Is it meaningful to benchmark the throughput of digital signature primitives?
Actually their performance is very well understood since they are mathematically well defined. DSA has a very good performance for signing (with default values) while RSA would have a way lower throughput but it can also be used for encryption not just for digital signing.
Related
It seems that both trusted computing and confidential computing can protect data in use.
Is trusted computing based on TPM and confidential computing based on Intel SGX?
Any other difference?
This is a good question since both terms are a bit ambiguous used interchangeably.
The short answer is they mean the same in most cases.
Trusted Computing was probably the term that appeared first.
It tries to put the emphasis on the reduced "trusted parties/components", called the Trusted Computing Base (TCB), that modern processor technologies as Intel SGX, AMD SEV, ARM TrustZone provide.
They all have in common that code and data are separated and protected at all times during execution in so-called Trusted Execution Environments (TEE).
Trusted Computing doesn't necessarily need to be backed by hardware features, it could also be provided by Hypervisor technologies as Hyper-V VBS or AWS Nitro Enclaves. Naturally, the TCB is bigger on such Hypervisor TEEs.
Is trusted computing based on TPM and confidential computing based on Intel SGX?
No, SGX is probably the most prominent example of trusted computing technology.
TPMs of course can also be used to establish a root-of-trust, but they typically not able to create complete TEEs for protecting data at runtime.
They are more commonly used for secure/trusted key generation and storage, or crypto calculations. To be precise a TPM is physically isolated while a TEE resides on the same chip. See also TPM vs. TEE vs. SE
Confidential Computing is a relatively new term.
It was probably established to have a bit more business-friendly term.
"Trusted" might be harder to sell than "Confidential";-)
The term puts more emphasis on the application of TEEs and tries to address a wider audience by describing not only the technologies but the applications and business cases in general.
In the words of the Confidential Computing Consortium
Confidential Computing is the protection of data in use using
hardware-based Trusted Execution Environments. Through the use of
Confidential Computing, we are now able to provide protections against
many of the threats described in the previous section.
With both terms floating around. "Confidential Computing" got much more traction and mainstream adoption, while Trusted Computing feals more niche.
Trusted Computing will probably disappear as a general term and only be used when describing hardware features and TEEs in more technical detail.
I'm considering doing multisig with one of signatures using iOS Secure Enclave. However it only supports NIST P-256 curve.
I know it's not supported on protocol level, but is it possible to implement it in Rust smart contract? If so – where do I start?
Currently even if you can verify inside the smart contract NIST P-256 curve (here are libraries for verification, for example - https://github.com/RustCrypto/elliptic-curves/tree/master/p256), you would still need to sign the transaction with some ED25519 or SECP-256K1 key first to actually get blockchain to accept it before the contract code will be execute.
My understanding is that right now you can just store sequence of bytes in secure enclave and read it out and sign any function in user land. Here how it can be done securely - https://github.com/AlphaWallet/alpha-wallet-ios/pull/1272
If this is an important consideration to support iOS secure enclave singing, you can create a spec change proposal to add SECP-256P1 (which is NIST P-256) as an alternative key type to NEAR. It would have obvious downsides, but this is a clear upside as well and it's optional so each individual user can decide which curve they prefer to use.
I was researching on various key generation algorithms used in different kinds of blockchains out there in market.
I wanted to know which algorithms are used to generate public/private key pairs in following blockchains:
Ethereum
Hyperledger-Fabric
R3 Corda
Can someone help me with this?
I can't comment on the signature schemes supported by Ethereum or Hyperledger Fabric.
Corda is cryptographically agile, with multiple signature schemes available based on the desired trade-offs between cryptographic strength, compatibility with various HSM vendors, algorithm standardisation, variety of cryptographic primitives, business demand, option for post-quantum resistance, side channel security, efficiency and degree of testing.
As of version 3, Corda supports five signature schemes:
1. Pure EdDSA using the ed25519 curve and SHA-512
EdDSA is the current state of the art in mainstream cryptography. It implements elliptic curve cryptography with deterministic signatures, a fast implementation, explained constants, side channel resistance and many other
desirable characteristics. However, it is relatively new and not widely supported. For example, you can’t use it in TLS yet (a draft RFC exists but is not standardised yet).
This is the default signature scheme for the node's well-known and confidential identities, and for the network bootstrapper.
2. ECDSA using the NIST P-256 curve (secp256r1) and SHA-256
This is the default choice for most systems that support elliptic curve cryptography today and is recommended by NIST. It is also supported by the majority of the HSM vendors.
This is the default signature scheme for the root network certificate authority, the doorman, the node certificate authority (which issues the node's identity and TLS keys), the node's TLS keys, and the network map on the Corda Network.
3. ECDSA using the Koblitz k1 curve (secp256k1) and SHA-256
secp256k1 is the curve adopted by Bitcoin and as such there is a wealth of infrastructure, code and advanced algorithms designed for use with it. This curve is standardised by NIST as part of the “Suite B” cryptographic algorithms and as such is more widely supported than ed25519. By supporting it, Corda gains access to the ecosystem of advanced cryptographic techniques and devices pioneered by the Bitcoin community.
4. RSA (3072bit) PKCS#1 and SHA-256
RSA is well supported by any sort of hardware or software as a signature algorithm no matter how old. For example, legacy HSMs will support this, as will obsolete operating systems. RSA is using bigger keys than ECDSA and thus it is recommended for inclusion only for its backwards compatibility properties, and only for usage where legacy constraints or government regulation forbids the usage of more modern approaches.
