The “Two-Man Rule” and Bitcoin Security

This morning, OKCoin shared information on how it secures cold wallets in an effort to move the industry forward.

The company released a statement saying,

Through this transparency, OKCoin aims to assure users of the security of their funds. We hope this helps the industry be more open and welcome feedback and new ideas.

The principles of the cold wallet security system borrow heavily from the “The Two-Person Concept,” otherwise known as the “two-man rule,” from the United States Air Force instructions (AFI 91-104). The two-man rule is a system designed to achieve a high level of security for especially critical operations.

During the height of the Cold War in the 1960s, the United States had several minute-men missile systems in which the “two-man rule” was used. In the event of an ordered launch, both crew members of the silo would have to turn their keys at the same moment on the commander’s count. The two ignitions were situated far enough apart that one person alone could not reach both keys and single-handedly provide the go-ahead to launch a missile.

OKCoin has implemented new security measures to protect customer cold-wallets after a security breach with the Bter cold wallet. On a reddit post this morning, OKCoin shared the following security principles and philosophies the company has applied to the cold wallet security system:

1. Any equipment connected to the internet is inherently vulnerable.

2. USB drives are unsafe as USB disks may be compromised with viruses. Such a USB virus may automatically record data in a computer network after it’s inserted and steal the contents within.

3. No security practice can be reliant on one individual. Any access to cold wallet must require confirmation of two authorized parties.

4. Everyone has the potential to suffer from an unexpected event. Others need to be authorized to access offsite backups in order to ensure safety.

5. Individuals may be kidnapped, so important data must be saved in the highest security bank safe and require in-person access.

The company also outlined how it is generating private keys and backups, including principles from the “two-man rule”:

1. Generate 10,000 private keys and corresponding address on the completely offline computer.

2. Add AES private key encryption on the completely offline computer.

3. Delete the original 10,000 private keys.

4. AES password to be controlled by two OKCoin company personnel in separate locations – one in OKCoin’s Beijing office, one in a city on the West Coast of the United States.

5. The two AES master password holders cannot use the same means of transportation at the same time.

6. The address and encrypted private key on the offline computer are displayed in QR code format.

7. The QR code of the address is scanned by another computer to publish the address of the cold wallet in order to receive deposits from our hot wallet. Each cold wallet address will be used only once. 8.The QR code of the encrypted key is printed and stored inside a highly secure bank vault. Even if the holder of the encrypted key was kidnapped, the document is secure as the holder must be present at the bank to retrieve it.

8. The QR code of the encrypted key is stored and backed up – one in the bank safe in China, and another in a city on the East coast of the United States.

9. Access to these two banks are granted to two separate people.

10. These two people do not take transportation together.

11. Those with access to the bank safes cannot be the same as the ones who control the AES password.

OKCoin is the first major exchange to publicly outline the measures being taken to secure customer funds at each step. The team’s statement also highlighted the handling of coins from cold-storage to hot-wallets:

1. Send personnel to the bank safe near the office and retrieve the appropriate number of unused encrypted private keys. Scan the QR code of these keys into an offline computer.

2. The QR code is scanned into another completely offline computer.

3. The holder of the AES master password decrypts the encrypted private key on a completely offline computer.

4. The private key is scanned using QR code to import into another entirely offline computer.

5. Signing trading on another computer completely offline, and after the transaction signature synchronized to a computer with internet broadcast transaction through USB drive.

OKCoin CEO Star Xu reiterated to Coin Fire that the private keys for cold-storage are truly cold and that the two-man aspect is just one of the security precautions OKCoin has taken.

OKCoin’s transparency is another move forward towards increased information sharing in the cryptocurrency industry. The OKCoin team is looking for additional feedback on the security principles on reddit.

Titan missile launch key image courtesy of James Brooks.