Private Keys, Cold Storage, and Cryptographic Security | Institutional Custody & Compliance | XRP Academy
Advanced · 60 min

Private Keys, Cold Storage, and Cryptographic Security

Learning Objectives

Explain how private keys work and why they represent the fundamental custody challenge

Compare hot, cold, and warm storage architectures with their security tradeoffs

Evaluate multi-signature versus MPC approaches for institutional custody

Assess HSM implementations and their role in key protection

Identify red flags and best practices in custody security architecture

When evaluating a custody provider, you'll encounter a blizzard of security claims: "Military-grade encryption." "Cold storage." "Multi-sig." "MPC technology." "FIPS 140-2 certified HSMs." These terms can sound impressive—or meaningless—depending on your technical background.

This lesson cuts through the marketing to explain what these technologies actually do, how they protect (or fail to protect) assets, and what questions you should ask when evaluating custody security.


A private key is fundamentally a very large random number—a 256-bit number chosen from approximately 10^77 possible values.

PRIVATE KEY ANATOMY:

- 256-bit random number
- Typically displayed as 64 hexadecimal characters
- Example: e8f32e723...c7a1 (truncated)

- Mathematically derives public key
- Signs transactions (proves authorization)
- Cannot be reverse-engineered from public key

The Cryptographic Chain:
Private Key → Public Key → Address
     ↓
Can sign → Creates valid → Moves assets
transactions   signatures    permanently

XRP LEDGER SPECIFICS:

  • secp256k1 (ECDSA) - Same as Bitcoin

  • Ed25519 - Modern, faster alternative

  • Master Key: Primary account control

  • Regular Keys: Assignable signing authority

  • Multi-sign: Multiple keys required

Unlike traditional finance where unauthorized transactions can be reversed, crypto transactions are permanent:

TRADITIONAL FINANCE:
Unauthorized Transaction → Contact bank → 
Dispute → Reversal → Assets recovered (usually)

CRYPTO:
Unauthorized Transaction → Assets gone →
On blockchain → Irreversible →
Assets likely lost permanently

  • Prevention is everything
  • Detection after the fact is too late
  • Single key compromise = total loss

ATTACK VECTOR TAXONOMY:

- Weak random number generators
- Predictable seeds

- Unencrypted storage
- Accessible backup files

- Network interception
- Side-channel leakage

- Memory scraping malware
- Cold boot attacks

- Phishing for credentials
- Insider threats

- Device theft
- Data center breach

---

Keys connected to the internet that can sign transactions immediately:

HOT STORAGE CHARACTERISTICS:

- Keys accessible to online systems
- Automated transaction signing
- Real-time processing capability

- Exposed to network attacks
- Larger attack surface
- Requires constant vigilance

- Minimize hot wallet balances (2-5% of assets)
- Rate limiting on transactions
- Behavioral monitoring
- Hardware security modules

- Customer withdrawals
- Trading operations
- Liquidity management

Keys never connected to the internet:

COLD STORAGE CHARACTERISTICS:

- Air-gapped from all networks
- Physical access required
- Manual transaction processing

- No remote attacks possible
- Reduced attack surface
- Physical security applies

1. Request generated online
2. Transferred to air-gapped system (QR/USB)
3. Human review of transaction
4. Signing on air-gapped device
5. Signature transferred back
6. Transaction broadcast

Time: Hours to days, not seconds
Holdings: 95-98% of total assets

Middle ground between hot and cold:

WARM STORAGE CHARACTERISTICS:

- Limited network connectivity
- Restricted transaction types
- Automated but constrained

- Maximum transactions per period
- Pre-approved destination addresses
- Time delays for large transactions

- Scheduled disbursements
- Pre-authorized transfers
- Medium-value operations
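
The three warm-storage controls listed above (transaction cap per period, pre-approved destinations, time delay for large transfers), as an added example that is not part of the original lesson or any custody vendor's code. The class name, field names, addresses and limits are assumptions constructed for illustration; amounts are in drops (1 XRP = 1,000,000 drops).

```python
from dataclasses import dataclass, field

@dataclass
class WarmWalletPolicy:
    """Hypothetical pre-signing gate; all names and limits are assumptions."""
    allowlist: set            # pre-approved destination addresses
    max_tx_per_window: int    # maximum transactions per period
    window_seconds: int       # length of that period
    large_amount: int         # drops; at or above this, the transfer is delayed
    delay_seconds: int        # hold time for large transfers
    _sent: list = field(default_factory=list)  # timestamps of accepted requests

    def evaluate(self, dest: str, amount: int, now: float):
        """Return (decision, release_time); decision is REJECT, HOLD or SIGN."""
        if amount <= 0 or dest not in self.allowlist:
            return ("REJECT", None)          # unknown destination: never sign
        # Rolling window: keep only requests accepted inside the current period.
        self._sent = [t for t in self._sent if now - t < self.window_seconds]
        if len(self._sent) >= self.max_tx_per_window:
            return ("REJECT", None)          # rate limit reached
        self._sent.append(now)               # held transfers also use up quota
        if amount >= self.large_amount:
            return ("HOLD", now + self.delay_seconds)  # reviewable before release
        return ("SIGN", now)

def demo():
    """Constructed requests: (destination, amount in drops, time in seconds)."""
    policy = WarmWalletPolicy(
        allowlist={"rTreasuryExample", "rExchangeExample"},
        max_tx_per_window=2, window_seconds=3600,
        large_amount=50_000_000_000, delay_seconds=86_400)
    requests = [
        ("rUnknownExample", 1_000_000, 0),          # not pre-approved
        ("rTreasuryExample", 1_000_000, 10),        # small, allowed
        ("rExchangeExample", 60_000_000_000, 20),   # large, delayed 24 h
        ("rTreasuryExample", 1_000_000, 30),        # third in the hour
        ("rTreasuryExample", 1_000_000, 3700),      # window has rolled over
    ]
    return [policy.evaluate(d, a, t) for d, a, t in requests]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A held transfer counts against the period quota at request time, so queuing many large transfers cannot be used to get around the cap.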

TYPICAL ARCHITECTURE:

Total Assets
             │
    ┌────────┼────────┐
    │        │        │
  Cold     Warm     Hot
 (95-98%) (2-4%)  (1-2%)
    │        │        │
Multi-week Hours   Real-time
Processing Days    Processing

REPLENISHMENT FLOW:
Cold → Warm → Hot
(when hot depleted)

Multiple private keys required to authorize a transaction:

MULTI-SIGNATURE CONCEPTS:

- Single key = single point of failure
- Multiple keys = distributed trust
- Threshold schemes: m-of-n required

Common Configurations:
2-of-3: Two of three keys required
3-of-5: Three of five keys required
4-of-7: Four of seven keys required

- No single point of failure
- Tolerates key loss (up to threshold)
- Requires collusion to compromise
- On-chain enforcement

XRPL MULTI-SIGN IMPLEMENTATION:

- Native to XRP Ledger
- Configurable threshold (quorum)
- Up to 32 signers
- Weighted voting possible

Example Configuration:
{
  "SignerQuorum": 3,
  "SignerEntries": [
    {"Account": "rKey1...", "Weight": 1},
    {"Account": "rKey2...", "Weight": 1},
    {"Account": "rKey3...", "Weight": 1},
    {"Account": "rKey4...", "Weight": 1},
    {"Account": "rKey5...", "Weight": 1}
  ]
}
// 3-of-5: Any 3 signers can authorize
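
A check you can run over a SignerList like the one above before trusting an "m-of-n" claim, as an added example (not XRP Ledger or XRP Academy code). It goes beyond the equal-weight case to weighted voting; the account names are constructed placeholders and the function names are assumptions.

```python
MAX_SIGNERS = 32  # signer limit stated in the lesson

def audit_signer_list(sl: dict) -> list:
    """Return the problems found in a SignerList-style dict (empty list = clean)."""
    accounts = [e["Account"] for e in sl["SignerEntries"]]
    weights = [e["Weight"] for e in sl["SignerEntries"]]
    quorum = sl["SignerQuorum"]
    problems = []
    if not 1 <= len(accounts) <= MAX_SIGNERS:
        problems.append("signer count outside 1..32")
    if len(set(accounts)) != len(accounts):
        problems.append("duplicate signer account")
    if any(w <= 0 for w in weights):
        problems.append("non-positive weight")
    if quorum <= 0 or quorum > sum(weights):
        problems.append("quorum cannot be reached")
    elif any(w >= quorum for w in weights):
        problems.append("a single signer meets quorum alone")
    return problems

def is_authorized(sl: dict, signed_by: set) -> bool:
    """True if the listed signers in signed_by reach a positive quorum."""
    weight = sum(e["Weight"] for e in sl["SignerEntries"]
                 if e["Account"] in signed_by)   # outsiders contribute nothing
    return sl["SignerQuorum"] > 0 and weight >= sl["SignerQuorum"]

def max_keys_lost_safely(sl: dict) -> int:
    """Largest k such that losing ANY k keys still leaves the quorum reachable."""
    weights = sorted((e["Weight"] for e in sl["SignerEntries"]), reverse=True)
    remaining, lost = sum(weights), 0
    for w in weights:                 # worst case: heaviest keys are lost first
        if remaining - w < sl["SignerQuorum"]:
            break
        remaining, lost = remaining - w, lost + 1
    return lost

def signer_list(quorum: int, weights: list) -> dict:
    """Build a constructed SignerList with placeholder account names."""
    return {"SignerQuorum": quorum, "SignerEntries": [
        {"Account": f"rSigner{i}Example", "Weight": w}
        for i, w in enumerate(weights, 1)]}

THREE_OF_FIVE = signer_list(3, [1, 1, 1, 1, 1])   # the lesson's configuration
WEIGHTED = signer_list(3, [3, 1, 1, 1])           # constructed: one heavy key
```

With weights, "3-of-4" on paper can still be a single point of failure: in `WEIGHTED` the first signer authorizes alone, and losing that key plus any other makes the quorum unreachable.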

- Enforced by ledger consensus
- Transparent and auditable
- Cannot be bypassed
- Well-tested over years

  • Different geographic locations
  • Different departments/functions
  • Backup holders for each key
  • Documented procedures

EXAMPLE INSTITUTIONAL SETUP:

  • 2 keys: Operations (different people)

  • 2 keys: Finance (different people)

  • 2 keys: Compliance (different people)

  • 2 keys: Executive (CEO, COO)

  • 1 key: External (auditor/counsel)

  • 3 keys: Primary office

  • 3 keys: DR site

  • 3 keys: Distributed individual custody


MPC CONCEPT:

- Private key NEVER exists in complete form
- Key is mathematically "sharded"
- Shards compute signature together
- Key reconstruction unnecessary

Traditional Multi-Sig:
Key 1 signs → Key 2 signs → Key 3 signs
(Complete keys exist)

MPC:
Shard 1 computes + Shard 2 computes + Shard 3 computes
        ↓
    Signature generated
        ↓
(No complete key ever existed)
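
The idea above in miniature, as an added example that is not from the lesson or any MPC vendor: a toy n-of-n Schnorr-style signature in which each party signs with its own additive share and the full key is never assembled. Assumptions: the 11-bit group parameters and the class and function names are constructed for illustration; production threshold protocols for ECDSA or Ed25519 are considerably more involved.

```python
import hashlib
import secrets

# Toy group, illustration only: P = 2*Q + 1, G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(r: int, msg: bytes) -> int:
    """e = SHA-256(R || msg) reduced mod Q."""
    digest = hashlib.sha256(r.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

class Party:
    """Holds one key share x_i; shares are never sent or combined."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1   # private share
        self.pub_share = pow(G, self.x, P)      # g^x_i, safe to publish

    def commit(self) -> int:
        self.k = secrets.randbelow(Q - 1) + 1   # fresh nonce for every signature
        return pow(G, self.k, P)

    def partial_sign(self, e: int) -> int:
        return (self.k + e * self.x) % Q        # s_i = k_i + e * x_i

def joint_public_key(parties) -> int:
    y = 1
    for p in parties:
        y = y * p.pub_share % P                 # y = g^(x_1 + ... + x_n)
    return y

def joint_sign(parties, msg: bytes):
    r = 1
    for c in [p.commit() for p in parties]:
        r = r * c % P                           # R = g^(k_1 + ... + k_n)
    e = challenge(r, msg)
    s = sum(p.partial_sign(e) for p in parties) % Q   # only partials are shared
    return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    return pow(G, s, P) == r * pow(y, challenge(r, msg), P) % P   # g^s == R * y^e
```

The verifier sees one ordinary signature under one public key, which is why the lesson lists "single signature on-chain" and "governance structure hidden" as MPC properties.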

MPC ADVANTAGES:

- Works with any blockchain
- Single signature on-chain
- Governance structure hidden

- Key resharing without transactions
- Add/remove parties without address change
- Easier key rotation

MULTI-SIG ADVANTAGES:

  • On-chain visibility of structure

  • Auditors can verify configuration

  • Governance publicly enforced

  • Well-understood cryptography

  • Battle-tested implementations

  • Easier to audit

WHICH TO CHOOSE?

  • Transparency valued

  • Native support available (XRPL)

  • Auditor familiarity important

  • Protocol doesn't support multi-sig

  • Frequent key rotation needed

  • Privacy of governance valued

MAJOR MPC PROVIDERS:

- Market leader
- $8B valuation (2022)
- XRP supported

- Hybrid MPC approach
- Combined with HSMs

- Adding MPC capabilities
- Enterprise focus

EVALUATING MPC:

  1. What MPC protocol is used?
  2. Has it been formally verified?
  3. Independent security audits?
  4. How many parties? What threshold?
  5. Where are shards held?

  • "Proprietary" MPC without audits
  • All shards in one location
  • Threshold too low (e.g., 1-of-3)

HSM CONCEPT:

- Dedicated cryptographic processor
- Tamper-resistant physical packaging
- Keys generated and stored inside
- Keys NEVER leave the HSM

Key Protection:
┌────────────────────────────────┐
│           HSM Device           │
│  ┌──────────────────────────┐  │
│  │   Secure Key Storage    │  │
│  │   (Never exported)      │  │
│  └──────────────────────────┘  │
│              ↓                 │
│  ┌──────────────────────────┐  │
│  │   Signing Operations    │  │
│  │   (Keys used internally)│  │
│  └──────────────────────────┘  │
│              ↓                 │
│  Only signatures leave HSM    │
└────────────────────────────────┘

FIPS 140-2 SECURITY LEVELS:

- No physical security requirements
- Software implementations can qualify

- Tamper-evident coatings/seals
- Role-based authentication

- Tamper-resistant (active response)
- Identity-based authentication
- Zeroization on tamper detect

- Environmental protection
- Active tamper response
- Rare in commercial use

MAJOR HSM VENDORS:

- Market leader
- Common in financial services

- German engineering
- Banking heritage

CLOUD HSM OPTIONS:

  • FIPS 140-2 Level 3

  • Managed service

  • Thales Luna-based

  • Cloud KMS backed by HSM

ON-PREMISES VS. CLOUD:

  • Higher upfront cost

  • Trust assumptions


CUSTODY SECURITY ASSESSMENT:

LAYER 1: KEY GENERATION
□ Hardware random number generator?
□ Key ceremony procedures?
□ Witness and audit trail?

LAYER 2: KEY STORAGE
□ HSM for key protection?
□ FIPS Level 3+?
□ Cold/warm/hot segmentation?
□ Geographic distribution?

LAYER 3: KEY USAGE
□ Multi-sig or MPC?
□ Threshold appropriate?
□ Role separation?

LAYER 4: OPERATIONAL SECURITY
□ Background checks?
□ Physical access controls?
□ Monitoring and alerting?

LAYER 5: INCIDENT RESPONSE
□ Breach detection capability?
□ Response procedures documented?
□ Key rotation procedures?

RED FLAGS:

Technical:
⚠️ Keys generated in software, not HSM
⚠️ No multi-sig/MPC for large holdings
⚠️ Hot wallet holds >10% of assets
⚠️ Single location for all keys
⚠️ Low FIPS level (<3)

Operational:
⚠️ Single person can authorize large transactions
⚠️ No background checks
⚠️ Missing audit logs
⚠️ No incident response plan

Transparency:
⚠️ Won't discuss security architecture
⚠️ No SOC reports available
⚠️ Vague about key management

BEST PRACTICES:

✅ Hardware key generation (HSM)
✅ FIPS 140-2 Level 3+ HSMs
✅ Multi-sig/MPC for cold storage
✅ Geographic distribution
✅ ≤5% assets in hot storage
✅ Documented key ceremonies
✅ Regular security audits
✅ SOC 2 Type II certification


---

Private key security is the fundamental challenge - All security measures exist to protect these secrets

Cold storage dramatically reduces attack surface - Air-gapped systems cannot be remotely hacked

Multi-sig eliminates single points of failure - Properly implemented, requires attacker to compromise multiple parties

HSMs provide meaningful key protection - Tamper-resistant hardware prevents key extraction

⚠️ MPC long-term security - Newer protocols less battle-tested

⚠️ Cloud HSM trust model - Shared infrastructure introduces assumptions

⚠️ Operational security consistency - Technology only as good as humans using it

📌 Assuming technology alone is sufficient - Most breaches involve human factors

📌 Trusting marketing claims without verification - "Military-grade" is meaningless without specifics

📌 Single-technology reliance - Security requires defense in depth

Custody security is genuinely complex. The technologies discussed—HSMs, multi-sig, MPC, cold storage—provide real security benefits when implemented properly. But "when implemented properly" is doing a lot of work. The same technology can be highly secure or security theater depending on implementation.


Assignment: Compare three custody providers with different security approaches.

  • Provider A: Traditional (HSM + native multi-sig)
  • Provider B: MPC Modern (Fireblocks-style)
  • Provider C: Hybrid (HSM + MPC combination)

  • Part 1: Architecture Diagrams (1 page)
  • Part 2: Security Analysis (2 pages)
  • Part 3: Risk Comparison Matrix (1 page)
  • Part 4: Recommendation (1 page)

Format: Technical memo with diagrams, 5 pages

Time Investment: 4-5 hours


1. What makes private key security fundamentally different from password security?
Answer: B - Private keys directly control assets with irreversible transactions

2. What additional information would you need to evaluate "95% cold storage" claim?
Answer: B - How cold is defined, replenishment procedures, physical security, key ceremonies

3. Primary security advantage of multi-sig over MPC?
Answer: B - On-chain enforcement and transparency

4. Primary benefit of FIPS 140-2 Level 3 HSM?
Answer: C - Keys generated and used inside tamper-resistant hardware with zeroization

5. Response to "military-grade encryption, multi-sig, cold storage" claim?
Answer: B - Request specific details on all technologies and implementations


End of Lesson 2

Total Words: ~4,200
Estimated Completion Time: 60 minutes reading + 4-5 hours for deliverable

Key Takeaways

1. Private keys are bearer instruments: Whoever has the key controls the assets permanently
2. Storage architecture involves fundamental tradeoffs: Security vs. speed
3. Multi-sig and MPC both eliminate single points of failure: Different tradeoffs
4. HSMs protect keys but aren't magic: One layer in security architecture
5. Security evaluation requires technical depth: Buzzwords aren't enough