Aspectos de seguridad

En la autocustodia, la responsabilidad sobre la seguridad de los activos digitales recae en su totalidad en el custodio.
Por tanto, necesitas hacerte de herramientas y procedimientos bajo las mejores prácticas de la industria que refuercen
cada uno de los aspectos de la seguridad informática para conseguir el mejor resguardo posible.

En este apartado hacemos hincapié en todos los aspectos de seguridad que Cuvex ha pulido por ti , fortaleciendo
enormemente tu hoja de ruta para que consigas tu cometido.

Aspectos de seguridad

En la autocustodia, la responsabilidad sobre la seguridad de los activos digitales recae en su totalidad en el custodio. Por tanto, necesitas hacerte de herramientas y procedimientos bajo las mejores prácticas de la industria que refuercen cada uno de los aspectos de la seguridad informática para conseguir el mejor resguardo posible. En este apartado hacemos hincapié en todos los aspectos de seguridad que Cuvex ha pulido por ti , fortaleciendo enormemente tu hoja de ruta para que consigas tu cometido.
1

Almacenamiento

The storage strategy you choose depends on the type of operation you conduct. A holder's use case is very different from a trader's. It's also different to store the keys to your Bitcoin wealth compared to storing the keys to your NFTs or other crypto assets. You'll need to craft an ad-hoc strategy, and the market offers numerous options tailored to your needs. However, there is a common factor: the seed phrase. As its name implies, it is the origin of the keys with which you control your crypto assets, so it's where you must focus the most on storage security. ​If you think about it for a moment, the seed is the true key to your crypto assets. With it in your possession, you can move wherever you want. Any wallet, any platform, you will still have sovereign control over what is yours. Both the master private key and the master public key derive from this and therefore depend on it. If you don't protect the seed, anyone who gets hold of it will gain access to your keys and hence your wealth. Therefore, securely storing your seed is a "must-have." And here is where Cuvex offers you something no one else does: the ability to encrypt your seed offline and store it securely. ​The Cuvex device provides a completely offline encryption flow, which, based on the AES256 GCM symmetric cryptography algorithm, converts the seed (or the data you want) into a cryptogram stored on an NFC card. As a result, you have a military-grade data protection system that makes any attack seeking to obtain the secret impractical. The device stores nothing inside, and just by disconnecting the power, any data that might have been processed is lost. The actual storage of the cryptogram is the NFC card, an easy-to-carry storage medium with an estimated lifespan of 10 years. It is also worth noting that the encryption algorithm is implemented at the hardware level. This means that the software does not intervene in this process, thus eliminating more risk vectors.
semilla
1

Almacenamiento

The storage strategy you choose depends on the type of operation you conduct. A holder's use case is very different from a trader's. It's also different to store the keys to your Bitcoin wealth compared to storing the keys to your NFTs or other crypto assets. You'll need to craft an ad-hoc strategy, and the market offers numerous options tailored to your needs. However, there is a common factor: the seed phrase. As its name implies, it is the origin of the keys with which you control your crypto assets, so it's where you must focus the most on storage security. ​If you think about it for a moment, the seed is the true key to your crypto assets. With it in your possession, you can move wherever you want. Any wallet, any platform, you will still have sovereign control over what is yours. Both the master private key and the master public key derive from this and therefore depend on it. If you don't protect the seed, anyone who gets hold of it will gain access to your keys and hence your wealth. Therefore, securely storing your seed is a "must-have." And here is where Cuvex offers you something no one else does: the ability to encrypt your seed offline and store it securely. ​The Cuvex device provides a completely offline encryption flow, which, based on the AES256 GCM symmetric cryptography algorithm, converts the seed (or the data you want) into a cryptogram stored on an NFC card. As a result, you have a military-grade data protection system that makes any attack seeking to obtain the secret impractical. The device stores nothing inside, and just by disconnecting the power, any data that might have been processed is lost. The actual storage of the cryptogram is the NFC card, an easy-to-carry storage medium with an estimated lifespan of 10 years. It is also worth noting that the encryption algorithm is implemented at the hardware level. This means that the software does not intervene in this process, thus eliminating more risk vectors.
semilla
20363d_ed62a80f2870420bbaa620ef95e07850_mv2

