3.7.4 Key Management

The DGT network adopts a decentralized model in which keys are distinct from the transaction verification process. Key generation in DGT follows the ECDSA (Elliptic Curve Digital Signature Algorithm) method, involving the generation of a large random number as the private key. From this private key, a public key is derived using a specific algorithm. Transaction addresses are then calculated based on this public key.

Figure 48 Asymmetric Keys and Address Generation Scheme (Elliptic Curve Digital Signature Algorithms)

Key Management in DGT is crucial for maintaining the security and integrity of the blockchain network. It involves the generation, storage, and usage of cryptographic keys that play a vital role in signing and verifying transactions:

• Key Generation:

  • Private Key Generation: DGT utilizes secure algorithms to generate strong cryptographic private keys. These keys are randomly generated and should be kept confidential.

  • Public Key Derivation: Public keys are derived from their corresponding private keys using cryptographic algorithms. These public keys are shared publicly and used for verifying signatures.

• Key Storage:

  • Secure Storage: Secure Storage of keys is a critical aspect of key management in DGT. Private keys must be securely stored to prevent unauthorized access. The responsibility for secure key storage lies with the applications utilizing the DGT network rather than the network itself. To ensure the protection of private keys from unauthorized access, DGT recommends employing robust storage mechanisms such as hardware security modules (HSMs), secure key vaults, or other secure storage solutions.

  • Default Key Location: At the node level, the generated keys are stored by default at the /project/peer/keys/ path. The keys are stored in plain files with ‘.priv’ and ‘.pub’ extensions. However, the storage format can be customized, and users have the flexibility to use the PKCS#12 format or other secure storage mechanisms for enhanced protection.

  • Key Backup: It is essential to have a reliable backup mechanism for private keys to avoid data loss or potential loss of access to the associated assets. Regular backups should be performed and securely stored in separate locations.

• Key Usage:

  • Transaction Signing: Private keys are used to digitally sign transactions, providing authenticity and integrity. DGT ensures that the private keys remain secure and are only accessible by authorized parties.

  • Signature Verification: Public keys are utilized to verify the signatures of transactions and blocks. Nodes in the DGT network can independently validate the authenticity of transactions using the corresponding public keys.

• Key Rotation and Revocation:

  • Key Rotation: Regular key rotation is recommended to enhance security. By periodically generating new private-public key pairs and migrating to the new keys, the risk of compromised keys can be mitigated.

  • Key Revocation: In case of a compromised key or a lost private key, proper revocation procedures should be followed to invalidate the compromised key and prevent unauthorized usage.

• Key Distribution and Access Control:

  • Client Responsibility: In DGT, key generation is the responsibility of the client. Clients can use the DGT SDK, compatible libraries, or the DGT transaction family keygen tool to generate their private and public keys securely.

  • Notary Node Certificate Storage: For Notary Nodes, a solution such as HashiCorp can be utilized for storing X.509 certificates. This allows linking the public key (or address) with a person or organization ID, enabling a robust and secure identity management system.

  • Access Control: Proper access control measures should be implemented to ensure that only authorized individuals or entities have access to the private keys. Access controls can be enforced at the operating system or file level to restrict access to the key files and prevent unauthorized usage or tampering.