# Security

Didit incorporates robust security measures to protect user data and maintain the highest levels of privacy and security. Its approach involves using hardware vaults for encryption and signing JWT to ensure optimal security for all parties.

{% hint style="info" %}
User data **NEVER** leaves Didit or is decrypted without user authorization.
{% endhint %}

### Key Management and Cryptography <a href="#key-management-and-cryptography" id="key-management-and-cryptography"></a>

* Asymmetric Key: `ECC_NIST_P256` is used for key generation, providing strong security for sensitive data.
* Signature Algorithm: `ECDSA_SHA_256` is used for signing JSON Web Tokens (JWT).
* Encryption Algorithm: `AES-256-GCM` is used for encrypting user data on the authorization server and databases.

### Hardware Vault Integration <a href="#hardware-vault-integration" id="hardware-vault-integration"></a>

Hardware vaults are used for encryption and signing operations, adding an additional layer of security to the protocol. The keys used for signing JWT tokens and encrypting data are securely stored within the hardware vault and cannot be extracted.

### Double Encryption of User Data <a href="#double-encryption-of-user-data" id="double-encryption-of-user-data"></a>

User data is protected using a two-step encryption process:

1. **Authorization Server Encryption**: Each user claim is encrypted on the authorization server using the `AES-256-GCM` symmetric encryption algorithm, provided by the hardware vault.
2. **Database Encryption**: The database itself employs another encryption using a new symmetric key from the hardware vault.

This dual encryption method ensures the safety of user data, even in the event of a database breach. Strong policies are also in place, so only the authorization server can decrypt the requested claims.

### Asymmetric Cryptography and Signatures <a href="#asymmetric-cryptography-and-signatures" id="asymmetric-cryptography-and-signatures"></a>

Asymmetric cryptography (public-key cryptography) is used to sign the JWT tokens. The `ECC_NIST_P256` asymmetric key and the `ECDSA_SHA_256` signing algorithm provide strong security for data protection and authentication.

### Replay attacks protection <a href="#replay-attacks-protection" id="replay-attacks-protection"></a>

To prevent replay attacks, Didit implements unique challenges and one-time-use codes for each authentication request. This approach ensures that intercepted or reused authentication requests cannot be successfully executed by malicious actors.

1. **Unique Challenges**: During the authentication process, Didit generates a unique challenge for each request. The challenge must be solved by the user or their device to validate the authenticity of the request. This mechanism prevents attackers from resubmitting a previously captured authentication request.
2. **One-Time-Use Codes**: Didit issues single-use codes for authentication. Once a code has been used, it becomes invalid, preventing any attempts to reuse it for unauthorized access.

By employing these security measures, Didit effectively mitigates the risk of replay attacks and maintains the integrity of the authentication process.

### Ongoing Security Enhancements <a href="#ongoing-security-enhancements" id="ongoing-security-enhancements"></a>

Didit team is continuously researching and implementing new security features. Upcoming versions of the protocol will focus on enabling users to encrypt data using their digital wallets before sending it to Didit, further strengthening privacy and security.

In conclusion, Didit employs multiple layers of security measures, including asymmetric cryptography, hardware vault integration, and double encryption of user data, to protect user information and maintain privacy.

### Compliance and Audits <a href="#compliance-and-audits" id="compliance-and-audits"></a>

* **Pentest Audit**: Regular penetration testing audits are conducted to identify and address potential vulnerabilities.
* **GDPR**: Didit is fully compliant with GDPR, ensuring user data protection and privacy.
* **ISO 27001**: This certification affirm our commitment to information security management standards.