Cryptnox Hardware Wallet technical specifications

Application characteristics

Phone application characteristics

Mobile platform available

Supported blockchain networks

  • Bitcoin
  • Most Ethereum Virtual Machine based networks and corresponding smart contracts. Networks and ERC20 can be manually added.

Signature provider functionalities (via mobile app)

  • QR hardware wallet compatible with Metamask QR code communication (EIP 4527)
  • Web3 Dapp connection with WalletConnect

Kiosk mode

  • Application can be converted into a card “point of sale” terminal

Card initialisations options

  • Dual Card Init (default), identical BIP32 seed generation via secure channel (Diffie Hellmann & shared secret)
  • Single Card BIP 39 seed injection (mnemonic). 12 to 24 words
  • Internal single key generation form TRNG source (most secure). Beware: in this case, the BIP 32 seed is only present in one single card, with no possibility of extraction or backup.

Card administrations

  • Change PIN
  • Change PUK
  • Reset card

Number of card parings

  • 256 cards max

Desktop application characteristics

Application for desktop

  • Command line interface for Windows, MacOS and Linux (including Ubuntu Core)

Card technical specifications

Authentication

  • PIN (4 to 9 digits) / PUK (12 characters). Card power cycle needed after 3 wrong PIN. Card locked after 12 wrong PIN (4×3). Can be unlocked with the PUK.
  • Slot NIST256 R1 signature authentication (mobile phone secure element or PIV) x 1
  • Slot RSA2048 (Windows Hello TPM) x 1
  • Slot for Webauthn/FIDO2 x 1
  • Option to set a dedicated derivation path which doesn’t require the PIN to sign.
  • Possibility to disable auth by PIN once a key slot is filled.

Secure channel

  • AES256 from Hash (ECDH, PairingKey)
  • With MAC
  • 256 bits pairing key
  • Key in the card certificate tree

Custom user data

  • At initialisations : 20 + 60 bytes user data filed (email/name)
  • 6 custom bytes provided at SELECT
  • 3600 bytes private data buffer

Digital signature

  • ECDSA on “Koblitz Bitcoin” 256 k1 curve
  • ECDSA on NIST P256 r1 curve
  • BIP 340 “Schnorr” signature (256k1)
  • EOS 32 bytes loop option

Key deviation

  • BIP 32 key derivation function, with SLIP10 standard for NIST 256R1 curve. Max derivation depth is 8 levels.

Random number generation

  • True Random Number Generator (AIS31 compliant)

Encryption/ Decryption

  • ECIES using an EC key in the BIP32 tree. Based on DECipher from OpenPGP.

Authenticity

  • Dynamic card key authentication. Card is loaded with a unique card certificate signed by the factory root key.

Logging

  • Counter of number of signatures (4 bytes)
  • History of last 149 signed hash

Reset function

  • With PUK only

Communication Interfaces

  • ISO/IEC 14443 (NFC Contactless)
  • ISO/IEC 7816 (Contact)

Chipset and Base Operating System Certifications:

  • Common Criteria EAL 6+
  • FIPS 140-2