27 KiB
27 KiB
KMS Security Architecture
Table of Contents
- Security Overview
- Multi-Layered Security Model
- Authentication Security
- Token Security Models
- Authorization Framework
- Data Protection
- Security Middleware Chain
- Threat Model
- Security Controls
- Compliance Framework
Security Overview
The KMS implements a comprehensive security architecture based on defense-in-depth principles. Every layer of the system includes security controls designed to protect against both external threats and insider risks.
Security Objectives
- Confidentiality: Protect sensitive data and credentials
- Integrity: Ensure data accuracy and prevent tampering
- Availability: Maintain service availability under attack
- Accountability: Complete audit trail of all operations
- Non-repudiation: Cryptographic proof of operations
Security Principles
- Zero Trust: Verify every request regardless of source
- Fail Secure: Safe defaults when systems fail
- Defense in Depth: Multiple security layers
- Least Privilege: Minimal permission grants
- Security by Design: Security integrated into architecture
Multi-Layered Security Model
graph TB
subgraph "External Threats"
DDoS[DDoS Attacks]
XSS[XSS Attacks]
CSRF[CSRF Attacks]
Injection[SQL Injection]
AuthBypass[Auth Bypass]
TokenReplay[Token Replay]
BruteForce[Brute Force]
end
subgraph "Security Perimeter"
subgraph "Load Balancer Security"
NginxSec[Nginx Security<br/>- Rate limiting<br/>- SSL termination<br/>- Request filtering]
end
subgraph "Application Security Layer"
SecurityMW[Security Middleware]
subgraph "Security Headers"
HSTS[HSTS Header<br/>max-age=31536000]
ContentType[Content-Type-Options<br/>nosniff]
FrameOptions[X-Frame-Options<br/>DENY]
XSSProtection[XSS-Protection<br/>1; mode=block]
CSP[Content-Security-Policy<br/>Restrictive policy]
end
subgraph "CORS Protection"
Origins[Allowed Origins<br/>Whitelist validation]
Methods[Allowed Methods<br/>GET, POST, PUT, DELETE]
Headers[Allowed Headers<br/>Authorization, Content-Type]
Credentials[Credentials Policy<br/>Same-origin only]
end
subgraph "CSRF Protection"
CSRFToken[CSRF Token<br/>Double-submit cookie]
CSRFHeader[X-CSRF-Token<br/>Header validation]
SameSite[SameSite Cookie<br/>Strict policy]
end
end
subgraph "Rate Limiting Defense"
GlobalLimit[Global Rate Limit<br/>100 RPS per IP]
EndpointLimit[Endpoint-specific<br/>Limits per route]
BurstControl[Burst Control<br/>200 request burst]
Backoff[Exponential Backoff<br/>Failed attempts]
end
subgraph "Authentication Security"
MultiAuth[Multi-Provider Auth<br/>Header, JWT, OAuth2, SAML]
subgraph "Token Security"
JWTSigning[JWT Signing<br/>RS256 Algorithm]
TokenExpiry[Token Expiration<br/>Configurable TTL]
TokenRevocation[Token Revocation<br/>Blacklist in Redis]
TokenRotation[Token Rotation<br/>Refresh mechanism]
end
subgraph "Static Token Security"
HMACValidation[HMAC Validation<br/>SHA-256 signature]
TimestampCheck[Timestamp Validation<br/>5-minute window]
ReplayProtection[Replay Protection<br/>Nonce tracking]
KeyRotation[Key Rotation<br/>Configurable schedule]
end
subgraph "Session Security"
SessionEncryption[Session Encryption<br/>AES-256-GCM]
SessionTimeout[Session Timeout<br/>Idle timeout]
SessionFixation[Session Fixation<br/>Protection]
end
end
subgraph "Authorization Security"
RBAC[Role-Based Access<br/>Hierarchical permissions]
PermissionCheck[Permission Validation<br/>Request-level checks]
ScopeValidation[Scope Validation<br/>Token scope matching]
PrincipleOfLeastPrivilege[Least Privilege<br/>Minimal permissions]
end
subgraph "Data Protection"
Encryption[Data Encryption]
subgraph "Encryption at Rest"
DBEncryption[Database Encryption<br/>AES-256 column encryption]
KeyStorage[Key Management<br/>Environment variables]
SaltedHashing[Salted Hashing<br/>BCrypt cost 14]
end
subgraph "Encryption in Transit"
TLS13[TLS 1.3<br/>All communications]
CertPinning[Certificate Pinning<br/>OAuth2/SAML providers]