5. SPHINCS-256 and SHA-512 (experimental)
SPHINCS-256 is a post-quantum secure algorithm that relies only on hash functions. It is included as a hedge against the possibility of a malicious adversary obtaining a quantum computer capable of running Shor’s algorithm in future. SPHINCS is based ultimately on a clever usage of Merkle hash trees. Hash functions are a very heavily studied and well understood area of cryptography. Thus, it is assumed that there is a much lower chance of breakthrough attacks on the underlying mathematical problems. However, compared to the EdDSA, ECDSA and RSA algorithms, SPHINCS uses relatively big public keys, it is slower, and it outputs bigger signatures.
We have a business requirement to keep credit card data. What is today's (Nov 2013) state of the art algorithm to encrypt credit card data that will be saved on disk?
Additionally, I'd appreciate pointers to Java libraries that implement these algorithms
Note that we are PCI compliant and we already store credit card data. I am doing a review to make sure that our encryption method remains state-of-the-art
I recently just left the credit card industry as a developer to work in security in non PCI compliant field. BCrypt is a great choice. It allows a one way hash as well as a work parameter that forces time per attempt. This allows you to stop brut force attacks.
I would use one of the block ciphers approved by ISO/IEC 18033: AES, Camellia, and SEED.
It's hard to go wrong with AES256.
Just go ahead with AES 256 but make sure you choose right mode. I don't agree with comment "It's hard to go wrong with AES256." Check out - https://pthree.org/2012/02/17/ecb-vs-cbc-encryption/
Needless to say, you need to take care of key management and avoid any issues with IV- a message "hello world" encrypted with a key1+IV1 combination will look exactly the same in ciphertext every time you run your encryption. So make sure you are choosing your IVs randomly from a large entropy pool
From Java implementation perspective, Java has native support for AES encryption. Just make sure if you are using 256 bit encryption, you have the right unlimited strength JCE files - without these JCE files which provide crypto methods, you will be limited to 128 bit encryption.
Checkout this if you don't want to reply upon these JCE files available on server running your application.
As #gauravphoenix points out, it is actually quite easy to go wrong with AES. The AES algorithm itself can only securely encrypt exactly 16 bytes of data if you give it a totally random key. If your problem is anything other than that (and almost everyone's problem is something different than that), you need to add more pieces to it. Specifically you need to choose an appropriate mode, configure that mode correctly, properly generate a key, and protect against modification. AES does none of this for you automatically, and unfortunately, most example code on the internet does it incorrectly.
There are a few libraries that attempt to bundle all of these details for you so that you can just make the silly "please encrypt this data" call that most people would like to make. I maintain one for iOS called RNCryptor. There are a bunch of ports of the format to other languages, including a Java implementation called JNCryptor.
Another good "whole solution" AES implementation is aescrypt, which includes a Java implementation.
Note that the most important technical(*) step of securing the data is not your selection of algorithm or format. It's how you manage the keys. If you store the key on the same disk as the credit card numbers, or hard-code it into your software, then it doesn't really matter how strong your encryption is. The state of the art in key management is called an HSM (Hardware Security Module). Companies like SafeNet make them. They can be rack-mounted, plug-in cards, or even USB dongles. I've worked with the Luna, and was generally pleased with it, but there are several options on the market.
(*) While key management is IMO the most important technical step, it is by far not the most important step in securing credit cards (or anything else). The most important step is having procedures in place that encourage secure design, pre- and post-release security review, and a commitment to remediation of security findings.
I wanted to know what is the best way to encrypt storage at rest. Lets say financial information for 1000 users is on a system. Besides making sure nobody unauthorized gets to how do we encrypt the data that is being used everyday so that if god forbid they get it, it should be impossible for them to decode or read?
I believe AES is a correct measure?? How can i implement AES using PHP for phpmyadmin data?
Neither SHA nor MD5 are encryption algorithms, so forget them for now.
The answer to your question is more organizational then technical. First you need to identify what storage you plan to use for the data. If it is the DBMS, then (a) it can offer certain encryption and authentication mechanisms, and (b) you can store the files of the DB on the encrypted storage.
If you have files (either the data itself or the DB with the data), you can store them on encrypted disk. This can be an encrypted NTFS disk or virtual encrypted disk (the one which resides in a file and is mounted as a virtual disk by software).
If you create backups of the data, then backup tools usually offer encryption mechanisms too.
In all of the above cases used algorithms don't matter too much: modern algorithms, offered by above mentioned mechanisms, are secure enough given that you choose 128-bit or larger key for symmetric encryption and choose long passphrase (more than 22 characters if you only use [A-z0-9] alphabet for 128-bit symmetric encryption).
There exists symmetric encryption and public-key encryption (PKI encryption). PKI lets you encrypt the files using public keys (private key is used for decryption), and one of the benefits is that you can encrypt the data for several different private keys. This means that any of the given set of keys can be used for decryption, and the owner of one key doesn't need another key for decryption. The benefit is that you can assign keys to certain users or roles instead of sharing a single passhprase.
The above is just a small guideline and you need to learn a lot (or better involve a security specialist) before you implement the solution, cause security made wrong is worse then no security at all (cause it gives false sense of protection and this makes people careless).
That depends on your platform; most modern operating systems offer disk encryption options with various degrees of security. Note that SHA and MD5 are hash algorithms and thus unsuitable for encryption.
I'd base my choice of algorithm on the capabilities of the system that is supposed to work with the data. Some CPUs have special instructions for AES processing, which gives a significant speed boost here; also, there are harddisk controllers that include encryption support.
Dedicated hardware has two major advantages: it is significantly faster, and it is more difficult to retrieve the symmetric key as a prelude to stealing the actual disk drives.