| The article is relevant for all io.vault and io.network subscriptions, except where otherwise stated. |
Introduction to io.vault technology
io.vault is a self-custody product, which enables a company or group of individuals to securely hold and transact with digital assets while simultaneously removing any required single point of trust or failure.
io.vault clients are provided the ability to directly distribute cryptographic signing material (secret shares) across multiple individuals within their organization and to determine a threshold of those secret shares required before a transaction can be successfully approved.
This approach provides a customizable, secure and scalable way to manage an organization's or individual's digital assets. To accomplish this, io.vault relies upon robust cryptographic technologies called Multi-Party Computation (MPC) and Threshold Signature Schemes (TSS). io.finnet has developed its own architecture called trustlessMPC (tMPC) which offers enhanced security by physically distributing weighted signing power across multiple participants, rather than relying purely upon server based infrastructure for cryptographic signature generation.
What is io.vault and what can I do with it?
io.vault is for any organization that would like to interact with Bitcoin, Ethereum or Ethereum-based digital assets, as well as private assets issued on io.network (ERC-20 tokens). io.vault enables you to securely hold and transact with your digital assets. It is particularly advantageous to organizations who are transacting with digital assets and would like an audited, scalable and secure way to authorize transactions. Additional assets and networks will be supported in the future.
Public private key pairs
When holding digital assets directly in self-custody (i.e. not via an exchange or 3rd party custodian) the blockchain does not know your name - just a “public address” and your balance of assets is “owned” by this address.
To transfer your assets anywhere else, you need the corresponding "private key" of the public address. This key is used to cryptographically "sign" for any transfer, the result of which is validated by the blockchain network prior to the execution of the transfer.
This private key is simply a string of characters (e.g. 310fe2e677a3ad28acb91d2645bb33882f015ab11e59dce9d2a72905979e3cb6) that is used to cryptographically prove ownership of its corresponding public address through cryptographic functions (i.e. “signing”).
The issues arise around ownership, since there is no name attached to your public address and it is only controlled by the private key. Anyone who manages to gain access to this private key can take complete control of any assets associated with your public address and send them anywhere they like.
MPC-TSS
TSS (threshold signature schemes) technology eliminates the use of a single private key and instead uses a customizable number of “secret shares” to accomplish the same feat of signing a transaction for a corresponding public address. In addition to being able to customize the number of secret shares you can also set a “threshold” which determines how many secret shares are required in order to generate a valid signature.
This means that you could have many different secret shares held in different locations, with different people, and if one of them was stolen the assets would still be safe as the threshold could not be reached by the attacker.
The Multi Party Computation (MPC) technology allows devices that contain their own secret shares to communicate with one another and produce a signature trustlessly, without ever disclosing to the other devices their own secret share.
The end result is a technology which allows us to eliminate the single point of failure normally associated with holding self-custody of digital assets. In addition, it allows users of our product to determine for themselves the level of security for each vault (number of shares, and required threshold) and distribute signing power across multiple employees instead of relying upon one trusted person who may not be available.
How is io.vault different from other self-custody and wallet products?
io.vault is one of the only products on the market that offers a MPC-TSS based custody solution where the end user has direct control and physical possession of the underlying cryptographic material which controls the assets in custody. io.finnet has no access or method to move or prevent access to the digital assets held by users of the product.
Is io.vault audited?
Yes, io.vault has undergone extensive audits. Both the underlying cryptographic implementation and the traditional web and mobile app security have been evaluated by multiple third-party auditors, including Kudelski Security. Additionally, io.finnet has successfully completed its SOC 2 Type 2 audit, highlighting the company's commitment to robust data security and the protection of user privacy.
How do you protect data?
All sensitive cryptographic material is encrypted, secured locally on user devices by Apple's Secure Enclave hardware. The FIPS-140 level 2 compliant HSMis specifically designed to keep sensitive user data secure and is physically isolated from the main processor to provide an additional layer of security.
How secure is io.vault?
io.vault was built with security as the top priority to provide the highest level of safety and comfort to its users. Utilizing proven, open-source MPC-TSS cryptography, both the cryptographic implementation and traditional mobile and web application security have been audited by independent third-party firms, including Kudelski Security. The cryptographic material required for signing transactions is generated and secured locally across multiple users' devices and is never accessible by io.finnet, ensuring there is never a single point of failure.
What is io.network?
io.network enables 24/7/365 multi-currency fiat and digital asset settlements for clients of the network in a safe, secure & compliant environment by leveraging our permissioned blockchain with self-custody technology via our io.vault solution.
io.network leverages our exclusive and innovative suite of technologies:
- io.vault: a cryptographically enforced signing and self-custody technology solution that offers the network users the highest level of security and scalability for digital asset transactions
- io.chain: the permissioned blockchain on which the bank will issue and manage its own private digital assets for their clients.
How is io.network different from other blockchain based networks, such as Ethereum or Bitcoin?
Unlike Ethereum or Bitcoin, which are public decentralized networks that allow anyone to participate pseudo-anonymously, io.network is a private and permissioned distributed network allowing asset issuers (principal members) complete control over who may view or interact with their issued assets.
Who is io.network for and what can I do with it?
io.network is for regulated institutions and their underlying clients to facilitate efficient transactions in a safe, secure & compliant environment. io.network allows regulated asset issuers (Principal Members) to issue and administer assets in a private and permissioned distributed ledger environment where they retain the ability to control who may or may not see and interact with their issued assets.
Is io.network audited?
io.network is built upon an open-source private and permissioned enterprise ledger technology (https://consensys.net/quorum/). The io.vault product used to interact with the network is built upon open source cryptography and has had its traditional web and mobile app security as well as the underlying cryptographic implementation audited by independent firms like Kudelski Security and regular audits are conducted.
io.finnet achieved SOC-2 Type 2 compliance in 2024. Read more here.
For more information or to review the full report please contact our Customer Office here.
How secure is io.network?
io.network is built upon open-source distributed ledger technology that has been used to successfully facilitate the transfer of trillions of dollars in value. The ledger itself relies upon the proven, decades old, security of public<>private key cryptography and interaction with the network is facilitated via our audited multi-party computation (MPC) based io.vault product to ensure that an organization's associated private key is never compromised.
How do you encrypt the data?
All sensitive information is encrypted both during transmission and when at rest. The encryption at rest is secured by Apple's Secure Enclave. The FIPS-140 level 2 certified HSM is isolated from the main processor to provide an additional layer of security, and it is specifically designed to keep sensitive user data secure. In the Virtual Signer, we utilize Intel SGX technology. During transmission, we employ hardened TLS and end-to-end asymmetric encryption.