Every industry has standards that help businesses keep their customers safe. Companies that store medical records follow HIPAA to keep their records secure. Companies that store credit card numbers follow PCI for the same reason. When it comes to cryptocurrencies like Bitcoin and Ethereum, the CCSS is the go-to standard for any system that stores or sends cryptocurrencies.
The CryptoCurrency Security Standard (CCSS) is a free-to-use standardized methodology for securing private keys that was put together by security auditors, researchers, and principals from a variety of companies. Spearheaded by C4 – the CryptoCurrency Certification Consortium – the CCSS is designed to help developers ensure that their new systems are being designed securely, and to help auditors grade the security posture of existing systems.
C4 is a not-for-profit organization dedicated to standards and measurements in the cryptocurrency ecosystem. C4 publishes standards for personnel such as the Certified Bitcoin Professional (CBP) exam, as well as standards for information systems like the CCSS. Today, the CCSS is steered by a committee of security professionals from blockchain companies such as ShapeShift, BitGo, Ciphrex, and Gem, as well as non-blockchain companies such as Deloitte and PwC.
To build the CCSS, each high-profile breach or theft in the cryptocurrency space was analyzed to identify common mistakes and design choices that lead to each theft. These deficiencies were used to create a list of controls that would mitigate each one. The result is a list of 33 controls that span 5 separate areas of any information system:
- Hardware
- Software
- Policies
- Procedures
- Training
Like a chain, any system’s security is as secure as its weakest link. By way of example, it doesn’t matter how long your password is or what encryption algorithm you choose if your daily procedure involves reading the password from a piece of paper hidden underneath your keyboard – it’s only a matter of time until your account suffers a breach.
All cryptocurrencies use private keys to send and receive funds, so the CCSS focuses on the security of these private keys at every moment in their life cycle:
- Creation of private keys
- Storage of private keys
- Access of private keys
- Usage of private keys
- Decommissioning of private keys
The standard involves 3 grades of increasing security: Level 1, Level 2, and Level 3. If an information system includes 19 security controls, it is considered “secure” at Level 1. If the system includes 28 controls, it is considered “very secure” at Level 2, and if it includes all 33 controls it is considered “highly secure” at Level 3. More details about the specific controls needed to reach Level 1, 2, or 3 can be found in this matrix online.
As of the writing of this article (March 2017), every system that suffered a high-profile cryptocurrency breach failed to comply with CCSS Level 1. I believe that any system compliant with CCSS Level 2 can withstand a cyberattack that gives the attacker full access to its systems (aka “root access”) while not losing a single satoshi (the smallest subunit of a bitcoin).
If you are designing a new system that will store or use any cryptocurrency, we recommend your technical staff review the details of the CCSS at https://cryptoconsortium.org/standards/CCSS. The standard is published online by C4 for anyone to use for free. If you would like to support the CCSS initiative, you may donate bitcoins to C4 by using the address at the bottom of the CCSS page.
Michael Perklin is Chief Information Security Officer at ShapeShift, President of standards body C4, and a blockchain security advisor to a variety of projects in the blockchain space.