Redundancia

When it comes to the seed phrase, Cuvex makes it easy for you to strengthen this aspect. Just "clone" as many copies as you deem necessary. The more and better distributed they are, the greater your ability to handle any unforeseen event. In any case, you have to be very disciplined. Here are some aspects to consider:

 * When encrypting, use a verbose alias to help you identify your cards.

 * Define separate locations to diversify risk points (theft, floods, fires, etc.).

 * Perform periodic verification tasks on your backups. This not only helps you monitor their status but also helps you practice the scheme you've implemented. 

* Do not mix secrets; use different cards for each one.

These good practices should also be replicated on any other device you have included in your security setup (hardware wallet, hardware signer, etc.). Depending on the manufacturer of each device, you should evaluate the redundancy options it offers. If it doesn't offer anything in this regard, you can always use Cuvex to store those secrets (wallet keys, passphrases, exchange keys, etc.).
20363d_9992cca70bdf48d4be22de69a1e9f998_mv2

Integridad física

As you might imagine, you don't need a vault or safe for your Cuvex card. A thief will find your cryptogram useless without the password to access it. And this, my friend, is only in your mind. You’re light years ahead of banks and have done it with just a few bucks. However, you should consider protecting your cards from electromagnetic interference, current induction, or electrical disturbances. You can achieve this using a Faraday cage. There are plenty of options on the market, although we recommend ours. Check out the options available in our store.

Regarding the Cuvex device, physical connection to the electronic circuits is factory-restricted. That means physical access to the microcontrollers for debugging or modification is not possible. Once the software component called "Bootloader" is installed in our factory, we cannot modify anything on the circuit, not even access these components. If something goes wrong, we can only discard the device's electronics as it becomes irrecoverable.
20363d_ed62a80f2870420bbaa620ef95e07850_mv2_ead689a0-fd60-44e8-930a-e8f671820ead

Redundancia

When it comes to the seed phrase, Cuvex makes it easy for you to strengthen this aspect. Just "clone" as many copies as you deem necessary. The more and better distributed they are, the greater your ability to handle any unforeseen event. In any case, you have to be very disciplined. Here are some aspects to consider:

 * When encrypting, use a verbose alias to help you identify your cards.

 * Define separate locations to diversify risk points (theft, floods, fires, etc.).

 * Perform periodic verification tasks on your backups. This not only helps you monitor their status but also helps you practice the scheme you've implemented. 

* Do not mix secrets; use different cards for each one.

These good practices should also be replicated on any other device you have included in your security setup (hardware wallet, hardware signer, etc.). Depending on the manufacturer of each device, you should evaluate the redundancy options it offers. If it doesn't offer anything in this regard, you can always use Cuvex to store those secrets (wallet keys, passphrases, exchange keys, etc.).
20363d_9992cca70bdf48d4be22de69a1e9f998_mv2

Integridad física

As you might imagine, you don't need a vault or safe for your Cuvex card. A thief will find your cryptogram useless without the password to access it. And this, my friend, is only in your mind. You’re light years ahead of banks and have done it with just a few bucks. However, you should consider protecting your cards from electromagnetic interference, current induction, or electrical disturbances. You can achieve this using a Faraday cage. There are plenty of options on the market, although we recommend ours. Check out the options available in our store.

Regarding the Cuvex device, physical connection to the electronic circuits is factory-restricted. That means physical access to the microcontrollers for debugging or modification is not possible. Once the software component called "Bootloader" is installed in our factory, we cannot modify anything on the circuit, not even access these components. If something goes wrong, we can only discard the device's electronics as it becomes irrecoverable.
as

Actualización de software

20363d_8588ac649d644c4ab4a9c9a61aecc26e_mv2
This is a measure that must be executed rigorously; it is essential to always keep all software within your implemented scheme updated. This helps prevent and protect against known vulnerabilities exploited by hackers. 

