Part 6: Genesis of Ledger Recover – Threat Analysis / Evaluation

2023-9-23 14:38

Welcome back to the sixth part of our blog series on Ledger Recover’s genesis! 

In the previous parts, we explained how the entropy of a Secret Recovery Phrase can be split in multiple shares (or fragments), then sent to trusted Backup Providers, and finally stored safely while always maintaining the highest level of security.

In more details:

Genesis of Ledger Recover Part 1 – “Self-custody without compromise,” delves into all the potential challenges when building Ledger Recover, provided by Coincover, and introduces us to the core security feature of Ledger Recover, splitting your Secret Recovery Phrase into shares.

Genesis of Ledger Recover Part 2 – “Securely distributing the shares,” introduces several cryptographic tools and mathematical concepts that Ledger Recover leverages to securely distribute your seed shares to backup providers.

Genesis of Ledger Recover Part 3 – “Avoiding collusions and leaks,” tackles how we ensure that the shares are stored safely, and how we prevent backup providers from colluding to reconstruct your Secret Recovery Phrase.

Genesis of Ledger Recover Part 4 – “Controlling access to the backup: identity verification,” discusses how the service ensures that the person initiating the request for sharing or recovering their Secret Recovery Phrase is indeed its rightful owner.

Genesis of Ledger Recover Part 5 – ‘Operational Security,’ takes a closer look at how we ensure maximum security at the operational level, including security infrastructure, separation of duties, governance, monitoring, and finally the Incident Response strategy.

For this part, let the authors introduce you to Ledger Donjon, Ledger’s internal security evaluation lab. The Ledger Donjon is made up of a world-class expert team with extensive backgrounds in the security and smartcard industries. Its key functions are internal and external security assessment. They work closely with Ledger’s Firmware development and hardware teams to analyze and improve the security of Ledger products.

The team is continuously looking for vulnerabilities on Ledger products as well as Ledger’s providers’ products.

This last article explores the security challenges identified by the Ledger Donjon when building a seed recovery service, and how regular internal and external security audits are conducted in order to guarantee the maximum of security to users.

Protocol specification advising Protection of the seed phrase and share Ensuring User Consent for Seed-Related Actions

The aim of a hardware wallet is to protect your keys, either the embedded application’s private keys or the master seed itself. The user’s keys should not be accessed if the user did not grant access to them. Each time a user decides to interact with the keys, for example, by signing a transaction, a pin request is made and the action can only be performed if the user enters his pin code after validating the transaction on the trusted screen of the device.

This mechanism is guaranteed by our custom OS, dubbed BOLOS, running on top of the Secure Element. The Secure Element prevents unwanted access to your wallet by protecting it against most of the attack scenarios, still allowing for legitimate access to your seed or private keys. The combined work of the Secure Element and the custom OS  allows guaranteeing user consent when a user tries to access his secrets.

User consent mechanism did not change for Ledger Recover and the creation of the three Secret Recovery Phrase shares: the OS requires user consent because it needs to interact with the seed. From a device point of view, the Ledger Recover opt-in is like interacting with smart contracts or signing transactions. And if you do not grant access to the seed, the share creation is impossible. Moreover, Ledger Recover only allows exporting shares, not the seed itself, and only on fully encrypted secure channels, as described in the previous blog posts.  

Safeguarding Seed Access: Preventing Unauthorized Access

The duo custom OS and Secure Element also allows you to have custom applications on your Ledger devices without compromising security. As reminded by the Donjon when talking about the threat model for confidentiality of the Seed and Private Keys.

The applications on the device, therefore, never have access to your seed. They can only interact with private keys dedicated to each application, which are generated from the seed by BOLOS, without the possibility to extract them. Ledger Recover was designed as a feature integrated directly into BOLOS and not as an external app to maintain the validity of the threat model:

No possibility for Applications to interact with the seed, with all the risks it entails and Maintain the current application isolation mechanism (refer to the Ledger Nano X Security Target, section 7.5 Security Function #5: App Isolation). Guarantee the confidentiality of user seed

Another critical point for Ledger device security is to interact with the seed or the private keys without leaking any information about them.

Like for other cryptographic operations on the seed, shares are generated inside the Secure Element, providing us with security mechanisms that prevent external attackers from obtaining any information about the seed. Moreover, as seen in the first part, the chosen cryptographic protocol allows the creation of shares which alone provides no information about the original seed.

Communicate the shares safely

The shares also need to be protected during the communication between the Secure Element on the device and the HSM (Hardware Security Module). 

