Sepior Threshold KMS
Blockchain Privacy Control
Sepior’s Threshold KMS Blockchain Privacy Control introduces a powerful new tool to efficiently manage confidentiality and privacy of permissioned blockchain data and applications accessed by authorized participants. Using the latest threshold cryptographic techniques, including threshold multiparty computation (MPC), Sepior™ Threshold KMS delivers the highest online ledger security and privacy available, with industry leading granularity, while also minimizing costs and complexity.
Sepior Threshold KMS provides fine-grained privacy control in a simple to implement and highly interoperable off-chain manner, which maximizes interoperability with other systems and future blockchain technologies.
The control to content access may be defined per user on a per document or smart contract level, or to the level of specific fields or objects within the application. The result is an agile privacy control solution with industry leading key availability, and minimum complexity and cost.
Sepior™ Threshold KMS works with virtually any blockchain technology, using the latest threshold cryptography techniques. Key management policies are fully defined and implemented off-chain, for administrative and operational simplicity.
Sepior’s patented threshold cryptographic approach, using threshold MPC, allows n number of Threshold KMS services to run on separate virtual machines that may be hosted across multiple data centers or clouds to provide maximum system resiliency. These systems use threshold MPC to confirm that at least m (a definable threshold) of these Threshold KMS services are available for MPC to produce keys used by each authorized blockchain participant to access content, without ever having a whole key exist on any virtual key management server.
Sepior™ Threshold KMS consists of:
n instances of Threshold KMS Services running in VMs
Management portal, an application specific web portal
SDKs for the relevant languages, including smart contract languages
Plugins or connectors when required (i.e., Hyperledger Fabric)
The result is that Sepior’s Threshold KMS approach:
Maximizes fine-grained privacy control for distributed trust across multiple organizations
Eliminates the need for costly hardware security modules (HSMs)
Supports unlimited scale and high availability using the cloud
Maximizes interoperability with an off-chain implementation
Enterprise Grade KMS Considerations
Permissioned access blockchains applications require confidentiality and varying levels of privacy for business purposes
Deny access to illicit attempts to access data or applications within the network
Control access by legitimate participants to access some, but not all data and applications
Fine grained confidentiality and privacy control may be required for compliance purposes
Confidentiality of Personally Identifiable Information (PII) recorded on the blockchain
Privacy with regard to the individuals involved in a transaction
Effective security and management of encryption keys are required to assure that confidentiality and privacy are sustained, and that keys are continuously available, without risk of key corruption
The use of channels with Hyperledger Fabric (a specific implementation of blockchain) allows for natively defined levels of access to specific audiences, but with increased on-chain workloads. Channels may be complex to administer in certain use cases.
Channels may be useful when a subgroup of participants have a lot of transactions in common, if there’s no dependency on blockchain state controlled by outside entities
Some have raised concerns about possible complexity and scale considerations of building, modifying, and maintaining large amounts of channels to support fine grained control
Off-chain key management and participant access management may be preferable, to minimize on-chain computations and flexibly adjust to changing requirements
Threshold key management services (Threshold KMS) represents a new opportunity to support fine grained access control, off-chain, with per-user privacy control, without increasing blockchain complexity or on-chain workloads
Threshold KMS may be implemented in conjunction with channels or other blockchain specific controls, or as an alternative form of control, providing flexibility for case-by-case optimization
Sepior™ Threshold KMS achieves these new benchmarks in performance through patented techniques using secure, multiparty computation (MPC).
Threshold KMS Features & Benefits
Enterprise-grade key management services for managing blockchain data confidentiality
Manage blockchain access to authorized participants
Privacy control down to the object level
Enables fine grained control for participant access to specific fields of data (objects) on the blockchain as may be required for business or compliance purposes
Full lifecycle key management services
Generate, regenerate, rotate, and retire keys as required
Providing full visibility to events and authorizations
Cross-domain IdM support
Flexible identity management integration
Supporting administration down to a per user, per group, or per organization level
Integration at the application or the blockchain platform layer
Allows for use case specific optimization and simplified integration
Works with any blockchain
Eliminates requirements to use a particular blockchain technology to achieve business and compliance objectives
Distributed trust model, using threshold cryptography with MPC to provide a distributed, virtual key management system across multiple VMs
Keys are generated and managed without ever producing a whole key on any key server, eliminating the potential for server key theft
Provides hardware security module (HSM) trust level, without the need to purchase, install, physically secure, and maintain HSM appliances
Provides the system resiliency of fully redundant HSM configurations, without the cost or complexity of multiple redundant appliances
Cloud-native micro services architecture
Automatically scale key management services up / down based on service loads
Eliminates dependency on a hardware appliance or dedicated VM to support scale requirements
Implemented as VMs, with no dedicated or proprietary hardware required
Minimizing CapEx and OpEx