Ledger to Help NDAX Exchange to Store Crypto

NDAX believes big players are in no hurry to invest in crypto because of the lack of reliable solutions for asset storage, and it intends to fix that.
30 April 2019

Hardware wallet manufacturer Ledger has provided the Canadian National Digital Asset Exchange (NDAX) with its Ledger Vault solution, which will allow the exchange to safely store its clients' digital assets.

According to NDAX representatives, institutional investors are not in a hurry to invest in cryptocurrencies precisely because of the lack of reliable solutions for their storage.

The recent QuadrigaCX scandal, during which some $190 million of customer funds vanished, was a major wake-up call to cryptocurrency investors worldwide. Our partnership with Ledger Vault to provide custody for all of the crypto assets NDAX supports, including Bitcoin, Ethereum and XRP, will reinforce NDAX's mission to bring cryptocurrency mass adoption.

Bilal Hammoud

Founder and CEO, NDAX

NDAX offers banks, hedge funds and family investment firms an infrastructure for managing cryptocurrency assets. In turn, the Ledger Vault technology relies on multiple authorizations to give direct access to digital assets without compromising their security.

Secure storage of large digital asset funds is complex, and exchanges and institutions are looking for safe, comprehensive and integrated solutions. By leveraging the Ledger Vault, NDAX will give investors total control of and instant access to their funds while giving them peace of mind that their assets are secure, without sacrificing convenience.

Demetrios Skalkotos

Global Head, Ledger Vault

In addition, the Ledger Vault solution will provide customers with a number of advantages. In particular, private keys will be controlled through segregated accounts, and the hardware security module will allow additional key holders to be added in an emergency.

Ledger Discovers HSM Vulnerability

An HSM is an external device designed to store public and private keys used to generate digital signatures and to encrypt data. It is used by banks, exchanges and similar organizations.
10 June 2019

A group of researchers from Ledger identified several vulnerabilities in Hardware Security Module (HSM) devices that can be used to extract keys or to carry out a remote attack that replaces the firmware of an HSM device. The report is currently available only in French; the English-language report is scheduled to be published in August at the Black Hat USA 2019 conference. An HSM is a specialized external device designed to store public and private keys used to generate digital signatures and to encrypt data.

An HSM significantly increases protection because it completely isolates keys from the system and its applications, exposing only an API for basic cryptographic primitives that are implemented on the device itself. HSMs are typically used where the highest level of protection is required, for example in banks, cryptocurrency exchanges, and certificate authorities that verify and generate certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain complete control over the contents of the HSM, including extracting all the cryptographic keys and administrative credentials stored on the device. The problems are caused by a buffer overflow in the internal PKCS #11 command handler and by an error in the implementation of the firmware's cryptographic protection, which makes it possible to bypass the PKCS #1 v1.5 digital signature check on the firmware and load one's own firmware into the HSM.

The name of the manufacturer whose HSM devices are vulnerable has not yet been disclosed, but the affected devices are said to be used by some large banks and cloud service providers. It is also reported that information about the problems was sent to the manufacturer beforehand and that it has already fixed the vulnerabilities in a recent firmware update. Independent researchers suggest that the devices in question may be from Gemalto, which in May released an update to Sentinel LDK fixing vulnerabilities whose details have still not been made public.