Cryptographic Operations
The details below are intended to inform user application services that target a specific security compliance regime or standard. Cryptographic operations used in the core enclave services are based on NIST standards and guidelines.
The cryptographic operations broadly used in the enclave services are:
- Symmetric Encryption - Block Cipher operations
- Asymmetric Encryption
- Hashing
- Secure Random
- Digital Signature
- TLS
Symmetric Encryption
The symmetric-key cipher used for end-to-end payload encryption is one of the core cryptographic mechanisms. The following scheme is used:
Algorithm : AES (FIPS 197)
Payload block size : 2048 bytes
AES operates on a fixed 128-bit (16-byte) cipher block, so the 2048-byte figure is the size of the payload unit handed to the cipher, not the cipher's own block size.
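As an added illustration, not code from the Oblivious enclave services (the page does not state the mode of operation or the framing), the following Go program encrypts a payload in 2048-byte units with AES-GCM and shows that the cipher block underneath stays 16 bytes. The GCM mode, the fresh random nonce per chunk, the chunk index and chunk count used as additional authenticated data, and the constructed demo key and payload are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// PayloadChunk is the 2048-byte unit a payload is split into before encryption.
// It is a framing size above the cipher: AES itself always works on 16-byte
// (128-bit) blocks, exposed by the library as aes.BlockSize.
const PayloadChunk = 2048

// CipherBlockSize returns the AES block size in bytes (always 16).
func CipherBlockSize() int { return aes.BlockSize }

// ChunkCount is the number of chunks an n-byte payload produces. An empty
// payload still yields one chunk so that it is authenticated, too.
func ChunkCount(n int) int {
	if n == 0 {
		return 1
	}
	return (n + PayloadChunk - 1) / PayloadChunk
}

// aad encodes a chunk's index and the total chunk count as additional
// authenticated data (an assumption of this example), so reordering, dropping,
// duplicating or truncating chunks breaks authentication even though each
// chunk is sealed separately.
func aad(index, total int) []byte {
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[:8], uint64(index))
	binary.BigEndian.PutUint64(buf[8:], uint64(total))
	return buf
}

// EncryptChunked seals payload with AES-GCM in PayloadChunk-sized pieces using
// a key of 16, 24 or 32 bytes. Each returned element is nonce || ciphertext || tag.
func EncryptChunked(key, payload []byte) ([][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	total := ChunkCount(len(payload))
	out := make([][]byte, 0, total)
	for i := 0; i < total; i++ {
		start, end := i*PayloadChunk, (i+1)*PayloadChunk
		if end > len(payload) {
			end = len(payload)
		}
		// GCM is only secure while no (key, nonce) pair repeats: a fresh random
		// 96-bit nonce per chunk, prepended to the sealed output.
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = append(out, gcm.Seal(nonce, nonce, payload[start:end], aad(i, total)))
	}
	return out, nil
}

// DecryptChunked reverses EncryptChunked and fails on any chunk that does not
// authenticate at its position with the received chunk count.
func DecryptChunked(key []byte, chunks [][]byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(chunks) == 0 {
		return nil, fmt.Errorf("no chunks")
	}
	var plain bytes.Buffer
	for i, c := range chunks {
		ns := gcm.NonceSize()
		if len(c) < ns+gcm.Overhead() {
			return nil, fmt.Errorf("chunk %d too short", i)
		}
		pt, err := gcm.Open(nil, c[:ns], c[ns:], aad(i, len(chunks)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		plain.Write(pt)
	}
	return plain.Bytes(), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                    // constructed demo key (AES-256)
	payload := bytes.Repeat([]byte("enclave payload "), 320) // constructed 5120-byte payload, 3 chunks
	chunks, _ := EncryptChunked(key, payload)
	chunks[0], chunks[1] = chunks[1], chunks[0] // swap two chunks in transit
	_, err := DecryptChunked(key, chunks)
	fmt.Println("chunks:", len(chunks), "block size:", CipherBlockSize(), "reordered payload rejected:", err != nil)
}
```

Sealing each 2048-byte unit separately lets a receiver stream and reject bad data early, but only the position and count in the AAD make the sequence as a whole tamper-evident; without them, individually valid chunks could be reordered or dropped.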
Asymmetric Encryption
Enclave services key exchange currently supports
Our team is working on supporting Diffie-Hellman and ECC-based key exchange.
There is NO plan to support DSA. However, if there is a strong use case for DSA, please write to us at security@oblivious.ai and we will endeavour to add it to our roadmap.
Hashing
SHA algorithms with a digest size of at least 256 bits are used for hashing within the enclave core services. User applications are recommended to use SHA-256 or a stronger SHA algorithm for hashing.
Digital Signature
Digital signatures used for key exchange are based on the cryptographic operations and specifications above.
Secure Random Numbers
Secure random numbers used within the enclave are generated through the Nitro Secure Module (NSM) library provided by AWS.
TLS
The enclave services endpoint accepts TLS connections. Clients are expected to support TLS v1.2 and the following ECDHE-based AES-GCM cipher suites in order to connect successfully to enclave endpoints:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Internal data transfer over TLS uses only DH and ECC-based DH (ECDH) key-exchange schemes.
note
The above requirements are enforced by the enclave's internal proxy and by the client-side CLI proxy. Applications that communicate with the enclave through the Oblivious-provided tools do not need to implement them themselves.
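For a client that connects to an enclave endpoint without going through the Oblivious proxies, the following Go program is an added example (not Oblivious's code) of pinning a client to TLS 1.2 and exactly the four suites listed above, referred to by their Go identifiers, and checking what was actually negotiated. To run offline it performs the handshake in-process over an in-memory pipe against a throwaway self-signed ECDSA certificate for the hypothetical name enclave.test, which stands in for the real endpoint certificate a production client would verify against its CA bundle; the non-compliant server that offers only ChaCha20-Poly1305 is likewise constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// AllowedSuites are the four suites from the page, in Go's identifiers
// (OpenSSL names: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
// ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384).
var AllowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// NonCompliantSuites is a constructed server policy with no overlap with the page's list.
var NonCompliantSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}

// ClientConfig pins the client to TLS 1.2 and AllowedSuites while still
// verifying the server certificate against roots and serverName.
func ClientConfig(roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: AllowedSuites,
		RootCAs:      roots,
		ServerName:   serverName,
	}
}

// SuiteAllowed reports whether a negotiated suite id is on the policy list.
func SuiteAllowed(id uint16) bool {
	for _, s := range AllowedSuites {
		if s == id {
			return true
		}
	}
	return false
}

// selfSigned makes a throwaway ECDSA P-256 certificate for name. It is a
// stand-in for the enclave endpoint's real certificate in this example only.
func selfSigned(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Negotiate runs a full handshake over an in-memory pipe against a server that
// offers serverSuites and returns the negotiated suite name. It errors unless
// the result is TLS 1.2 with a suite from AllowedSuites.
func Negotiate(serverSuites []uint16) (string, error) {
	const endpoint = "enclave.test" // hypothetical endpoint name
	cert, pool, err := selfSigned(endpoint)
	if err != nil {
		return "", err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()
	cli := tls.Client(c, ClientConfig(pool, endpoint))
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	st := cli.ConnectionState()
	name := tls.CipherSuiteName(st.CipherSuite)
	if st.Version != tls.VersionTLS12 || !SuiteAllowed(st.CipherSuite) {
		return name, fmt.Errorf("negotiated %s violates policy", name)
	}
	return name, nil
}

func main() {
	name, err := Negotiate(AllowedSuites)
	fmt.Println("compliant endpoint:", name, err)
	_, err = Negotiate(NonCompliantSuites)
	fmt.Println("non-compliant endpoint:", err)
}
```

Pinning MaxVersion to TLS 1.2 matters for the check itself: Go ignores CipherSuites for TLS 1.3, so without the cap a TLS 1.3 server would negotiate a suite outside the list and the policy would silently not apply. The post-handshake inspection of ConnectionState is what a client should log or alert on, since a restricted cipher list only proves what was offered, not what was agreed.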