Bitcoin startup Gem announced Tuesday the deployment of custom Hardware Security Modules (HSMs) from payment security giant Thales e-Security, now offered as part of the Venice, California-based company’s standard multi-signature wallet offering.
According to a press release sent to CoinReport, these HSM devices, which are used to protect military encryption keys and other mission-critical secrets, secure more than 80 percent of international payment transactions. They include FIPS (Federal Information Processing Standards)-140-2 Level 3 hardware-certified security, which is a tamper-resistant physical security mechanism that prevents intruders from gaining access to, using, or modifying sensitive private keys within the cryptographic module, and are created to operate within high-volume enterprise deployments.
In an interview with CoinReport, Gem founder and CEO Micah Winkelspecht said that about seven or eight months ago, as his company was developing its multi-signature platform, his goal was to essentially store keys better than anyone else out there. In his search to find an HSM manufacturer, he quickly discovered that none could support Bitcoin wallets.
In addition, what is at least standard practice now in the Bitcoin industry is to use a hierarchical-deterministic wallet, Winkelspecht said.
“Part of deriving keys in the way that we do with a hierarchical-deterministic wallet requires you to have access to a private key and you have to use that private key to generate sub-keys. I didn’t actually want to have that available in software because that would essentially create a point-of-failure where if somebody was watching our server while we were generating those keys they could potentially steal the private keys, so I wanted to be able to perform all those operations inside of a hardware security module and that just wasn’t possible,” Winkelspecht said. “One of the unique features that Thales provided was the ability for us to be able to write a custom application that would actually execute and operate within the walls of the hardware security module and they had a unique capability that none of the other machines had.”
Over the course of several months, the Thales team “started to perk up” as Winkelspecht met with them to explain what Bitcoin was, why it’s important, and why it’s going to revolutionize industries. Having worked with the Gem’s team for several months, Thales is now “fully on board with Bitcoin and they see this as a huge opportunity for them to really own a brand new market,” Winkelspecht said.
A division of Thales Group, an $11-billion aerospace and defense giant, Thales e-Security protects data for 19 of the 20 largest banks in the world and more than 3,000 financial institutions worldwide, making it the largest provider of key security to the payments industry.
“Bitcoin represents a compelling opportunity for both new entrants and traditional members of the payments ecosystem. As providers of the most trusted and widely deployed HSMs in the world, we are excited to work closely with Gem in this rapidly evolving market,” said Richard Moulds, Thales e-Security’s VP of Product Strategy, in the press release. “Gem’s focus on comprehensive Bitcoin security, deep technical expertise, and collaborative attitude has enabled them to rapidly incorporate the use of our HSMs at the core of their solution. By taking advantage of unique capabilities of these machines, Gem is securing Bitcoin transactions in a way that matches and exceeds security best practices that are a pre-requisite in the payments industry.”
Gem values Thales’ 20-plus years of experience and sole focus on developing dedicated hardware and secure private keys.
“If you’re going to store private keys, there’s really no better way to do it,” said Winkelspecht. “And we’ve seen what happens, time and time again, when companies are using less mature technology to try to secure keys.”
He explained that virtually all the solutions out there are using a software-based solution, which creates a single point-of-failure in the system. When that system is attacked, hackers can steal its private keys. With an HSM, the keys are stored within the walls of a protective barrier. Should an attacker gain physical access to a Level 3-certified machine and tried to steal the private keys out of that machine, the device would self-destruct and zero-out its memory, leaving the keys inaccessible by the attacker.
This kind of hardware is a first for the Bitcoin industry, and represents a maturing of the industry, said Winkelspecht, who acknowledged that this sector is a little bit behind, as the payments industry adopted this level of security many years ago.
Winkelspecht discussed with CoinReport standards with respect to products in the Bitcoin industry. He said the industry has known for long time it needs to switch to multi-signature.
With its multi-signature API wallet, Gem is never in possession with enough keys to move users’ funds without their permission, ensuring the consumer always has control over their funds.
