What is the CryptoCurrency Security Standard (CCSS)?
The word “crypto” was initially used as an abbreviation of cryptocurrency. However, with the growth of cryptocurrency and the creation of new protocols, standards, assets such as NFTs and finance services aimed at cryptocurrency such as DeFi, “crypto” is now used to encompass the entire sector of cryptographic-based assets and services.
The Cryptocurrency Security Standard (CCSS) is an open standard which focuses on the management security of cryptocurrency wallets.
In the world of “crypto” a crypto wallet is the bank account for your crypto assets such as cryptocurrency and NFTs. The crypto wallet also gives you the ability to conduct transactions such as buying products / services with cryptocurrency and transferring cryptocurrency to different wallets.
A crypto wallet stores the private keys used to sign transactions that will be validated and recorded on a blockchain. You don’t have to use a crypto wallet to sign transactions or manage crypto assets, but it becomes a much more complex exercise if you don’t.
Since a crypto wallet has complete control over the crypto assets managed by it, the security of the wallet is incredibly important – especially if the wallet is under someone else’s control such as an exchange. This is where CCSS comes in.
What are the CCSS Controls?
CCSS provides a list of information security controls that must be implemented to become CCSS compliant. The security controls focus directly on the people, process, and technology of crypto wallets. Baseline information security standards such as PCI DSS and ISO 27001 cover cryptographic security controls such as:
- key design,
- key strength,
- key management processes and other related factors,
- disk encryption,
- data encryption while in transit, at rest and processing,
- encryption of system and data backups, and
- hardware and software encryption/decryption mechanisms.
CCSS therefore does not replace baseline information security controls, nor does it purport to be an alternative to baseline security standards. Instead, it adds wallet-focused security controls when a system implements a crypto wallet.
The diagram below details the different control categories (called “aspects”) covered by CCSS (left column).
CCSS provides three levels of compliance:
Level 1 CCSS Compliance
Level 1 covers the baseline level of all the controls provided by CCSS and should be considered the absolute minimum of security controls to implement. However, when reviewing recent breaches of crypto-related services, one can see that even implementing Level 1 CCSS controls would have stopped or dramatically reduced the impact of a breach.
For example, with Key/Seed Generation at Control Level 1 the basics of key generation are covered, such as: (1) the person who uses the key must generate the key to ensure confidentiality of the key, (2) if a key is used by an “automated agent” then the key must be generated by an offline system, securely transferred from the offline system that generated it to the target system, and any copies of the key that are not required must then be securely deleted, and (3) keys are generated with sufficient entropy to reduce the risk of bias towards a reduced range of values or other deterministic properties.
Level 2 CCSS Compliance
Level 2 offers a higher level of compliance by focusing on key controls and adding further rigour to each of the applicable controls.
Expanding on the example from Level 1, Level 2 adds further rigour to the Key/Seed Generation control by requiring validation and auditing of the key generation process. This includes things like generating a digital signature of the key generation system after audit, publishing it, and comparing it to the signature generated each time the key generation system is used to ensure no unauthorised tampering has occurred. This is much like comparing the published checksum of an operating system image to the one that has been downloaded.
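The check described above can be sketched as follows. This is an added example, not code from the CCSS or from any wallet product: it uses a SHA-256 digest over the whole tool directory (the checksum analogue the paragraph mentions) and refuses to produce a seed when the digest no longer matches the audited value. The names tree_digest, generate_seed and the toy keygen.py are assumptions, and in practice the audited digest would itself be published under a digital signature.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path


def tree_digest(root: Path) -> str:
    """SHA-256 over every file under root: relative path, length, content."""
    outer = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        # Length-prefix each field so file boundaries cannot be shifted.
        outer.update(len(rel).to_bytes(8, "big") + rel)
        outer.update(len(data).to_bytes(8, "big") + data)
    return outer.hexdigest()


def generate_seed(tool_dir: Path, audited_digest: str, nbytes: int = 32) -> bytes:
    """Return a fresh seed only if the tool still matches the audited digest."""
    current = tree_digest(tool_dir)
    if not hmac.compare_digest(current, audited_digest):
        raise RuntimeError(f"key generation system changed: {current}")
    return secrets.token_bytes(nbytes)  # drawn from the OS CSPRNG


def demo() -> dict:
    """Constructed scenario: audit a toy tool, use it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp)
        (tool / "keygen.py").write_text("# audited key generation code\n")
        audited = tree_digest(tool)          # value recorded at audit time
        seed = generate_seed(tool, audited)  # unmodified tool: allowed
        (tool / "keygen.py").write_text("# audited key generation code\nleak()\n")
        try:
            generate_seed(tool, audited)
            blocked = False
        except RuntimeError:
            blocked = True
        return {"seed_len": len(seed), "tamper_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Because the relative path of every file is part of the digest, a file that is added, renamed or removed changes the result just as a modified file does.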
Level 3 CCSS Compliance
Level 3 adds more detailed requirements to the applicable controls.
Building on the Key/Seed Generation example from Level 1 and Level 2, Level 3 adds specific standards as part of the control. For example, at Level 3, an organisation would be expected to generate keys according to NIST SP 800-90A (Recommendation for Random Number Generation Using Deterministic Random Bit Generators).
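To show what a deterministic random bit generator of the kind specified in NIST SP 800-90A does, here is an added sketch of the HMAC_DRBG construction with SHA-256. It is not code from the CCSS or from NIST, it has not been checked against the official test vectors, and the class name HmacDrbg and function new_wallet_seed are assumptions. It makes one point concrete: the output is fully determined by the seed material, so the Level 1 entropy requirement still carries the security.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Sketch of HMAC_DRBG (SHA-256) as constructed in NIST SP 800-90A."""

    RESEED_INTERVAL = 2**48   # generate calls allowed between reseeds
    MAX_REQUEST = 2**19 // 8  # bytes per generate call

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        if len(entropy) < 32 or len(nonce) < 16:
            raise ValueError("need >= 256 bits of entropy and a >= 128-bit nonce")
        self._k = b"\x00" * 32
        self._v = b"\x01" * 32
        self._update(entropy + nonce + personalization)
        self._counter = 1

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        self._k = self._mac(self._v + b"\x00" + provided)
        self._v = self._mac(self._v)
        if provided:  # second round only when there is input to mix in
            self._k = self._mac(self._v + b"\x01" + provided)
            self._v = self._mac(self._v)

    def reseed(self, entropy: bytes) -> None:
        if len(entropy) < 32:
            raise ValueError("entropy input too short")
        self._update(entropy)
        self._counter = 1

    def generate(self, nbytes: int) -> bytes:
        if nbytes > self.MAX_REQUEST or self._counter > self.RESEED_INTERVAL:
            raise RuntimeError("request too large or reseed required")
        out = b""
        while len(out) < nbytes:
            self._v = self._mac(self._v)
            out += self._v
        self._update(b"")
        self._counter += 1
        return out[:nbytes]


def new_wallet_seed() -> bytes:  # assumed usage: seed from the OS entropy source
    return HmacDrbg(os.urandom(32), os.urandom(16), b"example").generate(32)
```

Two instances given the same entropy input and nonce produce identical output, which is why a predictable seed yields predictable keys regardless of the generator used.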
How Do CCSS Audits Work?
An example of auditing for CCSS compliance is shown in the above diagram. When an assessed entity is audited for CCSS compliance, the auditor will review the entity’s compliance for each aspect. The diagram above contains checkmark icons in each of the aspects and within some or all levels depending on the aspect. The auditor in this example has deemed the security controls of the Wallet Creation, Keyholder Grant/Revoke Policies & Procedures and Data Sanitization Policy (DSP) aspects to meet Level 1, 2 and 3 requirements. The Wallet Creation, Key Usage, Key Compromise Policy, Keyholder Grant/Revoke Policies & Procedures, Data Sanitization Policy (DSP) and Audit Logs aspects have been deemed by the auditor to meet Level 1 and 2 compliance. Overall, the auditor has deemed the assessed entity to be compliant with Level 1 CCSS because all controls are in place for Level 1 whereas only some controls are in place at Levels 2 and 3.
Is Anyone CCSS Compliant?
At the time this post was initially published (April 2022) there was no official registry of CCSS compliant entities to review. This is not surprising as the world of crypto is still in the early adopter stage and unfortunately many start-ups consider security as something to consider after market dominance is reached.
One of the first entities to state they have reached CCSS compliance with Level 3 is Crypto.com.
Who Maintains the CCSS?
The CCSS is maintained by the CCSS Steering Committee, whose members are key subject matter experts in the field of cryptocurrency such as Dirk Anderson, Petri Basson, Mike Belshe, Stefan Beyer, Jameson Lopp, Joshua McDougall, Michael Perklin, Ron Stoner, and Joe Ventura.
How Does an Organisation Become CCSS Compliant?
Currently, an entity seeking to become CCSS compliant must engage an external CCSS certified auditor. The issue here is that the auditor’s certification program (CCSSA) has not been publicly released, so the author recommends contacting the CryptoCurrency Certification Consortium (C4) to see if there is an early adopters program for entities.
The crypto sector is very much in the early adopter stage, with many considering the sector to be a wild west of scams and shady start-up projects where the project members hide their true identities and communicate only through chat applications. Loss of investors’ funds is an almost daily occurrence, either via scams or breaches caused by poor or non-existent information security. Rekt tracks and records breaches within the crypto space. If you review a random sample of the breaches on the site, you can see a majority of them could have been averted by simply implementing Level 1 security controls from CCSS. Doing so means you’re not the subject of a story on Rekt, like the developers who left the private keys to a wallet with minting capability on GitHub.
As with any other financial service or product, investors seek assurance that those they are investing in consider security to be of fundamental importance. Right now, regulation is limited and of little value when the project members will not even provide their real identities. CCSS goes some way in providing assurance to investors that at least the basics of wallet security (wallets that will manage their investment funds) have been audited by an external qualified auditor and comply with an open security standard. When CCSS is combined with a baseline information security standard such as PCI DSS or ISO 27001, the risk of an information breach is greatly reduced.
In our next Crypto Corner post, we’ll explore how a baseline information security standard can be used with CCSS.