Security Model
Altug Tatlisu edited this page Dec 6, 2025 · 1 revision
Trusted:
- Institution's private key security
- Database integrity (PostgreSQL)
- Cache integrity (Redis)
Untrusted:
- Network communication
- Client software
- External observers
- Network eavesdropping
- Man-in-the-middle attacks
- Client compromise
- Double-spend attempts
- Network: TLS 1.3 encryption
- Database: At-rest encryption (operator configured)
- Keys: HSM storage recommended for production
- Signatures: RSA-3072 provides existential unforgeability
- Transactions: PostgreSQL ACID guarantees
- Messages: SHA-256 collision resistance
- Unlinkability: Blind signatures prevent linking withdrawal to spending
- Privacy: Server cannot determine which client spent which token
Redemption Request
↓
Redis Check (fast)
↓
PostgreSQL Check (reliable)
↓
Atomic Insert
Properties:
- Redis: O(1) lookup, in-memory
- PostgreSQL: ACID guarantees, persistent
- Atomic: Both succeed or both fail
PostgreSQL transaction isolation:
```sql
BEGIN TRANSACTION ISOLATION LEVEL SERIALIZABLE;
-- Check and insert
COMMIT;
```
Attack: Create valid token without withdrawal
Defense: RSA signature unforgeability (3072-bit)
Attack: Spend same token twice
Defense: Atomic duplicate detection (Redis + PostgreSQL)
Attack: Link withdrawal to spending
Defense: Blind signature protocol unlinkability
Attack: Reuse intercepted token
Defense: Serial number recorded, second use detected
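The redemption flow above (cache check, database check, atomic insert) can be exercised with the following added example, which is not the project's own code. It assumes stand-ins: a Python set for Redis, `sqlite3` for PostgreSQL, and a hypothetical `spent` table whose primary key is the token serial. It also assumes the database is the authority and the cache is only a fast path.

```python
import os, sqlite3, tempfile, threading
from concurrent.futures import ThreadPoolExecutor

class Redeemer:
    """Stand-ins: a set plays the Redis cache, sqlite3 plays PostgreSQL."""

    def __init__(self, db_path):
        self.db_path = db_path
        self.cache = set()              # fast path only, never authoritative
        self.cache_lock = threading.Lock()
        db = sqlite3.connect(db_path)
        # Hypothetical schema: the PRIMARY KEY is what enforces single use.
        db.execute("CREATE TABLE spent (serial TEXT PRIMARY KEY)")
        db.commit()
        db.close()

    def redeem(self, serial):
        with self.cache_lock:           # 1. fast check
            if serial in self.cache:
                return "double-spend (cache)"
        db = sqlite3.connect(self.db_path, timeout=30)  # one connection per request
        try:
            # 2. Check and insert are a single statement. A SELECT followed by
            #    an INSERT would let two concurrent requests both pass the check.
            with db:                    # commits on success, rolls back on error
                db.execute("INSERT INTO spent (serial) VALUES (?)", (serial,))
            result = "accepted"
        except sqlite3.IntegrityError:  # serial already recorded
            result = "double-spend (database)"
        finally:
            db.close()
        with self.cache_lock:           # 3. warm the cache after the durable write
            self.cache.add(serial)
        return result

def demo():
    """Returns (results of 8 racing redemptions, result after a cache flush)."""
    store = Redeemer(os.path.join(tempfile.mkdtemp(), "spent.db"))
    with ThreadPoolExecutor(max_workers=8) as pool:
        raced = list(pool.map(store.redeem, ["serial-A"] * 8))  # constructed serial
    store.cache.clear()                 # simulate a Redis flush or restart
    return raced, store.redeem("serial-A")

if __name__ == "__main__":
    print(demo())
```

Exactly one of the racing requests is accepted, and the replay after the cache is cleared is still rejected by the database constraint.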
- Private key: HSM storage (production)
- Key rotation: Not implemented (future work)
- Backup: Encrypted offline storage
- Failed verification attempts
- Double-spend attempts
- Unusual withdrawal patterns
- Database replication lag
All transactions logged with:
- Transaction ID
- Timestamp
- Amount
- Token serial (after redemption)