Cypherock
  • Introduction
  • Design Decisions
    • The balance between security and convenience
    • Cypherock X1 Hardware architecture
      • Using ultrasonic welding for the X1 Vault enclosure
      • Encrypted NFC communication for X1 cards
      • Using Javacards instead of MicroSD
      • Choosing USB vs QR Code
      • Why the X1 cards are not upgradeable
    • Cypherock is BIP39 compliant
    • Private keys should be near to impossible to extract
    • Conflict between trusted parties should not result in unauthorized access
    • Using Shamir Secret Sharing vs. Multi-sig
      • How is Shamir Secret Sharing implemented within Cypherock X1
      • Why Cypherock has a default 2/5 threshold scheme
      • Rejected Key Schemes
    • PIN Protection on Cypherock X1
      • Difference between backing up your PIN vs. Seed Phrase
  • Security Overview
    • Introduction
    • Keylabs - Third Party Security Audit
    • Remote Attacks
    • Physical Attacks
      • $5 Wrench Attack
      • PIN Brute Force Attack
      • Evil Maid Attack
      • Flashing Malicious Firmware
      • Side Channel Attack
      • Supply Chain Attack
  • Cypherock X1 Features
    • Eliminate messy paper backups
    • Open source with secure elements
    • Use Cypherock as a seed phrase vault
    • All-in-one Portfolio Manager
  • Getting Started
    • Download cySync
    • Import Seed Phrase from existing BIP39 compatible wallet
    • Generate a new wallet with Cypherock X1
    • How Cypherock generates your 24-word seed phrase
    • Best practices in keeping your X1 cards secure
      • Use the protective card sleeves
      • Geographical Seperation
      • Choosing your guardians
    • How do I know I am not locked-in to using only Cypherock X1
    • How do I know my Cypherock X1 is genuine?
      • Email 2FA for Product Authentication
    • How to recover your Crypto assets in the case of loss or theft
    • What happens to my Cypherock X1 if Cypherock goes out of business?
Powered by GitBook
On this page

Was this helpful?

  1. Getting Started

How do I know my Cypherock X1 is genuine?

PreviousHow do I know I am not locked-in to using only Cypherock X1NextEmail 2FA for Product Authentication

Last updated 1 year ago

Was this helpful?

Before shipping each device is provisioned with a unique set of private-public keys for both device and card authentication as well as for end-to-end encrypted NFC communication between the device and the card. Authentication is performed by verification of signatures generated by the private key in the hardware. Signature verification is performed by the server using the corresponding public key.

Secure device authentication is carried out in the following steps -

  • Unique key pairs are generated via a common seed (see key derivation paths )

  • The device includes a secure chip ATECC608A for storing private keys and sensitive data. ATECC608A and the MCU share an IO_PROTECTION key which is used to read/write data in encrypted form.

  • After provisioning is complete, the sensitive data in ATECC is locked and prohibited for read.

  • During the provisioning process, the private keys and NFC pairing keys are stored in the device, and its public key along with the device serial number is stored on the server for authentication at a later stage.

  • During the authentication process, the private key is used to generate signatures on serial numbers and random data, which is then verified at the server using the corresponding public key

  • Change in hardware i.e. the MCU or ATECC during transport to the user can be detected as the shared key won't match.

  • On both MCU and ATECC, the IO_PROTECTION key is read disabled so cannot be used to create clones.

To read more about the authentication process, refer to the device provision documentation on the .

Secure card authentication is carried out in the following steps -

  1. Each set of Cypherock X1 is provisioned with a unique set of public and private keys for device authentication and card authentication. These unique pairs are generated from a common seed via different derivation paths.

  2. Therefore before shipping, each set of X1 cards is provisioned with a unique set of private keys for NFC card authentication, along with its derivation path. Correspondingly, the device is provisioned with the xpubs for verification of X1 cards.

  3. During the card authentication, the X1 card signs a random message using its private key, and shares the signature along with the derivation path to the device. Since the device is provisioned with xpubs, it is able to generate the public key corresponding to the private key provisioned on the X1 card and verifies the signature of the random message.

  4. Only if the message was signed correctly, the card is understood to be authenticated by the X1 Vault.

here
Cypherock Github