MTLS[Mutual TLS<br/>Service-to-service]
end
end
subgraph "Input Validation"
JSONValidation[JSON Schema<br/>Request validation]
SQLProtection[SQL Injection<br/>Parameterized queries]
XSSProtectionValidation[XSS Protection<br/>Input sanitization]
PathTraversal[Path Traversal<br/>Prevention]
end
subgraph "Monitoring & Detection"
SecurityAudit[Security Audit Log<br/>All operations logged]
FailureDetection[Failure Detection<br/>Failed auth attempts]
AnomalyDetection[Anomaly Detection<br/>Unusual patterns]
AlertSystem[Alert System<br/>Security incidents]
end
end
subgraph "Database Security"
DBSecurity[PostgreSQL Security<br/>- Connection encryption<br/>- User isolation<br/>- Query logging<br/>- Backup encryption]
end
subgraph "Infrastructure Security"
ContainerSecurity[Container Security<br/>- Non-root user<br/>- Minimal images<br/>- Security scanning]
NetworkSecurity[Network Security<br/>- Internal networks<br/>- Firewall rules<br/>- VPN access]
end
%% Threat Mitigation Connections
DDoS -.->|Mitigated by| NginxSec
XSS -.->|Prevented by| SecurityMW
CSRF -.->|Blocked by| CSRFToken
Injection -.->|Stopped by| JSONValidation
AuthBypass -.->|Blocked by| MultiAuth
TokenReplay -.->|Prevented by| TimestampCheck
BruteForce -.->|Limited by| GlobalLimit
%% Security Layer Flow
NginxSec --> SecurityMW
SecurityMW --> GlobalLimit
GlobalLimit --> MultiAuth
MultiAuth --> RBAC
RBAC --> Encryption
Encryption --> JSONValidation
JSONValidation --> SecurityAudit
SecurityAudit --> DBSecurity
SecurityAudit --> ContainerSecurity
%% Styling
classDef threat fill:#ffcdd2,stroke:#d32f2f,stroke-width:2px
classDef security fill:#c8e6c9,stroke:#388e3c,stroke-width:2px
classDef auth fill:#e1bee7,stroke:#7b1fa2,stroke-width:2px
classDef data fill:#fff9c4,stroke:#f57f17,stroke-width:2px
classDef infra fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
class DDoS,XSS,CSRF,Injection,AuthBypass,TokenReplay,BruteForce threat
class SecurityMW,HSTS,ContentType,FrameOptions,XSSProtection,CSP,Origins,Methods,Headers,Credentials,CSRFToken,CSRFHeader,SameSite security
class MultiAuth,JWTSigning,TokenExpiry,TokenRevocation,TokenRotation,HMACValidation,TimestampCheck,ReplayProtection,KeyRotation,SessionEncryption,SessionTimeout,SessionFixation,RBAC,PermissionCheck,ScopeValidation,PrincipleOfLeastPrivilege auth
class Encryption,DBEncryption,KeyStorage,SaltedHashing,TLS13,CertPinning,MTLS,JSONValidation,SQLProtection,XSSProtectionValidation,PathTraversal,SecurityAudit,FailureDetection,AnomalyDetection,AlertSystem,DBSecurity data
class ContainerSecurity,NetworkSecurity,NginxSec,GlobalLimit,EndpointLimit,BurstControl,Backoff infra
Security Layer Breakdown
- Perimeter Security: Load balancer, rate limiting, DDoS protection
- Application Security: Security headers, CORS, CSRF protection
- Authentication Security: Multi-provider authentication with strong cryptography
- Authorization Security: RBAC with hierarchical permissions
- Data Protection: Encryption at rest and in transit
- Input Validation: Comprehensive input sanitization and validation
- Monitoring: Security event detection and alerting
Authentication Security
Multi-Provider Authentication Framework
The KMS supports four authentication providers, each with specific security controls:
Header-based Authentication
// File: internal/auth/header_validator.go:42
func (hv *HeaderValidator) ValidateAuthenticationHeaders(r *http.Request) (*ValidatedUserContext, error)
Security Features:
- HMAC-SHA256 Signatures: Request integrity validation
- Timestamp Validation: 5-minute window prevents replay attacks
- Constant-time Comparison: Prevents timing attacks
- Email Format Validation: Prevents injection attacks
Implementation Details:
// HMAC signature validation with constant-time comparison
func (hv *HeaderValidator) validateSignature(userEmail, timestamp, signature string) bool {
mac := hmac.New(sha256.New, []byte(signingKey))
mac.Write([]byte(signingString))
