How Vaultium protects your credentials

Vaultium is designed around multiple independent security layers, so compromising one layer does not weaken the others.

01

Physical Device Authentication

Access to your vault requires tapping a physical Vaultium device. Without the device, the vault cannot be opened.

02

Dual-Layer Encryption Strategy

Vaultium employs a two-tier defense. Your vault is protected by AES-256 hardware-accelerated encryption on your smartphone, while physical access is secured by the NTAG 424 DNA chip using AES-128 for instantaneous, clone-proof authentication.

03

Hardware Anti-Cloning (AES-128)

Vaultium devices are built on NXP NTAG 424 DNA chips, utilizing EV2 3-pass mutual authentication (ISO 9797-1) and AES-128-CBC for instantaneous, hardware-level clone protection.

04

Fully Offline Architecture

The Vaultium app operates without any internet connection. No data is transmitted to external servers, eliminating remote attack vectors entirely.

05

Automatic Session Lock

The vault locks automatically after a defined period of inactivity. Codes are not accessible once the session expires.

06

Screen Capture Prevention

While the vault is open, the app prevents screenshots and screen recording at the operating system level.

07

Hardware-Backed Key Storage

Cryptographic keys are stored in the device’s secure enclave — iOS Keychain or Android Keystore — protected by the device passcode and biometrics.

08

Authenticated NFC Write Access

Writing to a Vaultium device requires cryptographic authentication. Unauthorized applications cannot modify the data stored on the card.

Vaultium vs. standard authenticators

Most authenticator apps provide no protection for stored secrets.

Feature    Vaultium    Others
Encryption at rest
Physical device required
Fully offline
Hardware anti-cloning
Screen capture prevention
Automatic session lock    Partial
No cloud dependency
Per-device key derivation
Hardware-backed key storage
Authenticated NFC writes

Engineering specifications

For security experts and developers who want to understand the underpinnings of the Vaultium security model.

NFC Protocol Stack

  • AuthenticateEV2First (3-pass mutual auth)
  • Session Key Derivation (AN12196)
  • CMAC-128 (RFC 4493) with 8-byte truncation
  • ISO 9797-1 Padding

Application Security Layer

  • App-layer AES-GCM Encryption
  • HKDF with hardware UID binding
  • Secure Enclave/Keystore integration
  • Per-card unique key derivation
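
An added example, not Vaultium's code, of what "HKDF with hardware UID binding" and "per-card unique key derivation" can look like: HKDF (RFC 5869) over a master secret, with the card's 7-byte UID placed in the info field. It assumes HKDF-SHA256, a master secret released by the Secure Enclave/Keystore, and a hypothetical purpose label and info layout; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256 (assumed hash)
UID_LEN = 7                    # NTAG 424 DNA UIDs are 7 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: concentrate the input keying material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: stretch the PRK into `length` bytes bound to `info`."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid output length")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_card_key(master_secret: bytes, card_uid: bytes, salt: bytes,
                    purpose: bytes = b"example/vault-key/v1") -> bytes:
    """Derive a 256-bit key unique to one card UID and one purpose."""
    if len(master_secret) < 16:
        raise ValueError("master secret too short")
    if len(card_uid) != UID_LEN:
        raise ValueError("expected a 7-byte UID")
    # Length-prefix the (hypothetical) label so purpose/UID pairs cannot collide.
    info = bytes([len(purpose)]) + purpose + card_uid
    return hkdf_expand(hkdf_extract(salt, master_secret), info, 32)


if __name__ == "__main__":
    # Constructed sample values, not real card or key material.
    master = bytes(range(32))
    salt = b"constructed-install-salt"
    for uid in (bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04a1b2c3d4e5f7")):
        print(uid.hex(), derive_card_key(master, uid, salt).hex())
```

The UID is an identifier rather than a secret, so in this construction it only separates keys per card; the strength of each derived key rests on the master secret.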

Memory Management

  • Encrypted File 02 Read/Write
  • Authenticated DF access (D276000085010100h)
  • Local SQLCipher AES-256 storage
  • Encrypted CRC32 key updates