controls mentioned following sections.
7.3.8.1. Protections from malicious software (Related to ISO.27002:2013
12.2)
Detection and recovery measures of malware MUST be appropriately
taken place according to configurations, the environment of
cryptoassets custodian systems and confidentiality and importance of
information handled in the systems.
In general, one of the prevention measures for malware is applying
security patches to operating systems, middlewares of cryptoassets
custodian systems. However, those patches MUST be applied upon
sufficient confirmation based on the importance and urgency of a
patch. Moreover, testing and deployment procedure of security patch
MUST be considered beforehand just in case attacks against the
vulnerability have already confirmed.
7.3.8.2. Backup (Related to ISO.27002:2013 12.3)
Upon making a backup of systems, strict security controls to
important data which suffered severe damage by leakages such as the
signature key or master seed MUST be applied same as data subject to
backup (e.g., an appropriate selection for storage, and enforcement
of strict access controls.) Security controls such as distributed
storage mentioned in Section 7.3.6), proper privilege separation on
backup and restore between operators and people making an
authorization, and operation with multiple parties are also
important.
7.3.8.3. Logging and monitoring (Related to ISO.27002:2013 12.4)
Crypto asset custodians systems MUST obtain/monitor/record logs
properly (not limited to but include following logs).
* Logs on the environment where the cryptoassets custodian system
Collecting and monitoring of event log outputted from the system
components such as middleware, operating systems, and computers
detects an abnormal state of environment where the system runs.
Collected logs are used to investigate a cause in the case of the
incident.
Sato, et al. Expires 19 June 2021 [Page 38]
Internet-Draft General Security Considerations for Cryp December 2020
* Logs on the processing of components of crypto assets custodians
system Collecting and monitoring of the processing logs from each
component detects an abnormal state of crypto assets custodians
system. Collecting proper logs are used as a proof of proper
processing inside the crypto assets custodians system, and also
used to investigate a cause in a case of the incident.
* Access log of signature key Information such as date, a source
terminal, an operator(not a role but information to identify an
operator) MUST be obtained and recorded in a case of operations
such as activation and deactivation of the signature key, access
to the activated signature key and backup/restore. Those records
MUST be validated against the records such as operational
procedures, operating hours, on a periodical inspection such as
weekly inspection. Moreover, in a case where the signature key is
managed online, operational log such as the creation of a
transaction signature by operator MUST be recorded and validated
as well.
* Operational Log of a wallet managed by custodians Logs on
remittance MUST be monitored real-time against the attempt of
outgoing coin transfer in a case where the signature key and
backup are unexpectedly leaked. In a case where an unexpected
remittance has occurred in one of the wallets, monitoring logs
help timely detecting the incidents, suspending all signing
operations, rechecking on other existing wallets, and migrating to
other wallets using a different signature key.
* Access log of administration remote terminal If a remote access to
cryptoassets custodian system is permitted, audit information such
as date, source IP address, terminal information(e.g. terminal ID,
latest result of security evaluation if it's possible) and
destination IP address (or hostname) MUST be obtained and recorded
for auditing which checks the accesses are from/in authorized
range.
* Traffic log between the inside and the outside (e.g., the
Internet) As mentioned in Section 7.3.9.1, Inbound traffic to
cryotoassets custodian systems such as traffic from the Internet
MUST be restricted to a permitted external network or permitted
protocol. Inbound traffic from disallowed network and traffic
using disallowed protocol are denied at the firewall and other
middleboxes. Logs from that equipment are effective to protect
customers from malicious access in terms of not only cryptoassets
custodian system but also the information security. Usually,
outbound traffic from protected assets such as cryptoassets
custodian systems to the Internet and other systems is not a
subject to logging. However, those logs are useful in cases such
Sato, et al. Expires 19 June 2021 [Page 39]
Internet-Draft General Security Considerations for Cryp December 2020
as investigations on incidents (e.g., malicious usage of the
signature key, theft of signature key) and detection of the
incident, so entire traffic or network flow are RECOMMENDED to be
acquired according to protocols/destinations.
* Customers access log Customers access log MUST be obtained since
those logs are used to detect malicious login or request. Also,
those logs are used as evidence in a case of incidents. In a case
of malicious login, custodians MUST notify its customer.
