<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Andriy Fedotov</title>
    <description>The latest articles on DEV Community by Andriy Fedotov (@andrii_fedotov).</description>
    <link>https://dev.to/andrii_fedotov</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F103251%2F326376a0-0065-4456-8e32-fb6097271f00.jpg</url>
      <title>DEV Community: Andriy Fedotov</title>
      <link>https://dev.to/andrii_fedotov</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/andrii_fedotov"/>
    <language>en</language>
    <item>
      <title>Does it matter how the cryptographic keys are stored?</title>
      <dc:creator>Andriy Fedotov</dc:creator>
      <pubDate>Fri, 22 Mar 2019 16:57:08 +0000</pubDate>
      <link>https://dev.to/andrii_fedotov/does-it-matter-how-the-cryptographic-keys-stored-35i2</link>
      <guid>https://dev.to/andrii_fedotov/does-it-matter-how-the-cryptographic-keys-stored-35i2</guid>
      <description>

&lt;p&gt;Private key storage&lt;/p&gt;

&lt;p&gt;Security just tells you to encrypt everything but won't tell you how to achieve that in your particular software stack. You have to store the encryption key in a protected manner. It could be stored in an HSM, on a smartcard, on a crypto token, on the server's hard disk, or even written on paper (split and stored in vaults). The key can be unencrypted (in the clear) or encrypted with another key. If you are talking about encryption keys that are part of your business application, you have to store them encrypted, but your software should be able to decrypt them without manual intervention.&lt;/p&gt;

&lt;p&gt;Public key storage&lt;/p&gt;

&lt;p&gt;But what about the public key? Verification of digital certificates fails even more often than users lose their private keys, because a CA is a much bigger and more interesting target for cybercriminals. As an alternative to a traditional system of chain of trust, &lt;a href="https://github.com/Remmeauth/remme-core"&gt;blockchain&lt;/a&gt; provides a permanent and trusted timestamp by design. To undermine this timestamp would require massive computational effort: rewriting the entire blockchain. This ultimately gives Issuers the ability to rotate their issuing keys without undermining the ability of 3rd parties to reliably verify transactions. The blockchain is a distributed ledger that does not depend on any trusted party like a Certificate Authority. The effect is improved availability, the capacity to independently verify, and redundancy that avoids single points of failure.&lt;/p&gt;


</description>
      <category>blockchain</category>
      <category>opensource</category>
      <category>security</category>
      <category>cryptography</category>
    </item>
    <item>
      <title>Securing IoT devices connections with blockchain: does it make sense?</title>
      <dc:creator>Andriy Fedotov</dc:creator>
      <pubDate>Fri, 01 Feb 2019 12:39:11 +0000</pubDate>
      <link>https://dev.to/andrii_fedotov/securing-iot-devices-connections-with-blockchain-does-it-make-sense-fc</link>
      <guid>https://dev.to/andrii_fedotov/securing-iot-devices-connections-with-blockchain-does-it-make-sense-fc</guid>
      <description>&lt;p&gt;&lt;strong&gt;Case Study:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Company X deploys a fleet of connected IoT devices with capabilities of Hardware Root of Trust, in which the private keys are integrated into the devices.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;The System Administrator of Company X has an account registered on the blockchain.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;He will need to install special firmware (or just modify an existing version of it) on the IoT device (e.g., a CCTV camera). It should generate a pair of keys on the device.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;At this point, the SysAdmin obtains the device's public key and stores it on the blockchain using his account. The device is able to send the public key by itself, but it needs access to the account. As an alternative, this could be done via a service where blockchain account keys are pre-installed.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Now the SysAdmin is able to set up a secure encrypted connection with all the CCTV cameras that he needs. In case he needs to revoke a camera's public keys, he can do so by using the private key of his blockchain account.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;The blockchain account&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It has a pair of public/private keys, which the user generates with one of the project libraries on his device. The account makes it possible to store public keys on the blockchain as well as to revoke them. Using the key pair of just one account, you may store on the blockchain as many public keys as you need. In blockchain technology, there are several ways to secure access to your account, for example, multi-signature.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why should devices trust each other without a CA signature?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In this scenario, the Admin will send a request to the blockchain for storing the public keys of each of the two devices and will install private keys on each of them respectively. This way the admin is responsible for providing the correct public key when connecting two devices/applications. Nobody can store a public key which was previously added to the blockchain.&lt;/p&gt;

&lt;p&gt;What do you think about the case described? Are there any weaknesses which hackers can spot?&lt;/p&gt;

&lt;p&gt;And what about a service that can help to provide such certificates for admins and developers who are not willing to interact with the blockchain directly? Would you use such a service, if it were available?&lt;/p&gt;

&lt;p&gt;Here you can have a look at &lt;a href="https://github.com/Remmeauth/remme-core/tree/dev"&gt;a protocol&lt;/a&gt; able to perform the services described, other than a Public Key Infrastructure.&lt;/p&gt;

</description>
      <category>blockchain</category>
      <category>security</category>
      <category>discuss</category>
      <category>opensource</category>
    </item>
    <item>
      <title>Documentation as a key to the strong tech community</title>
      <dc:creator>Andriy Fedotov</dc:creator>
      <pubDate>Tue, 27 Nov 2018 16:21:59 +0000</pubDate>
      <link>https://dev.to/andrii_fedotov/documentation-as-a-key-to-the-strong-tech-community-3h2k</link>
      <guid>https://dev.to/andrii_fedotov/documentation-as-a-key-to-the-strong-tech-community-3h2k</guid>
      <description>&lt;p&gt;I believe that all great projects were started with clear documentation. My project is a new open-source protocol that is seeking to build a community around the concept of digital certificates that are secured by a blockchain network. I see that our idea attracts interest at hackathons, meetups and tech chats, but it is essential to transmit those activities to GitHub as well.&lt;/p&gt;

