Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Doc and Security Whitepaper with ECC Integration #335

Merged
merged 2 commits into from
Jul 16, 2024
Merged

Update Doc and Security Whitepaper with ECC Integration #335

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
637a05e
update security whitepaper
AssahBismarkabah Jul 15, 2024
94d034b
update security whitepaper with release note
AssahBismarkabah Jul 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions SECURITY.WHITEPAPER.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,59 @@ CMS Encryption:
* [RSAES-PKCS1-v1_5](#RSAES-PKCS1-v1_5) - key derivation algorithm for shared files (use public key);
* [SHA256withRSA](#SHA256withRSA) - for public keys.

## ECC Update

With the latest release, Datasafe has transitioned from RSA to Elliptic Curve Cryptography (ECC) to enhance security and performance. This section details the new ECC implementation:

#### Encryption and Signing

- **Encryption Algorithm**: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`.
- **Signing Algorithm**: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`.

#### Benefits of ECC

- **Security**: ECC offers stronger security per bit compared to RSA, making it more resistant to cryptographic attacks.
- **Performance**: ECC algorithms generally require less computational power and are faster.
- **Key Size**: ECC achieves comparable security to RSA with much smaller key sizes (256 bits for ECC vs. 2048 bits for RSA), resulting in reduced storage and transmission requirements.

#### Implementation Details
<details>
<summary>Dynamically choosing between RSA and ECC</summary>

```java
private RecipientInfoGenerator getRecipientInfoGenerator(PublicKeyIDWithPublicKey keyWithId, KeyPair senderKeyPair) {
if ("RSA".equals(keyWithId.getPublicKey().getAlgorithm())) {
return new JceKeyTransRecipientInfoGenerator(keyWithId.getKeyID().getValue().getBytes(), keyWithId.getPublicKey());
}
if (Set.of("ECDH", "EC").contains(keyWithId.getPublicKey().getAlgorithm())) {
return getJceKeyAgreeRecipientInfoGenerator(senderKeyPair, keyWithId);
}
return null;
}
```
in the updated implementation, the getRecipientInfoGenerator method dynamically chooses between RSA and ECC based on the algorithm associated with the public key. For ECC, it uses ECDH for encryption and SHA256withECDSA for signing.

</details>

## Release Notes

##### ECC Integration

#### Added
- **Elliptic Curve Cryptography (ECC)**:
- Implemented ECC for improved security and performance.
- Encryption Algorithm: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`.
- Signing Algorithm: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`.

#### Changed
- **Encryption and Signing**:
- Transitioned from RSA to ECC, enhancing security and reducing key sizes.

#### Improved
- **Security**:
- ECC offers stronger security per bit compared to RSA.
- **Key Size Reduction**:
- ECC achieves comparable security to RSA with much smaller key sizes, reducing storage and transmission requirements.
## General information
Datasafe is a flexible encryption library. It uses different encryption algorithms. They can be
configured by client application. Under the hood Datasafe uses BouncyCastle library to perform encryption.
Expand Down