Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Member recovery shares encryption with RSA-OAEP-256 #1841

Merged
merged 20 commits into from
Oct 30, 2020
Merged

Member recovery shares encryption with RSA-OAEP-256 #1841

merged 20 commits into from
Oct 30, 2020

Conversation

jumaffre
Copy link
Contributor

@jumaffre jumaffre commented Oct 29, 2020
edited
Loading

Resolves #1720

Member recovery shares are now encrypted in the public:ccf.shares table with RSA, using (as opposed to NaCl's crypto box).

This has the following implications:

  • The network's encryption key is no longer required (as we only encrypt with the target's - i.e. member's - public key).
  • The submit_recovery_share.sh script has been updated and step-cli is no longer required (openssl does RSA-OAEP-256 key unwrapping fine).
  • The 25519 and crypto box specific code has been removed.
  • New RSAKeyPair class that can be used for unwrapping and corresponding RSAPublicKey for unwrapping (see tls/rsa_key_pair.h).

Also:

  • Renamed keyshare in the public:ccf.members table to encryption_pub_key, as the previous name was confusing.

Next:

  • Update js_generic.cpp to use new tls::RSAPublicKey to wrap keys.

@jumaffre jumaffre requested a review from a team as a code owner October 29, 2020 16:29
@jumaffre
Copy link
Contributor Author

This has been tested manually with AKV and the steps to wrap/unwrap a key are available here: #1720 (comment). The unwrapping operation is performed by the submit_recovery_share.sh script using openssl.

@ccf-bot
Copy link
Collaborator

ccf-bot commented Oct 29, 2020
edited
Loading

rsa_encryption@14965 aka 20201030.15 vs master ewma over 50 builds from 14436 to 14954
images

achamayou
achamayou reviewed Oct 29, 2020
View reviewed changes
tests/start_network.py Outdated Show resolved Hide resolved
achamayou
achamayou approved these changes Oct 29, 2020
View reviewed changes
Copy link
Member

@achamayou achamayou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

API schema needs to be updated

@jumaffre jumaffre merged commit b0df355 into microsoft:master Oct 30, 2020
@jumaffre jumaffre mentioned this pull request Oct 30, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@achamayou achamayou achamayou approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Member recovery share encryption should support RSA encryption
3 participants
@jumaffre @ccf-bot @achamayou