Skip to content

Security Policy and Guidelines

Security is a critical aspect of the Evrmore Authentication system. This document outlines our security policies, best practices, and guidelines for both users and contributors.

Reporting Security Vulnerabilities

If you discover a security vulnerability in the Evrmore Authentication system, please follow these steps:

  1. Do not disclose the vulnerability publicly until it has been addressed by the maintainers.
  2. Email the details to dev@manticore.technology with the subject line "Security Vulnerability: Evrmore Authentication".
  3. Include the following information in your report:
  4. Description of the vulnerability
  5. Steps to reproduce
  6. Potential impact
  7. Suggested fix (if available)
  8. The maintainers will acknowledge receipt of your report within 48 hours.
  9. You will receive updates on the progress of addressing the vulnerability.
  10. Once the vulnerability is fixed, you will be credited for the discovery (unless you request anonymity).

Security Model

The Evrmore Authentication system is designed with the following security principles:

Authentication Flow Security

  1. Challenge-Response Mechanism: The system uses a cryptographic challenge-response mechanism to verify ownership of Evrmore addresses.
  2. Signature Verification: Signatures are verified using the Evrmore blockchain's cryptographic functions.
  3. Time-Limited Challenges: Challenges expire after a configurable time period to prevent replay attacks.
  4. Single-Use Challenges: Each challenge can only be used once for authentication.

Token Security

  1. JWT Standards: The system uses JSON Web Tokens (JWT) that follow industry standards.
  2. Configurable Expiration: Token expiration times are configurable to balance security and user experience.
  3. Token Invalidation: Tokens can be invalidated for logout or security purposes.
  4. Refresh Token Rotation: When using refresh tokens, they are rotated on each use to prevent token theft.

OAuth 2.0 Security

  1. Standard OAuth Flows: The system implements standard OAuth 2.0 flows with security best practices.
  2. PKCE Support: Support for Proof Key for Code Exchange (PKCE) to secure authorization code flow.
  3. State Parameter: Required state parameter to prevent CSRF attacks.
  4. Scope Validation: Strict validation of requested scopes.
  5. Redirect URI Validation: Strict validation of redirect URIs against registered values.

Security Best Practices for Deployment

When deploying the Evrmore Authentication system, follow these best practices:

Environment Security

  1. Use HTTPS: Always deploy the authentication server with HTTPS in production.
  2. Secure Secrets: Store JWT secrets and other sensitive configuration in secure environment variables or a secrets manager.
  3. Principle of Least Privilege: Run the service with the minimum required permissions.
  4. Firewall Configuration: Restrict network access to the authentication server as appropriate.

Configuration Security

  1. JWT Secret: Use a strong, unique secret for JWT signing or, preferably, use asymmetric keys.
  2. Token Expiration: Set appropriate token expiration times (recommended: access tokens 15-60 minutes, refresh tokens 1-14 days).
  3. Rate Limiting: Enable rate limiting to prevent brute force attacks.
  4. Database Security: Secure the database with proper authentication and encryption.

Monitoring and Logging

  1. Security Logging: Enable security event logging for authentication attempts, token issuance, and other security-relevant events.
  2. Log Protection: Ensure logs don't contain sensitive information and are protected from unauthorized access.
  3. Monitoring: Set up monitoring for unusual authentication patterns or potential attacks.
  4. Alerts: Configure alerts for suspicious activities.

Security Guidelines for Developers

If you're contributing to the Evrmore Authentication system, follow these security guidelines:

Code Security

  1. Input Validation: Validate all user inputs, including Evrmore addresses, signatures, and OAuth parameters.
  2. Output Encoding: Properly encode outputs to prevent injection attacks.
  3. Dependency Management: Keep dependencies updated and regularly check for security vulnerabilities.
  4. Code Reviews: All security-sensitive code should undergo thorough code review.

Cryptographic Practices

  1. Use Established Libraries: Use established cryptographic libraries rather than implementing custom cryptographic functions.
  2. Follow Standards: Follow cryptographic standards and best practices.
  3. Key Management: Implement proper key management practices.
  4. Avoid Hardcoding: Never hardcode secrets or keys in the source code.

Authentication and Authorization

  1. Separation of Concerns: Keep authentication and authorization logic separate.
  2. Principle of Least Privilege: Implement access controls based on the principle of least privilege.
  3. Session Management: Implement secure session management practices.
  4. Error Messages: Use generic error messages that don't reveal sensitive information.

Security Testing

The Evrmore Authentication system undergoes regular security testing:

  1. Automated Security Testing: Automated security tests are run as part of the CI/CD pipeline.
  2. Dependency Scanning: Regular scanning for vulnerabilities in dependencies.
  3. Code Scanning: Static code analysis to identify potential security issues.
  4. Penetration Testing: Periodic penetration testing by security professionals.

Security Compliance

The Evrmore Authentication system is designed to help applications comply with various security standards and regulations:

  1. OWASP Top 10: Addresses the OWASP Top 10 web application security risks.
  2. OAuth 2.0 Security Best Practices: Follows the OAuth 2.0 Security Best Current Practice.
  3. GDPR Considerations: Designed with privacy and data protection in mind.

Security FAQs

How are user credentials stored?

The Evrmore Authentication system does not store user passwords. It uses Evrmore wallet signatures for authentication, which means users prove their identity by signing messages with their private keys, which are never transmitted to the server.

How are tokens secured?

Tokens are secured using industry-standard JWT practices, including: - Digital signatures to prevent tampering - Expiration times to limit the window of opportunity for token theft - The ability to invalidate tokens if compromised

Is my data encrypted?

Sensitive data in the database is encrypted. All communication with the authentication server should be over HTTPS to ensure data in transit is encrypted.

How do I secure my client application?

For client applications: - Store tokens securely (e.g., in HttpOnly cookies for web applications) - Implement proper CSRF protection - Use HTTPS for all communication - Validate all data received from the authentication server - Implement proper error handling

What should I do if I suspect a security breach?

If you suspect a security breach: 1. Invalidate all potentially affected tokens 2. Rotate any compromised secrets 3. Contact the maintainers at dev@manticore.technology 4. Investigate the breach and take appropriate remediation steps

Security Resources

Acknowledgments

We would like to thank all security researchers and contributors who have helped improve the security of the Evrmore Authentication system.