expectedSignature := hex.EncodeToString(mac.Sum(nil))
return hmac.Equal([]byte(signature), []byte(expectedSignature))
}
JWT Authentication
// File: internal/auth/jwt.go:47
func (j *JWTManager) GenerateToken(userToken *domain.UserToken) (string, error)
Security Features:
- RSA Signatures: Strong cryptographic signing
- Token Revocation: Redis-backed blacklist
- Secure JTI Generation: Cryptographically secure token IDs
- Claims Validation: Complete token verification
Token Structure:
{
"iss": "kms-api-service",
"sub": "user@example.com",
"aud": ["app-id"],
"exp": 1642781234,
"iat": 1642694834,
"nbf": 1642694834,
"jti": "secure-random-id",
"user_id": "user@example.com",
"app_id": "app-id",
"permissions": ["app.read", "token.create"],
"token_type": "user",
"max_valid_at": 1643299634
}
OAuth2 Authentication
// File: internal/auth/oauth2.go
Security Features:
- Authorization Code Flow: Secure OAuth2 flow implementation
- State Parameter: CSRF protection for OAuth2
- Token Exchange: Secure credential handling
- Provider Validation: Certificate pinning support
SAML Authentication
// File: internal/auth/saml.go
Security Features:
- XML Signature Validation: Assertion integrity verification
- Certificate Validation: Provider certificate verification
- Attribute Extraction: Secure claim processing
- Replay Protection: Timestamp and nonce validation
Token Security Models
Static Token Security (HMAC-based)
stateDiagram-v2
[*] --> TokenRequest: Client requests token
state TokenRequest {
[*] --> ValidateApp: Validate app_id
ValidateApp --> ValidatePerms: Check permissions
ValidatePerms --> GenerateToken: Create token
GenerateToken --> [*]
}
TokenRequest --> StaticToken: type=static
state StaticToken {
[*] --> GenerateHMAC: Generate HMAC key
GenerateHMAC --> HashKey: BCrypt hash (cost 14)
HashKey --> StoreDB: Store in static_tokens table
StoreDB --> GrantPerms: Assign permissions
GrantPerms --> Active: Token ready
Active --> Verify: Incoming request
Verify --> ValidateHMAC: Check HMAC signature
ValidateHMAC --> CheckTimestamp: Replay protection
CheckTimestamp --> CheckPerms: Validate permissions
CheckPerms --> Authorized: Permission check
CheckPerms --> Denied: Permission denied
Active --> Revoke: Admin action
Revoke --> Revoked: Update granted_permissions.revoked=true
}
Authorized --> TokenResponse: Success response
Denied --> ErrorResponse: Error response
Revoked --> [*]: Token lifecycle end
note right of StaticToken
Static tokens use HMAC signatures
- Timestamp-based replay protection
- BCrypt hashed storage
- Permission-based access control
- No expiration (until revoked)
end note
Token Format
Format: {PREFIX}_{BASE64_DATA}
Example: ABC_xyz123base64encodeddata...
Validation: HMAC-SHA256(request_data, hmac_key)
Storage: BCrypt hash (cost 14)
Lifetime: No expiration (until revoked)
Security Implementation
// File: internal/crypto/token.go:95
func (tg *TokenGenerator) HashToken(token string) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(token), tg.bcryptCost)
if err != nil {
return "", fmt.Errorf("failed to hash token with bcrypt cost %d: %w", tg.bcryptCost, err)
}
return string(hash), nil
}
User Token Security (JWT-based)
stateDiagram-v2
[*] --> UserTokenRequest: User requests token
state UserTokenRequest {
[*] --> AuthUser: Authenticate user
AuthUser --> GenerateJWT: Create JWT with claims
GenerateJWT --> SetExpiry: Set expires_at, max_valid_at
SetExpiry --> StoreSession: Store user session
StoreSession --> Active: JWT issued
}
UserTokenRequest --> UserToken: type=user
state UserToken {
Active --> Verify: Incoming request
Verify --> ValidateJWT: Check JWT signature
ValidateJWT --> CheckExpiry: Verify expiration
CheckExpiry --> CheckRevoked: Check revocation list
CheckRevoked --> Authorized: Valid token
CheckRevoked --> Denied: Token invalid
CheckExpiry --> Expired: Token expired
Active --> Renew: Renewal request
Renew --> CheckRenewal: Within renewal window?
