Security Overview
Eliminating Single Points of Compromise
TSI employs a multi-layered security architecture designed to eliminate single points of compromise and protect digital assets. This architecture combines user-side security measures, robust infrastructure protection, and the advanced cryptography of Multi-Party Computation (MPC).
User/Admin Account Security:
Two-Factor Authentication (2FA): Both User and Admin accounts are protected by 2FA, and 2FA setup is enforced during registration. Users must provide a second form of authentication (a time-based code from an authenticator app) in addition to their credentials, significantly reducing the risk of unauthorized access due to compromised credentials.
Device Binding: Trader/Liquidator accounts are bound to specific devices. This adds another layer of security by preventing access from unauthorized devices, even if credentials are compromised.
User-Side Key Management (Trader/Liquidator/Admin):
Passphrase and Local Storage: A user's passphrase is generated in their browser and is used to decrypt their encrypted key share (#2). The encrypted key share is stored locally within the user's browser, which minimizes the risk of server-side key compromise.
Decryption: The passphrase is only used for local decryption and is never transmitted over the network. This protects the passphrase from interception.
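The local decryption flow described above, as an added example (not TSI's or Fireblocks' code) using the browser WebCrypto API. The KDF (PBKDF2-HMAC-SHA256), cipher (AES-256-GCM), iteration count, stored record layout and the function names `sealKeyShare` and `openKeyShare` are assumptions, since the page does not state which primitives TSI uses.

```javascript
// Added example. KDF, cipher, work factor and record layout are assumptions,
// not TSI's documented design.
const ITERATIONS = 600000; // PBKDF2-HMAC-SHA256 work factor (assumed)

// Use the browser's WebCrypto; under Node.js fall back to node:crypto's copy.
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

// Stretch the passphrase into a non-extractable AES-256-GCM key.
async function deriveKey(c, passphrase, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Build the record kept in browser storage: salt, nonce and ciphertext only.
// Neither the passphrase nor the derived key is part of it.
async function sealKeyShare(passphrase, shareBytes) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh nonce per encryption
  const key = await deriveKey(c, passphrase, salt);
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, shareBytes);
  return JSON.stringify({ v: 1, salt: toHex(salt), iv: toHex(iv), ct: toHex(ct) });
}

// Decrypt locally. Returns null for a wrong passphrase or a modified record,
// because the AES-GCM authentication tag fails to verify in both cases.
async function openKeyShare(passphrase, record) {
  const c = await getCrypto();
  const { salt, iv, ct } = JSON.parse(record);
  const key = await deriveKey(c, passphrase, fromHex(salt));
  try {
    const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: fromHex(iv) }, key, fromHex(ct));
    return new Uint8Array(pt);
  } catch {
    return null;
  }
}
```

With an authenticated cipher, a record altered in browser storage is rejected the same way as a wrong passphrase, so the caller never signs with a corrupted share.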
Multi-Party Computation (MPC) with Fireblocks:
2-of-2 MPC Signature: TSI utilizes a 2-of-2 MPC scheme, meaning two key shares are required to sign any transaction. One key share (#2) is held by the user (as described above), and the other key share (#1) is securely managed by Fireblocks within a secure enclave using Intel SGX.
Fireblocks Server and Verification: The Fireblocks server plays a crucial role in the MPC process. It co-signs transactions with the user's key share, ensuring that no transaction can be executed without both parties' agreement. The Fireblocks server also handles transaction verification. This prevents unauthorized or fraudulent transactions.
Infrastructure Security:
AWS (Amazon Web Services): TSI's infrastructure is hosted on AWS, benefiting from their robust security measures, including physical security, network security, and access control.
AWS Secrets Manager: Sensitive information, such as the Fireblocks API key, is securely stored and managed using AWS Secrets Manager. This prevents unauthorized access to these critical credentials.
TSI Server and Whitelisted IPs: The TSI server's IP addresses are whitelisted with Fireblocks' server. This limits access to authorized systems and reduces the attack surface.