- Overview
- Tutorials
- How Tos
- Download
- Install
- Configure
- Secure
- TLS API Configuration
- Configure API Authentication and Authorization with JWT
- Configure API Limits
- Set Resource Limits
- Crypto key management
- Restrict key usage
- Namespace Key Management
- Key management service (KMS) configuration
- Optimize
- Observe
- Operate
- Initializing node identity manually
- Canton Console
- Synchronizer connections
- High Availability Usage
- Manage Daml packages and archives
- Participant Node pruning
- Party Management
- Party Replication
- Decentralized party overview
- Setup an External Party
- Ledger API User Management
- Node Traffic Management
- Identity Management
- Upgrade
- Decommission
- Recover
- Troubleshoot
- Explanations
- Reference
Supported Cryptographic Schemes¶
Within Canton, we use the cryptographic primitives of signing, symmetric encryption, and asymmetric encryption, with the following supported cryptographic schemes. For asymmetric signing and encryption, each scheme is divided into a key and an algorithm specification.
Note
Legend for the following tables:
S = Supported
P¹ = Partially supported — only supports signature verification, not signing with a private key
P² = Partially supported — only supports encryption, not decryption with a private key
Values in brackets ([<scheme>]) indicate the configuration strings to use in Canton
Key Spec |
JCE |
KMS |
Purpose |
|---|---|---|---|
EC-Curve25519 [ec-curve-25519] |
S |
P¹ |
Signing |
EC-P256 [ec-p-256] |
S |
S |
Signing, Encryption |
EC-P384 [ec-p-384] |
S |
S |
Signing |
EC-Secp256k1 [ec-secp-256k-1] |
S |
S |
Signing |
RSA-2048 [rsa-2048] |
S |
S |
Encryption |
Algorithm |
JCE |
KMS |
Supported Key Specs |
|---|---|---|---|
Ed25519 [ed-25519] |
S |
P¹ |
EC-Curve25519 |
EC-DSA-SHA256 [ec-dsa-sha-256] |
S |
S |
EC-P256, EC-Secp256k1 |
EC-DSA-SHA384 [ec-dsa-sha-384] |
S |
S |
EC-P384 |
Algorithm |
JCE |
KMS |
Supported Key Specs |
|---|---|---|---|
ECIES-HMAC-SHA256-AES128-GCM [ecies-hkdf-hmac-sha-256-aes-128-gcm] |
S |
P² |
EC-P256 |
ECIES-HMAC-SHA256-AES128-CBC [ecies-hkdf-hmac-sha-256-aes-128-cbc] |
S |
P² |
EC-P256 |
RSA-OAEP-SHA256 [rsa-oaep-sha-256] |
S |
S |
RSA-2048 |
Crypto provider |
JCE Default Scheme |
KMS Default Scheme |
|---|---|---|
Signing key specification |
EC-Curve25519 |
EC-P256 |
Signing algorithm specification |
Ed25519 |
EC-DSA-SHA256 |
Asymmetric encryption key specification |
EC-P256 |
RSA-2048 |
Asymmetric encryption algorithm |
ECIES with HMAC-SHA256 and AES128-GCM |
RSA with OAEP and SHA-256 |
Symmetric encryption scheme [1] |
AES128-GCM |
Same as JCE |
Hash Algorithm [2] |
SHA-256 |
Same as JCE |
PBKDF [3] |
Argon2id |
Same as JCE |
Provider |
SIGNING |
ENCRYPTION |
|---|---|---|
AWS |
|
|
GCP |
|
|
Driver |
|
|