CheckRenewal --> GenerateNew: Issue new JWT
CheckRenewal --> Denied: Renewal denied
GenerateNew --> Active: New token active
Active --> Logout: User logout
Logout --> Revoked: Add to revocation list
Expired --> Renew: Attempt renewal
}
Authorized --> TokenResponse: Success response
Denied --> ErrorResponse: Error response
Revoked --> [*]: Token lifecycle end
note right of UserToken
User tokens are JWT-based
- Configurable expiration
- Renewable within limits
- Session tracking
- Hierarchical permissions
end note
Token Format
Format: {CUSTOM_PREFIX}UT-{JWT_TOKEN}
Example: ABC123UT-eyJhbGciOiJSUzI1NiIs...
Validation: RSA signature + claims validation
Storage: Revocation list in Redis
Lifetime: Configurable with renewal window
Security Features
- RSA-256 Signatures: Strong cryptographic validation
- Token Revocation: Redis blacklist with TTL
- Renewal Controls: Limited renewal window
- Session Tracking: Database session management
Authorization Framework
Role-Based Access Control (RBAC)
The KMS implements a hierarchical permission system with role-based access control:
Permission Hierarchy
admin
├── app.admin
│ ├── app.read
│ ├── app.write
│ │ ├── app.create
│ │ ├── app.update
│ │ └── app.delete
├── token.admin
│ ├── token.read
│ │ └── token.verify
│ ├── token.write
│ │ ├── token.create
│ │ └── token.revoke
├── permission.admin
│ ├── permission.read
│ ├── permission.write
│ │ ├── permission.grant
│ │ └── permission.revoke
└── user.admin
├── user.read
└── user.write
Role Definitions
// File: internal/auth/permissions.go:151
func (h *PermissionHierarchy) initializeDefaultRoles() {
defaultRoles := []*Role{
{
Name: "super_admin",
Description: "Super administrator with full access",
Permissions: []string{"admin"},
Metadata: map[string]string{"level": "system"},
},
{
Name: "app_admin",
Description: "Application administrator",
Permissions: []string{"app.admin", "token.admin", "user.read"},
Metadata: map[string]string{"level": "application"},
},
// Additional roles...
}
}
Permission Evaluation
// File: internal/auth/permissions.go:201
func (pm *PermissionManager) HasPermission(ctx context.Context, userID, appID, permission string) (*PermissionEvaluation, error) {
// Cache lookup first
cacheKey := cache.CacheKey(cache.KeyPrefixPermission, fmt.Sprintf("%s:%s:%s", userID, appID, permission))
// Evaluate permission with hierarchy
evaluation := pm.evaluatePermission(ctx, userID, appID, permission)
// Cache result for 5 minutes
pm.cacheManager.SetJSON(ctx, cacheKey, evaluation, 5*time.Minute)
return evaluation, nil
}
Authorization Controls
Resource Ownership
// File: internal/authorization/rbac.go:100
func (a *AuthorizationService) AuthorizeApplicationOwnership(userID string, app *domain.Application) error {
// System admins can access any application
if a.isSystemAdmin(userID) {
return nil
}
// Check if user is the owner
if a.isOwner(userID, &app.Owner) {
return nil
}
return errors.NewForbiddenError("You do not have permission to access this application")
}
Token Scoping
// File: internal/services/token_service.go:400
func (s *tokenService) verifyStaticToken(ctx context.Context, req *domain.VerifyRequest, app *domain.Application) (*domain.VerifyResponse, error) {
// Get granted permissions for this token
permissions, err := s.grantRepo.GetGrantedPermissionScopes(ctx, domain.TokenTypeStatic, matchedToken.ID)
// Check specific permissions if requested
if len(req.Permissions) > 0 {
permissionResults, err := s.grantRepo.HasAnyPermission(ctx, domain.TokenTypeStatic, matchedToken.ID, req.Permissions)
// Validate all requested permissions are granted
}
}
Data Protection
Encryption at Rest
Database Encryption
-- Sensitive data encryption in PostgreSQL
CREATE TABLE applications (
app_id VARCHAR(100) PRIMARY KEY,
