Cryptography¶
On the Waves Enterprise platform you can select the set of cryptographic algorithms to use depending on the specifics of your project. Two types of cryptography are available: Waves and GOST. The table below lists the cryptographic functions used with each type.

| Functionality | Waves | GOST |
|---|---|---|
| Hash coding | Blake2b256 and Keccak256 functions applied sequentially | The Streebog function in accordance with the GOST R 34.11-2012 «Information Technology – Cryptographic Information Security – Hash Function» standard |
| Digital signature | Based on the Curve25519 elliptic curve (ED25519 with X25519 keys) | In accordance with the GOST R 34.10-2012 «Information Technology – Cryptographic Information Security – Electronic digital signature generation and verification processes» standard |
| Data encryption | AES symmetric data encryption | Kuznyechik symmetric block cipher in accordance with the GOST R 34.12-2015 «Information Technology – Cryptographic Information Security – Block ciphers» standard |
| Confidential data encryption | TLS v1.2 with the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite | TLS v1.2 with GOST cipher suites |
PKI support¶
The Waves Enterprise platform implements a Public Key Infrastructure (PKI). PKI is used only with GOST cryptography.

The PKI has three modes of operation:

- off – PKI is disabled.
- on – PKI is enabled. In this mode:
  - the platform checks that TLS is enabled at the network level, i.e. that the node.network.tls parameter in the node.conf file is set to true;
  - a number of API methods that imply working with the private key on the node are not available: methods of signing transactions via the node API, encryption methods, and methods of sending confidential data (privacy). Clients must therefore sign transactions and encrypt data on their own side.
- test – PKI is functioning in test mode. The following API methods, which involve working with the private key on the node, remain available:
  - REST API methods:
    - transaction signing methods: transactions/sign and transactions/signAndBroadcast;
    - encryption methods: crypto/encryptCommon, crypto/encryptSeparate, crypto/decrypt;
    - confidential data (privacy) exchange methods: /privacy/sendData, /privacy/sendDataV2 and /privacy/sendLargeData;
    - methods for signing messages on the blockchain: addresses/sign and addresses/signText;
    - the /pki/sign method, which generates an electronic signature over arbitrary data.
  - gRPC API methods:
    - confidential data (privacy) exchange methods: PrivacyPublicService.SendData and PrivacyPublicService.SendLargeData.

Test mode keeps private keys reachable through the node API and is intended for test environments only. The PKI mode is set by the crypto.pki.mode parameter in the node configuration file.
Hash coding¶
As indicated in the table above, hashing is performed by the Blake2b256 and Keccak256 functions applied in sequence (the data is first hashed with Blake2b256, and the resulting 256-bit digest is then hashed with Keccak256) for Waves cryptography, or by the «Streebog» function in accordance with the GOST R 34.11-2012 «Information Technology – Cryptographic Information Security – Hash Function» standard for GOST cryptography.

In both cases the output digest is 256 bits (32 bytes) long. Note that Keccak256 here is the original Keccak construction, whose padding differs from the NIST SHA3-256 standard; a SHA3-256 implementation produces a different digest for the same input and cannot be substituted.
Electronic signature¶
As shown in the table above, the algorithms for key generation and for forming and verifying digital signatures are implemented on the basis of the Curve25519 elliptic curve (ED25519 with X25519 keys) for Waves cryptography, or in accordance with the GOST R 34.10-2012 «Information Technology – Cryptographic Information Security – Electronic digital signature generation and verification processes» standard for GOST cryptography. Note that the Waves key pairs are Curve25519 (X25519) keys rather than standard Ed25519 key pairs, so signatures are not interchangeable with those of a stock Ed25519 implementation.

Learn more about generating and verifying digital signatures with the gRPC and REST API methods in the following sections: gRPC: generation and checking of data digital signatures (PKI) and REST API: generation and checking of data digital signatures (PKI).
Protecting confidential data¶
On the Waves Enterprise platform you can use the TLS protocol to protect data transmitted between nodes. The supported protocol versions and cipher suites are listed in the table above. The Waves cipher suite TLS_RSA_WITH_AES_256_CBC_SHA uses static RSA key exchange, which provides no forward secrecy: a compromise of a node's TLS private key exposes previously recorded sessions, so that key must be stored and rotated accordingly.

To enable TLS, set the node.network.tls parameter to true in the node.conf node configuration file.

If TLS is not used for connections between nodes (the node.network.tls parameter is set to false), confidential data (privacy) is still protected by a TLS-like end-to-end encryption scheme whose session keys are derived with the Diffie-Hellman protocol. This protection applies only to confidential data transmitted peer-to-peer between nodes, i.e. between two network members; other node-to-node traffic is then sent without transport encryption.

The scheme of the text data encryption procedure based on the Diffie-Hellman protocol is shown in the figure.
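The following is an added example and is not Waves Enterprise code: it shows the shape of a Diffie-Hellman session-key scheme of the kind described above, with both peers' messages, so the reader can see what "session keys based on the Diffie-Hellman protocol" involves in practice. It assumes X25519 (RFC 7748, implemented inline) for the exchange, HKDF-SHA256 for key derivation, and, because the standard library has no AES, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for the AES the platform uses. The record layout, the derivation label and the class and function names (`Peer`, `seal`, `open_record`, `demo_exchange`) are this example's own, and the sample message is constructed.

```python
"""Added example: Diffie-Hellman (X25519) session key + authenticated record.

Not Waves Enterprise code.  The X25519 ladder follows RFC 7748; HKDF-SHA256
derives a 32-byte encryption key and a 32-byte MAC key from the shared secret;
the symmetric layer is an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag, standing in for AES (assumption for the demo).
"""
import hashlib
import hmac
import os

P = 2**255 - 19
BASE_U = b"\x09" + b"\x00" * 31             # Curve25519 base point, u = 9


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: scalar multiplication via the Montgomery ladder."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64     # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (AES stand-in, see lead-in)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: record = nonce(12) || ciphertext || tag(32)."""
    enc_key, mac_key = session_key[:32], session_key[32:]
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(session_key: bytes, record: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    enc_key, mac_key = session_key[:32], session_key[32:]
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("privacy record rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Peer:
    """One node side of the exchange: a fresh ephemeral X25519 key pair per session."""

    def __init__(self):
        self.priv = os.urandom(32)
        self.pub = x25519(self.priv, BASE_U)       # sent to the other node in clear

    def session_key(self, peer_pub: bytes) -> bytes:
        shared = x25519(self.priv, peer_pub)
        if shared == bytes(32):                    # RFC 7748: reject low-order peer points
            raise ValueError("invalid peer public key")
        # Bind the key to both public keys in a fixed order so both sides agree.
        info = b"we-privacy-demo" + b"".join(sorted([self.pub, peer_pub]))
        return hkdf_sha256(shared, info, 64)       # enc key || mac key


def demo_exchange(message: bytes) -> bytes:
    """Node A seals a message for node B; returns what B recovers."""
    node_a, node_b = Peer(), Peer()
    record = seal(node_a.session_key(node_b.pub), message)
    return open_record(node_b.session_key(node_a.pub), record)


if __name__ == "__main__":
    print(demo_exchange(b"constructed confidential payload"))
```

The demo does not authenticate the exchanged public keys: an unauthenticated Diffie-Hellman exchange is open to an active man-in-the-middle, and the page does not describe how the platform binds the session keys to node identities, so that binding is something to confirm in the node before relying on this mode as a TLS replacement.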
Note
The platform also uses the TLS protocol when working with smart contracts for the following connections:

- the connection with the Docker host (Docker-TLS);
- connections from a smart contract to a node via the gRPC and REST API.

TLS setup and usage in these cases are documented in the General platform configuration: execution of smart contracts section.