The communication channels ensure all the properties of a secure channel: confidentiality, integrity, and authenticity. This is done using a Secure Channel already integrated into Ledger devices and HSMs through the mechanism of Attestation: 

The confidentiality is assured by generating ephemeral keypairs on the device and the HSM, and encrypting messages with them. The cryptographic protocols ensure message integrity. The authentication is done through attestations and a chain of trust which guarantees that the communication happens between a genuine Ledger device and a genuine Ledger HSM. No one can impersonate them.

The shares will also transit to the backup providers’ databases, and the same requirements must be fulfilled. To ensure the encryption of the shares, we take advantage of the encryption mechanism brought by the HSM. This way, only a genuine Ledger Recover HSM can decrypt the shares. It also means that even if someone succeeds in stealing the shares databases it will have no information about the shares.

These first requirements allow us to ensure that the shares will only be transported through a genuine Ledger device to a genuine Ledger Recover HSM, with no one in between these two elements being able to retrieve the share. 

Concerning the user identity

The other critical asset of Ledger Recover is the user identity information. We also need to protect users from data breaches. This is why we have verified during reviews that: 

The communication of the identity from the IDV to the storage should be encrypted and provide confidentiality and integrity.  The database for long term storage should have a strong encryption mechanism using a HSM the same way the shares are stored. 

All the security reviews have been done by considering external attackers and internal rogue employees. The security requirements must consider the case of an insider trying to steal shares to ultimately steal user funds. This is why all the security behavior is put inside secure components, like HSMs and Nano devices.   

Security Analysis

Security Analyses are done continuously for Ledger components. The analyses are performed in two distinct ways: Internal Security Reviews and External Pentests. The following sections will detail what they are and why two different types of analysis are required.

Internal Security Reviews

As security is not an option at Ledger, a dedicated in-house team has been created: the Ledger Donjon (The Ledger Donjon, Enter the Donjon). (https://donjon.ledger.com/threat-model/). Its primary mission is to improve the security of Ledger’s products. To accomplish this, the Donjon has technical skills allowing them to perform: 

rigorous software and hardware attacks code security audits architecture security reviews static analysis validate that products resist the threat model 

To give concrete examples of what the team does:

Code security review: Nano firmware updates are securely analyzed before they can be downloaded on Ledger Live Applications are reviewed before being made available in Ledger Live Architecture security review: Product architecture and components are reviewed to maintain the level of security of our products Hardware attacks : https://blog.ledger.com/new-pin-screen/ Code Signing: The process of releasing updates is also protected by requiring the signature of several people with different interests in the company External Pentests

However, as transparency is one of our core values, we at Ledger also want to be challenged by our community. That’s where pentests, also called security evaluations, come into play.

These pentests allow us to demonstrate to customers – both individuals and companies – the level of security of products or services, such as our Ledger Nano line or Ledger Recover. By undergoing these evaluations, we are subjecting such products, services, software and knowledge to testing by an independent third-party security laboratory with highly advanced equipment and expertise. As a result of the evaluations, Ledger has been awarded CSPN certificates for the Nano S and Nano X by ANSSI.

Pentesting Laboratory

The pentests are not performed by any random laboratory. We decided to go with the ones licensed by ANSSI, France’s Cybersecurity Agency, known for its meticulous work in the field of cybersecurity.

Our decision led us to onboard Synacktiv for this crucial journey. Hailing from Paris, Synacktiv is an offensive security laboratory recognized for the quality of their work and their findings. Given our utmost desire to uncover any potential flaws, vulnerabilities, or bugs in Ledger Recover, we spared no effort in ensuring they were positioned for success by providing them with all the resources and support they needed:

all documentation (architecture, cryptographic specifications, sequence diagrams) white-box methodology (access to the source code) samples (Nano X) access to Ledger Recover interfaces (even the ones not exposed to the final user) access to Ledger personnel (architects, developers, security experts) 80 men.days to perform their assessment Security Analysis Outcome

The outcome was more than positive for Ledger. Despite all the hard work and time we put into developing and reviewing Ledger Recover, bugs and vulnerabilities were still found by Synacktiv, which led to refactoring and architecture changes in the code, adding additional security layers and toughening what was already in place. And, of course, the Ledger Donjon performed an Internal Security Review.

As firm believers that “the devil is in the details”, we are committed to forging ahead on that path, conducting regular pentests on Ledger Recover.

For example we will detail some outcomes from the different audits and the mitigation planned.

Man In the Middle attacks

Ledger Recover was designed to take advantage of the security built into our devices and HSMs. But even with such security, we need to ensure users cannot be fooled or manipulated into performing actions that would compromise their seed and therefore assure them maximum security.

