Enterprise

From Trezor Wiki
Jump to: navigation, search
Trezor Wiki/ Enterprise


NoteWork in progress. This article is a draft.

The Trezor device was created by SatoshiLabs to safely store keys and credentials to cryptocurrencies. As the development of the device firmware progressed, new and interesting functionalities were implemented which were not meant only for cryptocurrency enthusiasts. After all, the applicability of asymmetric keys goes beyond Bitcoin and cryptocurrencies.

For instance, Trezors could be used to sign and verify arbitrary data, as an encrypted password manager thanks to Trezor Password Manager, or use current standards for GPG signing and encryption, to remote login via SSH. Moreover, we expanded the capability of third-party integrations thanks to a comprehensive Trezor Connect API. The device itself can also be used as a second factor authenticator, using the well-known FIDO standard U2F. Coming back to cryptocurrencies, the Trezors also understand multiple signatures schemes, which can be leveraged by individuals as well as by businesses to improve IT security processes and to mitigate security risks. With that in mind, Trezors can now be set up without a backup, to the benefit of various enterprise-level use-cases.

Let's have a closer look at what the devices and we can offer.

Device setup methods[edit]

For individual, end-user purposes, it is logical that we offer a backup method of their master recovery seed (from which all child private/public key-pairs are generated). However, we do realize that for business purposes, key backup may be undesirable. Therefore, we have implemented a second way to initialize and setup a Trezor device.

Seedless setup[edit]

If a Trezor is initialized in the so-called "seedless" mode, the device will generate the master seed as expected, using entropy from internal RNG, XOR-ed with entropy from the host device. However, instead of offering to create a backup in form of a recovery seed, the device will permanently show a label "SEEDLESS" on the device. This is to make sure that the user will know for certain which device is backed up and which not.

The purpose of seedless devices focuses on business use-cases, where either multisig is employed, allowing for safe extraction of the funds in case one device is lost or damaged. Alternatively, it is intended for enterprise-level development, where key management is done by other software in the company's infrastructure, allowing for key rotation upon device loss. These enterprise-level applications do not necessarily need to be related to cryptocurrencies, as they can be developed for custom use of the company, with Trezor being the authenticator or authorizator. As there is a central authority (the company), key rotation is possible.

Devices which are set up in the seedless mode cannot access the Trezor Wallet interface. This is to avoid catastrophic coin loss, in case an inappropriately setup device is used for a wrong purpose.

Normal setup[edit]

Of course, SatoshiLabs also enables businesses to use the standard and backuped initialization method. (In this case, the seed is also generated from two sources of entropy, as in the seedless mode.) If the normal initialization method is chosen, it is highly advised to educate the employees and administrators well beforehand about the most important security precautions when handling a recovery seed. The recovery seed is ultimately a master key and therefore if compromised, the attacker can bypass the hardware device.

On the other hand, with the advent of SatoshiLabs' new seed-splitting mechanism, thanks to Shamir's algorithm, this normal setup procedure should become attractive for enterprise use as well, as it will be possible to cryptographically divide a master key into more pieces.

Third-party firmware[edit]

As Trezor and the firmware running on the device are completely open-source, it is possible for you to develop your version of the firmware running on the device. You can do this for various reasons: branding, feature-limiting, custom development, or control over the devices.

For a seamless support of third-party firmware, we utilize the so-called vendor headers. Each approved developer will receive their unique signing keys, issued by SatoshiLabs, to sign and certify their version of the firmware released to Trezor devices.

Firmware versions with the same vendor headers will be updatable without memory wipes. On the other hand, devices updated to a firmware version with a different vendor header will be wiped, for security reasons. This ensures that data meant for one purpose will not be reusable on a different firmware, unless the user wants to explicitly recover their seed. For seedless devices, this ensures that the seed will never leave the device.

Enterprise-level use-cases[edit]

Arbitrary message signing[edit]

The Trezor device is essentially a small computer. As such, it is capable of signing any message you send to the device, of course, after confirming the action on the device.

This can be useful for your custom use-cases, as signing and verifying messages can fit into your approval, confirmation, or verification system. Message or data signing can of course use single or multiple signature schemes. The latter is described below.

Multi-signature[edit]

This feature, with or without the seedless setup, can be used in various cases, such as custodial services (eg.,Casa) when a transaction or any arbitrary user request has to be confirmed by two or more subjects (eg., individuals or executive board members), or several times by a single person from different locations. It can be used in personal finances, eg., when Alice and Bob both have to confirm spending their money on buying a new car, or in custodial services, eg., to add security to a single person’s cryptocurrency wallet.

