Key Management
Ensuring Secure Key Lifecycle Operations
Effective key management is essential to the security of any cryptographic system. OmniSafe implements a comprehensive suite of procedures to govern the entire lifecycle of cryptographic keys, from generation and storage to rotation, recovery, and destruction.
- Security: The Master Key is generated and distributed in a way that avoids single points of failure.
- Trust is managed through techniques such as access control, zero-knowledge proofs for key operations, and multi-factor authentication.
Secure Key Generation: Establishing a Secure Root of Trust
The secure generation of cryptographic keys is the cornerstone of OmniSafe. All keys used in the custody system, especially the Master Key (MK), are generated within a tightly controlled and auditable process.
- Hardware Security Modules (HSMs): Keys are generated within FIPS 140-2 Level 3 certified HSMs. These HSMs provide a tamper-resistant environment that ensures the integrity and confidentiality of the key generation process.
- Strong Entropy: To guarantee the unpredictability of the generated keys, high-quality entropy sources are used. This involves hardware-based random number generators (RNGs) that meet cryptographic standards.
- Deterministic Key Generation: For certain applications where reproducibility is required, deterministic key generation schemes, such as Hierarchical Deterministic (HD) wallets, can be employed. In such cases, the initial seed is protected with the same stringent security measures as the Master Key.
Purpose:
- Securely generate cryptographic keys.
Secure Key Access and Encryption: Controlled Access and Key Protection
Access to cryptographic keys is tightly controlled and secured to prevent unauthorized usage or extraction.
- Secure Access to Key Material: Access to sensitive data and cryptographic keys is protected by access controls following Role-Based Access Control (RBAC).
- Multi-Factor Authentication (MFA): Enforce MFA for accessing and managing keys to add an extra layer of security.
- Access Control Lists (ACLs): Use ACLs to specify exactly who can access or manage each key.
Purpose:
- Securely manage cryptographic keys.
- Prevent unauthorized access.
Key Usage Policies: Enforcing Key-Specific Restrictions
To further minimize risk, OmniSafe implements strict Key Usage Policies. These policies define precisely how each key may be used, limiting the potential damage even in the unlikely event of unauthorized access. By restricting the scope and lifecycle of each key, OmniSafe bounds the impact of any single key compromise and so protects the data that key guards.
The cornerstone of OmniSafe’s security is a carefully orchestrated Key Ceremony, designed to generate, distribute, and protect the foundational Master Key. This is not an automated process – it involves trusted, carefully chosen individuals and stringent procedures to ensure the highest levels of security.
Here’s a glimpse into what the Key Ceremony involves:
- Secure, Offline Environment: The ceremony is conducted in a physically secured location, isolated from all networks, to prevent any external interference. All activity is recorded on CCTV, and detailed protocols are in place for auditing.
- Trusted Participants: Designated individuals (“custodians”) are identified.
- Key Generation: The Master Key is generated inside a Hardware Security Module (HSM) or on a computer with a cryptographically secure source of randomness, and is immediately split into parts so that no single complete copy of the key exists to be stolen.
- Shamir’s Secret Sharing: The Master Key is mathematically split into multiple “shares,” distributed among the trusted custodians. No single custodian possesses the complete Master Key.
- Multi-Factor Authentication: Participants must complete multi-factor authentication before proceeding with each step, which limits the opportunity for external tampering.
Purpose: These steps are followed to make the key resistant to theft by insiders, digital exfiltration, side-channel attacks, and cryptanalysis.
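The Shamir's Secret Sharing step above is the part of the ceremony that a practitioner most often wants to see concretely: the Master Key becomes the constant term of a random polynomial over a finite field, each custodian receives one point on that polynomial, and any threshold-sized quorum reconstructs the constant term by Lagrange interpolation while any smaller group learns nothing. The following is an added illustration written for this page, not OmniSafe's own code; it assumes a 3-of-5 custodian quorum, represents the key as an integer, and uses the Mersenne prime 2^127 - 1 as the field (any prime larger than the secret would do).

```python
import secrets

# Field prime for the example: the Mersenne prime 2^127 - 1 (an assumption
# made for this illustration; any prime larger than the secret works).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(PRIME), Horner style."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split `secret` into `share_count` points (x, y); any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree threshold-1,
    so fewer than `threshold` points leave the constant term completely undetermined.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    # Coefficients beyond the constant term come from a CSPRNG.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never used as a share index, since P(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Reconstruct P(0) by Lagrange interpolation over GF(PRIME) from the given points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices supplied")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                numerator = (numerator * (-xj)) % PRIME
                denominator = (denominator * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        lagrange_basis_at_zero = numerator * pow(denominator, PRIME - 2, PRIME) % PRIME
        total = (total + yi * lagrange_basis_at_zero) % PRIME
    return total


def ceremony_demo(threshold=3, custodians=5):
    """Constructed walk-through: split a fresh random key, then reconstruct with a quorum."""
    master_key = secrets.randbelow(PRIME)           # stands in for the HSM-generated key
    shares = split_secret(master_key, threshold, custodians)
    quorum = shares[:threshold]                     # any `threshold` custodians present
    recovered = recover_secret(quorum)
    return master_key == recovered


if __name__ == "__main__":
    print("quorum reconstruction succeeded:", ceremony_demo())
```

Two properties are worth checking when adopting a scheme like this: every threshold-sized subset, not just the first one, must reconstruct the same value, and a subset one share short must not. Share indices must also be unique per custodian, since two copies of the same point add no information.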