Technical description of the platform
The Waves Enterprise platform lets a project choose its cryptographic algorithms according to the project's requirements.
Hashing is performed sequentially by the Blake2b256 and Keccak256 functions, or by the “Streebog” function in accordance with GOST R 34.11-2012 “Information Technology – Cryptographic Information Security – Hash Function”. The output block size is 256 bits.
Key generation and the production and verification of electronic signatures are based on the Curve25519 elliptic curve (ED25519 with X25519 keys) or comply with GOST R 34.10-2012 “Information Technology – Cryptographic Information Security – Signature and verification processes of electronic digital signature”.
The platform supports data encryption with session keys derived via the Diffie–Hellman protocol. This is used to encrypt any text information, for instance smart contract data that must not be readable by other blockchain participants. Encryption can be performed individually for each recipient, producing a unique ciphertext per recipient, or once for a group of recipients, producing a single shared ciphertext.
The symmetric encryption algorithms comply with the AES standard or with GOST R 34.12-2015 “Information Technology – Cryptographic Information Security – Block ciphers”.
Here you can see the scheme of the text data encryption procedure based on the Diffie-Hellman protocol:
Symmetric CEK and KEK keys are used for encryption and decryption.
CEK (Content Encryption Key) is used for text data encryption. KEK (Key Encryption Key) is used for encryption of a CEK.
A CEK is randomly generated by a blockchain node using the corresponding hashing algorithms. A KEK is derived by a node with the Diffie–Hellman algorithm from the public and private keys of the sender and the recipients; this key is used to encrypt the CEK.
The symmetric CEK is never readable and is not displayed during the encryption process. It is transferred from the sender to a recipient in encrypted form (wrappedKey) over insecure channels together with the encrypted message. An example of such an insecure channel is data transaction 112, which records data into the blockchain or smart contract state. The KEK is never transferred from the sender to a recipient: the recipient restores it from his own private key and the known public key of the sender (Diffie–Hellman key exchange).
Learn more about encryption with the use of gRPC methods.
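The CEK/KEK procedure described above, as an added example that is not part of the platform's own code: a Go program using only the standard library, with X25519 (crypto/ecdh) for the Diffie–Hellman step and AES-256-GCM for both the content encryption and the key wrapping. The names (Envelope, Encrypt, Decrypt, deriveKEK), the choice of SHA-256 over the raw shared secret as the KEK derivation, and the envelope layout are assumptions of this example; the platform's actual wrappedKey format and the encoding used in data transaction 112 are not shown here. The example covers both the single-recipient case and the unified-ciphertext-for-a-group case: the message is encrypted once under the CEK, and one wrapped copy of the CEK is produced per recipient.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that travels over the insecure channel (for example a
// data transaction): the sender's public key, the message encrypted under the
// CEK, and one wrapped copy of the CEK per recipient. The KEK itself is never
// included; each recipient recomputes it. Layout is this example's assumption.
type Envelope struct {
	SenderPub  []byte
	Ciphertext []byte            // nonce || AES-GCM ciphertext of the message under the CEK
	WrappedCEK map[string][]byte // recipient public key bytes -> nonce || AES-GCM ciphertext of the CEK under the KEK
}

// deriveKEK computes the X25519 shared secret between one party's private key
// and the peer's public key and hashes it to a 256-bit KEK. Both sides obtain
// the same value (sender+recipient pub == recipient+sender pub). The SHA-256
// KDF is an assumption of this example, not the platform's derivation.
func deriveKEK(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	return kek[:], nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check makes any tampering fail here.
func open(key, data []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// Encrypt is the sender side: one random CEK encrypts the message once, and a
// per-recipient KEK wraps that CEK for every recipient. The CEK never leaves
// this function in the clear.
func Encrypt(sender *ecdh.PrivateKey, recipients []*ecdh.PublicKey, msg []byte) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	ct, err := seal(cek, msg)
	if err != nil {
		return nil, err
	}
	env := &Envelope{SenderPub: sender.PublicKey().Bytes(), Ciphertext: ct, WrappedCEK: map[string][]byte{}}
	for _, rp := range recipients {
		kek, err := deriveKEK(sender, rp)
		if err != nil {
			return nil, err
		}
		wrapped, err := seal(kek, cek)
		if err != nil {
			return nil, err
		}
		env.WrappedCEK[string(rp.Bytes())] = wrapped
	}
	return env, nil
}

// Decrypt is the recipient side: the KEK is recomputed from the recipient's
// private key and the sender's public key, used to unwrap the CEK, and the CEK
// then decrypts the message. A non-recipient has no wrapped CEK and fails.
func Decrypt(recipient *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	wrapped, ok := env.WrappedCEK[string(recipient.PublicKey().Bytes())]
	if !ok {
		return nil, errors.New("no wrapped CEK addressed to this recipient")
	}
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil {
		return nil, err
	}
	kek, err := deriveKEK(recipient, senderPub)
	if err != nil {
		return nil, err
	}
	cek, err := open(kek, wrapped)
	if err != nil {
		return nil, err
	}
	return open(cek, env.Ciphertext)
}

func main() {
	curve := ecdh.X25519()
	sender, _ := curve.GenerateKey(rand.Reader)
	alice, _ := curve.GenerateKey(rand.Reader)
	bob, _ := curve.GenerateKey(rand.Reader)
	// Constructed sample payload standing in for private smart contract state.
	env, err := Encrypt(sender, []*ecdh.PublicKey{alice.PublicKey(), bob.PublicKey()}, []byte("balance=42"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(bob, env)
	fmt.Printf("bob reads %q (err=%v); wrapped CEK copies in envelope: %d\n", pt, err, len(env.WrappedCEK))
}
```

Two properties of the scheme are worth checking in practice and are what the example exercises: a key pair that was not among the recipients has no wrapped CEK and therefore cannot recover the message even though it can see the envelope, and any modification of the ciphertext in transit is rejected by the AES-GCM tag check before plaintext is returned.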
Network channels are encrypted with TLS v1.2 (AES-256 CBC SHA). If GOST encryption is used, the protocol establishes a TLS-like connection using the ‘Kuznyechik’ encryption algorithm.