Harmonizing Private Key Security and Ethereum Account System Flexibility: A FIDO2 and AA-Based Cryptocurrency Wallet

  • Dawoon Jung (Korea University)
  • Beomjoong Kim (Korea University)
  • Junghee Lee (Korea University)
  • Received : 2024.08.16
  • Accepted : 2024.09.03
  • Published : 2024.10.31

Abstract

This study proposes a novel model to address the security, usability, and scalability challenges of cryptocurrency wallets. The model is implemented as a web application that combines FIDO2 (Fast Identity Online v2) with Account Abstraction (AA), offering enhanced security by storing private keys within the Trusted Execution Environment (TEE) of users' mobile devices. By utilizing two types of private keys, the model supports three account types, allowing users to flexibly select security levels and functionalities according to their needs. The research findings show that the proposed model provides strong security against various attack scenarios while also improving usability and scalability. By integrating hardware wallet-level security with the convenience of software wallets, this new paradigm for cryptocurrency wallets is expected to contribute to the widespread adoption of blockchain technology.