&lt;p&gt;We have prepared a Q&amp;amp;A page as well as simple project documentation &lt;a href="http://docs.remme.io" rel="noopener noreferrer"&gt;http://docs.remme.io&lt;/a&gt;. But now I see a necessity to work more on our GitHub repository readme file. As I understood, we need to add more about the problem that our code challenges, current features, and contribution policy, and leave some info about the development team. I saw on the Internet a considerable amount of advice about gifs, colorful buttons, and tables, but I am not sure that it wouldn't irritate our repo guests.&lt;/p&gt;

&lt;p&gt;What else should we add on our core protocol page to make it closer to the open source community and attract it to contribute to the project? I have added the link here:&lt;/p&gt;


&lt;div class="ltag-github-readme-tag"&gt;
  &lt;div class="readme-overview"&gt;
    &lt;h2&gt;
      &lt;a href="https://github.com/Remmeauth" rel="noopener noreferrer"&gt;
        Remmeauth
      &lt;/a&gt; / &lt;a href="https://github.com/Remmeauth/remme-core" rel="noopener noreferrer"&gt;
        remme-core
      &lt;/a&gt;
    &lt;/h2&gt;
    &lt;h3&gt;
      Distributed Public Key Infrastructure (dPKI) protocol
    &lt;/h3&gt;
  &lt;/div&gt;
  &lt;div class="ltag-github-body"&gt;
    
&lt;div id="readme" class="rst"&gt;
&lt;div class="markdown-heading"&gt;
&lt;h1 class="heading-element"&gt;REMME Core&lt;/h1&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href="https://jenkins.remme.io/view/1.GitHub_Integration/job/remme-core/job/dev/" rel="nofollow noopener noreferrer"&gt;&lt;img alt="Jenkins" src="https://camo.githubusercontent.com/601f72bac3776e594473b819eb5ea1c7500bd5c27d651efba3f3dc2dc6f7b1c4/68747470733a2f2f6a656e6b696e732e72656d6d652e696f2f6275696c645374617475732f69636f6e3f6a6f623d72656d6d652d636f72652f646576"&gt;&lt;/a&gt; &lt;a href="https://hub.docker.com/r/remme/remme-core/" rel="nofollow noopener noreferrer"&gt;&lt;img alt="Docker Stars" src="https://camo.githubusercontent.com/20110685af3d68ba8638b4a9fd9f2125a9fc7c141f50af698eab8ba0480a199d/68747470733a2f2f696d672e736869656c64732e696f2f646f636b65722f73746172732f72656d6d652f72656d6d652d636f72652e737667"&gt;
&lt;/a&gt; &lt;a href="https://gitter.im/REMME-Tech" rel="nofollow noopener noreferrer"&gt;&lt;img alt="Gitter" src="https://camo.githubusercontent.com/8621ac5f84a936ca6ea7993dbc510fe394be939264f75c202e7064b6e240c9be/68747470733a2f2f6261646765732e6769747465722e696d2f6f776e65722f7265706f2e706e67"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;REMME is a blockchain-based protocol used for issuing and management of public keys to resolve
issues related to cybersecurity, IoT connectivity, data integrity, digital copyright protection, transparency etc.&lt;/p&gt;
&lt;p&gt;Remme core is built on Hyperledger Sawtooth platform, allowing to be flexible in language choice during the
development process. Remme core exposes application programming interface based on RPC API.&lt;/p&gt;
&lt;p&gt;Remme also supports &lt;a href="https://github.com/Remmeauth/remme-client-js" rel="noopener noreferrer"&gt;JS&lt;/a&gt; and &lt;a href="https://github.com/Remmeauth/remme-client-dotnet" rel="noopener noreferrer"&gt;.NET&lt;/a&gt;
programming libraries that wrap its application programming interface, so that you could easily embed the protocol in your project.&lt;/p&gt;
&lt;div class="markdown-heading"&gt;
&lt;h2 class="heading-element"&gt;🔖 Documentation&lt;/h2&gt;
&lt;/div&gt;
&lt;p&gt;🔖 &lt;a href="https://youtu.be/fw3591g0hiQ" rel="nofollow noopener noreferrer"&gt;Architecture overview&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;🔖 &lt;a href="https://docs.remme.io/" rel="nofollow noopener noreferrer"&gt;Docs &amp;amp; tutorials&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;🔖 &lt;a href="https://blog.aira.life/blockchain-as-refinery-for-industrial-iot-data-873b320a6ff0" rel="nofollow noopener noreferrer"&gt;REMME use case for IoT&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;🔖 &lt;a href="https://medium.com/remme" rel="nofollow noopener noreferrer"&gt;Blog&lt;/a&gt; &amp;amp; &lt;a href="https://gitter.im/REMME-Tech" rel="nofollow noopener noreferrer"&gt;talks&lt;/a&gt;&lt;/p&gt;

&lt;div class="markdown-heading"&gt;
&lt;h2 class="heading-element"&gt;How to build on REMME Core&lt;/h2&gt;

&lt;/div&gt;
&lt;ol&gt;
&lt;li&gt;REMChain is one of the components of our solution and a basic layer of our
distributed Public Key Infrastructure — PKI(d) protocol. In a nutshell, it’s
a multi-purpose blockchain that acts as a distributed storage for a
certificate’s hash, state (valid or…&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt;
  &lt;/div&gt;
  &lt;div class="gh-btn-container"&gt;&lt;a class="gh-btn" href="https://github.com/Remmeauth/remme-core" rel="noopener noreferrer"&gt;View on GitHub&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;


</description>
      <category>discuss</category>
      <category>opensource</category>
      <category>documentation</category>
    </item>
  </channel>
</rss>
