Web Authentication: A Counter to Supply Chain Attacks

How can you verify your hardware wallet isn’t a fake?

By Patrick Kim Supply chain attacks are one of the most serious security threats for hardware wallets because they target vulnerabilities in the logistics process and could happen without the owner knowing. This is why you should never purchase a hardware wallet from anywhere other than an official website or authorized reseller. The Keystone, like most hardware wallets, comes with tamper-evident packaging as a countermeasure. While tamper-evident packaging raises the cost of supply chain attacks, it’s not a foolproof measure to prevent them.

How Web Authentication Works Upon Initialization

The Keystone’s Web Authentication process gives you a much higher degree of assurance that your device has not fallen victim to a supply chain attack. When you initialize your Keystone, you will be prompted to visit https://keyst.one/authentication to confirm your device has not been tampered with or swapped out for a fake somewhere along the supply chain. Web Authentication works because of the same digital signature algorithm used in Bitcoin. In asymmetric encryption, only a private key can produce a digital signature that can be verified with its corresponding public key, and only a private key can decrypt information encrypted using its public key. This is one-way transfer of information powers verifiability in Bitcoin.

Each Keystone has a pair of public and private keys pre-installed in the Secure Element during manufacturing that is used solely for the purpose of Web Authentication. This pair of keys has nothing to do with the public and private master key pair generated from physical entropy by the Secure Element during initialization of the Keystone. We will call this pair of public and private keys Web Authentication keys.

The backend of the Web Authentication page is operated by a hardware security module (HSM) server, which is a highly secure crypto processing service offered by AWS. Like a Secure Element, it also has a pair of public and private keys. Each Keystone’s Secure Element knows the public key of the HSM server, while the HSM server knows that device’s Web Authentication public key.

On the Web Authentication page, you will be prompted to scan a QR code. This QR code is a random string of numbers generated by the HSM which has been encrypted with your Keystone’s Web Authentication public key and then signed by the HSM’s private key. When you scan this QR code, your Keystone will first use the HSM’s public key to verify the HSM server’s signature of the message. This is to ensure that the QR code you are looking at is from the official Web Authentication page, and not the victim of a phishing scam.

The Keystone will then use its Web Authentication private key to decrypt the message that was encrypted with its public key by the HSM server. This results in the 8 digits you are asked to enter into the Web Authentication page after scanning the QR code. The HSM system will then check to see whether the digits align with the original random string it generated. If Web Authentication fails, you will not want to use your device at all. A failure message indicates that either your Keystone is not operating the Secure Element it was manufactured with, or that your device was swapped out for a counterfeit entirely.

What Are the Potential Risks for it Being Compromised?

To spoof this process, attackers would need a considerable amount of resources. Not only would the HSM server have to be hacked, but the device’s Secure Element would also have to have been compromised. We are using AWS’s HSM server, which in our evaluation has the highest degree of security. With the Secure Element’s strong track record of being notoriously difficult to directly hack into, it is extremely improbable that both would be compromised at the same time.

The Keystone Pro also includes an anti-tamper self-destruct mechanism that would render the device useless in the event attackers seek to open it and tamper with the components inside.