- Provide information about the malicious activity to customers
Providing a feature to allow a customer to confirm login
history, source IP address, region, and terminal information,
and login notification by a push-notification or an e-mail are
effective to detect malicious access after the incident.
Feature protecting an account and alerting to a user in cases
when detecting login from unknown source address or terminal,
or detecting consecutive login to multiple accounts from the
same source IP address, are effective to protect a user from
malicious access.
* Images/videos recorded by a surveillance camera and entry/exit
records Storing images/videos recorded by the surveillance camera
and entry/exit records for proper period enables validating if
physical safety control measures work properly after the incident.
Detecting a malicious process execution (e.g., malware), malicious
access, an abnormal state of cryptoassets custodians system by
monitoring logs mentioned above comprehensively is important.
Moreover, storing this evidence is important to prevent internal
fraud and exonerate person involved from the charge. Security
Operation Center (SOC) may help to monitor the system. Outsourcing
to trusted operators about detection and notification of threats in
the operation of SOC may be helpful.
7.3.9. Communications security
Cryptoassets custodians system MUST follow section "13.
Communications security" on [ISO.27002_2013].
Since assets are managed in a state accessible from the Internet on
cryptoassets custodians system, preventive measures, detection
measures, countermeasures and recovery measures as measures to
prevent information leakage, MUST be considered according to the
risk.
Sato, et al. Expires 19 June 2021 [Page 40]
Internet-Draft General Security Considerations for Cryp December 2020
7.3.9.1. Network security management (Related to ISO.27002:2013 clause
13.1.1)
As same as security control measures to general systems, measures
such as a definition of a boundary to the external network,
restriction of connection to a network system(e.g., firewall), stop
unnecessary services or close unnecessary ports, obtaining and
monitoring logs and malicious access detection MUST be considered and
performed.
For logs, logs of internal systems MUST be monitored to detect
internal malicious access, as well as monitoring of boundary to the
external network. (See: Section 7.3.8.3)
Secure communication with proper mutual authentication such as
TLS(Transport Layer Security) MUST be used to protect from attacks to
communication between modules such as eavesdropping and manipulation
in a case where modules of cryptoassets custodians systems are
remotely located.
7.3.9.2. Network segmentation (Related to ISO.27002:2013 13.1.3)
It is important to limit a connection between cryptoassets custodians
systems and other systems/the Internet as minimum as possible to
reduce the risk of exposing against attacks through a network.
Measures as follow such as network segmentation and limitation to
connection MUST be considered.
* Network isolation between custodians systems and other information
systems
- Objectives: Preventing a connection to custodians systems
through information systems used in daily operations, which has
been compromised due to malware infections caused by external
attacks such as targeted attack.
- Countermeasures: Isolate a network between information systems
used in daily operations and custodians system by segmentation
of network or limiting access.
* Network isolation at the boundary to the Internet
- Objective: Preventing access to critical information such as a
signature key from attack through the Internet by minimizing
and isolating modules which connect to the Internet.
Sato, et al. Expires 19 June 2021 [Page 41]
Internet-Draft General Security Considerations for Cryp December 2020
- Countermeasures: Features which connects external services on
the Internet to achieve the functionality of custodians system,
transmit transactions or obtain blockchain data MUST be
packaged as a module as minimum as possible or be isolated from
other systems such as locating on DMZ. Moreover, if modules
are connecting to external services, access controls to those
services MUST be adequately performed.
* Limitation on a terminal used in custodians system administration
- Objective: Preventing a malicious operation due to a hijacking
of terminal used in custodians system administration.
- Countermeasures: Limiting a terminal which can connect to
custodians system, such as a terminal to manage a custodians
system administration function and a terminal running an
administrative tool to order operation to custodians system.
7.3.9.3. System acquisition, development and maintenance
Cryptoassets custodians system MUST follow section "14. System
acquisition, development, and maintenance" on [ISO.27002_2013].
Cryptoassets handled by cryptoassets custodians ranges from high
liquidity cryptoassets dealt with by multiple custodians to emerging
cryptoassets. It is important to reduce a risk regarding system
acquisition, development and maintenance in addition to
[ISO.27002_2013] as characteristics of blockchain network used by
those cryptoassets varies. For example, the following
countermeasures are effective.