Casa setup is a 3-of-5 multi-sig wallet, which means at least three signatures are required to spend any cryptocurrency. The signatures come from different devices (hardware wallets such as Trezor), which are all in different locations but owned by one person. This provides significant security against hackers and in-person attackers because every transaction must be physically approved from three different locations. Read more in their blog.

GPG signing and encrypting[edit]

The Trezor device can be used to operate GPG (GNU Privacy Guard) software that is compliant with the OpenPGP (RFC4880) standard. Using GPG, your company can encrypt (and decrypt) files that contain sensitive data or digitally sign and verify your emails and documents.

SSH login to servers[edit]

Thanks to Trezor SSH Agent, administrators and developers can now use Trezor device to enjoy passwordless and secure authentication to their servers.

The process is a common challenge-response mechanism, known to you if you already use key-based authentication (which is more secure than password-based authentication). The only difference is that the key is in the Trezor device, significantly decreasing the attack vector to steal your authentication keys, and therefore increasing the security of your data and servers.

U2F - second-factor authentication made better[edit]

To boost your online security, you can implement U2F with Trezor device to log into your web applications. It is already possible to use Trezor as your second-factor authentication token with services such as Google, GitHub or Dropbox. A further advantage of Trezor is that its users can truly verify what they are about to authorize on the device display.

U2F authentication is in many ways better than other available two-factor authentication systems:

  • No shared secret (private key) is sent over the internet at any time. No confidential information will ever be shared, thanks to public key cryptography.
  • It is easier to use. No retyping of one-time codes involved.
  • Privacy - no personal information is associated with the secret.
  • Backup with Trezor device is easier.
  • As there is no secret shared with U2F and no confidential databases stored by the provider, a hacker cannot simply steal the entire database to get access. Instead, he or she has to target individual users and that is much more costly and time-consuming.

Considering that all larger technological companies are enforcing two factor authentication, the Trezors features can kill many birds with one stone.

Password manager[edit]

A password manager helps users to generate and store complex and secure passwords. Password managers are a convenient way of storing a large amount of difficult-to-remember passwords under one master password. However, a master password is a single point of failure.

To solve this problem, Trezor Password Manager brings a safer way to unlock your passwords with a simple click on your Trezor device. This is a much more secure way to unlock your password manager, without using one master password.

Trezor Connect API[edit]

Using Trezor Connect API - written in JavaScript - makes it possible to implement various Trezor device functionalities such as "Sign in with Trezor" to your web application.

Moreover, Trezor Connect allows for deeper and seamless integration, thanks to the common UI that the user will interact with.

The abilities of Trezor Connect are ever expanding. For a complete set of features, please see our documentation available here.

Cryptocurrency-service use-cases[edit]

The section above relates to all businesses, independently of their primary focus. As Trezor is still primarily a cryptocurrency hardware wallet, in charge of keeping your keys safe, there are more use-cases that are tailored to cryptocurrency businesses.

Multi-signature[edit]

As mentioned above, multisig can be used by a custodial service to divest their risk. By using multiple keys and multiple devices, a company can make it significantly more difficult for a hacker or thief to access the company funds (which in many cases are funds held on behalf of the customers). By implementing multisig schemes with hardware wallets, a company can also protect itself from attackers from within the company.

Custom applications can be developed, using the access API of Trezor Connect. Alternatively, SatoshiLabs is working on its own multisig interface, both for individual and business usage. We estimate the new platform to be ready by the end of Q3/2019.

Trezor Connect API -- Direct deposit and withdrawal from your interface[edit]

Using the Trezor Connect API, you can implement an easy and straightforward method for your user to deposit and withdraw funds from their Trezor device to your service. By implementing Trezor Connect API, the user will not need to leave your interface to make the transfer. Instead, they can do it seamlessly from one, in this case your, UI. This will increase the probability that a user will transmit money between your service and the Trezor. A Trezor user would thus be more likely to use your services.

Trezor Connect API -- Login with Trezor[edit]

As cryptocurrency users are likely to own hardware wallets, a service can also implement Trezor Connect to allow the users to log in with them, thus limiting the attack vector against their accounts.

Firstly, there will be no password, meaning keylogger malwares and phishing sites will not be able to steal the user's credentials. Secondly, Login with Trezor works on a challenge-response mechanism, and the key for generating the response never leaves the device, akin to the keys for cryptocurrencies. Thirdly, if the service also implements direct deposits and withdrawals, a Trezor user will be more likely to use a service that caters directly to them, by implementing convenient features.

Like Trezor? Get one here!