The details below are intended to inform user application services that target a specific security compliance regime or standard. Cryptographic operations used in the core enclave services are based on NIST standards and guidelines.
Cryptographic operations that are broadly used in the enclave services are:
- Symmetric Encryption - Block Cipher operations
- Asymmetric Encryption
- Secure Random
- Digital Signature
The symmetric-key cipher used for end-to-end payload encryption is one of the core cryptographic mechanisms. The following scheme is used:
- Algorithm : AES
- Block Size : 2048 bytes
Enclave services key exchange currently supports
Our team is working on supporting Diffie-Hellman and ECC-based key exchange.
There is NO plan to support DSA. However, if there is a strong use case to support DSA, please write to us at firstname.lastname@example.org and we will endeavour to add it to our roadmap.
SHA algorithms with bit size greater than or equal to 256 are used for hashing within the enclave core services. User applications are recommended to use SHA256 or stronger SHA algorithms for hashing.
Digital signatures used for key exchange are based on the above cryptographic operations and their specifications.
Secure Random Numbers
Secure random numbers used within the enclave are generated by the NSM lib provided by AWS.
The Enclave Services endpoint accepts TLS connections. Clients are expected to support the TLS v1.2 protocol and the following ECC-based cipher suites to make successful TLS connections to enclave endpoints:
Internal data transfer over TLS uses DH and ECC-based DH PKI schemes only.
The above standards are maintained by the implementation of the enclave-internal proxy and the client-side CLI proxy. Applications that communicate with the enclave via the Oblivious-provided tools do not need to implement them separately.
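As an added example (stdlib only, not part of the Oblivious tooling), the following client-side check builds a TLS context that matches the requirements above (TLS 1.2 floor, ECDHE-only suites, certificate verification on), flags a weaker context for comparison, and applies the SHA-256-or-stronger hashing rule. The cipher string and the policy constants are assumptions chosen to reflect the stated requirements, not values taken from the enclave services.

```python
import hashlib
import ssl

# Assumed policy, chosen to match the requirements stated above: TLS 1.2 as the
# floor, ECDHE (ECC-based) key exchange only, AEAD suites, SHA-256 or stronger.
ENCLAVE_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1"
MIN_HASH_BITS = 256


def client_tls_context() -> ssl.SSLContext:
    """Client context that can only negotiate what the enclave endpoint accepts."""
    ctx = ssl.create_default_context()  # CA verification and hostname check stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ENCLAVE_CIPHERS)  # governs TLS 1.2 suites; TLS 1.3 suites are fixed
    return ctx


def demo_weak_context() -> ssl.SSLContext:
    """Constructed 'before' context: no certificate checks, static RSA key exchange."""
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    weak.set_ciphers("kRSA+AESGCM")  # RSA key exchange: no forward secrecy
    return weak


def tls_context_violations(ctx: ssl.SSLContext) -> list:
    """Return the policy violations found in a context; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate verification disabled")
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites always use (EC)DHE; older suites carry the exchange in their name.
        if suite["protocol"] != "TLSv1.3" and not suite["name"].startswith("ECDHE-"):
            problems.append("non-ECDHE suite enabled: " + suite["name"])
    return problems


def hash_allowed(algorithm: str) -> bool:
    """True if the named hashlib algorithm is a SHA variant with a digest of >= 256 bits."""
    if not algorithm.lower().startswith("sha"):
        return False
    return hashlib.new(algorithm).digest_size * 8 >= MIN_HASH_BITS


if __name__ == "__main__":
    print("enclave client context:", tls_context_violations(client_tls_context()) or "OK")
    print("weak context:", tls_context_violations(demo_weak_context()))
```

Pass the context returned by `client_tls_context()` to `socket`-level or `http.client` TLS wrapping; the violations list is meant to be checked once at startup, before any connection is opened.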