πŸ”Wallet Security / 2FA

Next-Gen Key Management System using 2FA to safeguard SOL withdrawal and private key export functionality

Overview: BONKbot's Next-Generation Key Management System (KMS) is a custom-built software and hardware solution designed to enhance the security of crypto transactions. It includes a Hardware Security Module (HSM) specifically tailored for this purpose.

Hardware Components:

  • Server Hardware: BONKbot uses dedicated servers equipped with AMD processors and Trusted Platform Modules (TPM) Version 2.

  • Secure Boot: Only BONKbot-signed images can be booted, ensuring that unauthorized software cannot run on the servers.

  • RAM Encryption: RAM encryption is enabled to protect data even if hardware is compromised.

Software Components:

  • Custom Unikernel: BONKbot's KMS software is built as a custom unikernel, combining the Linux kernel with the KMS application into a single, secure binary.

  • TPM-Based Security: The TPM measures and verifies each stage of the boot process, ensuring that only authorized firmware, kernel, and application versions can access critical keys.
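The measured-boot check described above can be modelled in a few lines. This is an added example, not BONKbot's code: the stage names, the sample secret and the `seal`/`unseal` helpers are assumptions made for illustration, and only the PCR extend rule is standard TPM 2.0 behaviour.

```python
import hashlib
import hmac
from typing import Optional, Sequence

PCR_RESET = bytes(32)  # a SHA-256 PCR holds 32 zero bytes after platform reset

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(stages: Sequence[bytes]) -> bytes:
    """Fold each boot stage, in boot order, into a single PCR value."""
    pcr = PCR_RESET
    for blob in stages:
        pcr = extend(pcr, blob)
    return pcr

def seal(secret: bytes, approved_pcr: bytes) -> dict:
    """Simplified sealed object; a real TPM keeps the secret encrypted
    and evaluates the PCR policy inside the chip."""
    return {"policy_pcr": approved_pcr, "secret": secret}

def unseal(sealed: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only when the measured chain matches the policy."""
    if hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return sealed["secret"]
    return None

# Constructed sample inputs: placeholder bytes standing in for real images.
APPROVED = [b"firmware-1.0", b"kernel-1.0", b"kms-app-1.0"]
TAMPERED = [b"firmware-1.0", b"kernel-1.0-patched", b"kms-app-1.0"]
REORDERED = [b"kernel-1.0", b"firmware-1.0", b"kms-app-1.0"]

SEALED = seal(b"constructed-master-key", measure_boot(APPROVED))

if __name__ == "__main__":
    for name, chain in [("approved", APPROVED), ("tampered", TAMPERED),
                        ("reordered", REORDERED)]:
        released = unseal(SEALED, measure_boot(chain)) is not None
        print(f"{name:9s} pcr={measure_boot(chain).hex()[:16]}... released={released}")
```

Because each extend hashes the previous PCR value, a change to any stage or to the order of stages produces a different final value, so the sealed key stays locked.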

Key Management:

  • Master Key: The KMS master key encrypts and authenticates all other keys managed by the system. It is never exposed to engineers and can only be decrypted by authorized systems.

  • Key Isolation: The KMS application is divided into three isolated processes:

    1. Message Bridge: Synchronizes encrypted keys and manages communication with BONKbot's business logic.

    2. HTTPS Client Pool: Ensures secure communication with Telegram.

    3. Signer: Manages encrypted private keys and handles signature requests securely.

User Interaction & Security:

  • Transaction Verification: When a transaction signature is requested, the KMS generates a human-readable description of the transaction and sends it to the user via Telegram. The user confirms their intent by selecting a response that is securely transmitted back to the KMS.

  • Master Key Protection: To protect against attacks, the master key is stored using a method that requires specific memory pages to be accessed in the correct order.

  • Additional Security: Users can enable 2FA or Passkey (e.g., Face ID) for added security. These features ensure that even if a Telegram account is compromised, the user's funds remain secure.

Backup and Rollout:

  • Private Key Backup: Users will have the opportunity to back up their private keys. This step is essential for maintaining control over assets and is necessary for upcoming features like multiwallet support.

  • Three-Phase Rollout:

    1. Phase 1: Gradual migration of user keys to the new system without any need for user intervention.

    2. Phase 2: Users will be prompted to back up their private keys and enable 2FA, ensuring they have secure control over their assets.

    3. Phase 3: Users will receive new private keys, and can choose to transfer their assets to the new key gradually or all at once.

Conclusion:

BONKbot's new KMS sets a new standard for security while maintaining the user-friendly experience that our users love. This is just the beginning of what BONKbot has in store, and we're excited to share more in the future!
