Article last updated in July 2022 for CCSS Version 8.0.
Marc Krisjanous is one of the first CCSS Auditors and assisted C4 in the development of their auditors program.
In this series we will review each of the core Aspects in the CCSS and provide our interpretation for each of the Aspect’s requirements and what possible evidence could provide assurance to the auditor that a requirement is in-place. Make sure to read our other in-depth articles on the CCSS Aspects:
CCSS Aspect 1.02 Wallet Creation
In this article we will explore how an auditor could interpret the CCSS Aspect 1.02 Wallet Creation.
Aspect 1.02 Wallet Creation addresses the security of cryptocurrency wallet creation and covers the people, process and technology components for wallet creation. The Aspect’s objective defined within the CCSS is provided below.
“This aspect covers the creation of wallets or addresses that can receive digital assets. Wallets are created using key signing methodologies that can require a single key’s signature, multiple keys’ signatures, or a minimum number of signatures from many keys. Furthermore, wallets can be created individually (commonly referred to as JBOK wallets, or “Just a Bunch Of Keys”) or in a deterministic way that allows a set of addresses/key pairs to be created from a single master seed. Security of wallet creation is derived from the integrity of the wallet in the face of various risks such as a lost/stolen/compromised key, and the confidentiality of the wallet that would make it difficult to associate a wallet with a particular actor.”
Aspect Controls
There are five controls to this Aspect. In this article we will address each control.
- 1.02.1 Multiple keys for signing
- 1.02.2 Redundant key for recovery
- 1.02.3 Geographic distribution of keys
- 1.02.4 Organizational distribution of keys
- 1.02.5 Documented wallet creation policy
CCSS Levels
CCSS provides three levels of compliance, from Level 1, the base level of implementing CCSS requirements, up to Level 3, the most in-depth implementation. We shall review each compliance level and provide our thoughts on what evidence an auditor should seek to gain assurance that the requirements are in place.
Level 2 Compliance
The CCSSA should ensure that there are policy-level statements requiring at least two signers for every transaction that spends funds (control 1.02.1, Multiple keys for signing), and that any one authorized person holds, or has access to, only one key for a given cryptocurrency wallet.
The CCSSA should request the key inventory and review the ownership of, and access to, each cryptocurrency private key within the assessed entity's environment to confirm that no authorized person has access to more than one private key for the same wallet.
The CCSSA should interview a sample of personnel who signed cryptocurrency transactions transferring funds during the assessed period to confirm that each of them had access to only one private key for the wallet concerned.
The CCSS glossary does not define a “redundant key” (control 1.02.2, Redundant key for recovery). However, the requirement's rationale provides the following guidance:
“This ensures that the funds are still available in the event one of the primary keys becomes inaccessible for any reason. One common method of achieving this goal is to create a wallet that requires any 2 of 3 possible signatures in order to spend funds (i.e., there is 1 redundant key).”
The rationale describes a multi-signature wallet configured for M-of-N signing, where M is the minimum number of signatures required to spend and N is the total number of keys authorized to sign. For example, if there are 5 authorized signers but only 2 signatures are required, the wallet is in a 2-of-5 configuration and has 3 redundant keys.
The assessed entity should have a policy under which some of the private keys in an M-of-N configuration are never used in production and are held solely as redundant keys for recovery. In our 2-of-5 example the assessed entity may remove 3 of the 5 private keys from production and use them only if one of the remaining two production keys becomes unavailable. Note that a compromised key is still a valid signer for the wallet; in that case the redundant keys should be used to meet the threshold and move the funds to a newly created wallet, not to keep operating the existing one.
The CCSSA should ensure policy statements are documented requiring that the private keys for a cryptocurrency wallet are not stored in the same physical location (control 1.02.3, Geographic distribution of keys).
The CCSSA should review the policies, standards and procedures for key generation to confirm they require that a key not reside in the same location as any other key with signing privileges for the same wallet.
The CCSSA should review the key inventory to confirm that keys with signing privileges for the same wallet do not reside in the same location.
The CCSSA should interview a sample of personnel who have generated keys, updated key data or retired keys to confirm that the applicable policies, standards and procedures were followed.
The CCSSA should review the assessed entity's policies, standards and procedures addressing cryptocurrency wallet creation to confirm that the applicable CCSS requirements are met (control 1.02.5, Documented wallet creation policy). The CCSSA should also confirm that these documents are reviewed at least annually so that they remain aligned with current industry standards and best practice.
Level 3 Compliance
The requirement's rationale provides guidance on what is acceptable with regard to “multiple organizational entities/business units” (control 1.02.4, Organizational distribution of keys). The rationale is below.
“By giving keys to separate business units and legal entities (such as lawyers, accountants, or other businesses), legal risks that can disrupt your business will not necessarily disrupt your funds. Note that this does not violate the Key/Seed Generation Level I requirement, as the separate organizations fail to meet the definition of an actor.”
The rationale allows assessed entities that are based in only one location to use third-party entities to store private keys. We would also accept, as a third-party entity, an organization qualified to provide safes or other secure storage facilities.
The CCSSA should review the policies, standards and procedures to confirm that they require private keys to be held by multiple entities or business units.
The CCSSA should ensure that the policies, standards and procedures define a procurement process for third-party organizations that will store private keys, and that this process confirms the organization is suitably qualified to provide the service.
The CCSSA should interview a sample of personnel responsible for distributing private keys to confirm that the policies, standards and procedures are followed.
The CCSSA should review the key inventory to confirm that private keys are dispersed across multiple entities/business units and locations, as the policies, standards and procedures require.
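The key-inventory reviews called for under controls 1.02.1 through 1.02.4 above (one key per person, a redundant key held out of production, no two keys in one location, keys held by more than one organization) can be scripted so the CCSSA applies the same test to every wallet in the inventory. The following is an added example written for this article, not code from C4 or the CCSS; the `KeyRecord` and `WalletPolicy` structures, the field names and the two sample wallets are our own constructions, and the M-of-N checks reflect our reading of the rationale quoted above.

```python
# Added example (not from the CCSS or C4): key-inventory checks a CCSSA could
# script for CCSS Aspect 1.02. All records below are constructed sample data.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    wallet: str
    holder: str          # person who holds or can access the key
    organization: str    # legal entity or business unit acting as custodian
    location: str        # physical site where the key material resides
    in_production: bool  # True = used for routine signing, False = recovery only


@dataclass(frozen=True)
class WalletPolicy:
    wallet: str
    m: int  # minimum signatures required to spend
    n: int  # total keys authorized to sign


def check_wallet(policy, inventory):
    """Return a list of findings for one wallet; an empty list means no findings."""
    keys = [k for k in inventory if k.wallet == policy.wallet]
    findings = []
    if len(keys) != policy.n:
        findings.append(f"inventory: {len(keys)} keys recorded but policy is {policy.m}-of-{policy.n}")
    # 1.02.1 Multiple keys for signing: M >= 2 and no person holds more than one key.
    if policy.m < 2:
        findings.append(f"1.02.1: threshold is {policy.m}, at least 2 signers are required")
    for holder, count in Counter(k.holder for k in keys).items():
        if count > 1:
            findings.append(f"1.02.1: {holder} holds {count} keys for this wallet")
    # 1.02.2 Redundant key for recovery: N > M, some keys kept out of production,
    # and enough production keys remain to reach the threshold.
    if policy.n <= policy.m:
        findings.append(f"1.02.2: {policy.m}-of-{policy.n} leaves no redundant key")
    if not any(not k.in_production for k in keys):
        findings.append("1.02.2: no key is reserved for recovery")
    in_prod = sum(k.in_production for k in keys)
    if in_prod < policy.m:
        findings.append(f"1.02.2: only {in_prod} production keys, {policy.m} needed to spend")
    # 1.02.3 Geographic distribution: no two signing keys at one physical location.
    for location, count in Counter(k.location for k in keys).items():
        if count > 1:
            findings.append(f"1.02.3: {count} keys co-located at {location}")
    # 1.02.4 Organizational distribution (Level 3): more than one custodian entity.
    if len({k.organization for k in keys}) < 2:
        findings.append("1.02.4: all keys are held by a single organization")
    return findings


def recovery_status(policy, inventory, lost=(), compromised=()):
    """Can the entity still spend after losing keys, and must it move the funds?"""
    keys = [k for k in inventory if k.wallet == policy.wallet]
    excluded = set(lost) | set(compromised)
    usable = [k for k in keys if k.key_id not in excluded]
    return {
        "usable_keys": len(usable),
        "can_spend": len(usable) >= policy.m,
        # A compromised key remains a valid signer for this wallet, so the
        # remaining keys should sweep the funds to a new wallet, not keep operating.
        "must_migrate": bool(compromised) and len(usable) >= policy.m,
        "attacker_can_spend": len(compromised) >= policy.m,
    }


# Constructed inventory: "treasury" is a 2-of-5 wallet with three recovery keys,
# two of them held by outside firms; "hot" is a badly set-up 2-of-3 wallet.
POLICIES = {
    "treasury": WalletPolicy("treasury", m=2, n=5),
    "hot": WalletPolicy("hot", m=2, n=3),
}
INVENTORY = [
    KeyRecord("t1", "treasury", "alice", "Acme Ltd", "Auckland office", True),
    KeyRecord("t2", "treasury", "bob", "Acme Ltd", "Wellington office", True),
    KeyRecord("t3", "treasury", "carol", "Acme Ltd", "Christchurch vault", False),
    KeyRecord("t4", "treasury", "dave", "Smith Legal", "Smith Legal safe", False),
    KeyRecord("t5", "treasury", "erin", "Jones Accounting", "Jones Accounting safe", False),
    KeyRecord("h1", "hot", "alice", "Acme Ltd", "Auckland office", True),
    KeyRecord("h2", "hot", "alice", "Acme Ltd", "Auckland office", True),
    KeyRecord("h3", "hot", "frank", "Acme Ltd", "Wellington office", True),
]


def audit(policies=POLICIES, inventory=INVENTORY):
    """Run check_wallet over every wallet in the policy set; returns {wallet: findings}."""
    return {name: check_wallet(policy, inventory) for name, policy in policies.items()}


if __name__ == "__main__":
    for wallet, findings in audit().items():
        print(wallet, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    print(recovery_status(POLICIES["treasury"], INVENTORY, lost={"t1"}))
    print(recovery_status(POLICIES["treasury"], INVENTORY, compromised={"t1", "t2"}))
```

Running the script reports no findings for the treasury wallet and four for the hot wallet (one per control). The `recovery_status` calls show the distinction drawn above: losing one treasury key leaves four usable keys and the entity can keep spending, whereas two compromised keys in a 2-of-5 wallet already let the attacker spend, so the remaining three keys must be used to move the funds immediately.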
Summary
In this article we reviewed the CCSS Aspect 1.02 Wallet Creation. The Aspect covers requirements for the people, process and technology components that interact with wallet creation processes.