A year into my stint at the Bank of France, I was still struggling to understand why they employ cryptographers. One day, I saw them huddled around a white board for a few hours and struck up a conversation. They walked me through their highly sophisticated key management solution that included everything from certificate signing mechanisms to deep traffic inspection contraptions. Baffled by the complexity of it all, I resorted to my go-to cryptographer question - "So, where are the keys?". The key storage, as it turned out, was outsourced to "a cool startup here in Paris.” There are very few reasons to outsource the security risks associated with storing and managing your encryption keys. However, this what often happens at companies dealing with digital asset custody. These companies overgrow with analytics, support, marketing, and administrative personnel, but end up relying on BitGo and others to sign their transactions. Keep your key storage in house. BitGo as much as you do. Snowden taught us the importance of end-to-end encryption, but we still failed to understand the fundamental problem with outsourcing encryption. We've put too much trust in Google employees who did not care about their client’s privacy enough to . Crypto custody is hard. will never care about your keys encrypt traffic between their data centers Encryption was being worked on prior to Snowden but it didn't seem like a high priority because there was no evidence it would achieve anything useful, and it rquires a lot of resources. Google Cloud Exploitation - NSA presentation . Cryptographers are as good at implementing protocols as interior designers are at laying brick. You also can't hire astrophysics PhDs hoping that they'll figure it out on the job. They will sit there for a year reading articles and dreaming up . Neat idea, until or Vitalik decides to fork Ethereum on Friday evening. CS degrees are no guarantee of expertise time locks for your cold wallet Pearl Harbor happens on Sunday have plagued existing crypto custody providers and stopped others from joining the market. Some are straight from spy novels and TV shows. Others will likely make their way to DEFCON slides in the coming years. Amateur key management setups . OKEx cold wallets cannot survive a single signature loss . Gemini founders like traveling around the country with pieces of paper to address Armageddon risks . Bitmex execs personally sign transactions every day . Fishing rod key storage system is a thing Swiss mountains don't add an extra security layer. Airgapping cold wallets without proper access and emergency procedures is useless. IP address attribution and SMS as a second factor authentication are fundamentally broken. Hardware wallets aren't any more secure than a regular smartphone, but attract way more attention to their users. exists. So does . A few basic things to remember. Rubber-hose cryptanalysis deniable encryption What you really need is a team of highly experienced software and infrastructure engineers led by security professionals, preferably the ones that haven't . Getting them won't be easy. The post-Snowden IT security job market has been vacuumed by armies of corporate and government recruiters. Big IT companies and three-letter agencies catch talented kids well before they graduate college. Anyone who doesn't have the time or expertise to grow talent internally is mostly out of luck. Talk to your local key management professional. lost all their data at their last place of employment There are still plenty of people who are unable or unwilling to pass security clearances or pee in the cup. You can also pick up whole teams by looking outside the crypto space. Unlike what you've been told, blockchain is not magic. It's a decentralized system like many others, and we have plenty of hustling security-oriented startups staffed with talented network, database, and systems engineers. Think outside the box. Anything and anyone who doesn't need to have access to your keys can and should be outsourced. Establish relationships and offload your headaches to professionals in their respective areas. Unless you plan to , you will need to put KYC and AML programs in place. Regulators will ask you to watch hundreds of metrics and produce dozens of reports every day, but they will not say which ones upfront. You are better off letting someone else argue with them about the methodology of . Your IT department will thank you for it. Open up and focus on fundamentals. bribe officials with coconuts calculating the price of a 51% attack . While the goal of a compliance team is to produce good-looking reports for the regulators, an auditor is there to show you weak spots in your setup. Hire an outside Red Team and give them sizeable bonuses for discovering vulnerabilities. Security by obscurity only works to a certain point - publish your security designs and . Create an and let people gradually poke holes in your systems. and the ability to laugh at yourself go a long way in saving you public humiliation. Separate auditing and compliance openly talk about your failures open bug bounty program Hacker t-shirts . Any asset custody is about reputation and companies that shift their security risks to others will not last long. When their assets under management reach critical mass, many of their security mechanisms will fail at once. When someone robs a bank, getting to the vault is only the beginning. Getting away with the loot and spending it is an equal problem. There's always a chance of catching the thief and getting the money back. Not so much in crypto. Bitcoin money laundering services cost 1-4% of the total sum. Hackers will start looking into yachts the second they get to your private keys. Remember, it's a marathon Digital currency money laundering services offered at a Russian darknet marketplace. Illustration by Mihailo Tatic

Google

Read My Stories

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

Worried About Your Crypto's Custody? Outsource Everything Except Key Management

Too Long; Didn't Read

Company Mentioned

Ev Dmitriev

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Worried About Your Crypto's Custody? Outsource Everything Except Key Management

Too Long; Didn't Read

Company Mentioned

Ev Dmitriev

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES