Fix #642: Add exact list of used cryptographic standards
petrdvorak committed Sep 17, 2024
1 parent ff4e82d commit e08dd67
Showing 5 changed files with 31 additions and 4 deletions.
28 changes: 28 additions & 0 deletions docs/List-of-Used-Algorithms.md
@@ -0,0 +1,28 @@
# List of Used Algorithms

The following algorithms are used in the PowerAuth cryptography scheme.

## PowerAuth 3 Protocol

- Current protocol version: `3.3`

### Cryptographic Primitives

| Algorithm | Impacts | Note |
|---------------|----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `AES-128` | mobile, server | Symmetric encryption with 128 bit keys. Used in `AES/CBC/PKCS7Padding` or `AES/CBC/NoPadding`, depending on use-case. |
| `Argon2` | server | Iterative hash used for storing recovery PUK values associated with recovery codes (`argon2i`). |
| `CRC-16` | mobile, server | Checksum algorithm, used to add a validation to the activation code (2 bytes out of 12 are allocated for checksum). |
| `ECDH` | mobile, server | Key agreement algorithm for ECC-based Diffie-Hellman, uses `secp256r1` curve. |
| `ECDSA` | mobile, server | Asymmetric signatures based on ECC, with `secp256r1` curve and `SHA256` hash function (`SHA256withECDSA`). |
| `ECIES` | mobile, server | Asymmetric encryption scheme based on ECC, with `secp256r1` and `X9.63` (`SHA256`) KDF function. |
| `HMAC-SHA256` | mobile, server | MAC algorithm with `SHA256` as underlying has function. Used in various situations across the protocol. |
| `HMAC-SHA512` | server | MAC algorithm with `SHA256` as underlying has function. Currently only used when validating TOTP in proximity OTP feature. |
| `PBKDF2` | mobile | Derivation function, used with `HMAC-SHA1` algorithm (`PBKDF2WithHmacSHA1`) and 10 000 iterations. _Note: Used exclusively for deriving a symmetric encryption key from PIN code on a mobile device, and hence strength of the algorithm is unimportant._ |
| `SHA256` | mobile, server | Hash function. Used in various situations across the protocol. |
| `X9.63` | mobile, server | Key derivation function with `SHA256`. Used for deriving keys with random index. |

### Algorithm Providers

- Server-Side: [Bouncy Castle](https://www.bouncycastle.org/)
- Client-Side: [OpenSSL](https://openssl-library.org/) (libCrypto)
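
Review bot: the `HMAC-SHA512` row says the MAC uses `SHA256` as its underlying function, which looks copied from the `HMAC-SHA256` row above it; it should read `SHA512`, and both rows say "has function" where "hash function" is meant. In the `PBKDF2` row, the claim that "strength of the algorithm is unimportant" is given without its reasoning; a sentence or link explaining why `PBKDF2WithHmacSHA1` with 10 000 iterations is acceptable for the PIN-derived key would help anyone auditing this list. The `AES-128` row could likewise name which use-cases take `AES/CBC/NoPadding`, since "depending on use-case" leaves the reader to find out elsewhere.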
1 change: 1 addition & 0 deletions docs/_Sidebar.md
Expand Up @@ -27,6 +27,7 @@
- [Activation Code Format](./Activation-Code.md)
- [Additional Activation OTP](./Additional-Activation-OTP.md)
- [Implementation Details](./Implementation-notes.md)
- [List of Used Algorithms](./List-of-Used-Algorithms.md)
- [List of Used Keys](./List-of-used-keys.md)

**Tutorials**
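
Review bot: the new link target `./List-of-Used-Algorithms.md` is title-cased while the neighbouring `./List-of-used-keys.md` is lower case after the first word; settle on one file-naming convention so links stay predictable on case-sensitive hosts.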
Expand Up @@ -43,9 +43,7 @@ public static byte[] concat(byte[]... arrays) {

/**
* Concatenate multiple byte arrays, including each component size.
*
* Sample output byte array structure: [size1][array1][size2][array2]
*
* In case byte array is empty, each empty component is encoded as: [0]
*
* @param arrays Byte arrays to join.
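
Review bot: with two lines dropped from this Javadoc (the header goes from 9 lines to 7), the line `Sample output byte array structure: [size1][array1][size2][array2]` has no terminating punctuation and will run into the sentence after it; end it with a period or wrap the layout in `{@code ...}`. The comment also does not say how wide each `[size]` prefix is, which a caller needs in order to parse or reproduce the output. This cleanup is unrelated to the documentation change named in the commit title and would be easier to review as its own commit.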
Expand Up @@ -108,7 +108,7 @@ public DataDigest(int length) throws GenericCryptoException {
* @return Digest fo provided data, including seed used to compute that digest.
*/
public Result generateDigest(List<String> items) {
if (items.size() == 0) {
if (items.isEmpty()) {
return null;
}
try {
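
Review bot: `generateDigest` still returns `null` for an empty list, and the `@return` line in the context above does not mention it, so callers have no documented reason to null-check the result; document the `null` case there, and fix "fo" to "for" while touching this Javadoc. `items.isEmpty()` also dereferences `items` with no null guard, the same as the old `items.size() == 0`; decide whether a null list should be rejected explicitly.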
Expand Up @@ -95,7 +95,7 @@ public static String canonizeGetParameters(String queryString) {
signatureBaseString.append(URLEncoder.encode(val, StandardCharsets.UTF_8));
}

return signatureBaseString.length() > 0 ? signatureBaseString.toString() : null;
return !signatureBaseString.isEmpty() ? signatureBaseString.toString() : null;
}

}
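
Review bot: `signatureBaseString.isEmpty()` only compiles on Java 15 or later if `signatureBaseString` is a `StringBuilder` (its `.append(...)` and `.length()` use suggests so), because `isEmpty()` arrived on `CharSequence` in that release; confirm the module's minimum Java target or keep `length() > 0`. The negated ternary would also read more directly as `signatureBaseString.isEmpty() ? null : signatureBaseString.toString()`.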