* Software development method Secure software development method
such as secure coding and code review MUST be used in the software
development of the custodian system. Code review not only with
the development team but also with an operational team is
effective to detect a vulnerability from the viewpoint of
operation.
* Penetration test Conducting a penetration test helps to detect a
known vulnerability at systems and results in obviating the
attacking risk by the attacker in advance.
* Integration test with blockchain network Test MUST be performed
not only with the test network of blockchain but also with the
production network of the blockchain. Risk assessment MUST be
taken with an understanding of the limitation of test on the
production network such as high-load test.
Sato, et al. Expires 19 June 2021 [Page 42]
Internet-Draft General Security Considerations for Cryp December 2020
* Privilege separation on the operation Privilege separation such as
limiting code reviewed software deployment to the production
environment to the system operating team is effective to prevent
tampering attacks from internal.
* Prohibiting using default (factory-configured) values Any factory-
configured authentication information such as password MUST NOT be
used regardless of hardware/software, development environment or
production environment.
7.3.10. Supplier relationships
Cryptoassets custodians system MUST follow section "15. Supplier
relationships" on [ISO.27002_2013].
Outsourcing wallet-related services may be a reasonable choice in a
case technical security of those services has been secured.
Administrative measures according to [ISO.27002_2013] MUST be taken
in terms of outsourcing contractors or security controls of cloud
service providers in cases where signature key in multi-signature is
delegated to contractors or custodians system is implemented on cloud
services.
7.3.11. Information security incident management
Cryptoassets custodians system MUST follow section "16. Information
security incident management" on [ISO.27002_2013].
Since cyber attacks got complex, cyber security incidents
unprecedented in the past could occur, especially in cryptoassets
custodians. In addition to security control measures as a
preparation to expected threat in advance, Emergency response
framework MUST be prepared in a case of incidents caused by an
unknown threat. For example, the establishment of internal
CSIRT(Computer Security Incident Response Team) and building a
relationship with external organizations.
7.3.12. Information security aspect of business continuity management
Cryptoassets custodians system MUST follow section "17. Information
security aspect of business continuity management" on
[ISO.27002_2013].
Requirements, Processes, Procedures and control measures to secure
information security for the cryptoassets custodian in a case of the
severe situation(such as disaster or crisis) MUST be established,
documented, performed and maintained. In this case, administrative
Sato, et al. Expires 19 June 2021 [Page 43]
Internet-Draft General Security Considerations for Cryp December 2020
measures in a case where countermeasures have performed or in a
period of a severe situation MUST be verified periodically.
Moreover, operators MUST consider to shut down the system
situationally.
* In a case where facilities (including facilities used as an
office) are unavailable
- Power outage
- Damages of building
- An act of nature (e.g., earthquakes, fires (including sprayed
water for neighborhoods fire), water outage, flood)
- Other reasons (e.g., facilities are unavailable, or access to
the facilities are prohibited by law/regulations/authorities.)
* In a case where it's difficult to continue the system
- In a case of becoming difficult to continue running an
emergency electric generator.
- Long suspension of public transportation services, a pandemic
of disease, lack of human resources by an act of nature.
- Failure of a communication network
- Failure of equipment
- Failure of the system (regardless of reasons such as failure of
a program or cyber attacks)
- Loss of paper wallet or hardware wallet.
- Suspension of outsourcing contractor's business
- Leakage or loss of signature key
* In the case of becoming difficult to continue business
- Business-suspension order by law/regulations.
Sato, et al. Expires 19 June 2021 [Page 44]
Internet-Draft General Security Considerations for Cryp December 2020
7.3.12.1. Maintaining availability of the system
Cryptoassets custodians system MUST be designed and implemented to
have enough scalability and redundancy for users with consideration
of a number of users, peak date/time of transactions, system response
time, maintenance period/frequency and securing a human resource for
operation. Moreover, consideration for increasing the capacity of
the system MUST be performed in advance with enough threshold (e.g.,
number of transactions or memory usage during a peak period).
7.3.13. Compliance
Cryptoassets custodians MUST respect the guidelines or laws of the
region or country. (See Appendix 3 for a country of Japan)
7.4. Other cryptoassets custodians system specific issues
7.4.1. Advance notice to user for maintenance
Cryptoassets custodians are RECOMMENDED to publish a notice of
maintenance schedule in advance in a case where periodical schedule
especially service suspension is planned in a night. Also,
Cryptoassets custodians are RECOMMENDED to provide information
regarding the failure of the system at other FQDN/IP addresses to
avert high volume traffic to the web server in addition to usual way
of notice such as by e-mail or on the website, in a case of emergency
maintenance.
Moreover, cryptoassets custodians are RECOMMENDED to put forth an
effort to minimize an affected area from a viewpoint of user
protection in a case of service suspension caused by immediate issues
such as attacks from external.
8. Future work
Discussion of distributed exchange (DEX) is currently out-of-the-
scope of this document.
9. Security Considerations
Security Considerations are included in the main section of this
document.
10. IANA Considerations
None.
11. References
Sato, et al. Expires 19 June 2021 [Page 45]
Internet-Draft General Security Considerations for Cryp December 2020
11.1. Normative References
[ISO.27001_2013]
International Organization for Standardization,
"Information technology -- Security techniques --
Information security management systems -- Requirements",
ISO/IEC 27001:2013, October 2013,
<https://www.iso.org/standard/54534.html>.
[ISO.27002_2013]
International Organization for Standardization,
"Information technology -- Security techniques -- Code of
practice for information security controls", ISO/
IEC 27002:2013, October 2013,
<https://www.iso.org/standard/54533.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References
[BIP-0010] Reiner, A., "Multi-Sig Transaction Distribution", BIP 10,
28 October 2011,
<https://github.com/bitcoin/bips/blob/master/bip-
0010.mediawiki>.
[BIP-0011] Andresen, G., "M-of-N Standard Transactions", BIP 10, 18
October 2011,
<https://github.com/bitcoin/bips/blob/master/bip-
0011.mediawiki>.
[CVE-2018-10299]
MITRE Corporation, "CVE-2018-10299", CVE 2018-10299, 22
April 2018, <http://cve.mitre.org/cgi-bin/
cvename.cgi?name=CVE-2018-10299>.
[I-D.nakajima-crypto-asset-terminology]
Nakajima, H., Kusunoki, M., Hida, K., Suga, Y., and T.
Hayashi, "Terminology for Cryptoassets", Work in Progress,
Internet-Draft, draft-nakajima-crypto-asset-terminology-
04, 2 July 2020, <http://www.ietf.org/internet-drafts/
draft-nakajima-crypto-asset-terminology-04.txt>.
Sato, et al. Expires 19 June 2021 [Page 46]
Internet-Draft General Security Considerations for Cryp December 2020
[LISK-ISSUE_2088]
MaciejBaj, ., "Check INT_32 range for transaction
timestamps", June 2018,
<https://github.com/LiskHQ/lisk/issues/2088>.
Acknowledgements
Thanks to Masanori Kusunoki, Yasushi Matsumoto, Natsuhiko Sakimura,
Yuji Suga, Tatsuya Hayashi, Keiichi Hida, Kenichi Sugawara, Naochika
Hanamura, and other members of the Security Working Group of
CryptoAssets Governance Task Force (https://vcgtf.github.io).
Authors' Addresses
Masashi Sato
SECOM Co., Ltd. Intelligent System Laboratory
Shimorenjaku 8-10-16
SECOM SC Center, Tokyo, Mitaka
181-8528
Japan
Email: satomasa756@gmail.com
Masaki Shimaoka
SECOM Co., Ltd. Intelligent System Laboratory
Shimorenjaku 8-10-16
SECOM SC Center, Tokyo, Mitaka
181-8528
Japan
Email: m-shimaoka@secom.co.jp
Hirotaka Nakajima (editor)
Mercari, Inc.
Roppongi 6-10-1
Roppongi Hills Mori Tower 18F, Tokyo, Minato
106-6118
Japan
Email: nunnun@mercari.com
Sato, et al. Expires 19 June 2021 [Page 47]