Complying with the Guidelines for Digital Assets in Hong Kong

• “… Generating and storing seeds and private keys, including their backups, in secure and tamper-resistant environments and devices, such as hardware security module (HSM)…”
• “… generating, storing and backing up seeds and private keys in Hong Kong…”
• “…restricting access to cryptographic devices or applications on a need-to-know basis …”
• “…strong authentication methods, such as multi-factor authentication, to authenticate access to seeds and private keys; maintaining audit trail of the access to the cryptographic devices or applications…”
• “…avoid any “single point of failure” …”
• “… ensure that any smart contract used in the custody process is not subject to any contract vulnerabilities or security flaws …”

AIs can secure clients’ digital assets by storing, protecting and managing private keys and seeds of wallets with Thales Hardware Security Modules (HSM). These modules support wallet solution protocols such as BIP32 and SLIP10 and offer a range of curves including SECP256k1, curve25519, and ed25519.

• Luna Network HSMs protect the entire lifecycle of the keys to sign transactions in a FIPS 140-3 dedicated cryptographic module to secure client digital assets. Thales Luna HSMs are the first in the industry to receive the FIPS 140-3 Level 3 validation.
• ProtectServer HSMs, like the Luna Network HSMs, are designed to protect cryptographic keys against compromise while providing encryption, signing, and authentication services.
• Luna and Protect Server HSMs are certified to FIPS 140-3 and FIPS 140-2 Level 3 standards respectively, ensuring secure, tamper-resistant environments for managing cryptographic keys within Hong Kong, in compliance with data residency requirements. Access to these HSMs is tightly controlled, with strong multi-factor authentication and detailed audit trails for all operations, enhancing security and regulatory compliance.
• To avoid any single point of failure, both HSMs support the high availability, features with load balancing to protect this mission-critical environment, which aligns with the global best practices and HKMA's security expectations.

• “…adequate offsite backups and contingency arrangements for seeds and private keys, which should be subject to the same security controls as the original seeds and private keys….”
• “… Backed up seeds and private keys should be kept offline in a secure physical location that is separate from and will not be affected...”

AIs can store backups on external HSMs and manage cryptographic keys in HK with on-premises options:

• Backup easily and duplicate keys securely to the Luna Backup HSM for compliance as well as safekeeping in case of emergency, failure or disaster. Luna Backup HSM provides the highest security and compliance and offers standalone support of Quorum (MofN) multi-factor authentication for increased security.
• Thales ProtectServer HSM uses NIST FIPS 140-2 Level 3 validated smart cards to provide the highest security and administrative convenience for secure backup, recovery, and transfer of cryptographic keys. It also supports backups with MFA and MofN to further enhance the security of authentication and authorization processes.

7. Establish level of cybersecurity commensurate with traditional technology applications

Thales Luna HSMs Post-Quantum Cryptography (PQC) Functionality Module (FM) allows AIs to use the round 3 NIST finalists quantum-safe crypto mechanisms to be used today for use cases such as code-signing or others that rely on PKI.

• It enables AIs to future-proof and standardize quantum-safe digital signature algorithms.
• The PQC FM can be installed on the PCIe and Network HSM without making any hardware changes or upgrades. The tamper-resistant HSMs can securely create and manage quantum-resistant keys effectively.
• It generates digital signatures seamlessly using standardized quantum-safe public key cryptography and includes key management capabilities for stateless and stateful key types, complying with SP 800-208 requirements.
• Luna PQC FM helps validate your crypto agility by setting up quantum-safe PKI, TLS, or VPN with a wide variety of Thales technology partners.

8. Securely manage private key
“… demonstrate that robust policies and procedures are in place to provide a level of security to any private keys held or under their management that are appropriate for the nature and risks of the application, the underlying assets associated with the keys …”

AIs can manage seeds and private keys securely with Luna Network HSMs and ProtectServer HSMs. Both the HSMs support BIP32 and use Functionality Module (FM) to securely perform custom cryptography, or add custom blockchain algorithms.

• Luna Network HSMs
• ProtectServer HSMs

8. Securely manage private key
“… ensure that the associated private keys (and seeds as applicable) are securely generated, stored and backed up at all times…”

External HSMs allows AIs to store backups with options below:

• AIs can backup easily and duplicate keys securely to the Luna Backup HSM for compliance as well as safekeeping in case of emergency, failure or disaster. Luna Backup HSM provides the highest security &s; compliance and provides standalone support of Quorum (MofN) multi-factor authentication for increased security.
• Thales ProtectServer HSM uses Smart Cards which provide the highest security and administrative convenience for secure backup, recovery, and transfer of cryptographic keys.