safeSig <.io>

Securely manage keys and signatures for Distributed Ledger Technologies.



Traditional HSM solutions have no way to identify if the message they are signing will validate a block or empty the wallet.

The safeSig <.io> KeyGuardAPI provides a secure HSM proxy that uses DMI Technology with two-pass validation to ensure that access to your cryptocurrency keys remains solely in your control.

HSM <--> safeSig <.io> KeyGuardAPI <--> Blockchain Application <--> Users

Reduce your attack surface with safeSig <.io> KeyGuardAPI.

Reduce your attack surface by isolating your blockchain applications from direct HSM access to protect against key exposure and fund theft even if your blockchain application is fully rooted by attackers.

safeSig <.io> KeyGuardAPI reduces the attack surface for many types of attacks:

Chosen-PlainText Attacks

Side-Channel Attacks*

Key Dumps

Malicious Transaction Signing

Restrict and sanitize cryptocurrency signature and other key operation requests to your private keys with safeSig <.io> Cryptocurrency DMI Technology powering KeyGuardAPI.

Authorize and bind your private keys to sign specific cryptocurrency data messages:

Transactions [Amount, Origin, Destination, Time, scriptSigs, 2FA]

Blocks [Timestamp, Transactions, BlockReward, Version, Network]

Smart Contract Operations [Import your own ABI]


Manage user and application access to your private keys with an easy-to-use Admin Panel.

Take full control of restricting and granting user and application access rights with intuitive permission settings.

Add conditions for requiring multi-party 2FA for large amounts

View and audit logs for all signature requests and actions

Manage levels of access for employees

Keep track of signature operations across many DLTs

Instant “key-kill-switch” to take your key offline and prevent signing new transactions*


Bring your own HSM solution or use our BareMetalHSM.

safeSig <.io> KeyGuardAPI integrates with our BareMetalHSM, Azure Key Vault, AWS CloudHSM or your custom solution.

safeSig <.io> BareMetalHSM service provides dedicated FIPS 140-2 Level 3 Validated hardware.

Hosted in a SAS70 certified Tier 4 Data Center with 24-hour security and biometric restricted access.

safeSig <.io> BareMetalHSM is the only cloud HSM that quickly and easily supports BIP32 key management.


safeSig <.io> supports secure key operations for multiple DLTs in one API.

Secure BIP32 HSM key management support available.*

safeSig <.io> offers custom solutions for new signature schemes and operations.

*Only available with safeSig <.io> BareMetalHSM


How does KeyGuardAPI work?

For signature operations in DLT nodes/applications, a private key is normally used locally to sign a message.

HSMs transfer the private key handling from the application server to a dedicated secure hardware device.

For an application to use an HSM, it calls an API with credentials and a message payload for the key on the HSM to sign.

If an application is compromised, the private key can be forced to sign messages chosen by the attacker.

The attacker can perform a time-consuming chosen-plaintext attack to reveal the private keys.

But it is much easier to send the HSM a payload to sign that gives the attacker all of the funds secured by your keys…

KeyGuardAPI sits between the application and the HSM and firewalls each signature request to the HSM.

If the request does not fit the configured validation requirements, it is rejected and does not reach your HSM.

Once messages are signed by the HSM, they are sanitized again to ensure safe data is returned to the application.

This prevents even the most determined hackers from gaining unintended access to your private keys.

safeSig <.io> never has unencrypted access to your private keys
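The two-pass flow described above, sketched as an added example; this is not safeSig code and not the KeyGuardAPI interface. The `Policy` fields, request keys, sample wallet and payee names, and the 64-byte signature length are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                      # hypothetical per-key policy, not the product's schema
    origins: frozenset             # wallets this key may spend from
    destinations: frozenset        # allow-listed payees
    max_amount: int                # hard ceiling, smallest currency unit
    two_fa_threshold: int          # at or above this, approvals are required
    approvals_needed: int
    max_skew: int                  # seconds a request timestamp may differ from now

FIELDS = {"amount", "origin", "destination", "time", "approvals"}

def validate_request(req, policy, now):
    """Pass 1: return (ok, reason) for a structured signing request."""
    # Anything that is not exactly the expected structure (for example a bare
    # digest to sign blindly) is rejected before it can reach the HSM.
    if not isinstance(req, dict) or set(req) != FIELDS:
        return False, "malformed request"
    amount, when, approvals = req["amount"], req["time"], req["approvals"]
    if type(amount) is not int or amount <= 0 or amount > policy.max_amount:
        return False, "amount outside policy"
    if not isinstance(req["origin"], str) or req["origin"] not in policy.origins:
        return False, "origin not authorized"
    if not isinstance(req["destination"], str) or req["destination"] not in policy.destinations:
        return False, "destination not allow-listed"
    if type(when) is not int or abs(now - when) > policy.max_skew:
        return False, "stale or future timestamp"
    if not isinstance(approvals, list) or not all(isinstance(a, str) for a in approvals):
        return False, "malformed approvals"
    # Duplicate approver ids count once, so one party cannot approve twice.
    if amount >= policy.two_fa_threshold and len(set(approvals)) < policy.approvals_needed:
        return False, "insufficient 2FA approvals"
    return True, "ok"

def sanitize_response(resp):
    """Pass 2: hand back only a well-formed signature, dropping all other fields."""
    sig = resp.get("signature") if isinstance(resp, dict) else None
    if not isinstance(sig, bytes) or len(sig) != 64:   # 64-byte compact form is an assumption
        raise ValueError("unexpected signer output")
    return {"signature": sig.hex()}

# Constructed sample policy for one key.
POLICY = Policy(frozenset({"hot-wallet-1"}), frozenset({"payee-A", "payee-B"}),
                max_amount=5_000_000, two_fa_threshold=1_000_000,
                approvals_needed=2, max_skew=300)
```

A compromised application that asks for a signature over an arbitrary payload or an unlisted destination is stopped at pass 1, so the request never reaches the signer.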


Who is using KeyGuardAPI and BareMetalHSM?

DLT Block Producers/Validators

Cryptocurrency Exchanges and Trading Platforms

Cryptocurrency Mining and Staking Pools

Layer 2 Cryptocurrency Payment Nodes and Relays

Compliant Cryptocurrency Businesses


About safeSig <.io>

safeSig <.io> was created in San Francisco by cryptographers and blockchain security professionals.