SWAN-community / owid

Open Web Id (OWID) - an open source cryptographically secure shared web identifier schema
Apache License 2.0

Signature length/algorithm #1

Closed ekr closed 3 years ago

ekr commented 3 years ago

The current document states that signature is 64 bytes but also that it is RSA. This would correspond to a 512-bit RSA signature, which is very weak.

If size is an issue, then you should use EC signatures, which are much stronger at an equivalent length (64 bytes). If there is a very strict size constraint, you could use BLS, which allows for aggregating multiple signatures from different signers.

jwrosewell commented 3 years ago

Thank you. We will switch to EC signatures with a 64-byte length prior to commercial trials to improve the solution. We'll update this issue when the documentation and code have been modified. The reference implementation will use the EC implementation from Go and within the Crypto API of web browsers.

As a reminder for those new to SWAN: the OWIDs will be transmitted and stored many trillions of times a day. As such, there is a primary requirement to reduce the number of bytes used, considering the risks associated with spoofing and the other non-technical methods available to uncover bad acts and actors.

jwrosewell commented 3 years ago

The solution and trials have been switched to ECDSA P-256. @ekr Do you consider this change addresses the issue related to the cryptographic method used to sign OWIDs?

ekr commented 3 years ago

Obviously I can't say for sure without looking in detail, but it should fix the one we flagged.


jwrosewell commented 3 years ago

Understood. Thank you. I'll close the issue.

Note: For those that read this in the future, here are the links to the interfaces used.

Go .NET JavaScript
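
The size point raised in this thread, as an added Go example that is not part of the issue or the OWID code base: a 64-byte RSA signature implies a 512-bit modulus, while ECDSA P-256 fits r and s into the same 64 bytes. The fixed-width r||s layout, SHA-256 and the names `Sign64`, `Verify64`, `NewKey` and `RSAModulusBits` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

const SigLen = 64 // r || s, 32 bytes each (assumed fixed-width encoding, not ASN.1 DER)

// An RSA signature is as long as the modulus, so 64 bytes means a 512-bit key.
func RSAModulusBits(sigLen int) int { return sigLen * 8 }

// NewKey generates a P-256 key pair (hypothetical helper for this example).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign64 signs SHA-256(msg) and returns exactly SigLen bytes.
func Sign64(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	if priv.Curve != elliptic.P256() {
		return nil, fmt.Errorf("key is not on P-256")
	}
	h := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, SigLen)
	r.FillBytes(sig[:32]) // left-pads with zeros, so short values keep the width
	s.FillBytes(sig[32:])
	return sig, nil
}

// Verify64 rejects any signature that is not exactly SigLen bytes before parsing it.
func Verify64(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	if len(sig) != SigLen {
		return false
	}
	h := sha256.Sum256(msg)
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(pub, h[:], r, s)
}

func main() {
	priv, _ := NewKey() // errors ignored only in this demo entry point
	sig, _ := Sign64(priv, []byte("constructed sample payload"))
	fmt.Println(len(sig), Verify64(&priv.PublicKey, []byte("constructed sample payload"), sig), RSAModulusBits(SigLen))
}
```

Go's ASN.1 signature encoding is variable-length and longer than 64 bytes, which is why the example packs r and s at a fixed width.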