Skip to content

Selective Cryptographic Integrity Verification of High-Value Payloads [LOW] #1610

Description

@HayimShaul

Description
The store services currently make no integrity guarantees: they store what they receive. Architects should explicitly decide, for each asset class, whether to verify cryptographic integrity before persistence, on retrieval, or not at all -- and document that decision as a security posture choice. At minimum, the highest-value assets warrant verification: endorsement ack signatures (TransactionEndorseAck.sigma) should be verified against the endorser's public key before insertion; serialized token request bytes should be checked for valid deserialization and a matching pp_hash before storage; identity bytes should be verified against a known public key before being written to IdentityInfo or Signers. For lower-value or high-volume assets (movements, locks, metadata), the cost-benefit trade-off may favour deferred or sampled verification. The key architectural requirement is that the API surface makes its verification guarantees explicit -- "we store what you give us, unverified" is an acceptable posture only if callers are required to perform verification themselves before calling.

Summary
Need to add the defense-in-depth checks in the table below.

Check Operation Cost
1. Endorsement Signature Verification Verify signature is valid for claimed endorser Medium (1 DB read + crypto verify ~1-5ms)
2. Token Request Integrity Verify data deserializes and hash matches Low (deserialize + hash ~0.1-1ms)
3. Identity Validation Verify identity contains valid public key Low (key format check ~0.1ms)
4. Signer Registration Validation Verify signer's public key matches identity Low (key comparison ~0.1ms)

Also,
5. Remove NoOp Bypass: Eliminate option to skip verification

Crypto related data should be checked when inserted to the database and when retrieved. This can be time consuming. We need to find the checks that protect against systemic failures and check only those.

Metadata

Metadata

Assignees

Labels

Type

Fields

No fields configured for Task.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions