Trustworthy Wallets

Bitcoin is a subject that Cyber Matters first reported on two years ago, concluding it was premature to invest, unless you can afford to lose your stake. Since that time, the underlying Blockchain has been attracting increasing interest.

The UK Government has recently published “Distributed Ledger Technology: beyond block chain”, which looks closely at the potential applications in government and explores the challenges.

As the document notes, Bitcoin wallets are where the value is, and where there is value, there is motivation to break in:

In the case of Bitcoin, the ‘wallets’ that hold the currency have proved vulnerable to theft — but the ledger itself has remained resilient

This leads to the report’s recommendation 5:

Government needs to work with academia and industry to ensure that standards are set for the integrity, security and privacy of distributed ledgers and their contents. These standards need to be reflected in both regulatory and software code.

Such standards are emerging. We’ve been a keen supporter of the Trustworthy Software Initiative, which has developed PAS 754, a specification that defines overall principles for effective software trustworthiness.

In helping customers understand PAS 754, we are keen to point out that it is not simply about the development of the code, but about managing the code across its full lifecycle. This is also recognised in the government report:

It must not be overlooked that the software and hardware systems can become degraded over time, as better technology emerges and hostile agents learn ‘new tricks’.
So for systems intended to have a long lifetime, the initial design should make it straightforward to update hardware and software components during that lifetime.

As the report moves into the detail, it observes that to support an emerging Ecosystem, activities required “may include”:

Establish security standards for wallet providers

We believe “may include” is a weak statement, as a set of standards already exists that can be built on to develop the Ecosystem.

tScheme is a self-regulatory scheme set up to create strict assessment criteria, against which it will approve Trust Services. It already provides a profile for “Signing Key Pair Management”. While a wallet has many functions, a core function is to keep the signing key pair secure.

So in the absence of focused standards, we can draw guidance on what is important from tScheme and PAS 754 – something Qonex has recently been helping our customers with.