cryptnox-logo
Shop Now

Hardware Wallet technical specifications

Phone Application Characteristics

Our mobile application supports both iOS and Android platforms, providing a seamless experience for managing your hardware wallet.

Supported Blockchain Networks

  • Bitcoin (BTC)
  • Ethereum (ETH) and ERC-20 tokens
  • BNB Chain and BEP-20 tokens
  • Tron (TRX) and TRC-20 tokens
  • XRP (Ripple)
  • Other EVM chains added via WalletConnect or manual config (not native)

For a more detailed guide on how our hardware wallet integrates with Ethereum Read here

Signature Provider Functionalities (via Mobile App)

  • QR-based hardware wallet compatibility with Metamask QR code communication (EIP 4527)
  • Web3 Dapp connectivity via WalletConnect

Kiosk Mode

The application can be configured into a card “point-of-sale” terminal for secure transactions

Card Initialization Options

  • Dual Card Init (default): Identical BIP32 seed generation via a secure channel (Diffie Hellmann & shared secret)
  • Single Card BIP39 Seed Injection: 12-24 word mnemonic support
  • Internal Key Generation: Most secure option using a True Random Number Generator (TRNG), but note that the BIP32 seed cannot be extracted or backed up

Card Administration

  • Change PIN
  • Change PUK
  • Reset card

Desktop application

Our desktop command line application for advanced users is available for:

  • Windows, macOS, and Linux

Card technical specifications

Authentication

  • PIN (4 to 9 digits) / PUK (12 characters). Card power cycle needed after 3 wrong PIN. Card locked after 12 wrong PIN (4×3). Can be unlocked with the PUK.
  • Slot NIST256 R1 signature authentication (mobile phone secure element or PIV) x 1
  • Slot RSA2048 (Windows Hello TPM) x 1
  • Slot for Webauthn/FIDO2 x 1
  • Option to set a dedicated derivation path which doesn’t require the PIN to sign.
  • Possibility to disable auth by PIN once a key slot is filled.

Secure channel

  • AES256 from Hash (ECDH, PairingKey)
  • With MAC
  • 256 bits pairing key
  • Key in the card certificate tree

Custom user data

  • At initialisations : 20 + 60 bytes user data filed (email/name)
  • 6 custom bytes provided at SELECT
  • 3600 bytes private data buffer

Digital signature

  • ECDSA on “Koblitz Bitcoin” 256 k1 curve
  • ECDSA on NIST P256 r1 curve
  • BIP 340 “Schnorr” signature (256k1)
  • EOS 32 bytes loop option

Key deviation

  • BIP 32 key derivation function, with SLIP10 standard for NIST 256R1 curve. Max derivation depth is 8 levels
Random number generation
  • True Random Number Generator (AIS31 compliant)

Encryption/ Decryption

  • ECIES using an EC key in the BIP32 tree. Based on DECipher from OpenPGP

Authenticity

  • Dynamic card key authentication. Card is loaded with a unique card certificate signed by the factory root key

Logging

  • Counter of number of signatures (4 bytes)
  • History of last 149 signed hash
Reset function
  • With PUK only

Communication Interfaces

  • ISO/IEC 14443 (NFC Contactless)
  • ISO/IEC 7816 (Contact)

Chip platform certifications (NXP JCOP 4 on P71D321):

  • Common Criteria EAL 6+ augmented — NSCIB-CC-180212_3 (JCOP 4 P71 platform)
  • FIPS 140-2 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #3746 (P71D321)
  • AIS-31 compliant True Random Number Generator (chip-level)

Applet certifications:

  • Hardware Wallet applet — no formal Common Criteria / FIPS certification at the applet level, but the card firmware was independently audited by Cure53 (Berlin, November 2019). Cure53 returned no critical or high findings on the JavaCard applet code and concluded the firmware “mitigates attack classes common to card-based HSMs successfully — side-channels, signature malleability, and nonce reuse.”
  • Cryptnox FIDO2 applet, shipped alongside the Hardware Wallet as accessory — FIDO Alliance Certified, FIDO2 v2.1 + CTAP Level 1

Supported elliptic curves (applet-level):

  • Hardware Wallet applet: Secp256k1 (Bitcoin / Koblitz) + NIST P-256 (P-256 r1)
  • Cryptnox FIDO2 applet: NIST P-256 (P-256 r1) only