During one of the reviews, we noticed that the restore process was vulnerable to social engineering attacks. It relied on a prerequisite: having installed beforehand a rogue Ledger Live on the user’s computer. The idea was the following:

With the help of the rogue Ledger Live, the attacker is waiting for the user to start an Identity Verification. Once this latter is initiated, the attacker also launches an Identity Verification. As he controls the rogue Ledger Live, the attacker is able to switch the sessions leading the user to a wrong session and the attacker stealing the real session from the user. At the end the attacker could have been able to retrieve the user’s seed.

This attack could be carried out through social engineering, for example, by manipulating the user into performing an Identity Verification. To fix this issue, we decided to have two lines of actions: first, like for all other products we decided to provide user documentation to give users the right process to follow and not be fooled during some actions. The second action we put in place is a technical measure: preventing a single account from starting two restores from the same seed.

Internal threats

Other outcomes of the security reviews were about the potential internal threats. This security point of view was already present in the original architecture with the idea of having three companies to store the different parts of seed and prevent a bad actor from stealing elements. But at first the mitigation was designed at a high level by the separation of knowledge. The security reviews showed some weakness which led to additional mitigations.

For example, we developed the diversification of backup_id. Originally the backup_id was the same in the three databases, so the Ledger Recover service could retrieve easily which part of the share on the first backup provider was linked to the one on the second backup provider. Then we decided to diversify the backup_id in a way that if people from two companies decide to collude it will be difficult to know which share is paired with another share.

Another case was the database where the user identity information is stored. At first it was encrypted with a simple encryption. To prevent an internal attacker from being able to retrieve the key we decided to use HSM encryption in that way no one could retrieve the key. Even if we add several infrastructure hardening (see Part 5 <TODO: link when published>). 

Next steps

This last chapter shows you that our products are built by prioritizing the safety of our users. This is why several actions are already planned for the future of Ledger Recover: the security will be analyzed regularly either by our internal team or by external security actors.

Our devices are also repeatedly audited and assessed to assure the pair custom OS and Secure Element guarantee the security of the user secrets. This process is never ending and will continue throughout the life of Ledger Recover as a service.

Last but not least, Ledger Recover is part of our Bounty program and the source code containing the implementation of Ledger Recover is also public and can be reviewed by anyone.

Thank you again for having stayed with us through this journey of unveiling what’s behind the scene of Ledger Recover. And hoping to see you on the day of the official launch!

Similar to Notcoin - Blum - Airdrops In 2024

origin »

SherLOCK Security (LOCK) на Currencies.ru

$ 0.1387 (+1.71%)
Объем 24H $13
Изменеия 24h: 10.06 %, 7d: -33.06 %
Cегодня L: $0.1387 - H: $0.1387
Капитализация $0 Rank 3458
Доступно / Всего 0 LOCK / 4.969m LOCK

security ledger external internal service regular conducted

security ledger → Результатов: 126


Фото:

Ledger Vault Enters Into Agreement with YouHodler To Protect and Secure Funds

YouHodler becomes the first lender to utilize the digital asset security and infrastructure of the global leader in safety solutions PARIS, June 24, 2020 – Ledger, the global leader in security and infrastructure solutions for critical digital assets and blockchain applications, has announced that YouHodler, a FinTech platform and crypto-backed loan service provider, has selected […] The post Ledger Vault Enters Into Agreement with YouHodler To Protect and Secure Funds appeared first on BeInCrypto.

2020-6-25 11:58


Google удалил еще 22 расширения браузера Chrome для кражи криптовалют

Google удалил из интернет-магазина расширений для Chrome еще 22 утилиты, распространявшиеся под видом приложений популярных криптовалютных кошельков, включая Ledger и MetaMask. Новостной сайт Naked Security, управляемый специализирующейся на безопасности фирмой Sophos, сообщает, что Google удалил из своего интернет-магазина расширений для браузера Chrome 22 мошеннических утилиты.

2020-5-12 14:00


В Google Chrome обнаружено более 20 новых фейковых криптовалютных расширений

В браузере Google Chrome найдено 22 новых расширения, выдающих себя за официальные продукты разработчиков криптовалютных кошельков. Об этом пишет Naked Security. Фейковые расширения, в том числе имитирующие кошельки Ledger, KeepKey, MetaMask и Jaxx, обнаружил специалист по безопасности Гарри Денли.

2020-5-9 10:19


Ledger Nano S Review: Best-Selling Wallet, Still King in 2020?

