
UTRECHT UNIVERSITY
MASTER THESIS

A Security Assessment Model for Crypto Asset Safekeeping

Author: Tim Braam
First Supervisor: Dr. R.L. (Slinger) Jansen
Second Supervisor: Dr. F. (Fabiano) Dalpiaz
External Supervisor: Henk Brink

A thesis submitted in fulfillment of the requirements for the degree of Master of Science in the Graduate School in Natural Sciences, Business Informatics

November 7, 2019

Abstract

UTRECHT UNIVERSITY, Graduate School in Natural Sciences, Business Informatics
Master of Science
A security assessment model for crypto asset safekeeping
by Tim Braam

In this study we research crypto asset security by dissecting existing security systems, reviewing academic and grey literature and interviewing experts. We then propose a model of crypto asset security and apply it to well-known crypto asset safekeeping solutions. We validate the results with experts and elicit mass evaluation through our demonstrations and the public release of the model.

Keywords: Cryptocurrency, Cryptocurrency security, Cryptocurrency exchange, Cryptocurrency custodian, Cryptocurrency wallet, Blockchain

Acknowledgements

A year ago I started this project, which at that time had a different subject that is, however, closely related to the current one. It is the second time I am writing a thesis, the first being for my bachelor, but the first time I enjoyed doing so. I would like to thank Dr. Slinger Jansen for letting and helping me write about a relatively uncharted subject I was passionate about. I would also like to thank my external supervisor, Henk Brink, for believing in the project and supporting me every step of the way. Another huge pillar of support has been my girlfriend and her family, my family-in-law and especially my father-in-law helping me with whatever they could think of. And finally, my own family and friends, thank you all for listening to my blockchain rambling that may have taken up one too many an hour.
Contents

1 Introduction (p. 1)
2 Context (p. 3)
  2.1 Different wallet providers (p. 3)
  2.2 Different cryptocurrencies (p. 4)
  2.3 Cryptocurrency governance (p. 5)
3 Research Method (p. 6)
  3.1 Problem identification and motivation (p. 6)
  3.2 Define the objectives for a solution (p. 7)
  3.3 Design and development (p. 8)
    3.3.1 Design (p. 8)
    3.3.2 Development (p. 8)
  3.4 Demonstration (p. 15)
  3.5 Evaluation (p. 15)
  3.6 Communication (p. 15)
4 Model Development (p. 16)
  4.1 Feature Modeling (p. 16)
    4.1.1 Escrow two out of three feature model (p. 16)
  4.2 Literature Review (p. 19)
    4.2.1 General perspective (p. 19)
  4.3 Technical perspective (p. 24)
    4.3.1 Authentication protocol (p. 24)
    4.3.2 Encryption (p. 27)
    4.3.3 Digital Signature (p. 28)
    4.3.4 Hashing function (p. 29)
    4.3.5 Social hacking or social engineering (p. 30)
  4.4 Attacker perspective (p. 32)
  4.5 Governance perspective (p. 36)
  4.6 Candidate key process area shortlist (p. 40)
5 Expert Evaluation (p. 41)
6 The crypto-asset safekeeping security maturity assessment model (CSSMAM) (p. 43)
  6.1 Level one: Unsafe (p. 43)
  6.2 Level two: Unsafe (p. 43)
  6.3 Level three: Lacking (p. 44)
  6.4 Level four: Lacking (p. 44)
  6.5 Level five: Relatively safe (p. 46)
  6.6 Level six: Relatively safe (p. 47)
  6.7 Level seven: Safe (p. 48)
  6.8 Level eight: Safe (p. 49)
  6.9 Level nine: Optimal (p. 49)
  6.10 Level ten: Optimal (p. 50)
  6.11 Mass evaluation of the crypto asset safekeeping security maturity assessment model (p. 50)
7 Demonstration (p. 52)
  7.1 Largest VCEPs by volume (p. 52)
  7.2 Top Custodian Wallet Providers (CWPs) (p. 55)
  7.3 Top wallet providers (p. 57)
8 Discussion (p. 62)
  8.1 Major Findings (p. 62)
  8.2 Model Validity (p. 62)
    8.2.1 Validity of literature review (p. 62)
    8.2.2 Validity of model creation (p. 63)
    8.2.3 Validity of model evaluation and adaption (p. 63)
  8.3 Model Accuracy (p. 64)
  8.4 Practicality (p. 65)
  8.5 Accumulation of information (p. 68)
  8.6 Suggestions for future research (p. 68)
9 Conclusion (p. 70)
Bibliography (p. 70)
A (p. 79)
B (p. 80)
C (p. 84)

