
Cryptographic Operations

The details below are intended to inform user application services that target a specific security compliance regime or standard. Cryptographic operations used in the core enclave services are based on NIST standards and guidelines.

The cryptographic operations broadly used in the enclave services are described below.

Symmetric Encryption

The symmetric-key cipher used for end-to-end payload encryption is one of the core cryptographic mechanisms. The following scheme is used:

Algorithm : AES
Block Size : 2048 bytes
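As an added example (not code from the Oblivious enclave services), the following Go program shows one way to carry an end-to-end payload through AES in 2048-byte chunks. It assumes that the "Block Size : 2048 bytes" above refers to payload chunking (an AES cipher block is always 16 bytes) and assumes AES-GCM as the mode, which the page does not state; the key, the payload and the chunk framing are constructed for the demo. Each chunk is sealed under its own random nonce, with the chunk index and a last-chunk flag bound in as associated data, so a reordered, dropped or truncated chunk fails authentication instead of decrypting to misplaced plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChunkSize is the payload chunk size this example uses for the page's
// "Block Size : 2048 bytes" (an assumption: the AES cipher block is always
// 16 bytes, so the figure can only describe payload chunking).
const ChunkSize = 2048

const gcmNonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// chunkAAD binds a chunk to its position and to whether it is the final one,
// so the receiver detects reordered, dropped or appended chunks.
func chunkAAD(index uint32, last bool) []byte {
	aad := make([]byte, 5)
	binary.BigEndian.PutUint32(aad, index)
	if last {
		aad[4] = 1
	}
	return aad
}

// EncryptChunked splits payload into ChunkSize pieces and seals each with
// AES-GCM under a fresh random 96-bit nonce. Each output chunk is
// nonce || ciphertext || tag. Random nonces are safe for far fewer than
// 2^32 chunks per key; rotate keys well before that bound.
func EncryptChunked(key, payload []byte) ([][]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := (len(payload) + ChunkSize - 1) / ChunkSize
	if n == 0 {
		n = 1 // an empty payload still yields one authenticated (empty) chunk
	}
	chunks := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		start, end := i*ChunkSize, (i+1)*ChunkSize
		if end > len(payload) {
			end = len(payload)
		}
		nonce := make([]byte, gcmNonceSize)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Seal appends ciphertext and tag after the nonce in one buffer.
		sealed := aead.Seal(nonce, nonce, payload[start:end], chunkAAD(uint32(i), i == n-1))
		chunks = append(chunks, sealed)
	}
	return chunks, nil
}

// DecryptChunked reverses EncryptChunked and fails on any tampered,
// reordered, missing or extra chunk.
func DecryptChunked(key []byte, chunks [][]byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(chunks) == 0 {
		return nil, errors.New("no chunks")
	}
	var plain bytes.Buffer
	for i, c := range chunks {
		if len(c) < gcmNonceSize+aead.Overhead() {
			return nil, fmt.Errorf("chunk %d: too short", i)
		}
		last := i == len(chunks)-1
		pt, err := aead.Open(nil, c[:gcmNonceSize], c[gcmNonceSize:], chunkAAD(uint32(i), last))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: authentication failed: %w", i, err)
		}
		if !last && len(pt) != ChunkSize {
			return nil, fmt.Errorf("chunk %d: non-final chunk has %d bytes, want %d", i, len(pt), ChunkSize)
		}
		plain.Write(pt)
	}
	return plain.Bytes(), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from the key exchange
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte("enclave payload "), 320) // constructed 5120-byte payload -> 3 chunks
	chunks, err := EncryptChunked(key, payload)
	if err != nil {
		panic(err)
	}
	got, err := DecryptChunked(key, chunks)
	fmt.Println("chunks:", len(chunks), "round trip ok:", err == nil && bytes.Equal(got, payload))
	chunks[0], chunks[1] = chunks[1], chunks[0] // reordering must be rejected
	_, err = DecryptChunked(key, chunks)
	fmt.Println("after swap:", err)
}
```

The chunk index in the associated data is what turns per-chunk AEAD into an authenticated stream: without it, each chunk verifies on its own and an attacker who can reorder or drop chunks gets a valid but different plaintext.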

Asymmetric Encryption

Enclave services key exchange currently supports

Our team is working on supporting Diffie-Hellman and ECC based key exchange.

There is NO plan to support DSA. However, if there is a strong use case to support DSA, please write to us at security@oblivious.ai and we will endeavour to add it to our roadmap.

Hashing

SHA algorithms with a digest size of at least 256 bits are used for hashing within the enclave core services. User applications are recommended to use SHA-256 or stronger SHA algorithms for hashing.

Digital Signature

Digital signatures used for key exchange are based on the cryptographic operations and specifications above.

Secure Random Numbers

Secure random numbers used within the enclave are generated by the Nitro Secure Module (NSM) library provided by AWS.

TLS

Enclave service endpoints accept TLS connections. Clients are expected to support the TLS 1.2 protocol and the following ECC-based cipher suites in order to establish TLS connections to enclave endpoints:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

Internal data transfer over TLS uses DH and ECC-based DH (ECDH) key-exchange schemes only.
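An added example, not part of this page or of the Oblivious tooling: a Go crypto/tls client configuration that applies the requirements above (TLS 1.2 as the minimum, only the four listed ECDHE suites for TLS 1.2), together with a check run on a completed handshake. The host name is a placeholder, and the tls.ConnectionState values in main are constructed rather than taken from a live connection. The page lists the suites under their OpenSSL names; the map below pairs each with the IANA identifier Go uses for the same suite.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// OpenSSLSuiteIDs maps the OpenSSL-style names used on the page to the IANA
// identifiers that crypto/tls uses for the same cipher suites.
var OpenSSLSuiteIDs = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// allowedSuites lists the same four suites in client preference order
// (a slice, because map iteration order is not stable).
var allowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// ClientTLSConfig returns a client configuration that refuses anything below
// TLS 1.2 and, for TLS 1.2, offers only the ECDHE suites from the page.
// Go fixes the TLS 1.3 suite list itself, so CipherSuites affects TLS 1.2 only.
func ClientTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName:   serverName,
		MinVersion:   tls.VersionTLS12,
		CipherSuites: allowedSuites,
		// Elliptic-curve groups only, matching the ECDHE-only suite list.
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384},
	}
}

// SuiteAllowed reports whether a negotiated TLS 1.2 suite is one of the four.
func SuiteAllowed(id uint16) bool {
	for _, s := range allowedSuites {
		if s == id {
			return true
		}
	}
	return false
}

// CheckHandshake validates the negotiated parameters of a completed
// connection (conn.ConnectionState() after tls.Dial) against the policy.
// It is a defence in depth: the config already prevents these outcomes, but
// an explicit check catches a misconfigured or replaced tls.Config.
func CheckHandshake(cs tls.ConnectionState) error {
	switch {
	case cs.Version < tls.VersionTLS12:
		return fmt.Errorf("negotiated TLS version 0x%04x, need TLS 1.2 or newer", cs.Version)
	case cs.Version == tls.VersionTLS12 && !SuiteAllowed(cs.CipherSuite):
		return fmt.Errorf("suite %s is not in the allowed list", tls.CipherSuiteName(cs.CipherSuite))
	}
	return nil
}

func main() {
	cfg := ClientTLSConfig("enclave.example") // placeholder host name
	for _, id := range cfg.CipherSuites {
		fmt.Println("offered for TLS 1.2:", tls.CipherSuiteName(id))
	}
	// Constructed handshake outcomes (not from a live connection):
	fmt.Println(CheckHandshake(tls.ConnectionState{Version: tls.VersionTLS12, CipherSuite: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}))
	fmt.Println(CheckHandshake(tls.ConnectionState{Version: tls.VersionTLS12, CipherSuite: tls.TLS_RSA_WITH_AES_128_CBC_SHA}))
	fmt.Println(CheckHandshake(tls.ConnectionState{Version: tls.VersionTLS11, CipherSuite: tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}))
	// Live use: conn, err := tls.Dial("tcp", "enclave.example:443", cfg)
	//           if err == nil { err = CheckHandshake(conn.ConnectionState()) }
}
```

A TLS 1.3 connection passes CheckHandshake without a suite check because the page's list covers TLS 1.2 suite names only and TLS 1.3 negotiates ephemeral (EC)DH in every suite; a deployment that must pin TLS 1.2 exactly would also set MaxVersion to tls.VersionTLS12.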

Note

The above standards are implemented by the enclave's internal proxy and by the client-side CLI proxy. Applications that communicate with the enclave via the Oblivious-provided tools do not need to implement them separately.