The Ledger Nano S is one of the first and most popular hardware wallets designed by French blockchain security company, Ledger. Founded in 2014, the same year as the iconic Mt. Gox exchange hack, Ledger has always had a strong focus on fund security and has since become one of the leading hardware wallet producers in […] Ledger Nano S Review: Best-Selling Wallet, Still King in 2020? was originally found on Cryptocurrency News | Tech, Privacy, Bitcoin & Blockchain | Blokt.

2020-4-1 23:55


Фото:

U.S. Authorities List Blockchain Among COVID-19 Critical Services 

In accordance with the COVID-19 guidance issued by President Donald Trump on March 16, the Cybersecurity and Infrastructure Security Agency (CISA), has listed distributed ledger technology (DLT) among the critical infrastructure services needed to effectively reduce the spread of the virus, as such, blockchain managers as “Essential Critical Infrastructure Workers” are expected to maintain theirRead MoreRead More.

2020-3-24 20:00


DTCC Urges Financial Institutions to Collaborate in Forming A DLT Regulatory Framework

U.S Depository Trust & Clearing Corporation (DTCC) published a white paper on Feb,12 calling for the establishment of a proper regulatory framework on blockchain technology. The leading American financial markets clearing and settlement company noted that this would help avoid the risks associated with Digital Ledger adoption in future. This white paper dubbed ‘Security of […]

2020-2-14 00:29


Фото:

Amendments: Ensuring Sensible Evolution of the XRP Ledger

The XRP Ledger (XRPL) was designed to provide a robust feature set for the foundation of the digital asset XRP in addition to settling payments and exchanging digital assets of all kinds. The open source community of developers supporting innovation on XRPL continue making core improvements to the technology to ensure performance, stability, security, quality, … Continued The post Amendments: Ensuring Sensible Evolution of the XRP Ledger appeared first on Ripple.

2020-2-12 03:15


Фото:

Block.One Promises Scalability and More Security with EOS Version 2.0

Block. One, the distributed ledger technology (DLT) project in charge of EOS (EOS), has announced the successful upgrade to the EOS software to version 2. 0. The team says EOS version 2. 0 is designed to offer more scalability and security, while also enabling newbie blockchain developers to easily create decentralized applications with EOS, according to a blogRead MoreRead More.

2020-1-13 14:00


Фото:

Taiwanese Startup Unveils Solution to Bridge IoT and DLT

International Trust Machines Corporation (ITM), a Taiwan-based startup that claims to be focused on empowering Internet-of-Things (IoT) devices with blockchain capabilities and make it easier for businesses to adopt distributed ledger technology (DLT), has joined forces with Microsoft and Qualcomm to launch a solution aimed at boosting the performance and security of chipsets certified forRead MoreRead More.

2020-1-6 16:00


Фото:

DXM Partners With Ledger to Launch Institutional Custody Solution

DXM, the cryptocurrency branch of the Korean market operator Dunamu, will offer custodial services in partnership with the French hardware firm, Ledger. Upbit Safe Service to Use Ledger Vault Security Technology Ledger, the producer of some of the most popular hardware wallets of the Nano series, will offer custody with institutional-grade quality, reported the News Asia.

2019-12-6 14:28


Litecoin Foundation's exec says LTC chose decentralization, security over scalability

Decentralization, scalability, and security are crucial to any distributed ledger technology or DLT-based network. This has been a key challenge in the case of Ethereum blockchain. In fact, Ethereum CThe post Litecoin Foundation's exec says LTC chose decentralization, security over scalability appeared first on AMBCrypto.

2019-11-30 17:00


Ledger continues its security certification program with Ledger Nano X

The Ledger Nano X receives CSPN (First Level Security Certificate) certification issued by ANSSI (National Agency for Information Systems Security).  Following the Ledger Nano S announcement a few months ago, this makes both Ledger Nano X and S the only hardware wallets to be certified, according to the security requirements specified in the CSPN security […]

2019-12-12 16:59


Фото:

ILCoin Resolves Scalability, Security Issues Of Blockchain Data Storage

The dawn of blockchain has given way to a field of possible adaptations for the technology. One of the leading possibilities for the distributed ledger network is on-chain data storage. ILCoin Trumps the Scalability Hurdle Because of the decentralized nature of blockchain — having no centralized entity controlling access to the files — blockchain storageRead MoreRead More.

2019-10-21 13:40


Фото:

HashCash Building DLT Solution for a Global Bank

HashCash Consultants, a software firm that claims to be developing distributed ledger technology (DLT) solutions that allow enterprises to facilitate real-time cross-border payments, has inked a strategic partnership deal with an unnamed global bank for the development of core banking solutions aimed at increasing the speed, security and efficiency of banking processes, reports Yahoo FinanceRead MoreRead More.

2019-10-7 17:00