Security Architecture
Core Security Model
Frostsnap's security is based on physical access to a threshold number of keys on geographically distributed devices (or their backups).
Coordinator Permissions
Knowledge of Keys
Coordinators can only initiate sensitive operations with a device (sign, show backup, etc.) if the coordinator demonstrates knowledge of the group's public key. Each operation must additionally be confirmed on the device itself.
Restoring a Coordinator
A new Coordinator can learn about a key and associated wallets by visiting a threshold number of devices. Each device reveals a share of the public key along the way.
Note: if devices are in geographically separate locations, an attacker needs to visit a threshold number of devices before they can begin a signing session.
Protecting Device Secrets
- Device secrets are encrypted on the device itself with a decryption key stored on your phone's secure element.
- To access any device's secret share of the group private key, you need either:
  • Your phone PIN (which unlocks the phone's secure element), OR
  • Physical access to a threshold number of devices to pair them to a new coordinator
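The threshold property that the Core Security Model and the Restoring a Coordinator sections rely on, shown as an added Python illustration that is not Frostsnap's own code: any t of n shares recover the shared value, while t-1 shares are consistent with every possible value, so a below-threshold visitor learns nothing. It assumes the shares are Shamir shares of a scalar in the secp256k1 group order (the page does not name the curve), and it models only the share arithmetic; threshold signing itself never assembles the full private key in one place.

```python
# Added illustration (not Frostsnap's code) of the t-of-n property:
# Shamir sharing of a scalar over a prime field. Assumption: shares live
# in the secp256k1 scalar field; the page itself does not name the curve.
import secrets

Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split(secret: int, t: int, n: int) -> dict[int, int]:
    """Split `secret` into n shares (device index -> share); any t reconstruct it."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]

    def f(x: int) -> int:  # Horner evaluation of the degree t-1 polynomial
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % Q
        return acc

    return {i: f(i) for i in range(1, n + 1)}


def interpolate(points: dict[int, int], x: int = 0) -> int:
    """Lagrange interpolation of the polynomial through `points`, evaluated at x."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def reconstruct(shares: dict[int, int]) -> int:
    """Recover the shared value from at least t shares."""
    return interpolate(shares, 0)


def consistent_completion(partial: dict[int, int], missing_x: int, candidate: int) -> int:
    """Given only t-1 shares, return the share at `missing_x` that would make
    the set reconstruct `candidate`. One exists for every candidate, which is
    why below-threshold access reveals nothing about the real value."""
    points = dict(partial)
    points[0] = candidate
    return interpolate(points, missing_x)
```

For a 2-of-3 group, `reconstruct` with any two device shares yields the value, while `consistent_completion` shows that a single share plus any guess for the value can always be explained by some third share.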