How COTI is Securing Our Blockchain and Non-Blockchain InfrastructureWritten by COTI CTO, Dr. Nir Haloani
Dr. Nir Haloani
In today’s world, security is imperative for maintaining control of your belongings, be they physical or virtual. Cyber security is vital to keeping you protected, safeguarding your integrity, and avoiding unwanted data disclosure.
COTI’s ecosystem and technical solutions provide robust cyber security measures around data integrity and confidentiality, and are future proof against blockchain cyber attacks.
Wallet SecurityThe COTI wallet is based on the React Native framework which provides easy cross-platform portability. The COTI wallet requires user credentials paired with a 2FA login to establish a session with the node manager, after which all communication with the COTI network and nodes requires the wallet’s seed. This seed is then used to encrypt and sign all transactions and messages sent on COTI. All messages sent from the wallet are validated and no spoofing or manipulations are possible.
COTI tokens are stored in private, pseudo-anonymous virtual ‘wallets’. Each wallet is identified and protected by a unique access key known as a ‘seed’. Although we call them wallets, they do not actually store the tokens, instead they are like keychains that give you access to the tokens permanently stored on the COTI ledger.
It is important to note that your seed is the one thing that you need to safeguard from disclosure at all times. If someone knows the login credentials to your wallet, it does not mean they have access to your wallet because it is also safeguarded by your locally stored private key.
While these technological security features are a major benefit to using public and private key encryption, the keys themselves rely on more ‘human’ security measures. It is this latter type of security that is most frequently the weak link.
COTI’s MainNet wallet
Seed Generation & BackupThe COTI Wallet includes a foolproof algorithm for generating random seeds and forces the user to back up their seed in a paper wallet or a password manager (e.g. LastPass) before finalising the wallet creation process. This not only protects the seed from brute force attacks, but also ensures the user’s funds can still be safely recovered if their device is lost.
As the seed is the key to the wallet and funds, it is very important to back it up safely. The most secure option is to simply write it down on a piece of paper, though you have to keep that piece of paper safe. We recommend you also use a password manager that will encrypt and store your seed. This solution will protect it from getting misplaced or stolen.
Hardware Wallet IntegrationAfter all is said and done, a digital wallet is not the most secure means of storing crypto. A safer method is to use leading hardware wallets like the Ledger Nano S or Trezor for large holdings.
Support for hardware wallets is of paramount importance. It should be noted that due to the technical differences of the COTI Trustchain infrastructure from typical blockchains, COTI currently has no hardware solution support. However, this is an issue that we are working hard to overcome, and hardware support will be available in the near future.
Is HTTPS a big deal for COTI?For a network such as COTI the answer is NO. Unlike online stores, node owners do not handle highly sensitive information like credit card numbers. As all interactions between the wallet and the network are encrypted, the data that the wallet sends doesn’t pose any potential privacy risks or user experience downgrading.
The seed can be entered into the wallet as plain text, as it is not sent anywhere and is instead used locally together with the private key to encrypt all the messages sent from the wallet to the network. All communication with the COTI network is encrypted using the private key of the user and signed using both the private key and the seed, so all messages sent from the wallet are validated and no spoofing or manipulations are possible.
The seed itself is not sent and no SSL is required. Even if an attacker were to use some sort of phishing manipulation to get a user’s seed, it wouldn’t help them connect to the wallet of the user because the private key is also required for the messages to be properly encoded and validated . Moreover, the private key is always stored locally and not sent anywhere.
What does SSL/TLS mean for COTI and Node Operators?Regardless of the above, to better protect the session initiation phase of the COTI network, we have added SSL certifiacte requirements on all our pages, which in essence means that it is now mandatory for COTI nodes to also install SSL certificates.
This is important for several reasons:
Firstly, Apple requires App Transport Security (ATS) to be enabled in all apps submitted to the App Store. Once we deploy our mobile-supported application, this would be mandatory since developers who submit apps without ATS must justify their decision to disable it.
Additionally, browsers such as Google Chrome mark any website that does not use HTTPS as ‘not secure’. As part of the continued efforts to follow best practices, COTI will not allow non-HTTPS connections to the network.
This does require that every node operator in the COTI network install an SSL/TLS certificate in order to connect and transact.
How Are Transactions Confirmed in COTI?In COTI we have introduced a new approach to achieving consensus between transacting parties operating on a DAG-based data structure. The Cluster is a ledger, or a record of all transactions in the network, which is based on a completely decentralized DAG that is not stored by any central authority. The Cluster achieves scalability through its use of parallel source selection and confirmation of transactions, as well as its use of COTI’s Trust Scores.
To reach consensus on whether the transaction is legitimate or a double spend. DSP Consensus consists of a majority of DSP nodes, and consensus can be achieved when a transaction has more than one half of the DSP Node signatures.
Because the transaction verification process performed by the DSP Node is quick, only the amounts involved are checked, as opposed to the signatures of a transaction. The verification that the DSP Nodes perform are only carried out after a transaction has been attached to the Cluster.
Transactions require the signature of a DSP Node before they can be considered fully confirmed. Any detected double-spending attempts are flagged and refused, while valid transactions receive signatures from DSP Nodes. Valid transactions are required to receive a number of signatures defined by the consensus in order to continue as confirmed.
Receiving tokens is simple, you provide an “address” (public key) to the sender, and that person sends (signing with private key) a defined amount of tokens to you.
When you send tokens to someone (i.e., spend tokens), you will need to prove to everyone that you own the address from which you are spending. By signing the transaction, you prove that you are the holder of the private key for that address.
How are addresses generated?The seed is used to generate an address. COTI handles addresses in a deterministic fashion — i.e., the same set of addresses are always generated in the same order. You may hear the term “index,” which like page numbers in a book, describes the order of the generated keys.
For enhanced privacy measures, users can generate more than one address associated with their seed and by using a new address for each transaction, can better protect the privacy of any transaction. By generating different addresses, users will be able to protect themselves from anyone tracking their transaction history.
Security AuditsCOTI is currently conducting multiple external audits to assess any vulnerabilities, which once finalized will be released to the public for peer review and all required fixes will be implemented as we move forward toward our public MainNet. We’ve also added SSL certificates to better protect the first layer of wallet sessions and we will also add enhancements in regards to user/password compliance issues and or any other aspects raised by the auditors.
Key Aspects of the COTI Network Security- No single point of failure — The distributed nature of blockchains increases the resiliency of the overall network from being compromised by a single point of failure.
- Eliminates ledger manipulation — The consensus mechanism, a key feature of any blockchain system, improves the overall robustness and integrity of shared ledgers and precludes the possibility of ledger manipulation.
- Prevents double spends — Cybersecurity is maintained in the COTI network by introducing DSP Nodes and applying a trust measure for every participant. To this effect, double spending attacks are not possible, which creates a highly secure environment.
- COTI’s PoT adds an extra layer of security — No possibility of penny spend attacks
- No likelihood of man-in-the-middle attacks — The possibility of such an attack is problematic because when users first join COTI, it will not be clear whether they are using the public key of an attacker or a real COTI Node. To solve this problem, the COTI client will have the COTI servers’ public key hard-coded into it. Once a secure connection with the COTI servers has been established, the servers can be used to retrieve the Nodes’ authentic public keys.
* * * * * * *
Final WordsThe TrustChain Protocol captures the best of what COTI has to offer: An easy to use, scalable crypto ecosystem that is not dependent on restrictive fees and slow confirmations. The simplicity of the COTI products while still maintaining and complying to the highest security measures is of massive importance and will be the key to COTI mass adoption.
For other COTI news, you can stay up to date on our Telegram group.
