Private key generation
During activation, the key is generated on the card or ring using a hardware random number generator. The entropy for the random number is taken from the chip’s physical sensors. This means that no one can ever know or replicate your private key. The hardware random number generator is a component of the Samsung-produced chip. You can read the safety assessment document via this link.
Private key backup
When creating a backup, a secure communication channel is established between the Tangem devices using the Diffie-Hellman key exchange protocol, after which the keys are transferred from one device to the other. This mechanism is fully protected against man-in-the-middle attacks because, as the first step, the cards authenticate each other with a two-way attestation. The encryption uses a 256-bit key, making it highly secure. The application is unable to decrypt the keys.
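
The backup flow described above, as an added example that is not Tangem's code or firmware. The page does not name the algorithms, so X25519, Ed25519, HKDF-SHA256 and AES-256-GCM (from the Python cryptography package), the Card class and run_backup are all assumptions chosen for illustration.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def raw(pub):
    """Raw 32-byte encoding of an Ed25519 or X25519 public key."""
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)

class Card:
    """Hypothetical card model; the algorithm choices are assumptions."""
    def __init__(self, issuer_key):
        self._attest = Ed25519PrivateKey.generate()                  # per-card attestation key
        self.cert = issuer_key.sign(raw(self._attest.public_key()))  # signed at manufacture
        self.issuer_pub = issuer_key.public_key()                    # the card keeps only this
        self.wallet_key = None

    def hello(self):
        # Fresh Diffie-Hellman share, signed with the attestation key.
        self._eph = X25519PrivateKey.generate()
        share = raw(self._eph.public_key())
        return raw(self._attest.public_key()), self.cert, share, self._attest.sign(share)

    def _session_key(self, msg):
        attest_pub, cert, share, sig = msg
        self.issuer_pub.verify(cert, attest_pub)                           # peer is a genuine card
        Ed25519PublicKey.from_public_bytes(attest_pub).verify(sig, share)  # share came from it
        secret = self._eph.exchange(X25519PublicKey.from_public_bytes(share))
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"backup").derive(secret)

    def export_key(self, peer_msg):
        nonce = os.urandom(12)
        return nonce + AESGCM(self._session_key(peer_msg)).encrypt(nonce, self.wallet_key, None)

    def import_key(self, peer_msg, blob):
        self.wallet_key = AESGCM(self._session_key(peer_msg)).decrypt(blob[:12], blob[12:], None)

def run_backup(src, dst, tamper=None):
    """The app's role: it only relays messages. `tamper` models an altered relay."""
    m_src, m_dst = src.hello(), dst.hello()
    if tamper:
        m_dst = tamper(m_dst)
    blob = src.export_key(m_dst)   # raises InvalidSignature if m_dst was altered
    dst.import_key(m_src, blob)
    return blob                    # all the relay ever sees: nonce + ciphertext
```

The relay handles only public keys, signatures and ciphertext; a Diffie-Hellman share that does not verify against an issuer-certified attestation key stops the transfer before anything is encrypted.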