Merge pull request #335 from adorsys/update-doc-rnote-security-whitep…

…aper-with-new-ecc Update Doc and Security Whitepaper with ECC Integration
adorsys · Jul 16, 2024 · 824abf7 · 824abf7
2 parents 5edf83e + 94d034b
commit 824abf7
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/SECURITY.WHITEPAPER.md b/SECURITY.WHITEPAPER.md
@@ -23,6 +23,59 @@ CMS Encryption:
 * [RSAES-PKCS1-v1_5](#RSAES-PKCS1-v1_5) - key derivation algorithm for shared files (use public key);
 * [SHA256withRSA](#SHA256withRSA) - for public keys.
 
+## ECC Update
+
+With the latest release, Datasafe has transitioned from RSA to Elliptic Curve Cryptography (ECC) to enhance security and performance. This section details the new ECC implementation:
+
+#### Encryption and Signing
+
+- **Encryption Algorithm**: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`.
+- **Signing Algorithm**: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`.
+
+#### Benefits of ECC
+
+- **Security**: ECC offers stronger security per bit compared to RSA, making it more resistant to cryptographic attacks.
+- **Performance**: ECC algorithms generally require less computational power and are faster.
+- **Key Size**: ECC achieves comparable security to RSA with much smaller key sizes (256 bits for ECC vs. 2048 bits for RSA), resulting in reduced storage and transmission requirements.
+
+#### Implementation Details
+<details>
+<summary>Dynamically choosing between RSA and ECC</summary>
+
+```java
+private RecipientInfoGenerator getRecipientInfoGenerator(PublicKeyIDWithPublicKey keyWithId, KeyPair senderKeyPair) {
+ if ("RSA".equals(keyWithId.getPublicKey().getAlgorithm())) {
+ return new JceKeyTransRecipientInfoGenerator(keyWithId.getKeyID().getValue().getBytes(), keyWithId.getPublicKey());
+ }
+ if (Set.of("ECDH", "EC").contains(keyWithId.getPublicKey().getAlgorithm())) {
+ return getJceKeyAgreeRecipientInfoGenerator(senderKeyPair, keyWithId);
+ }
+ return null;
+}
+```
+in the updated implementation, the getRecipientInfoGenerator method dynamically chooses between RSA and ECC based on the algorithm associated with the public key. For ECC, it uses ECDH for encryption and SHA256withECDSA for signing.
+
+</details>
+
+## Release Notes
+
+##### ECC Integration
+
+#### Added
+- **Elliptic Curve Cryptography (ECC)**:
+ - Implemented ECC for improved security and performance.
+ - Encryption Algorithm: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`.
+ - Signing Algorithm: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`.
+
+#### Changed
+- **Encryption and Signing**:
+ - Transitioned from RSA to ECC, enhancing security and reducing key sizes.
+
+#### Improved
+- **Security**:
+ - ECC offers stronger security per bit compared to RSA.
+- **Key Size Reduction**:
+ - ECC achieves comparable security to RSA with much smaller key sizes, reducing storage and transmission requirements.
 ## General information
 Datasafe is a flexible encryption library. It uses different encryption algorithms. They can be 
 configured by client application. Under the hood Datasafe uses BouncyCastle library to perform encryption.