Regarding Cuvex, the update process is designed to ensure proper software maintenance at all times without compromising encryption operations or the isolation of the secure element. The only communication channel chosen for the update is the Bluetooth protocol, using a one-way temporary link implementation. The mobile application acts as an air gap to the internet to download the Firmware and then synchronously sends it to the Cuvex device via BLE. Each time a new update is available, you will receive a Push notification on your mobile so that, when you decide, you can proceed to download and then install it on the device.

It is worth noting that the Bluetooth technology is isolated in a memory partition governed by the Bootloader, whose function is to manage and preserve the integrity of the device's Firmware. Therefore, it is impossible to use that channel from the Firmware itself, which implements all functional processes (encryption, decryption, card writing, etc.). In other words, even if an attacker managed to connect via Bluetooth, they would not be able to modify or capture any functional process, as the channel only communicates with the Bootloader partition, which only allows Firmware updates.
20363d_8588ac649d644c4ab4a9c9a61aecc26e_mv2

Actualización de software

This is a measure that must be executed rigorously; it is essential to always keep all software within your implemented scheme updated. This helps prevent and protect against known vulnerabilities exploited by hackers. 

Regarding Cuvex, the update process is designed to ensure proper software maintenance at all times without compromising encryption operations or the isolation of the secure element. The only communication channel chosen for the update is the Bluetooth protocol, using a one-way temporary link implementation. The mobile application acts as an air gap to the internet to download the Firmware and then synchronously sends it to the Cuvex device via BLE. Each time a new update is available, you will receive a Push notification on your mobile so that, when you decide, you can proceed to download and then install it on the device.

It is worth noting that the Bluetooth technology is isolated in a memory partition governed by the Bootloader, whose function is to manage and preserve the integrity of the device's Firmware. Therefore, it is impossible to use that channel from the Firmware itself, which implements all functional processes (encryption, decryption, card writing, etc.). In other words, even if an attacker managed to connect via Bluetooth, they would not be able to modify or capture any functional process, as the channel only communicates with the Bootloader partition, which only allows Firmware updates.
as
20363d_01b2b07238c24ef681d7b06a424ebf9c_mv2_7b48d921-afda-470a-8f90-88d59ffadeb9

Robos y amenazas

Many people don't take this aspect of security seriously, dismissing the possibility that it could happen to them. Some even flaunt it: posting relevant information about their crypto assets on social media, putting their Hardware Wallet sticker on their car window, etc. The truth is, robbing a self-custodian can be very lucrative, and the statistics are growing exponentially. It's wise to be physically and mentally prepared for this eventuality, including measures in your designed scheme. 

When it comes to hardware wallets, more and more offer the ability to manage “secondary wallets,” allowing you to keep the real one hidden and a superficial one to mislead the attacker. Additionally, if you create a passphrase when defining your seed, you add an extra layer of security that will allow you to control a threat situation where you are forced to hand over the keys. 

As an additional measure, Cuvex offers multi-signature when creating your cryptogram. This greatly strengthens your scheme by allowing you to diversify the ownership of the key to your secret. Even if the thief threatens you with a wrench, they will have to settle for the fact that you are only a fragment of the key that opens the chest. 

If your implementation also involves cyberspace, you need to be even more careful. The main avenue of theft and threats is here, and any measure you take is not too much. The best practice is to designate a computer exclusively for this purpose, not use any unknown software, and always connect via VPN, preferably through TOR. 

