Security

Network Security

Nodes providing resources to the network operate over an overlay network that is isolated from the public internet. This network implements a modern cryptographic mesh network with the following security features:

• Cryptographic Node Identity: Each node maintains a persistent cryptographic identity using public-key cryptography, ensuring secure peer authentication. The node identity is linked to its Time Tower for building availability proofs.
• Secure Key Exchange: The network employs state-of-the-art elliptic curve cryptography for key exchange, providing perfect forward secrecy.
• Encrypted Tunnels: All inter-node communication occurs through encrypted tunnels using ChaCha20 for encryption with Poly1305 for authentication.
• UDP-based Transport: The network operates over UDP, enabling better performance and simpler implementation compared to TCP-based VPNs.

The mesh network can achieve speeds of up to 10 Gbps and is designed to be highly available and fault-tolerant with unique like hardware acceleration for UDP GSO (Generic Segmentation Offload) and GRO (Generic Receive Offload).

Storage Security

Persistent storage volumes provide two levels of security:

Data Encryption In Transit

All data transmitted between the node and the S3 storage provider is encrypted using TLS/SSL.

Data Encryption At Rest

When uploading, all data undergoes encryption using industry-standard AES-GCM and RSA algorithms, preventing unauthorized access and data leakage. Users can access their encrypted files transparently through mount points, with encryption and decryption processes happening seamlessly in the background.

Data Encryption At Rest combines symmetric encryption and asymmetric encryption, which requires user to create a global RSA private key M for the file system. Each object stored in the object storage will have its own random symmetric key S. The stored data is encrypted using AES-GCM algorithm with the symmetric key S, while S is encrypted with the global RSA private key M. At last, the RSA key is encrypted using a user-specified passphrase.

The detailed process of data encryption is as follows:

1. Compress data blocks using LZ4 or Zstandard compression
2. Generate a unique 256-bit AES key (S) and nonce (N) for each block
3. Encrypt the data block with AES-GCM using key S and nonce N
4. Protect the AES key by encrypting S with the master RSA key (M)
5. Store the encrypted data, encrypted AES key, and nonce as a single object

To decrypt the data:

1. Retrieve the encrypted object from storage
2. Extract the encrypted AES key, nonce, and encrypted data
3. Use RSA key M to decrypt the AES key S
4. Decrypt the data using AES-GCM with key S and nonce N
5. Decompress the decrypted data block

Performance

Modern CPUs implement TLS, HTTPS, and AES-256 very efficiently, so enabling encryption does not significantly impact file system performance. Due to the relatively low performance of the RSA algorithm, it is recommended to use 2048-bit RSA keys for storage encryption, as using 4096-bit keys may significantly impact reading performance.

Compute Security

StateMesh provides a secure execution environment for containers, ensuring that applications are isolated from each other and the host system. The platform uses a combination of hardware and software security features to protect against various types of attacks:

• Hardware Isolation: Each workload runs in a separate lightweight VM, providing hardware-level isolation from other containers and the host system.
• TPM and vTPM (Trusted Platform Module): Hardware TPM or software vTPM is used to securely store cryptographic keys and perform secure boot verification.
• Secure Boot: UEFI Secure Boot ensures that the system boots only with trusted firmware and software.
• Memory-mapped files: Sensitive files are never saved on disk, but are instead stored in random memory locations that are encrypted and decrypted on the fly using transient cryptographic keys.