Description
The store services currently make no integrity guarantees: they store what they receive. Architects should explicitly decide, for each asset class, whether to verify cryptographic integrity before persistence, on retrieval, or not at all -- and document that decision as a security posture choice. At minimum, the highest-value assets warrant verification: endorsement ack signatures (TransactionEndorseAck.sigma) should be verified against the endorser's public key before insertion; serialized token request bytes should be checked for valid deserialization and a matching pp_hash before storage; identity bytes should be verified against a known public key before being written to IdentityInfo or Signers. For lower-value or high-volume assets (movements, locks, metadata), the cost-benefit trade-off may favour deferred or sampled verification. The key architectural requirement is that the API surface makes its verification guarantees explicit -- "we store what you give us, unverified" is an acceptable posture only if callers are required to perform verification themselves before calling.
Summary
Need to add the defense-in-depth checks in the table below.
| Check |
Operation |
Cost |
| 1. Endorsement Signature Verification |
Verify signature is valid for claimed endorser |
Medium (1 DB read + crypto verify ~1-5ms) |
| 2. Token Request Integrity |
Verify data deserializes and hash matches |
Low (deserialize + hash ~0.1-1ms) |
| 3. Identity Validation |
Verify identity contains valid public key |
Low (key format check ~0.1ms) |
| 4. Signer Registration Validation |
Verify signer's public key matches identity |
Low (key comparison ~0.1ms) |
Also,
5. Remove NoOp Bypass: Eliminate option to skip verification
Crypto related data should be checked when inserted to the database and when retrieved. This can be time consuming. We need to find the checks that protect against systemic failures and check only those.
Description
The store services currently make no integrity guarantees: they store what they receive. Architects should explicitly decide, for each asset class, whether to verify cryptographic integrity before persistence, on retrieval, or not at all -- and document that decision as a security posture choice. At minimum, the highest-value assets warrant verification: endorsement ack signatures (
TransactionEndorseAck.sigma) should be verified against the endorser's public key before insertion; serialized token request bytes should be checked for valid deserialization and a matchingpp_hashbefore storage; identity bytes should be verified against a known public key before being written toIdentityInfoorSigners. For lower-value or high-volume assets (movements, locks, metadata), the cost-benefit trade-off may favour deferred or sampled verification. The key architectural requirement is that the API surface makes its verification guarantees explicit -- "we store what you give us, unverified" is an acceptable posture only if callers are required to perform verification themselves before calling.Summary
Need to add the defense-in-depth checks in the table below.
Also,
5. Remove NoOp Bypass: Eliminate option to skip verification
Crypto related data should be checked when inserted to the database and when retrieved. This can be time consuming. We need to find the checks that protect against systemic failures and check only those.