It's worth reminding you that regarding Cuvex, none of the device's processes require an internet connection. Even the firmware update is done without an internet connection; the app is responsible for downloading the update and then sending it through a secure one-way Bluetooth channel.
20363d_fc0903a8fd0a4ad59171d083665fae1f_mv2

Suplantación y estafas

Continuing from the measures outlined in the previous point, be aware of the potential scams you could fall victim to. Cyberspace is full of traps seeking to steal your wealth. Pay special attention to the details from the sites you visit, check sources, look for proof of authenticity, investigate, and above all, do not provide any personal information or anything related to your crypto assets. 

On the physical side, the devices you choose should have mechanisms that allow you to verify their integrity and authenticity, and of course, always buy directly from the manufacturer. Regarding Cuvex, both the packaging and the device are sealed with a security label that lets you see at a glance if it has been tampered with. Additionally, you can validate the shipping traceability using the service offered by the Cuvex App, where by entering the label codes, you confirm the authenticity of what you have received.

Regarding the communications between the device and the App for the software update process, pairing requires OTP validation and certificate exchange. This prevents third parties from using this connection and ensures the authorship of the update. 

Lastly, at the software level, it is worth noting that the Cuvex device only allows the installation of original firmware signed by Cuvex. The bootloader does this through asymmetric authentication of the RSA signature of the software to be installed (Firmware). Thus, even if any described process fails, the device will authenticate the firmware to be installed and eliminate any attempt to install spoofed software.
20363d_01b2b07238c24ef681d7b06a424ebf9c_mv2_7b48d921-afda-470a-8f90-88d59ffadeb9

Robos y amenazas

Many people don't take this aspect of security seriously, dismissing the possibility that it could happen to them. Some even flaunt it: posting relevant information about their crypto assets on social media, putting their Hardware Wallet sticker on their car window, etc. The truth is, robbing a self-custodian can be very lucrative, and the statistics are growing exponentially. It's wise to be physically and mentally prepared for this eventuality, including measures in your designed scheme. 

When it comes to hardware wallets, more and more offer the ability to manage “secondary wallets,” allowing you to keep the real one hidden and a superficial one to mislead the attacker. Additionally, if you create a passphrase when defining your seed, you add an extra layer of security that will allow you to control a threat situation where you are forced to hand over the keys. 

As an additional measure, Cuvex offers multi-signature when creating your cryptogram. This greatly strengthens your scheme by allowing you to diversify the ownership of the key to your secret. Even if the thief threatens you with a wrench, they will have to settle for the fact that you are only a fragment of the key that opens the chest. 

If your implementation also involves cyberspace, you need to be even more careful. The main avenue of theft and threats is here, and any measure you take is not too much. The best practice is to designate a computer exclusively for this purpose, not use any unknown software, and always connect via VPN, preferably through TOR. 

It's worth reminding you that regarding Cuvex, none of the device's processes require an internet connection. Even the firmware update is done without an internet connection; the app is responsible for downloading the update and then sending it through a secure one-way Bluetooth channel.
20363d_fc0903a8fd0a4ad59171d083665fae1f_mv2

Suplantación y estafas

Continuing from the measures outlined in the previous point, be aware of the potential scams you could fall victim to. Cyberspace is full of traps seeking to steal your wealth. Pay special attention to the details from the sites you visit, check sources, look for proof of authenticity, investigate, and above all, do not provide any personal information or anything related to your crypto assets. 

On the physical side, the devices you choose should have mechanisms that allow you to verify their integrity and authenticity, and of course, always buy directly from the manufacturer. Regarding Cuvex, both the packaging and the device are sealed with a security label that lets you see at a glance if it has been tampered with. Additionally, you can validate the shipping traceability using the service offered by the Cuvex App, where by entering the label codes, you confirm the authenticity of what you have received.

Regarding the communications between the device and the App for the software update process, pairing requires OTP validation and certificate exchange. This prevents third parties from using this connection and ensures the authorship of the update. 

