Taking Exchange API Security to the Next Level with HMAC-MPC

Posted by Idan Ofrat on Jan 29, 2020 2:24:18 PM

At Fireblocks, we’ve developed a Secure Transfer Environment that protects our users’ private keys, deposit addresses, and API keys. We’ve achieved this through a combination of MPC (multi-party computation) and Intel SGX (chip-level hardware isolation).

Currently, our solution is primed for organizations employing cloud-based setups. However, as we begin to serve traditional financial institutions, the need for on-prem configurations has increased.

That’s why over the last year, our cryptography and engineering team has been developing a new layer of security for API keys—applying MPC to API secret credentials. This patent-pending technology provides security teams with an alternative solution for distributing API keys without using the cloud.

Though combining HMAC and MPC is not a breakthrough in and of itself, the Fireblocks team is the first to successfully combine them in memory-constrained Intel SGX enclaves, achieving:

  1. Storage of API shares in an HSM-like environment, sealed using a hardware key
  2. Execution of sensitive business logic inside an isolated secure enclave

Combining MPC with HMAC—and running it within an Intel SGX environment—is the safest way to store and authenticate exchange API keys and credentials on-prem. It allows two parties to perform an HMAC computation without either of them needing to hold the entire API secret, while protecting each party from cyberattacks and insider threats.

 

A Breakthrough in On-Prem API Key Distribution

The Role of Exchange APIs & HMAC

Most exchanges provide a pair of credentials—an API key and an API secret—to work with and authenticate their API. The API key is considered public, whereas the API secret should be stored safely as it is used for signing requests and authenticating the user.

API services commonly use HMAC as the signing method for the API requests, and specifically HMAC over SHA256 or SHA512 (with the API secret as the cryptographic key). The HMAC algorithm, co-developed by Prof. Ran Canetti (our Cryptography Advisor at Fireblocks and Professor of Computer Science at Boston University & Tel Aviv University), is currently being used to sign the majority of API calls over the internet.

 

Hardware Isolation with Intel SGX Enclaves

Currently, to connect to any of Fireblocks’ 20+ supported exchanges, users encrypt and load their API secret into hardened Intel SGX enclaves. The SGX enclaves then encapsulate and make API calls to these exchanges.

The unique security properties of SGX enclaves guarantee confidentiality and execution integrity on the hardware level. This prevents hackers, Fireblocks, and our cloud providers from accessing keys or spoofing the authenticity of the deposit addresses to which funds are transferred.

Our usage of Intel SGX hardware isolation is, in and of itself, more powerful than any other service currently available.

 

Bringing HMAC-MPC into an SGX Environment

However, some institutions have policy constraints around adopting cloud services, but simultaneously need to distribute trust between multiple entities and endpoints. Combining our new HMAC-MPC method with Intel SGX allows these organizations to:

  1. Create API credentials on an exchange
  2. Copy-paste API credentials into the Fireblocks exchange setup interface on the user’s side
  3. Break API credentials in two—splitting shares between two components, one on-prem SGX server on the user’s side and one SGX server with Fireblocks

This enables institutions to keep one of the two shares, while Fireblocks securely stores the other share. With this configuration, the key material, policy, and approval logic can be distributed between the customer’s on-prem environment and Fireblocks. This effectively increases the number of lines of defense while using on-prem data centers.
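The following Python example is added here for illustration and is not Fireblocks' code or protocol. It covers both the HMAC request signing described earlier and the share split above, and shows where the two-party boundary falls: key padding is linear and done locally on each share, while the two SHA-256 passes need a joint secure computation. XOR sharing, the function names and the sample values are assumptions; the post does not specify the sharing scheme.

```python
import hashlib
import hmac
import secrets

BLOCK = 64  # SHA-256 block size in bytes
IPAD, OPAD = b"\x36" * BLOCK, b"\x5c" * BLOCK  # public HMAC constants

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_secret(api_secret: bytes):
    """XOR-split the block-padded HMAC key into two shares (assumed scheme)."""
    if len(api_secret) > BLOCK:  # HMAC hashes over-long keys before padding
        api_secret = hashlib.sha256(api_secret).digest()
    key_block = api_secret.ljust(BLOCK, b"\x00")
    share_a = secrets.token_bytes(BLOCK)  # uniformly random on its own
    return share_a, xor(key_block, share_a)

def pad_shares(share: bytes, fold_pads: bool):
    """Local step: shares of K^ipad and K^opad. XOR is linear, so exactly
    one party folds in the public constants and no interaction is needed."""
    if fold_pads:
        return xor(share, IPAD), xor(share, OPAD)
    return share, share

def joint_hmac(pads_a, pads_b, message: bytes) -> bytes:
    """Stand-in for the secure two-party step. In a real deployment this body
    runs inside the MPC protocol so neither side sees the recombined keys;
    here it runs in the clear only to show what that protocol must output."""
    inner_key = xor(pads_a[0], pads_b[0])
    outer_key = xor(pads_a[1], pads_b[1])
    inner = hashlib.sha256(inner_key + message).digest()
    return hashlib.sha256(outer_key + inner).digest()

def sign_request(share_a: bytes, share_b: bytes, message: bytes) -> str:
    tag = joint_hmac(pad_shares(share_a, False), pad_shares(share_b, True), message)
    return tag.hex()

if __name__ == "__main__":
    secret = b"constructed-demo-api-secret"            # constructed sample value
    msg = b"POST/api/v1/order{\"qty\":1}1580307858"    # constructed request string
    a, b = split_secret(secret)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    print(sign_request(a, b, msg) == expected)          # both shares: matches HMAC
    print(sign_request(a, a, msg) == expected)          # one share alone: no match
```

Because `joint_hmac` recombines the key blocks in the clear, it models only the output of the protocol, not its secrecy.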

 

The Case for Combining HMAC-MPC and SGX

In order to mitigate external and internal threats while enabling trust distribution on-prem, we believe it is necessary to layer HMAC-MPC with SGX.

These are the core elements of a strong on-prem API storage solution:

 

[Table: HMAC defense-in-depth matrix (image not reproduced)]

 

 

Solving for Memory Constraints and Malicious Security

The standard protocols for technology like HMAC-MPC require substantial memory consumption. Deploying our HMAC-MPC technology alongside Intel SGX was a unique challenge that required optimizations in a variety of areas.

We adjusted the HMAC-MPC protocol using our proprietary method, slicing, to allow execution in a memory-constrained environment—specifically on SGX enclaves, and potentially also on low-resource devices (like other HSMs or security dongles).

Another main requirement we had while developing this technology was assuring that the setup was secure even in a situation where one of the acting parties (either the user or Fireblocks) has been compromised. Our cryptographers developed a set of methods to protect against the submission of a maliciously garbled circuit and prevent various types of attacks such as denial-of-service or leakage of secret information.

 

Conclusion

As we serve larger and more traditional institutions, they require new protocols for accessing the Fireblocks infrastructure—because not all security policies and workflows are created equal. Our new API key security layer is one of the many innovations we’re working on to help these organizations operate securely and efficiently.

Interested in piloting this technology or learning more about our roadmap? Reach out to our team at sales@fireblocks.com.

 