List of Figures

1.1 A private key (p. 1)
3.1 The DSRM process model (p. 6)
3.2 A maturity model with 10 maturity levels and example capabilities (p. 8)
3.3 The Information Systems Research Framework (p. 9)
3.4 Example of a feature model concerning an e-shop (p. 10)
4.1 A complex crypto asset security setup using the escrow 2 out of 3 feature model (p. 18)
4.2 The value of Bitcoin (BTC) over its entire lifespan (p. 20)
4.3 The largest drop in BTC history, December 2017 to February 2018 (p. 21)
4.4 A soft fork (p. 22)
4.5 A hard fork (p. 23)
4.6 AML legislation rollout 2018-2020 (p. 36)
4.7 Coverage of major financial task forces worldwide (p. 37)
4.8 Countries on the FATF blacklist (p. 37)
6.1 The crypto asset safekeeping security maturity assessment model (p. 51)
8.1 Percentage of users per wallet type (exceeds 100% because of multiple answering options) (p. 66)
8.2 Number of cryptocurrency wallets (p. 67)
B.1 2-FA authentication using SMS feature model (p. 80)
B.2 2-factor authentication feature model (p. 81)
B.3 Identification method fingerprint or PIN code (p. 82)
B.4 PIN code verification feature model (p. 83)
C.1 Binance Model (p. 84)
C.2 Okex Model (p. 85)
C.3 Digifinex Model (p. 86)
C.4 Dobi exchange Model (p. 87)
C.5 Bitmax Model (p. 88)
C.6 BitGo Model (p. 89)
C.7 Xapo Model (p. 90)
C.8 Trezor Model (p. 91)
C.9 Ledger Model (p. 92)
C.10 Exodus Model (p. 93)
C.11 Electrum Model (p. 94)
C.12 Bitcoin core Model (p. 95)
C.13 Armory Model (p. 96)
C.14 Edge Model (p. 97)
C.15 Coinomi Model (p. 98)
C.16 Greenadress Model (p. 99)

List of Tables

3.1 General perspective queries (p. 12)
3.2 Technical perspective queries (p. 12)
3.3 Attacker perspective queries (p. 13)
3.4 Governance perspective queries (p. 13)
3.5 Example KPA candidacy (p. 14)
4.1 Discovered features (p. 19)
4.2 CKPA distribution of power (p. 23)
4.3 Literature list of the technical perspective: authentication (p. 24)
4.4 CKPA authentication protocol (p. 26)
4.5 Literature list of the technical perspective: encryption (p. 27)
4.6 CKPA encryption (p. 27)
4.7 Literature list of the technical perspective: digital signature (p. 28)
4.8 CKPA digital signature (p. 28)
4.9 Literature list of the technical perspective: hashing (p. 29)
4.10 CKPA hashing function (p. 30)
4.11 Literature list of the technical perspective: instruction (p. 30)
4.12 CKPA instruction (p. 32)
4.13 CKPA webhost (p. 32)
4.14 CKPA active development & CKPA open source (p. 33)
4.15 CKPA JavaScript cryptography (p. 33)
4.16 CKPA secure database management (p. 35)
4.17 Collection of user data (p. 35)
4.18 CKPA monitoring of supported cryptocurrencies (p. 35)
4.19 FATF blacklist 2019 (p. 37)
4.20 CKPA governance & CKPA legislation (p. 39)
4.21 Collected CKPAs (p. 40)
5.1 Collected CKPAs (p. 42)
7.1 Top VCEPs (p. 52)
7.2 Top CWPs (p. 55)
7.3 Top wallet providers (p. 57)
8.1 Providers, maturity levels and wallet type (p. 66)
8.2 KPAs and how to accumulate the necessary information to correctly assess them (p. 68)
A.1 Maturity model question list (p. 79)
C.1 Binance review (p. 84)
C.2 Okex.com review (p. 85)
C.3 DigiFinex.com review (p. 86)
C.4 DOBI exchange.com review (p. 87)
C.5 Bitmax review (p. 88)
C.6 BitGo review (p. 89)
C.7 Xapo review (p. 90)
C.8 Trezor review (p. 91)
C.9 Ledger review (p. 92)
C.10 Exodus review (p. 93)
C.11 Electrum review (p. 94)
C.12 Bitcoin Core review (p. 95)
C.13 Armory review (p. 96)
C.14 Edge review (p. 97)
C.15 Coinomi review (p. 98)
C.16 Greenadress review (p. 99)

Chapter 1
Introduction

On 9 January 2009 Satoshi Nakamoto implemented and released the first Bitcoin code. The code was released as open source. It would be the first “cryptocurrency”, a form of electronic cash. Fast forward to the present and the first cryptocurrency has become popular and valuable. With it, thousands of new cryptocurrencies have sprouted, with varying degrees of popularity and success. Bitcoin, and other cryptocurrencies, rely on