Aspects under Cryptographic Asset Management

• 1. Aspect 1.01 - Key Material Generation
     Aspect Objective: This aspect covers the generation of key material that will be used within a digital asset and blockchain protocol. The secure generation of key material requires two things to be secure: confidentiality and unpredictable numbers. Confidentiality is required to ensure that the newly generated key material is not read/copied by an unintended party. Nondeterministic and unpredictable numbers are required to ensure the newly generated key material cannot be guessed or determined by an unintended party. Each of the goals listed provide assurance that the key material is generated in a confidential and unguessable manner.
     
     Getting this right forms the foundation for protecting digital assets; if key material is predictable or exposed, the system cannot be trusted.
  2. Aspect 1.02 - Wallet Generation
     Aspect Objective: This aspect covers the generation of wallets or addresses that can receive digital assets. Wallets are generated using cryptographic signing methodologies that can support single-signer and multi-signer mechanisms. Furthermore, wallets can be generated individually (commonly referred to as “Just a Bunch Of Keys” or JBOK wallets) or in a deterministic way that allows a set of addresses/key pairs to be generated from a single master seed. Security of wallet generation is derived from the integrity of the wallet in the face of various risks such as a lost/stolen/compromised key material and the confidentiality of the wallet that would make it difficult to associate a wallet with a particular actor.
     
     Strong wallet generation ensures addresses are reliable, resistant to compromise, and do not easily reveal ownership– key ingredients for user confidence and system integrity.
  3. Aspect 1.03 - Key Material Storage
     Aspect Objective: This aspect covers the secure storage and backup of key material to ensure it remains protected, recoverable, and inaccessible to unauthorized parties. Key material is encrypted and backed up, with backups stored securely and protected from environmental threats. To prevent unauthorized use or tampering, access to operational key material and its backups is tightly controlled.
     
     Well-designed storage means funds can be recovered in a crisis while staying shielded from misuse.
  4. Aspect 1.04 - Key Material Access
     Aspect Objective: This aspect covers the policies and procedures surrounding granting and revoking access to key material. Personnel typically have greater access to the CCSS Trusted Environment with respect to accessing its information, invoking privilege-restricted actions, and representing the entity to the public. Improper management of the onboarding and offboarding of personnel introduces risks of privileged accounts remaining when personnel depart, as well as unrevoked key material that persists in signing authority for certain transactions.
     
     Well-managed access prevents key material from being abused after roles change.
  5. Aspect 1.05 - Key Material Usage Aspect Objective: This aspect covers the secure use of key material that minimizes the risks to the confidentiality of key material and the integrity of funds. A variety of risks are present when using key material that can lead to the loss of funds, including dirty signature vulnerabilities (i.e. re-used ‘R’ values), the opportunity for malware to copy or modify key material, and malicious insiders who use their authorized access to send unauthorized transactions.
     
     Careful usage protects funds in motion and keeps legitimate transactions from being hijacked.
  6. Aspect 1.06 - Data Sanitization Documentation Aspect Objective: This aspect covers the removal of key material from digital media. Due to the manner in which file systems allocate data on digital media, digital forensic techniques can be employed to read old data that has previously been sanitized. Proper sanitization of digital media ensures the proper removal of all key material, eliminating the risk of information leakage from decommissioned devices like servers, hard disk drives, and removable storage.
     
     Thorough sanitization prevents yesterday’s keys from becoming tomorrow’s breach.

  Aspects under Operations

   
  7. Aspect 2.01 - Security Tests / Audits
     Aspect Objective: This aspect covers third-party reviews of the security systems, technical controls, and policies that protect the CCSS Trusted Environment from all forms of risk as well as vulnerability and penetration tests designed to identify paths around existing controls. Regardless of the technical skills, knowledge, and experience of personnel who build and maintain the CCSS Trusted Environment, it has been proven that third-person reviews often identify risks and control deficiencies that were either overlooked or underestimated by personnel. For the same reasons that development companies require different people to test a product from those who write it, different people than those who implement a cryptocurrency system should assess its security. Third parties provide a different viewpoint and are independent of the technical controls and can be objective without risk of retaliation.
     
     Independent testing brings objectivity and uncovers what insiders miss.
  8. Aspect 2.02 - Log and Monitor
     Aspect Objective: This aspect covers monitoring the CCSS Trusted Environment's technical components audit logs for suspicious activity. When suspicious activity is identified, alerts must be generated so that personnel can triage and respond to the event to detect and respond to suspicious activity proactively.
     
     Logging and monitoring turn hidden activity into visible alerts that can be acted on quickly.
  9. Aspect 2.03 - Governance and Risk
     Aspect Objective: This aspect covers the governance policies, standards, and procedures that guide and control an entity to ensure its CCSS Trusted Environment is effective, efficient, and secure. It also includes the requirements for a comprehensive risk management program to identify potential risks to the CCSS Trusted Environment and apply appropriate risk treatments.
     
     Strong governance keeps security from being a one-time project and makes it an ongoing practice.
  10. Aspect 2.04 - Key Compromise Documentation
      Aspect Objective: This aspect covers the existence and use of documented policies and procedures that define the actions that must be taken in the event key material or its operator/holder are believed to have become compromised. Entities must be prepared to deal with a situation where key material has – even potentially – become known, determinable, or destroyed. Policies and procedures to govern these events decrease the risks associated with lost funds and increase the availability of the system to its users. Examples of when a Key Compromise Policy (KCP) would be invoked include the identification of tampering of a tamper-evident seal placed on the media that stores key material, the apparent disappearance of an operator whose closest friends and family cannot identify their whereabouts, or the receipt of communication that credibly indicates an operator or key material is likely at risk of being compromised. The execution of KCP makes use of Approved Communication Channels to ensure KCP messages are only sent/received by authenticated actors.
      
      A tested compromise plan turns potential chaos into a coordinated response.
      
      The CCSS is more than a checklist. It is a roadmap for building and operating crypto systems people can actually trust. Following it means protecting organizations, users, and, ultimately, the health of the entire crypto ecosystem.
      
      If you are building or working with digital asset systems, take the time to learn what CCSS covers. It might just be the difference between being remembered for your innovation and being remembered for a breach.