Locked Out of Knox
As a Bitcoin key storage agent, Knox has custody over all the keys of our clients. While we recommend that a majority of consumers hold their own keys, some exceptions apply. It is less desirable for service providers such as exchanges, funds, or other companies to hold Bitcoin for their users—a secondary endeavour adjacent to their core activity. Usually, the incentives can be distorted, forcing these entities to treat key management as the cost of doing business, and exposing clients to unnecessary risks.
Holding Bitcoin securely for others is hard, and requires special risk mitigation technologies with an undivided focus. It is also dangerous for employees of these organizations who become targets for both cyber and physical attackers. It is evident that offline (cold) and online (hot) custodial services have distinct threat models when it comes to the risks of theft and loss. Network attacks substantially increase the attack surface of hot wallets while internal collusion is the most severe risk for cold storage services.
To ensure the security of our clients and to protect the safety of all employees at Knox, we decided to lock ourselves out of the Bitcoin we hold for our clients from day one. Knox cannot arbitrarily sign any withdrawal that could lead to movement of funds not explicitly requested by a customer.
We are locked out of our own vault.
Our cold storage makes internal collusion extremely unlikely across the entire key lifecycle — from generating keys to using them for transaction signing and archiving backups. Our aim is to provide a responsible service to a particular segment of customers requiring custodial services. We use three core controls to ensure that we can provide such guarantees to our clients:
- Independent key generation
- Third-party backup archiving
- Signature-swapped transactions
Independent key generation
Generating keys is a very sensitive activity, which requires high-quality entropy that cannot be known to anyone but the holder of the Bitcoin. Observing the entropy, which is used to create a seed utilized as the master private key to generate addresses and sign transactions, is the highest level of privilege one can have. This information allows full control over all the derived addresses where Bitcoin is held.
What if the agent generating Bitcoin keys cannot know all the information used to construct a Bitcoin wallet? All Knox multisig wallets have individual keys generated independently from each other, making collusion very hard. Each key is generated by two agents in a secure location protected by a partner security firm in four distinct cities.
Third-party backup archiving
Once generated, keys are then cut into four different pieces each, or shards, and kept at separate archival sites with a partner security firm outside of our physical control. At this point, Knox employees cannot physically access the archives of the keys, as they are stored across sixteen different locations, or four distinct vaults for each key with four keys for each multisig wallet.
Each generated key is flashed onto hardware security modules (HSMs). These HSMs are shipped by a secure transportation partner from the generation sites to the processing sites, where they will be vaulted by three different independent agents.
At this point, a Knox 3 of 4 multisig wallet is protected from internal collusion by machines, not human policy. Each HSM holding one key from the 3 of 4 multisig quorum is incapable of signing transactions unless it receives a valid customer request for withdrawal. The staff at Knox is cryptographically locked out.
Our clients hold the keys that are bound to the HSMs we have vaulted. Only our clients can produce a valid transaction request that will be verified by our processing sites, and ultimately approved for signing by our HSMs. The HSMs will swap the signature they verified from our clients and apply a signature using the key they hold as part of the 3 of 4 signing quorum. This is a cryptographic handshake that cannot be forged.
In all regular instances, Knox staff, employees, contractors, and any other agents are incapable of executing withdrawals without our clients’ explicit requests. In other words, no single employee or group of employees at Knox can arbitrarily move the funds we custody. We are locked out of our own custody system—ensuring the security of our employees and the holdings of our clients.
All requests are authorized by clients and guaranteed by machines, which helped Knox get an insurance policy against both internal and external theft, covering 100% of the value of Bitcoin we hold for our clients.
This is obviously important for all current and prospective clients to understand, but also essential to understand for attackers looking to compromise systems of this sort. We believe that the only responsible way to custody Bitcoin is to have rigorous security that prevents us from voluntarily doing harm, or being hurt by others.