With its wallet, Gem issues three keys: two in the consumer’s possession (in online and offline storage) and one held by the company as a co-signer. Should a consumer’s online key be compromised in an attack, the attacker would not be able to move funds from the affected account without Gem’s co-signing key or the consumer’s offline key.
As developers fight to get their product to market, what happens a lot of the time is that security is not at the top of the list in terms of priorities, and left to be dealt with eventually.
“When one of the more respected exchanges in the space, Bitstamp, got hacked, it sent a chilling message to everybody in the industry that it’s no longer prudent to wait. If you don’t implement multi-sig now, your product is not going to be a premier product,” Winkelspecht said. “The customer perception is changing, too. So now, multi-sig is becoming a default standard and if you don’t follow it, then you’re behind.”
In addition to announcing the HSM integration, Gem announced new partnerships with two Bitcoin-oriented companies. Bitmo, an American mobile payments company focused on incentivizing consumers and merchants through a seamless Bitcoin payment experience, will integrate Gem wallets into their platform. CryptoSigma, Southeast Asia’s first multi-currency Bitcoin wallet provider, will use the Gem development platform to secure their wallets.
“The decision to use Gem’s multi-sig solution was a no-brainer for us,” said Bitmo founder Michael Smallwood in the press release. “Not only was their API easy to integrate, but we felt great knowing that our funds would be secured by the strongest solution on the market. The news that Gem will now be securing keys inside of HSMs custom built for our industry is yet another reminder why we made the right decision partnering with Gem.”
CryptoSigma CEO Aaron Siwoku said in the press release, “Addressing our customers’ need for security and giving them full control and manageability of their coins is our number one priority. Gem’s platform offers our customers the security and flexibility they desire and allows us to focus on providing a superior product and user experience. Their addition of HSMs to store and protect all Gem keys just further reinforced to us how seriously they take protecting cryptocurrency.”
Gem COO Ken Miller told CoinReport that his company met with both Bitmo and CryptoSigma right before the holidays.
“(Bitmo) had invested a fair amount of time and money up to that point building infrastructure to manage bitcoin payments and storage, and found it was taking them away from their core vision and product,” Miller said. “They looked at our wallet API and decided to use our platform instead to handle all underlying bitcoin infrastructure and security. It’s really changed their business and made their resources way more efficient.”
Miller said as the CryptoSigma team was building out their wallet, they wanted to launch with a multi-sig wallet already in place from day one. CryptoSigma checked out a couple of different options and decided to select Gem for its launch, determining that Gem’s API was the easiest and most secure to work with.
In addition to multi-signature and hardware security, Winkelspecht said Gem is developing a rules engine, which would allow people to customize rules meant to prevent the signing of a transaction, such as spending limits, velocity controls, and multi-track authorization.
“Our real focus here is not necessarily just security but also it’s to make the security extremely accessible to developers, and to make it really easy,” Winkelspecht said. “Our belief is that, for technology to really take off at the mainstream level, we have to package this thing up and make it really dead simple for developers who are not in our space to be able implement.” (Gem’s API can be integrated into numerous applications and services with fewer than 10 lines of code.)
“There’s such a huge learning curve right now to build anything in Bitcoin; you have to be expert in cryptography, security, network security, and all the underlying protocols of Bitcoin, which change all the time,” said Winkelspecht. “And so what we’re doing is abstracting that out, giving developers tools to be able to build in a matter of minutes what would have taken them six months to learn.”
In the press release, Winkelspecht said, “The year 2014 was all about multi-sig; now we’re finally starting to see major adoption of that security standard by Bitcoin companies, and it’s growing at an exponential pace. 2015 is the year of hardware security. The great news is they work perfectly together…like peanut butter and jelly.”
Asked what other trends or developments he sees on the horizon for 2015, Winkelspecht told CoinReport that the cryptocurrency industry is starting to see more specialization.
“What you’re starting to see is a lot more companies that are focusing on one particular issue and doing it better than anyone else. And I think that’s very good for the ecosystem. Our focus is really on building developer tools and solving the security problem,” said Winkelspecht.
Images courtesy of Gem