Security of Funds
We take every measure to ensure the security of your assets
OKEX Cold Wallet Security Design and Protocol
Bitcoin is ideal for constructing a financial social network and for achieving financial democracy. Today, the Bitcoin security infrastructure still has much room for improvement. Two important issues facing the industry is how to operate a stable Bitcoin trading platform, and securing Bitcoin wallets.
Bitcoin's security is based on the core Bitcoin private key encryption algorithm. Cryptography experts believe Bitcoin's cryptographic foundation (SHA256 and EDSA) is absolutely safe based on current decryption capabilities. The main problem that remains is safely storing the private key which the industry usually does via a cold wallet (absolutely no contact with the Internet wallet) to hold large quantities of bitcoins.
But how do you design and run a truly secure cold wallet? OKEX has long implemented and improved on its security program and is now sharing it openly. We hope to help promote best practices amongst new entrants in the industry and to also explore new ideas with partners to ensure we stay a leader in Bitcoin security. We are always receptive to new suggestions from experts in the community, and look forward to operating the safest and simplest Bitcoin wallet.
Our security design philosophy
1. Any equipment connected to the internet is inherently vulnerable.
2. USB drives are unsafe as USB disks may be compromised with viruses. Such a USB virus may automatically record data in a computer network after it's inserted and steal the contents within.
3. No security practice can be reliant on one individual. Any access to cold wallet must require confirmation of two authorized parties.
4. Everyone has the potential to suffer from an unexpected event. Others need to be authorized to access offsite backups in order to ensure safety.
5. Individuals may be kidnapped, so important data must be saved in the highest security bank safe and require in-person access.
Our security design protocol
Private key generation and backup
1. Generate 10,000 private keys and corresponding address on the completely offline computer.
2. Add AES private key encryption on the completely offline computer.
3. Delete the original 10,000 private keys.
4. AES password to be controlled by two OKEX company personnel in separate locations - one in OKEX's Beijing office, one in a city on the West Coast of the United States.
5. The two AES master password holders cannot use the same means of transportation at the same time.
6. The address and encrypted private key on the offline computer are displayed in QR code format.
7. The QR code of the address is scanned by another computer to publish the address of the cold wallet in order to receive deposits from our hot wallet. Each cold wallet address will be used only once.
8. The QR code of the encrypted key is printed and stored inside a highly secure bank vault. Even if the holder of the encrypted key was kidnapped, the document is secure as the holder must be present at the bank to retrieve it.
9. The QR code of the encrypted key is stored and backed up - one in the bank safe in China, and another in a city on the East coast of the United States.
10. Access to these two banks are granted to two separate people.
11. These two people do not take transportation together.
12. Those with access to the bank safes cannot be the same as the ones who control the AES password.
Depositing bitcoins from online hot wallet to offline cold wallet
1. Once public address of cold wallet is retrieved, deposits of bitcoins can be made from the hot wallet. For security reasons, each address cannot exceed 1,000 bitcoins.
2. Each address will also no longer be used after a single outbound transaction.
Retrieving bitcoins from offline cold wallet
1. Send personnel to the bank safe near the office and retrieve the appropriate number of unused encrypted private keys. Scan the QR code of these keys into an offline computer.
2. The QR code is scanned into another completely offline computer.
3. The holder of the AES master password decrypts the encrypted private key on a completely offline computer.
4. The private key is scanned using QR code to import into another entirely offline computer.
5. Signing trading on another computer completely offline, and after the transaction signature synchronized to a computer with internet broadcast transaction through USB drive.
Highlights of the OKEX security protocol
1. The cold wallet addresses can only hold a limited amount of Bitcoins.
2. Private keys are stored on completely offline computers.
3. Certainty that the private key never had any contact with the internet or USBs.
4. Encrypted private key paper document requires offsite backup, and is controlled by different people in different places.
5. AES private key password shall also be controlled by different people in different places, and shall not be the same person with the master of the private key.
6. Holders of the AES private key password and those with the ability to retrieve the encrypted private key are different people and in different places.
7. Once a private key has been used to transfer Bitcoin out of the address, the address is no longer to be used again for deposits.
Targets that our security protocol hopes to achieve
1. Cold wallet Bitcoins spread across multiple private keys.
2. Accessing any private key requires two people - the holder of the AES password, and the holder of the bank safety deposit box.
3. There are backups for both the AES password and holder of the bank safety deposit box spread geographically. In the case of unexpected events, bitcoins are still safe.
4. Encrypted private keys are kept in bank vaults. Even if any personnel is kidnapped, the victim cannot be forced to obtain access to bitcoins.
5. Each cold address can only be transferred once and the address will be void thereafter.