Linked Data Proofs vs JOSE: Why not both?

gjgd
Published in Transmute
3 min read · Feb 4, 2020

At Transmute, our core technology relies heavily on Decentralized Identifiers and Verifiable Credentials, which leverage JSON Linked Data (aka JSON-LD) to enable interoperability and integration.

The authenticity and integrity of JSON Linked Data documents can be guaranteed by appending a “proof” property whose value is a digital signature of the document, following the Linked Data Signatures specification.

Any public-key based cryptosystem that provides digital signatures is fair game, and there are currently several implementations of that spec using various widely used algorithms such as:
- EdDSA with Curve25519 (aka Ed25519)
- ECDSA with curve secp256k1
- RSA signatures

An official but non-exhaustive list of those implementations can be found in the CryptoSuite registry.

However there are several problems with the current state of that list:

  • Most implementations are written in JavaScript, which is excellent for proof-of-concept projects but is a terrible idea for performance and security reasons.
  • Some implementations use custom or relatively new cryptographic dependencies that haven’t been properly peer-reviewed and tested for production use.
  • Most implementations have non-interoperable ways of representing the keys for the cryptosystem they are using.

A potential solution: JOSE

Jose is a library for dealing with JWS (JSON Web Signatures), JWE (JSON Web Encryption), JWK (JSON Web Keys), and JWT (JSON Web Token) in Node.js.

It has several desirable features for our Linked Data Signature use case:

Introducing “lds-jws2020”

It is a cryptosuite that uses Jose for generating verifiable Linked Data Signatures 🎉

In this library we use Jose’s JWK sub-module for dealing with keys, and the JWS sub-module for signing and verifying with any key types and cryptosystems that Jose supports!

This means that all the cryptosystems currently listed in the CryptoSuite registry are also supported by this library, and could be used in conjunction with Digital Bazaar’s “jsonld-signatures” library to create secure Linked Data proofs.
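To make the JWK and JWS roles concrete, here is an added example (not code from lds-jws2020 or Jose) that exports an Ed25519 public key as a JWK and attaches a detached JWS to a document as its proof, then verifies it. It assumes a detached JWS with an unencoded payload (RFC 7797), uses only Node's built-in crypto, and replaces the RDF dataset canonicalization of real Linked Data Signature suites with sorted-key JSON; the proof type name, credential and key identifier are constructed.

```javascript
// Added example, not lds-jws2020 code: a detached JWS (RFC 7797) used as a document proof.
const { generateKeyPairSync, createHash, createPublicKey, sign, verify } = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// SIMPLIFICATION: sorted-key JSON stands in for the RDF dataset canonicalization
// that real Linked Data Signature suites run before hashing.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  if (value && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${members.join(',')}}`;
  }
  return JSON.stringify(value);
}

// Signing input with an unencoded payload: ASCII(BASE64URL(header) || '.') || payload bytes.
function signingInput(headerB64, doc) {
  const { proof, ...unsigned } = doc; // the proof never covers itself
  const digest = createHash('sha256').update(canonicalize(unsigned)).digest();
  return Buffer.concat([Buffer.from(`${headerB64}.`, 'ascii'), digest]);
}

function addProof(doc, privateKey, verificationMethod) {
  const headerB64 = b64u(JSON.stringify({ alg: 'EdDSA', b64: false, crit: ['b64'] }));
  const signature = sign(null, signingInput(headerB64, doc), privateKey);
  // Detached compact serialization: the payload segment between the dots stays empty.
  const jws = `${headerB64}..${b64u(signature)}`;
  return { ...doc, proof: { type: 'ExampleDetachedJws', verificationMethod, jws } }; // type is hypothetical
}

function verifyProof(doc, publicJwk) {
  const [headerB64, payload, sigB64, ...rest] = String(doc.proof?.jws ?? '').split('.');
  if (!headerB64 || payload !== '' || !sigB64 || rest.length) return false;
  let header;
  try { header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8')); } catch { return false; }
  // Pin the algorithm on the verifier side instead of trusting whatever the header claims.
  if (header?.alg !== 'EdDSA' || header.b64 !== false) return false;
  const key = createPublicKey({ key: publicJwk, format: 'jwk' });
  return verify(null, signingInput(headerB64, doc), key, Buffer.from(sigB64, 'base64url'));
}

// Constructed sample: throwaway key, made-up credential and key identifier.
const demoKeys = generateKeyPairSync('ed25519');
const demoJwk = demoKeys.publicKey.export({ format: 'jwk' }); // JWK with kty 'OKP', crv 'Ed25519'
const demoSigned = addProof({ id: 'urn:example:credential:1', name: 'Alice' }, demoKeys.privateKey, 'did:example:123#key-1');
console.log(verifyProof(demoSigned, demoJwk), verifyProof({ ...demoSigned, name: 'Mallory' }, demoJwk));
```

Because the verifier only needs the JWK, any implementation that can parse that key format can check the proof, which is the interoperability point made above.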

If you’d like to get started with this library you can:

Credits

Work funded by the Department of Homeland Security’s (DHS) Silicon Valley Innovation Program (SVIP). Read more about our work with DHS and Customs and Border Protection (CBP) here: https://www.dhs.gov/science-and-technology/news/2019/11/08/news-release-dhs-awards-198k-raw-material-import-tracking

Resources
