Security Architecture
Stratos Vault implements a defense-in-depth security model designed for enterprise requirements.
Overview
Traditional crypto wallets rely on seed phrases - a fundamentally flawed security model for enterprise use:
| Traditional Approach | Problem |
|---|---|
| Seed phrases | Users write them down, lose them, or get phished |
| Passwords | Weak passwords, credential stuffing, phishing |
| Hardware wallets | Poor UX, lost devices, complex backup |
| Custodial solutions | Counterparty risk, regulatory complexity |
Stratos Vault eliminates these issues with WebAuthn passkey authentication.
WebAuthn Authentication
How It Works
┌──────────────────┐ ┌──────────────────┐
│ User Device │ │ Stratos Vault │
│ ┌────────────┐ │ │ │
│ │ Passkey │ │ │ │
│ │ (Biometric │◄─┼─────────┼─── Challenge │
│ │ or Key) │ │ │ │
│ └─────┬──────┘ │ │ │
│ │ │ │ │
│ Sign Challenge │ │ │
│ │ │ │ │
│ └─────────┼────────>│ Verify Signature │
│ │ │ │
└──────────────────┘ └──────────────────┘- User initiates login - Scans fingerprint or uses security key
- Cryptographic challenge - Server sends random challenge
- Hardware signing - Device signs with private key (never leaves device)
- Server verification - Public key verifies signature
Security Properties
| Property | Benefit |
|---|---|
| Phishing-resistant | Credential is bound to origin - fake sites can't use it |
| No shared secrets | Server only has public key - breach doesn't expose credentials |
| Hardware-backed | Private key in secure enclave or security key |
| User-friendly | Touch fingerprint instead of typing passwords |
| Cross-platform | Works on any modern device |
Key Derivation
Blockchain keys are derived from WebAuthn credentials using the PRF extension:
┌─────────────────────────────────────────────────────────────┐
│ User Authentication │
│ │ │
│ WebAuthn PRF Extension │
│ │ │
│ PRF Output │
│ (32 bytes) │
│ │ │
│ ┌───────────┴───────────┐ │
│ │ │ │
│ Master Seed Encryption Key │
│ (BIP-39) (Local Storage) │
│ │ │
│ BIP-32/44 Derivation │
│ │ │
│ ┌─────────┼─────────┬─────────┬─────────┐ │
│ │ │ │ │ │ │
│ EVM Solana Bitcoin TRON TON │
│ m/44'/60' m/44'/501' m/84'/0' m/44'/195' │
└─────────────────────────────────────────────────────────────┘Key Properties
- Deterministic - Same passkey always derives same addresses
- No backup required - Re-derive from any device with same passkey
- Device-bound - Keys only accessible with biometric/security key
- Memory-only - Keys exist only during signing, then cleared
Session Security
JWT Token Management
- httpOnly cookies - Not accessible to JavaScript
- Secure flag - Only transmitted over HTTPS
- Short expiry - Sessions expire after configured period
- Server-side invalidation - Can revoke sessions immediately
Session Lifecycle
Register → Create Credential → Issue JWT → Active Session → Expire/Logout
↑
Re-authenticate to extendData Protection
Database Isolation
Each Stratos Vault instance has a completely separate database:
| Data | Storage | Encryption |
|---|---|---|
| User profiles | D1 Database | At-rest encryption |
| WebAuthn credentials | D1 Database | Public keys only |
| Sessions | D1 Database | Signed JWTs |
| Private keys | Never stored | Derived on-demand |
No Server-Side Keys
Stratos Vault never stores private keys:
- No encrypted key vaults
- No HSM key storage
- No multi-party computation
- Keys exist only in client memory during signing
Attack Resistance
Phishing
Traditional: User enters credentials on fake site → Attacker captures credentials
Stratos Vault: Passkey is origin-bound → Fake site gets cryptographic error, not credentials
Credential Stuffing
Traditional: Attacker tries leaked passwords → Some accounts compromised
Stratos Vault: No passwords to stuff → Attack vector eliminated
Server Breach
Traditional: Attacker gets encrypted keys → Offline brute-force possible
Stratos Vault: Server has only public keys → No private material to steal
Man-in-the-Middle
Traditional: Attacker intercepts session → Can replay or hijack
Stratos Vault: Challenge-response with hardware signing → Replay impossible
Device Theft
Traditional: Seed phrase on paper stolen → All funds lost
Stratos Vault: Passkey requires biometric → Thief can't authenticate
Compliance Considerations
Stratos Vault's architecture supports common compliance requirements:
| Requirement | How Stratos Vault Helps |
|---|---|
| MFA | Passkeys are inherently multi-factor (possession + biometric) |
| Audit Trail | All admin actions logged with timestamps |
| Access Control | Role-based permissions (user/admin) |
| Data Residency | Deploy in specific Cloudflare regions |
| Key Management | Keys never leave user devices |
Canton Network for Regulated Assets
For regulated financial instruments, Canton Network provides:
- Privacy - Data visible only to authorized parties
- Auditability - Complete transaction history for regulators
- Determinism - Predictable smart contract execution
- Interoperability - Controlled sharing between institutions
Security Best Practices
For Administrators
- Use hardware security keys for admin accounts
- Limit admin count to essential personnel
- Review access logs regularly
- Configure appropriate session timeouts
- Use dedicated RPC endpoints (not public nodes)
For Users
- Register passkeys on multiple devices for backup
- Use platform authenticators (device biometric) or security keys
- Verify transaction details before signing
- Report suspicious activity immediately
Next Steps
- Platform Overview - Full platform capabilities
- Canton Integration - Regulated smart contracts
- Deployment Model - How instances are deployed