This article is part of a short series about security at Knox. You can find more details on our website on the security page.
Knox has custody of all keys held in distinct 3 of 4 multi-signature wallets for each client in order to get an insurance policy covering up to 100% of value held. Signing offline Bitcoin transactions in that context requires keys to be stored in hardware security modules (HSMs) that are air-gapped from any network connection. Knox HSMs are purpose-built physical devices flashed with specialized firmware that safeguards Bitcoin keys and uses them to sign transactions. Once provisioned for a client account, a Knox HSM is designed to prevent any data, such as keys, from being changed or revealed. The Knox HSM has received an independent technical assessment to verify its properties, which may be released sometime in the future for external verification.
In our cold storage solution, Knox HSMs have never been, and never will be, connected to a network. This reduces the attack surface of the transaction signing operations. Retrieving keys from a Knox HSM is is by design extraordinarily difficult, if at all possible without corrupting the device, even with direct physical access. The physical integrity of the signing device is further assured by way of vaulting all Knox HSMs. This slows down any would-be attacker. Due to the absurd difficulty in executing such an attack, insuring against its execution is made possible.
All HSMs are vaulted in specialized locations called Knox processing facilities, which allow for the replication of HSM physical vaulting across geographically distinct sites operating in a 3 of 4 multisignature scheme. For all Knox customer accounts, 3 keys are required to sign and broadcast a transaction to the Bitcoin network. All processing facilities form a private network to communicate with each other and propagate partially signed Bitcoin transactions, until full signing is completed. Prior to signing, each Knox processing facility verifies the integrity of a transaction against bespoke customer wallet policies such as signing quorum authorizers, rate limits and whitelisted addresses. By design, every processing facility assumes that every other is corrupted, and so independently verifies everything.
A Knox processing facility is staffed with a minimum of two human operators in a dual control pair to receive a customer transaction, verify and sign it before propagation to the next facility.
Signing happens 100% offline, which requires a particular design in Knox processing facilities, which are monitored by alarm systems in undisclosed locations. Within a processing facility, an access restricted communication room receives partially signed bitcoin transactions from a network-connected machine. In a room adjacent to the communication room, protected by another secure gate is the signing room, which guards vaulted offline HSMs to issue transaction signatures. The HSMs remain vaulted even during signing. In the air-gapped signing room, once the vaulted HSM issues a signature on the verified transaction, the partially signed transaction is re-introduced to the communication room over a sneakernet so it can be forwarded to the next processing facility. This process continues until the 3 of 4 signature threshold is met.
Within the offline signing room, a Knox HSM is incapable of issuing a signature unless a customer has explicitly requested a withdrawal authenticated with a personal access key sent to them at the time of account onboarding. The HSM must receive and verify a signature tied to such client device. All Knox HSMs perform signature swaps, which locks the operators out of any signing operations, further reinforcing the resistance to collusion. At the time of configuration of a Knox customer account, the 3 HSMs holding the corresponding keys (out of 4 keys in the multisig quorum) are flashed with these external access keys, which will be held by the customer.
As the first step of a Knox transaction, a verified client must initiate a withdrawal using the personal access key, which was received at the time of account onboarding. A client is only able to use their personal access key to sign on transactions from wallets where the policy mentions them as valid authorizers. No transaction will ever be signed at a Knox processing facility unless it was originated by a verified and valid client access key signature.
The customer service level agreement for our 100% cold storage Bitcoin transaction processing is 24 hours, though turnarounds of under 40 minutes are more common during our usual business hours.
Transaction signing with secure key storage is a core activity of Knox. We will be sharing more details about additional technology building blocks as part of a series on security at Knox. More details available on knoxcustody.com, in the custody risk management registry or via email directly: firstname.lastname@example.org.