Cryptnox Hardware Wallet Technical Specifications

Cryptnox Hardware Wallet technical specifications

Application characteristics

Phone application characteristics

Mobile platform available

iOS
Android

Supported blockchain networks

Bitcoin
Most Ethereum Virtual Machine based networks and corresponding smart contracts. Networks and ERC20 can be manually added.

Signature provider functionalities (via mobile app)

QR hardware wallet compatible with Metamask QR code communication (EIP 4527)
Web3 Dapp connection with WalletConnect

Kiosk mode

Application can be converted into a card “point of sale” terminal

Card initialisations options

Dual Card Init (default), identical BIP32 seed generation via secure channel (Diffie Hellmann & shared secret)
Single Card BIP 39 seed injection (mnemonic). 12 to 24 words
Internal single key generation form TRNG source (most secure). Beware: in this case, the BIP 32 seed is only present in one single card, with no possibility of extraction or backup.

Card administrations

Change PIN
Change PUK
Reset card

Number of card parings

256 cards max

Number of card parings

256 cards max

Desktop application characteristics

Application for desktop

Command line interface for Windows, MacOS and Linux (including Ubuntu Core)

Card technical specifications

Authentication

PIN (4 to 9 digits) / PUK (12 characters). Card power cycle needed after 3 wrong PIN. Card locked after 12 wrong PIN (4×3). Can be unlocked with the PUK.
Slot NIST256 R1 signature authentication (mobile phone secure element or PIV) x 1
Slot RSA2048 (Windows Hello TPM) x 1
Slot for Webauthn/FIDO2 x 1
Option to set a dedicated derivation path which doesn’t require the PIN to sign.
Possibility to disable auth by PIN once a key slot is filled.

Secure channel

AES256 from Hash (ECDH, PairingKey)
With MAC
256 bits pairing key
Key in the card certificate tree

Custom user data

At initialisations : 20 + 60 bytes user data filed (email/name)
6 custom bytes provided at SELECT
3600 bytes private data buffer

Digital signature

ECDSA on “Koblitz Bitcoin” 256 k1 curve
ECDSA on NIST P256 r1 curve
BIP 340 “Schnorr” signature (256k1)
EOS 32 bytes loop option

Key deviation

BIP 32 key derivation function, with SLIP10 standard for NIST 256R1 curve. Max derivation depth is 8 levels.

Random number generation

True Random Number Generator (AIS31 compliant)

Encryption/ Decryption

ECIES using an EC key in the BIP32 tree. Based on DECipher from OpenPGP.

Authenticity

Dynamic card key authentication. Card is loaded with a unique card certificate signed by the factory root key.

Logging

Counter of number of signatures (4 bytes)
History of last 149 signed hash

Reset function

With PUK only

Communication Interfaces

ISO/IEC 14443 (NFC Contactless)
ISO/IEC 7816 (Contact)

Chipset and Base Operating System Certifications:

Common Criteria EAL 6+
FIPS 140-2