Lastly, at the software level, it is worth noting that the Cuvex device only allows the installation of original firmware signed by Cuvex. The bootloader does this through asymmetric authentication of the RSA signature of the software to be installed (Firmware). Thus, even if any described process fails, the device will authenticate the firmware to be installed and eliminate any attempt to install spoofed software.
20363d_482125430fa9485383e0c458f80def72_mv2

Riesgo de contraparte

What happens if we disappear tomorrow and your Cuvex breaks? Nothing, because you have all the source code published and can set up your own implementation of the solution. Of course, this implies a technical task you will have to face, but the good news is that it is entirely in your hands; you remain completely independent. We are just facilitators of this technique that makes your mission more comfortable, but if one day we are gone (God forbid), your self-custody scheme will prevail. 

Verifiable, visible and editable source code. 
Cuvex code can be compiled by yourself.

You should look for this virtue in any other device you include in your scheme. Also, choose the technologies you use carefully; there are solutions that disguise themselves as self-custody support, but if this involves sharing part of the key to the treasure... well, you know. The list of false prophets in the crypto industry continues to grow and will keep doing so until it matures. Avoid those counterparty risks; do not place your security solely on the trust of words that are not yours.
20363d_80eb1493380d4fd791d4ba8c0afe8353_mv2

Privacidad

Aunque este aspecto lo hemos tratado en puntos anteriores, merece mención aparte debido al alto riesgo que supone no cuidar de él. La recomendación que te podemos hacer para esto es: mantener siempre un perfil bajo. Las amenazas de terceros suelen llegar gracias a información que las propias víctimas comparten de forma imprudente en redes sociales y otros medios. La mejor forma de fortalecer este aspecto de la seguridad es pasando desapercibido ante los criminales. No compartas información sobre tus tenencias de criptomonedas en línea y si te ves obligado a pasar por algún KYC, piénsatelo dos veces. Elige bien las empresas en las que das tus datos, cada una de ellas supone una potencial vulnerabilidad en tu esquema de autocustodia. Y esto no sólo aplica a Exchanges y fabricantes de dispositivos, piensa que hasta los estados puede pedirte información sensible sobre tus criptoactivos, y ya más de una administración ha demostrado no cuidar bien el apartado de ciberseguridad.
20363d_482125430fa9485383e0c458f80def72_mv2

Riesgo de contraparte

What happens if we disappear tomorrow and your Cuvex breaks? Nothing, because you have all the source code published and can set up your own implementation of the solution. Of course, this implies a technical task you will have to face, but the good news is that it is entirely in your hands; you remain completely independent. We are just facilitators of this technique that makes your mission more comfortable, but if one day we are gone (God forbid), your self-custody scheme will prevail. 

Verifiable, visible and editable source code. 
Cuvex code can be compiled by yourself.

You should look for this virtue in any other device you include in your scheme. Also, choose the technologies you use carefully; there are solutions that disguise themselves as self-custody support, but if this involves sharing part of the key to the treasure... well, you know. The list of false prophets in the crypto industry continues to grow and will keep doing so until it matures. Avoid those counterparty risks; do not place your security solely on the trust of words that are not yours.
20363d_80eb1493380d4fd791d4ba8c0afe8353_mv2

Privacidad

Aunque este aspecto lo hemos tratado en puntos anteriores, merece mención aparte debido al alto riesgo que supone no cuidar de él. La recomendación que te podemos hacer para esto es: mantener siempre un perfil bajo. Las amenazas de terceros suelen llegar gracias a información que las propias víctimas comparten de forma imprudente en redes sociales y otros medios. La mejor forma de fortalecer este aspecto de la seguridad es pasando desapercibido ante los criminales. No compartas información sobre tus tenencias de criptomonedas en línea y si te ves obligado a pasar por algún KYC, piénsatelo dos veces. Elige bien las empresas en las que das tus datos, cada una de ellas supone una potencial vulnerabilidad en tu esquema de autocustodia. Y esto no sólo aplica a Exchanges y fabricantes de dispositivos, piensa que hasta los estados puede pedirte información sensible sobre tus criptoactivos, y ya más de una administración ha demostrado no cuidar bien el apartado de ciberseguridad.
20363d_17b89e959b634e27958e7e53fd6c15ad_mv2_e33179a1-e719-401e-a517-99572c8d2d30

