Security Architecture

Three layers of protection. Hardware wallet-grade security.

From trusted execution isolation, secure element signing to encrypted NFC recovery, MAGNE protects digital asset ownership at the system level.

Contact Security Team View Compliance
L1 — TRUSTED EXECUTION

Trusted Execution Isolation

System-level process isolation for stronger operational control

CC EAL2+
L2 — SECURE ELEMENT

Secure Element Signing

Dedicated hardware supports private key storage and transaction signing

CC EAL6+
L3 — NFC RECOVERY

Encrypted NFC Recovery

Offline backup and physical recovery capability, extending protection beyond the device

CC EAL6+
L1

Trusted Execution Isolation

The first layer of protection operates at the system execution level. Sensitive operations are isolated in a trusted execution environment, separate from the main operating system. the isolated execution environment is designed to reduce exposure even when the main OS is under attack.

This is not software-based isolation — it is architectural separation built into the hardware foundation of the device. It defines which processes can access what, and creates hard boundaries around the most sensitive operations.

CC EAL2+ Certified TEE Environment Process Isolation
🛡️
Trusted Execution
System-level isolation
L2

Secure Element Protection

The second layer is where private keys live. Unlike software wallets where keys are stored in application memory, MAGNE's secure element is a dedicated hardware component designed specifically for cryptographic key storage and signing operations.

Private keys are designed to remain protected within the secure element during normal signing workflows. When a transaction needs to be signed, the signing operation happens inside the secure boundary — the main processor does not have access to the raw private key. This follows a hardware-backed security design philosophy similar to dedicated cryptographic security modules.

CC EAL6+ Certified Secure Key Storage Hardware Signing
🔐
Secure Element
Key isolation architecture
L3

Encrypted NFC Recovery

The third layer addresses the oldest problem in digital asset management: what happens when you lose access to your device? NFC-based encrypted backup extends protection beyond the hardware itself.

When you set up MAGNE, an encrypted backup is generated and stored on an NFC tag or another device. This backup contains the information needed to recover your assets — without exposing your private keys in plain text. Recovery is physical, offline, and does not require cloud access or a third party.

CC EAL6+ Certified NFC Encrypted Backup Offline Recovery
📡
NFC Recovery
Encrypted offline backup

Security Architecture

Three dedicated security chips, each serving a distinct role in protecting your digital assets.

L1

Trusted Execution Environment

UTEE • CC EAL2+

HLOS Android TSupplicant Storaged CAs GPTEE Client API Library Unisoc TEE API Library world switch Linux kernel trusty linux driver TIPC virtio SMC call helper world switch SML (ARM Trusted Firmware) Isolation defined by TrustZone Trusted OS Trusty Application Keymaster Gatekeeper Fingerprint FaceID KernelBootCP Production DRM IFAA/Soter Storage GPTEE Internal API Library Unisoc TEE API Library Trusted OS Framework IPC, TIPC, virtio SMC call wait thread misc syscalls world switch Tomcrypt OpenSSL TA Manager GPAPI Agent Secure Boot Firewall Crypto Engine LK (Trusted kernel) Hardware Non-Secure Peripherals Non-Secure RAM Shared RAM Secure RAM Secure Peripherals Firewall (TrustZone Protect Controller) Non-Trusted software components Trusted software components TEE<->REE Communication Components TOE
L2

HYPERSEED N60 Secure Element

NFC Controller + eSE • CC EAL6+

NFCC Near Field Communication Controller CPU CORE RAM 20KB ROM 64KB FLASH 256KB Interfaces I2C SPI GPIO SWP ×3 Contactless RF TX RX Clock: OSC + PLL Security: CRC RNG Co-proc SWP eSE Embedded Secure Element SC300 Core Debug EMMU DMAC (8-ch) Crypto Accelerators DES TDES AES SHA1 SHA256 SM PKE Memory Flash RAM Security: RNG×2 PUF Sensor Anti-tamper
L3

HYPERSEED 72B NFC Recovery Chip

Standalone Secure Element • CC EAL6+

SC000 Core ARM Cortex-M0 Secure Processor AHB Bus AES SM3 SM4 TDES DES PKE Memory Subsystem RAM FLASH APB Bus (Peripherals) Timer WDT RNG1 I2C GPIO SCI Security RNG2 Temp Sensor External Interfaces LA / LB GPIO0/1 ISO7816 (CLK/RST/IO) NFC RF

How Secure Ownership Works on MAGNE

⚙️
Create
Key generation in secure element
🔒
Isolate
Keys are designed to remain protected in secure hardware.
✍️
Sign
Signing happens inside secure element
💾
Backup
NFC encrypted recovery tag
♻️
Recover
Offline physical recovery

How MAGNE Compares to Software Wallets

Software wallets usually require a trade-off between usability and security; MAGNE provides system-level improvements for these key issues through a hardware-supported security architecture.

