From e08dd67291dcc0b790160fbc6bfc2396b8c6f499 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?=
Date: Tue, 17 Sep 2024 17:49:59 +0200
Subject: [PATCH] Fix #642: Add exact list of used cryptographic standards
---
 docs/List-of-Used-Algorithms.md | 28 +++++++++++++++++++
 docs/_Sidebar.md | 1 +
 .../powerauth/crypto/lib/util/ByteUtils.java | 2 --
 .../crypto/server/util/DataDigest.java | 2 +-
 .../PowerAuthRequestCanonizationUtils.java | 2 +-
 5 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 docs/List-of-Used-Algorithms.md
diff --git a/docs/List-of-Used-Algorithms.md b/docs/List-of-Used-Algorithms.md
new file mode 100644
index 000000000..1fd025445
--- /dev/null
+++ b/docs/List-of-Used-Algorithms.md
@@ -0,0 +1,28 @@
+# List of Used Algorithms
+
+The following algorithms are used in the PowerAuth cryptography scheme.
+
+## PowerAuth 3 Protocol
+
+- Current protocol version: `3.3`
+
+### Cryptographic Primitives
+
+| Algorithm | Impacts | Note |
+|---------------|----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `AES-128` | mobile, server | Symmetric encryption with 128 bit keys. Used in `AES/CBC/PKCS7Padding` or `AES/CBC/NoPadding`, depending on use-case. |
+| `Argon2` | server | Iterative hash used for storing recovery PUK values associated with recovery codes (`argon2i`). |
+| `CRC-16` | mobile, server | Checksum algorithm, used to add a validation to the activation code (2 bytes out of 12 are allocated for checksum). |
+| `ECDH` | mobile, server | Key agreement algorithm for ECC-based Diffie-Hellman, uses `secp256r1` curve. |
+| `ECDSA` | mobile, server | Asymmetric signatures based on ECC, with `secp256r1` curve and `SHA256` hash function (`SHA256withECDSA`). |
+| `ECIES` | mobile, server | Asymmetric encryption scheme based on ECC, with `secp256r1` and `X9.63` (`SHA256`) KDF function. |
+| `HMAC-SHA256` | mobile, server | MAC algorithm with `SHA256` as underlying has function. Used in various situations across the protocol. |
+| `HMAC-SHA512` | server | MAC algorithm with `SHA256` as underlying has function. Currently only used when validating TOTP in proximity OTP feature. |
+| `PBKDF2` | mobile | Derivation function, used with `HMAC-SHA1` algorithm (`PBKDF2WithHmacSHA1`) and 10 000 iterations. _Note: Used exclusively for deriving a symmetric encryption key from PIN code on a mobile device, and hence strength of the algorithm is unimportant._ |
+| `SHA256` | mobile, server | Hash function. Used in various situations across the protocol. |
+| `X9.63` | mobile, server | Key derivation function with `SHA256`. Used for deriving keys with random index. |
+
+### Algorithm Providers
+
+- Server-Side: [Bouncy Castle](https://www.bouncycastle.org/)
+- Client-Side: [OpenSSL](https://openssl-library.org/) (libCrypto)
\ No newline at end of file
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
index 46ead8980..a653a6ac0 100644
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
@@ -27,6 +27,7 @@
 - [Activation Code Format](./Activation-Code.md)
 - [Additional Activation OTP](./Additional-Activation-OTP.md)
 - [Implementation Details](./Implementation-notes.md)
+- [List of Used Algorithms](./List-of-Used-Algorithms.md)
 - [List of Used Keys](./List-of-used-keys.md)
 **Tutorials**
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java
index 985ce0d2f..a4e785fa7 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/lib/util/ByteUtils.java
@@ -43,9 +43,7 @@ public static byte[] concat(byte[]... arrays) {
 /**
 * Concatenate multiple byte arrays, including each component size.
- *
 * Sample output byte array structure: [size1][array1][size2][array2]
- *
 * In case byte array is empty, each empty component is encoded as: [0]
 *
 * @param arrays Byte arrays to join.
diff --git a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java
index 9ff71068b..bff3d5a17 100644
--- a/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java
+++ b/powerauth-java-crypto/src/main/java/io/getlime/security/powerauth/crypto/server/util/DataDigest.java
@@ -108,7 +108,7 @@ public DataDigest(int length) throws GenericCryptoException {
 * @return Digest fo provided data, including seed used to compute that digest.
 */
 public Result generateDigest(List items) {
- if (items.size() == 0) {
+ if (items.isEmpty()) {
 return null;
 }
 try {
diff --git a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java
index bb317a52b..ddaf17e87 100644
--- a/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java
+++ b/powerauth-java-http/src/main/java/io/getlime/security/powerauth/http/PowerAuthRequestCanonizationUtils.java
@@ -95,7 +95,7 @@ public static String canonizeGetParameters(String queryString) {
 signatureBaseString.append(URLEncoder.encode(val, StandardCharsets.UTF_8));
 }
- return signatureBaseString.length() > 0 ? signatureBaseString.toString() : null;
+ return !signatureBaseString.isEmpty() ? signatureBaseString.toString() : null;
 }
 }
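Review bot: The `@return` line above `generateDigest` in DataDigest.java does not mention that the method returns `null` for an empty list, so a caller reading only the Javadoc has no reason to check the result before using the digest. I would state the contract there, for example `@return Digest for provided data, including seed used to compute that digest, or null if the item list is empty.`, which also fixes the `fo` typo. A `null` `items` argument would throw at `items.isEmpty()` before the empty-list branch; no guard is visible in the hunk, so either document that `items` must be non-null or add one. The method body continues past the end of the hunk, so what happens inside the `try` is not visible here.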
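Review bot: `!signatureBaseString.isEmpty()` on the changed return line in PowerAuthRequestCanonizationUtils.java compiles only on Java 15 or newer, assuming `signatureBaseString` is a `StringBuilder` (its declaration is outside the hunk), because `isEmpty()` became available on `CharSequence` in that release. The replaced `signatureBaseString.length() > 0` form had no such requirement, so if this module's language level is below 15 the old expression should stay. `canonizeGetParameters` still returns `null` when nothing was appended; a short comment on the return line such as `// null (not "") signals that there are no parameters to sign` would make that contract explicit for code that builds the signature base string. The method starts before the hunk.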