Plan contra desastres

Si algún día por lo que sea, tiran abajo tus torres gemelas, debes tener la capacidad de salir adelante. Nada es infalible, por eso debes trazar un plan ante una eventualidad de magnitudes catastróficas. Ya sea porque los gobiernos persiguen al fabricante que elegiste, o porque un fenómeno natural arrasa con todo, debes plantear que hacer ante esa situación y no verte en una posición descontrolada. Está claro que este aspecto debe reforzarse con lo tratado en los puntos anteriores, pero debes dedicar un tiempo específico a pensar en cómo harías ante el fallo de cualquiera de los elementos de tu solución. Aquí lápiz y papel serán tus mejores aliados. Investiga a fondo las virtudes que te ofrece cada proveedor elegido y elimina los vectores de riesgo que identifiques. Haz las preguntas necesarias a quien corresponda y apóyate en tu circulo de confianza para sacar provecho de aspectos ta tratados, como la redundancia y la multi-firma.
20363d_99fdbbcac218481b9504cc418306897c_mv2

Aprendizaje Continuo

Finally, although it may seem repetitive, continuous study of your scheme is mandatory. Technology advances at a rapid pace, and you can't rest on your laurels. What is a strength today can become a weakness tomorrow. You must stay up to date at all times; there is no other option. 

And of course, you should demand the same from every company you decide to include in your scheme. A provider that shows no signs of life is a red flag on your dashboard. If you notice that the technology you use is being abandoned or is not heading in the desired direction, don't be the last to jump ship. 

And don't forget the community, one of the greatest virtues of this industry. Just like Cuvex, any other technology you include should be open to the community. This allows you to verify that they do what they claim to do and to enrich and strengthen the virtues of that technology. Open-source code is undoubtedly a strong asset for cybersecurity.
20363d_17b89e959b634e27958e7e53fd6c15ad_mv2_e33179a1-e719-401e-a517-99572c8d2d30

Plan contra desastres

Si algún día por lo que sea, tiran abajo tus torres gemelas, debes tener la capacidad de salir adelante. Nada es infalible, por eso debes trazar un plan ante una eventualidad de magnitudes catastróficas. Ya sea porque los gobiernos persiguen al fabricante que elegiste, o porque un fenómeno natural arrasa con todo, debes plantear que hacer ante esa situación y no verte en una posición descontrolada. Está claro que este aspecto debe reforzarse con lo tratado en los puntos anteriores, pero debes dedicar un tiempo específico a pensar en cómo harías ante el fallo de cualquiera de los elementos de tu solución. Aquí lápiz y papel serán tus mejores aliados. Investiga a fondo las virtudes que te ofrece cada proveedor elegido y elimina los vectores de riesgo que identifiques. Haz las preguntas necesarias a quien corresponda y apóyate en tu circulo de confianza para sacar provecho de aspectos ta tratados, como la redundancia y la multi-firma.
20363d_99fdbbcac218481b9504cc418306897c_mv2

Aprendizaje Continuo

Finally, although it may seem repetitive, continuous study of your scheme is mandatory. Technology advances at a rapid pace, and you can't rest on your laurels. What is a strength today can become a weakness tomorrow. You must stay up to date at all times; there is no other option. 

And of course, you should demand the same from every company you decide to include in your scheme. A provider that shows no signs of life is a red flag on your dashboard. If you notice that the technology you use is being abandoned or is not heading in the desired direction, don't be the last to jump ship. 

And don't forget the community, one of the greatest virtues of this industry. Just like Cuvex, any other technology you include should be open to the community. This allows you to verify that they do what they claim to do and to enrich and strengthen the virtues of that technology. Open-source code is undoubtedly a strong asset for cybersecurity.