Private keys are created within a secure area and never transmitted or passed anywhere.
The overall goal of the security model is to provide confidentiality, integrity, availability, accountability, and authentication.
This means that data at rest and in transit must be secure from eavesdropping or tampering. Clients must be appropriately authenticated and authorized to access data or modify policy. All interactions must be auditable and traced uniquely back to the origin entity. The system must be robust against intentional attempts to bypass any of its access controls.
ChainFront is designed to be deployed on a private subnet that is not publicly exposed and to which developers can directly connect.
Developer access to the ChainFront APIs will depend upon successful multi-factor authentication.
Automatic Key Rolling
Developers and their apps will access the APIs using rolling keys that continuously expire.
Anomaly detection systems will monitor the APIs and immediately “seal” the secure storage area in the event of an intrusion. The storage area can only be “unsealed” by the entry of sharded keys by a quorum (minimum of 3) of ChainFront security ops personnel.
Additionally, the service is architected such that private keys are mostly kept in cold storage and rotated into storage areas as needed, and are kept in multiple storage areas.
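The quorum unseal described above, as an added example that is not ChainFront's code. The page does not say how the keys are sharded, so Shamir secret sharing, the total of 5 shards, the prime field and every function name here are assumptions; only the minimum of 3 comes from the text.

```python
"""Constructed illustration: 3-of-5 quorum unseal with Shamir secret sharing.
The sharing scheme, the prime and all names are assumptions, not ChainFront's."""
import secrets

PRIME = 2**127 - 1   # Mersenne prime; the field must be larger than the secret
QUORUM = 3           # minimum number of shard holders (the figure from the text)


def split(secret, shares=5, quorum=QUORUM):
    """Return `shares` points on a random polynomial of degree quorum-1
    whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 < quorum <= shares:
        raise ValueError("need 1 < quorum <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def unseal(submitted, quorum=QUORUM):
    """Rebuild the master secret only when a quorum of distinct shards is present."""
    distinct = dict(submitted)  # keyed by x, so a repeated shard counts once
    if len(distinct) < quorum:
        raise PermissionError(f"{len(distinct)} distinct shards, need {quorum}")
    return interpolate_at_zero(list(distinct.items())[:quorum])
```

Interpolating fewer than the quorum of shards yields an unrelated field element rather than part of the secret, which is why the storage stays sealed until the third holder contributes.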
Amazon Web Services
The physical security of ChainFront adheres to NIST Cybersecurity Framework guidelines and leverages Amazon Web Services security controls. For more information, go here.