
Our Precious: Cryptographic Support for WASIX

The inclusion of the ring crate brings cryptographic operations and TLS clients to WASIX.

dynamite-bud
Rudra


August 10, 2023


WASIX now supports cryptographic operations and TLS. As you may have guessed from the title, we will talk about ring: what makes it so precious and how it is used with WASIX.

Cryptography for WebAssembly System Interface/Extended (WASI/WASIX)

The cryptographic enhancements for WASI/WASIX have been eagerly anticipated. Currently, WASI is considering a proposal named WASI Crypto, championed by Frank Denis and Daiki Ueno, which is in the Phase 1 - Feature Proposal (CG) stage. As WebAssembly's future holds promising new avenues, Wasmer is committed to rapid innovation, ensuring that WebAssembly consistently leads in secure and optimized computing.

Why Cryptographic Support is Essential:

The implementation of cryptographic libraries like OpenSSL or BoringSSL in systems provides a foundational layer of security and functionality. Here's what these libraries bring to the table:

  1. Secure Communication: These libraries enable secure communication protocols like TLS/SSL, which are used by web browsers, email clients, VPNs, and many other applications to encrypt data in transit. This ensures that sensitive data, such as login credentials or personal information, is protected.

  2. Data Encryption: They provide tools for encrypting data at rest. This includes encrypting user data, databases, or entire filesystems, ensuring data confidentiality even if physical storage is compromised.

  3. Digital Signatures: These libraries support the creation and verification of digital signatures, ensuring data integrity and non-repudiation.

  4. Secure Random Number Generation: Cryptographically secure random number generation is essential for many security-related tasks, such as generating encryption keys or nonces.

  5. VPN Support: Cryptographic libraries are fundamental for VPN (Virtual Private Network) functionality, allowing secure and private communication over public networks.

  6. Standardization and Interoperability: By implementing standardized cryptographic algorithms and protocols, these libraries ensure compatibility and interoperability between different systems and applications.

Implementation for WASI/WASIX

The library that makes cryptographic communication possible in WASI/WASIX is ring, a library focused on the implementation, testing, and optimization of a core set of cryptographic operations. It is small and fast, and it was the perfect candidate because work was already underway to compile it for WASI in these PRs:

However, our attempts were unsuccessful. But this was not the end of the road. It caught our interest again when Frank Denis compiled ring for WASI and WASIX in his ring-wasi. This was really exciting, so we quickly forked the repo and started testing it in WASIX. Sadly, it didn't work, but it got us to a 99% working implementation.

So, after sleepless nights and lots of coffee, we successfully integrated our fork of ring with WASIX. This was a huge milestone for us and we were really excited to share it with the community. But compiling standalone ring isn't enough. It's just like giving people a key to a door that doesn't exist. We needed applications, and for applications we needed libraries. So we started making libraries compatible with WASIX and our fork of ring.

Libraries that we made compatible with WASIX:

The libraries mentioned above make all sorts of applications and use cases possible in WASIX. First and foremost, they bring TLS to WASIX.

TLS in WASIX

TLS was one of the most rewqested features (pun intended).

TLS is a cryptographic protocol that provides end-to-end encryption and authentication over the internet. Many protocols, such as HTTPS, FTP over TLS, and MQTT, use TLS to secure their communication.

TLS works by using a handshake protocol to establish a secure connection between two parties. This handshake protocol is implemented by cryptographic libraries such as OpenSSL, LibreSSL, BoringSSL, etc.

Enabling TLS with ring means WASIX can now be used for outbound HTTPS requests, external API calls, etc. This opens up a lot of use cases for WASIX.

  1. Secure Access to APIs: Many modern APIs require a client to communicate over HTTPS. With TLS support, WASIX applications can securely access these APIs directly.
  2. Secure Database Connections: WASIX applications can use TLS to connect securely to databases that support encrypted connections. This ensures that sensitive data is protected during transit.
  3. Secure Third-Party Integrations: If your WASIX applications need to interact with third-party services (like payment gateways, OAuth providers, etc.), TLS client support allows these interactions to occur securely.
  4. Ingress and Egress Data Security: Implementing TLS clients ensures that both incoming and outgoing data from the application is secure, a significant benefit in complex systems where both ingress and egress points need to be equally secure.
  5. CDN and Edge Computing: TLS client support can ensure secure communication with Content Delivery Networks (CDNs) and edge computing resources, protecting data integrity and confidentiality while improving content delivery speed.
  6. Confidential Computing: With TLS client support, applications can securely retrieve and use confidential data, cryptographic keys, or certificates from remote secure servers or key management systems.
  7. IoT Applications: In IoT applications, devices often need to communicate with a central server. TLS client support can be used to ensure these communications are secure.

The benefits of having a cryptographic library like ring in WASIX don't end at TLS. It opens up a lot of other use cases as well.

Other Cryptographic Use Cases

  1. Hashing and Data Integrity: WASIX applications can compute cryptographic hashes of data, ensuring its integrity. This is especially useful for verifying the integrity of downloaded files or validating data before processing.
  2. Zero-Knowledge Proofs: WASIX applications can implement zero-knowledge proofs, allowing one party to prove to another that a statement is true without revealing any specific information about the statement itself.
  3. Enhanced Privacy: Cryptographic techniques such as homomorphic encryption can be implemented, allowing WASIX applications to perform computations on encrypted data without decrypting it. This ensures data privacy even during processing.
  4. Secure Key Management: Applications can generate, store, and manage cryptographic keys securely within the WebAssembly environment, reducing the risk of key exposure or compromise.
  5. Secure Multi-Party Computation: With crypto support, WASIX can facilitate secure multi-party computations, allowing multiple parties to collaboratively compute a function over their inputs while keeping those inputs private.

Conclusion

The inclusion of the cryptographic library ring in WASIX brings support for TLS, SSL, and all other cryptographic operations, and opens up a lot of use cases and possibilities for the community to build almost anything.

You can try out our starter tutorial for outbound proxies here. More examples will follow suit.

We would also like to extend our gratitude to Frank Denis for his work on the ring-wasi implementation.

If you have any questions, feel free to reach out to us on Discord.
