Galileo leverages end-to-end encryption between senders and receivers of data as well as a secure architecture connecting the components of the application.
Galileo Installation Security and Certifications
Microsoft Code Signing Certificate
Hyperdyne, Inc. holds a Microsoft Inc. Code Signing Certificate. This certificate authenticates Hyperdyne, Inc. as the producer and publisher of your local version of Galileo every time it is downloaded and executed. This ensures receipt of the code developed at Hyperdyne, Inc., a business entity registered in the state of Delaware and an authorized Windows developer.
Apple Developer Program
Hyperdyne, Inc. is authorized for app development on Apple-branded products through Apple’s Custom App Distribution authorization. For the time being, Hyperdyne, Inc. distributes its authorized apps outside of the App Store and Apple Business Manager.
Data Handling, Security & Privacy
Galileo is composed of three main parts:
- Front-end interface (GUI, CLI, API)
- Middleware daemon
- Back-end server hosted on Google Cloud
While the front-end and middleware are often run on the same machine, it is in some cases useful for them to run on different machines. For this reason, Hyperdyne, Inc. architected secure communication between these components with a mix of HTTPS (HTTP over TLS) and WSS (WebSockets over TLS). TLS (Transport Layer Security) is a time-tested, industry-standard cryptographic protocol, widely used for internet communications and online transactions, that provides end-to-end communications security over networks. In this way, communications are rendered decipherable to the intended recipient alone. The middleware also communicates with the back-end through a combination of HTTPS and WSS.
An explanation of secure communications between front-end and back-end is not applicable because they seldom communicate directly. If the front-end is non-graphical (CLI, API), then it may perform authentication directly with the back-end via HTTPS (secure as per the explanation above). Aside from this one instance, the front-end never communicates with the back-end. All communications with the back-end are hashed (256-bit SHA3) and signed (2048-bit RSA, RSASSA-PSS) to ensure message integrity and authenticity.
Three types of data transfer may occur between users:
- Data Sets
- Jobs: instructions regarding where to execute code and what Data Set(s)
- Job Results: data & metadata generated after code execution
In all cases the information is encrypted end-to-end between sender and receiver via the following process:
- Sender middleware encrypts the data using AES-CTR (256-bit key, 128-bit unique counter block).
- Sender middleware sends the encrypted data to the server to await retrieval.
- Sender middleware sends an encrypted message containing the AES key to the server to await retrieval. This message is encrypted with the Double Ratchet Algorithm.
- Receiver middleware retrieves the encrypted message from the server and decrypts it to attain the AES key. This message is decrypted with the Double Ratchet Algorithm.
- Receiver middleware retrieves the encrypted data and decrypts it using the AES key.
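The transfer steps above, as an added Node.js sketch that is not Hyperdyne's code. All function names are hypothetical, the Double Ratchet delivery of the AES key is not implemented (the key is handed to the receiver directly), and signing the stored blob with RSASSA-PSS over SHA3-256 is an assumption that borrows the back-end signing scheme described earlier, because AES-CTR on its own does not detect modified ciphertext.

```javascript
// Added example: hypothetical names, constructed sample data, not Galileo's code.
const nodeCrypto = require('node:crypto');
const PSS = { padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING,
              saltLength: nodeCrypto.constants.RSA_PSS_SALTLEN_DIGEST };

// Sender: fresh 256-bit key and fresh 128-bit counter block for every transfer.
// Reusing a (key, counter block) pair would reuse the keystream.
function encryptTransfer(plaintext, signingKey) {
  const key = nodeCrypto.randomBytes(32);
  const counterBlock = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-ctr', key, counterBlock);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  // Assumption: the signature covers counter block + ciphertext.
  const signature = nodeCrypto.sign('sha3-256',
    Buffer.concat([counterBlock, ciphertext]), { key: signingKey, ...PSS });
  // `stored` is what the server holds; `key` travels only in the
  // ratchet-encrypted message (not modelled here).
  return { key, stored: { counterBlock, ciphertext, signature } };
}

// Receiver: verify first, because CTR decryption accepts any ciphertext.
function decryptTransfer(key, stored, verifyKey) {
  const ok = nodeCrypto.verify('sha3-256',
    Buffer.concat([stored.counterBlock, stored.ciphertext]),
    { key: verifyKey, ...PSS }, stored.signature);
  if (!ok) throw new Error('signature check failed: stored data was altered');
  const d = nodeCrypto.createDecipheriv('aes-256-ctr', key, stored.counterBlock);
  return Buffer.concat([d.update(stored.ciphertext), d.final()]);
}

// Round trip plus a tamper check against a constructed Data Set.
function demo() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const data = Buffer.from('constructed sample Data Set: 1,2,3');
  const { key, stored } = encryptTransfer(data, privateKey);
  const roundTrip = decryptTransfer(key, stored, publicKey).equals(data);
  // Flip one ciphertext bit, as a faulty or dishonest store could.
  const tampered = { ...stored, ciphertext: Buffer.from(stored.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  let rejected = false;
  try { decryptTransfer(key, tampered, publicKey); } catch { rejected = true; }
  return { roundTrip, rejected,
           serverSeesPlaintext: stored.ciphertext.includes(data) };
}
```

Without the verification step, the tampered blob would decrypt without error to a plaintext differing in exactly the flipped bit.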
Hyperdyne, Inc. uses the following implementations in its security stack: