Sepior Threshold KMS
Blockchain Ledger Security

Sepior’s Threshold KMS blockchain ledger security introduces powerful new tools to efficiently manage confidentiality and privacy of data and applications accessed by private blockchain participants. Using the latest threshold cryptographic techniques, including threshold multiparty computation (MPC), Sepior™ Threshold KMS delivers the highest online ledger security available, with the lowest costs and complexity.

Sepior™ Threshold KMS works with virtually any blockchain technology, using the latest threshold cryptography techniques. Key management policies are fully defined and implemented off-chain, for administrative and operational simplicity.

Sepior’s patented threshold cryptographic approach, using threshold MPC, allows n number of Threshold KMS services to run on separate virtual machine (VM) servers that may be hosted across multiple data centers or clouds to provide maximum system resiliency. These systems use threshold MPC to confirm availability of at least t (a user definable threshold) of these Threshold KMS services are available for MPC to produce a key used by each authorized blockchain participant to access a specific object on the blockchain, without ever having a whole key exist on any virtual key management server. The result is an agile key management solution with industry leading key availability and security, with minimum complexity and cost.

Sepior™ Threshold KMS consists of:

  • n instances of Threshold KMS Services running in VMs

  • Management portal, an application specific web portal

  • SDKs for the relevant languages, including smart contract languages

  • Connectors when required (i.e., Hyperledger)


Sepior Threshold KMS

Sepior Threshold KMS is a threshold cryptographic key management solution that integrates with permission based blockchains to provide maximum ledger data confidentiality and participant specific privacy controls. Data and applications stored on the blockchain are encrypted using Sepior KMS for key management. Blockchain participants accessing specific documents or applications can be given different levels of authorization to access certain fields of data, but not others. This fine grained control gives blockchain providers a powerful new tool to satisfy compliance and business confidentiality and privacy requirements, while achieving efficiencies through multiparty access and collaboration.

Sepior Threshold KMS is implemented using threshold MPC to provide higher confidentiality, integrity, and availability than is achievable with more conventional KMS’s, and it does so with minimum cost or complexity.


Enterprise Grade Considerations

Permissioned access blockchains applications require confidentiality and varying levels of privacy

  • Deny access to illicit attempts to access data or applications within the network

  • Control access by legitimate participants to access some, but not all data and applications

Fine grained, context aware confidentiality and privacy control may be required for compliance purposes, and for business purposes

  • Confidentiality with regard to enabling access to the blockchain and data recorded on the blockchain

  • Privacy with regard to the individuals involved in a transaction

Effective security and management of encryption keys are required to assure that confidentiality and privacy are sustained, and that keys are continuously available, without risk of key corruption

Most blockchain implementations lack native control for privacy management

The use of channels with Hyperledger Fabric (a specific use case of blockchain) allows the creation of defined levels of access to specific audiences, but with the introduction of increased complexity and possibly increased on-chain workloads

  • Channels may be useful when a subgroup of participants have a lot of transactions in common, if there’s no dependency on blockchain state controlled by outside entities

  • Some have raised concerns about possible complexity and scale considerations of building, modifying, and maintaining large amounts of channels

Off-chain key management and participant access management may be preferable, to minimize on-chain computations and flexibly adjust to changing requirements

Threshold key management services (Threshold-KMS) represents a new opportunity to support fine grained access control with per-user privacy control, without increasing blockchain complexity, or on-chain workloads

  • Threshold-KMS may be implemented in conjunction with channels or other blockchain specific controls, or as an alternative form of control, providing flexibility for case-by-case optimization

Sepior™ Threshold KMS achieves these new benchmarks in performance through patented techniques using secure, multiparty computation (MPC).


Threshold KMS Features & Benefits

Enterprise-grade key management services for blockchain data confidentiality through discretionary access control

  • Manage blockchain access to authorized participants

Privacy control down to the object level

  • Enables fine grained control for participant access to specific fields of data (objects) on the blockchain as may be required for business or compliance purposes

Full lifecycle key management services

  • Generate, regenerate, rotate, and retire keys as required

Audit logging

  • Providing full visibility to events and authorizations

Cross-domain IdM support

  • Flexible identity management integration

  • Supporting administration down to a per user, per group, or per organization level

Integration at the application or the blockchain platform layer

  • Allows for use case specific optimization and simplified integration

Works with any blockchain

  • Eliminates requirements to use a particular blockchain technology to achieve business and compliance objectives

Distributed trust model, using threshold cryptography with multiparty computation

  • Keys are generated and managed without ever producing a whole key on any key server, eliminating the potential for server key theft

  • Provides hardware security module (HSM) trust level, without the need to purchase, install, physically secure, and maintain HSM appliances

  • Provides the system resiliency of fully redundant HSM configurations, without the cost or complexity of multiple redundant appliances

Cloud-native micro services architecture

  • Automatically scale key management services up / down based on service loads

  • Eliminates dependency on a hardware appliance or dedicated VM to support scale requirements

Very low CapEx and OpEx