The TSM can be deployed in different ways with different choices of active and passive nodes as well as node ownership.
In the basic scenario we have n (e.g. 3) active MPC nodes all controlled by the same SDK.
- The SDK is available in Go and as a shared library
- The connection between the SDK and a node is over http or https (the latter recommended) and is authenticated.
- The connection between the nodes is over TLS using public key pinning
- Each MPC Node is deployed as described below
- The connection can be protected using TLS (depends on the database configuration)
- The data is protected using a master key, MK, which can be used and protected in different ways. Both our current choice has a Key Encryption Key (KEK) and MK stored in the DB as EKEK(MK):
a) KEK is derived from a (strong) password stored in the MPC Node configuration file using PBKDF2.
b) KEK is derived from a key file using SHA-256.
Updated 6 days ago