Security

Didit incorporates robust security measures to protect user data and maintain the highest levels of privacy and security. Its approach involves using hardware vaults for encryption and signing JWT to ensure optimal security for all parties.

User data NEVER leaves Didit or is decrypted without user authorization.

Key Management and Cryptography

  • Asymmetric Key: ECC_NIST_P256 is used for key generation, providing strong security for sensitive data.

  • Signature Algorithm: ECDSA_SHA_256 is used for signing JSON Web Tokens (JWT).

  • Encryption Algorithm: AES-256-GCM is used for encrypting user data on the authorization server and databases.

Hardware Vault Integration

Hardware vaults are used for encryption and signing operations, adding an additional layer of security to the protocol. The keys used for signing JWT tokens and encrypting data are securely stored within the hardware vault and cannot be extracted.

Double Encryption of User Data

User data is protected using a two-step encryption process:

  1. Authorization Server Encryption: Each user claim is encrypted on the authorization server using the AES-256-GCM symmetric encryption algorithm, provided by the hardware vault.

  2. Database Encryption: The database itself employs another encryption using a new symmetric key from the hardware vault.

This dual encryption method ensures the safety of user data, even in the event of a database breach. Strong policies are also in place, so only the authorization server can decrypt the requested claims.

Asymmetric Cryptography and Signatures

Asymmetric cryptography (public-key cryptography) is used to sign the JWT tokens. The ECC_NIST_P256 asymmetric key and the ECDSA_SHA_256 signing algorithm provide strong security for data protection and authentication.

Replay attacks protection

To prevent replay attacks, Didit implements unique challenges and one-time-use codes for each authentication request. This approach ensures that intercepted or reused authentication requests cannot be successfully executed by malicious actors.

  1. Unique Challenges: During the authentication process, Didit generates a unique challenge for each request. The challenge must be solved by the user or their device to validate the authenticity of the request. This mechanism prevents attackers from resubmitting a previously captured authentication request.

  2. One-Time-Use Codes: Didit issues single-use codes for authentication. Once a code has been used, it becomes invalid, preventing any attempts to reuse it for unauthorized access.

By employing these security measures, Didit effectively mitigates the risk of replay attacks and maintains the integrity of the authentication process.

Ongoing Security Enhancements

Didit team is continuously researching and implementing new security features. Upcoming versions of the protocol will focus on enabling users to encrypt data using their digital wallets before sending it to Didit, further strengthening privacy and security.

In conclusion, Didit employs multiple layers of security measures, including asymmetric cryptography, hardware vault integration, and double encryption of user data, to protect user information and maintain privacy.

Compliance and Audits

  • Pentest Audit: Regular penetration testing audits are conducted to identify and address potential vulnerabilities.

  • GDPR: Didit is fully compliant with GDPR, ensuring user data protection and privacy.

  • ISO 27001: This certification affirm our commitment to information security management standards.

Last updated