Blockchain Key Management Solution
TEEvault is a key management solution for securely storing and managing cryptocurrency keys in an enterprise environment. The entire process of generation, back up, and usage of cryptocurrency private keys is completed inside a protected Trusted Execution Environment (TEE), keeping the keys safe from exposure to hacking or physical attack. It also harnesses threshold cryptography to mathematically split a key into multiple shares and store each share in different systems. Thus, the risk of loss or theft is greatly reduced and disaster recovery assured.
Introduction to TEEvault
Safe as much as you connect
A single TEEvault is sufficient to operate your service. However, a cluster of multiple TEEvault nodes connected with threshold cryptography assure greater protection and availability of protected assets. Threshold cryptography enables t-of-n signature where only t nodes are required among n. For example, in a cluster configured as 3-of-6, the clusters as a whole will still function even if up to 3 (out of 6 nodes) become unavailable. Strategic placement of TEEvault nodes in geographically distant locations will increase the availability of the connected system in the case of catastrophic events, including power outages, natural disasters, and security attacks such as targeted denial of service. In addition, TEEvault’s threshold cryptography technology can also be applied to blockchain applications that do not provide native multisig support, such as Ethereum.
- Risk diversification through distribution of keys
- High availability regardless of catastrophic events
- Cryptographic multisig support using threshold cryptography (Ethereum, etc.)
TEEvault’s triple replication architecture safeguards client assets and ensures robustness of secure operations. TEEvault is designed to synchronously back up protected data across multiple TEE systems, with each TEE system independently and uniquely encrypting the digital assets of clients. The tripled composition is also used for load balancing, enabling high performance.
- Data loss prevention by tripled backup
- Key synchronization among authenticated TEE systems
- Performance improvement with load balancing among TEE systems
Hardware-enforced security boundary
TEEvault utilizes one of the most powerful security features supported by a CPU — the Trusted Execution Environment (TEE). By establishing a hardware-enforced security boundary, TEEvault completely isolates client assets from the computer’s day-to-day run-time environment, which is always exposed to a vast variety of cyber threats and hacking attacks. To steal client assets sealed inside the isolated TEE, a hacker must have physical access to the CPU hardware and analyze every bit of the circuit. Even with the use of an electron microscope, this is virtually impossible in the real world.
- TEE completely isolated from run-time environment
- Data protection using hardware reinforced keys
- Virtually impossible to steal protected data even with an electron microscope
TEEvault-based Cryptocurrency Wallets
1. Store and manage cryptocurrency offline (Cold wallet)
Most cryptocurrency exchanges prefer to store part of their assets offline to mitigate the risk of being hacked, which is referred to as a cold wallet. Using TEEvault, enterprise-level cold wallets can be established with keys split and distributed among multiple nodes to eliminate the risk of loss and theft. All transactions involving the use of keys run securely inside TEEvault, completely protected from attacks — even from those with administrative privileges, e.g., such as malicious insiders.
2. Protect cryptocurrency keys stored online (Hot wallet)
Cryptocurrency exchanges must also store some of the cryptocurrencies online to process transactions and provide timely money transfers, which is referred as a hot wallet. Even if the keys are stored and encrypted, they must be decrypted in memory to be used when signing transactions, and this is the most vulnerable point where the keys are left unprotected. However, using TEEvault, keys are always protected even when online. When keys are generated and stored, they are encrypted by the unique key hardwired inside the CPU, and all cryptographic operations are securely executed inside the TEE during transaction signing, leaving no chance of hacking.
3. Multisig on Ethereum without using smart contract
Ethereum does not support multisig natively, instead encouraging users to use smart contracts to enable multisig. However, as seen in the Parity wallet incident, one small mistake in smart contract execution can result in catastrophic damages, such as cryptocurrencies being stolen or burned. TEEvault can turn the current process of signing a transaction with a single key into a multisig-based transaction. Threshold cryptography (k-of-n) can split a key into n shares, with k shares required to generate a whole signature, making TEEvault a secure alternative to smart contract-based multisig.
Looking for a solution?
TEEware shares your concerns about security.
We will continue to research and provide innovative solutions for your security needs. We will be your partner.