Overview API Downloads
NotesHash verification

Hash verification draft

Condensation's security model relies on the verification of hashes when retrieving objects from a store. If hashes are not verified, malicious data modification will remain unnoticed.

However, hash verification also entails a computational overhead. While SHA256 is a fairly fast and efficient algorithm, hash verification will consume additional energy and time.

Hence, hash verification (e.g. through chaining a hash verification store) should be used consideredly. As a rule of thumb, hash verification should be done for remote stores, but not for local stores.

Local stores

Hash verification will not add any security if the attacker has access to the private key. This is typically the case on the applications's device, where the application – by design – needs to have access to the private key.

Exceptions are high-security settings, where the private key remains in a protected area, while the store is easily accessible. Conceptually, one could consider this a remote store (relative to the private key).

Remote stores

For remote stores, hashes should always be verified inside the application.

Condensation is free and open. You may use all contents of this website under the terms of the CC BY 4.0 license, attributing the work to condensation.io. Source code is available under the MIT license.
This website is work in progress. If you have suggestions, or want to talk about Condensation, please get in touch with us.
Page status: unknown