Aspect Software Wallets MAGNE
Key Isolation Keys stored in app memory, accessible to OS Keys isolated in dedicated secure hardware
Signing Environment Software-based signing on main processor Hardware signing inside secure element boundary
Backup Method Seed phrase (can be stolen, lost, or guessed) NFC encrypted backup — physical, offline, no seed exposure risk
Device Exposure Entire device must be trusted and secure Sensitive signing operations isolated in secure hardware, reducing main system exposure.
Recovery Mode Depends on seed phrase + third-party tools Offline NFC recovery without cloud or third-party
Certification No hardware security certification CC EAL2+ / CC EAL6+ related component-level certification reference

Security Chips and System Components

MAGNE's security architecture integrates TEE, secure elements, and offline recovery capabilities, aimed at enhancing key protection, signing processes, and asset recovery security at the device level. The following describes relevant security components and capabilities; certifications mentioned apply to corresponding components, modules, or evaluation scope, and do not represent the entire machine, complete system, or all commercial configurations have obtained the same level of certification.

COMPONENT

UTEE

UTEE is a trusted execution environment with a CC EAL2+ evaluation basis, used to isolate sensitive data and key operations from the main system, supporting encrypted keys and user data processing in a trusted environment.

COMPONENT

HYPERSEED N60

HYPERSEED N60 is a custom security solution combining secure processing capabilities with an integrated NFC module, with related security elements having CC EAL6+ certification reference. This component supports encryption operations, key isolation, and offline key recovery capabilities.

COMPONENT

HYPERSEED 72B

HYPERSEED 72B is a secure processor component with an NFC RF expansion interface, with related security elements having CC EAL6+ certification reference, used to support additional encryption and key recovery functions.

Security Certification Standards

MAGNE's security architecture references third-party security assessments and certifications at the component level, including CC EAL2+ TEE-related evaluations and CC EAL6+ secure element certifications. These certifications apply to corresponding components, modules, or evaluation scope, and do not represent that the entire machine, complete system, or all commercial configurations have obtained the same level of certification.

Relevant documents can be provided upon request for cooperation, review, or institutional due diligence.

Certification Document Access

Selected certification documents, certificate numbers, and applicable scope can be provided upon request for cooperation, review, or institutional due diligence needs. Public pages are for high-level reference only.

CERT

Trusted Execution Environment Related Assessment

Relevant documents available for further verification by partners, reviewers, and institutional contacts.

Request Access
CERT

Secure Element Related Certification

Relevant certification documents apply to corresponding components, modules, or evaluation scope.

Request Access
CERT

Offline Recovery Component Related Information

Partial technical and certification reference materials available upon due diligence needs.

Contact MAGNE

Certification documents, certificate numbers, and applicable scope can be provided upon request for cooperation, review, or institutional due diligence needs. Public pages are for high-level reference only and do not constitute a claim that the entire machine, complete system, or all configurations have obtained the same level of certification.
Contact MAGNE →

Security Certifications & Validation

MAGNE's security architecture references third-party security assessment and certification results at the component level, including CC EAL2+ TEE-related evaluations and CC EAL6+ secure element certifications. These certifications apply to corresponding components, modules, or evaluation scope, and do not represent that the entire machine, complete system, or all commercial configurations have obtained the same level of certification.

CC EAL2+

Trusted execution environment validation, ensuring process isolation

CC EAL6+

Secure element certification, supporting key storage and signing

Hardware Architecture

Dedicated secure element separate from main processor

Selected certifications and technical references available upon request

Need a deeper technical overview?

For institutional due diligence, technical partnerships, or security architecture discussions, our team is available.

Contact Security Team Explore Compliance