On Friday, Star Xu, CEO of trading platform OKCoin, published his company’s security policy in a Reddit thread.
“OKCoin has decided to openly share [its] cold wallet security information. Through this transparency, OKCoin aims to assure users of the security of their funds,” the post stated.
Xu then encouraged members of the community to contribute feedback.
He began by outlining the company’s security design philosophy, focusing on key vulnerabilities inherent in Internet connections, USB drives and reliance on centralized management.
He went on to explain how the company’s security design protocol addressed concerns surrounding private key generation and backup, depositing bitcoin from an online hot wallet to an offline cold wallet, and retrieving bitcoin from an offline cold wallet.
The post listed key highlights of the OKCoin security protocol:
The cold wallet addresses can only hold a limited amount of bitcoin.
Private keys are stored on completely offline computers.
Certainty that the private key never had any contact with the Internet or USBs.
Encrypted private key paper document requires offsite backup, and is controlled by different people in different places.
AES private key password shall also be controlled by different people in different places, and shall not be the same person with the master of the private key.
Holders of the AES private key password and those with the ability to retrieve the encrypted private key are different people and in different places.
Once a private key has been used to transfer bitcoin out of the address, the address is no longer to be used again for deposits.
In an interview with Bitcoin Magazine, Michael Perklin, president of the CryptoCurrency Certification Consortium (C4) and president of Bitcoinsultants Inc., commended Xu.
“Having a strong security policy is one of five things that every cryptocurrency storage solution should have,” Perklin said, adding that the other four pillars include “procedures, trained personnel, secure hardware and secure software.”
According to C4’s Cryptocurrency Security Standard matrix, it appears that OKCoin’s manifesto covers many, though not all, of the points companies need to include in their security policies to earn Level II and Level III ratings.
Perklin added that by publishing its security policy, OKCoin doesn’t lose anything in terms of security. The move should, in fact, give their clients a degree of confidence.
“Kudos to OKCoin for doing this,” Perklin said.
March 13, 2015 at 08:14PM
