VIDA is a provider of digital signature solutions.

Solution High Level Overview

Schedule & Deliverables

Latest schedule (29. Aug.)

All the deliverables and documentation are available here: https://drive.google.com/drive/folders/1hXAOb_iWxcySKrzTF54aRKsJJRgWBxhB?usp=sharing

Latest (please note that the folder name is different, the content has been updated)

27 Oct, 2022: BE

31 Oct, 2022: Android

18 Nov, 2022: iOS

Planned features

  • service to register arbitrary pubkeys

  • VIDA has plans to allow mTLS in the Partner BE - VIDA communication

  • VIDA has plans to replace the Shared Secret with tokens in the VDA CDK - VIDA BE communication

Planned delivery is end of November.

Flows

Register Device

Sign Message

Change Password

Enable / Disable biometrics

SDK Security Assessment

Please confirm that the SDK uses a hw backed secure store for key generation, storage and for executing the signature computation algorithm on both Android and iOS if hw support is available.

Yes. We use the platform backed hardware secure store for all the operations wherever available.

Please detail what happens if hw support is not available. Does the SDK still use platform provided crypto APIs for generating, storing the private key and for executing the signature computation algorithm?

The SDK utilizes the platform provided crypto APIs. So the platform default behavior prevails in such cases.

Please detail for each platform (iOS, Android) the restrictions in place (if there are any) that limit an attacker from using brute force to figure out the password that protects the key. Is there any limitation on the number of retries or the time interval between the retries? Is this limitation VIDA SDK based, platform based or hw based?

We have not implemented any additional restrictions. We will review if such restrictions can be configured in the platforms and if the application developers can configure these as a security setting for their applications.

Is there any protection to limit the biometric authentication retries if this is used to protect the key?

We rely on the platform for these and do not configure anything specific to override the platform defaults. We will review if applications can set up any parameters to configure these in the platform.

Attachments:

VIDA-Proposal-PushSign.pdf (application/pdf)
Push Registration And Offline Sign.pdf (application/pdf)
Schedule - VIDA Auth - Confluence.pdf (application/pdf)
Push Registration And Offline Sign (1).pdf (application/pdf)
~drawio~6203b4b4e5caff0070e2aa9c~PKI User Presence Auth Points.drawio.tmp (application/vnd.jgraph.mxfile)
PKI User Presence Auth Points.drawio (application/vnd.jgraph.mxfile)
PKI User Presence Auth Points.drawio.png (image/png)
Push Registration And Offline Sign (2).pdf (application/pdf)
Push Registration And Offline Sign v3.pdf (application/pdf)
PushsigningSDKflow v1.pdf (application/pdf)
delivery - 12 Aug.zip (application/zip)
delivery - 6 Aug.zip (application/zip)
ProposedPushsigningSDKflow-V2.pdf (application/pdf)
Push Registration And Offline Sign v5.pdf (application/pdf)
Push Registration And Offline Sign v4.pdf (application/pdf)
PushsigningSDKflow v2.pdf (application/pdf)
Push Registration And Offline Sign - Revised Schedule - 260822.pdf (application/pdf)
delivery - 26 Aug - BE.zip (application/zip)
delivery - 26 Aug - iOS.zip (application/zip)
delivery - 29 Aug - Android.zip (application/zip)
Screenshot 2022-11-16 at 18.50.12.png (image/png)
ProposedPushsigningSDKflow-V2_1.pdf (application/pdf)
CDK-security.pdf (application/pdf)
Screenshot 2022-11-24 at 12.02.54.png (image/png)
Screenshot 2022-11-24 at 12.03.39.png (image/png)
Screenshot 2022-11-24 at 12.04.38.png (image/png)
Screenshot 2022-11-24 at 12.05.12.png (image/png)
Screenshot 2022-11-24 at 12.06.31.png (image/png)