hmac_key TEXT, -- Encrypted with application-level encryption
created_at TIMESTAMP DEFAULT NOW()
);
CREATE TABLE static_tokens (
id UUID PRIMARY KEY,
key_hash TEXT NOT NULL, -- BCrypt hashed with cost 14
created_at TIMESTAMP DEFAULT NOW()
);
BCrypt Hashing
// File: internal/crypto/token.go:22
const BcryptCost = 14 // 2025 security standards (minimum 14)
func (tg *TokenGenerator) HashToken(token string) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(token), tg.bcryptCost)
if err != nil {
return "", fmt.Errorf("failed to hash token with bcrypt cost %d: %w", tg.bcryptCost, err)
}
return string(hash), nil
}
Encryption in Transit
TLS Configuration
// TLS 1.3 configuration for all communications
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS13,
CipherSuites: []uint16{
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_AES_128_GCM_SHA256,
},
}
Certificate Pinning
// OAuth2/SAML provider certificate pinning
func (o *OAuth2Provider) validateCertificate(cert *x509.Certificate) error {
expectedFingerprints := o.config.GetStringSlice("OAUTH2_CERT_FINGERPRINTS")
fingerprint := sha256.Sum256(cert.Raw)
fingerprintHex := hex.EncodeToString(fingerprint[:])
for _, expected := range expectedFingerprints {
if fingerprintHex == expected {
return nil
}
}
return fmt.Errorf("certificate fingerprint mismatch")
}
Security Middleware Chain
Middleware Processing Order
- Request Logger: Structured logging with security context
- Security Headers: XSS, clickjacking, MIME-type protection
- CORS Handler: Cross-origin request validation
- CSRF Protection: Double-submit token validation
- Rate Limiter: DDoS and abuse protection
- Authentication: Multi-provider authentication
- Authorization: Permission validation
- Input Validation: Request sanitization and validation
Rate Limiting Implementation
// File: internal/middleware/security.go:48
func (s *SecurityMiddleware) RateLimitMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
clientIP := s.getClientIP(r)
limiter := s.getRateLimiter(clientIP)
if !limiter.Allow() {
s.logger.Warn("Rate limit exceeded",
zap.String("client_ip", clientIP),
zap.String("path", r.URL.Path))
s.trackRateLimitViolation(clientIP)
http.Error(w, `{"error":"rate_limit_exceeded"}`, http.StatusTooManyRequests)
return
}
next.ServeHTTP(w, r)
})
}
Brute Force Protection
// File: internal/middleware/security.go:365
func (s *SecurityMiddleware) checkAndBlockIP(clientIP string) {
var count int
err := s.cacheManager.GetJSON(ctx, key, &count)
maxFailures := s.config.GetInt("MAX_AUTH_FAILURES")
if maxFailures <= 0 {
maxFailures = 5 // Default
}
if count >= maxFailures {
// Block the IP for 1 hour
blockInfo := map[string]interface{}{
"blocked_at": time.Now().Unix(),
"failure_count": count,
"reason": "excessive_auth_failures",
}
s.cacheManager.SetJSON(ctx, blockKey, blockInfo, blockDuration)
}
}
Threat Model
External Threats
Network-based Attacks
- DDoS: Rate limiting and load balancer protection
- Man-in-the-Middle: TLS 1.3 encryption
- Packet Sniffing: End-to-end encryption
Application-level Attacks
- SQL Injection: Parameterized queries only
- XSS: Input validation and CSP headers
- CSRF: Double-submit token protection
- Session Hijacking: Secure session management
Authentication Attacks
- Brute Force: Rate limiting and account lockout
- Credential Stuffing: Multi-factor authentication support
- Token Replay: Timestamp validation and nonces
- JWT Attacks: Strong cryptographic signing
Insider Threats
Privileged User Abuse
- Audit Logging: Complete audit trail
- Role Separation: Principle of least privilege
- Session Monitoring: Abnormal activity detection
Data Exfiltration
- Access Controls: Resource-level authorization
- Data Classification: Sensitive data identification
- Export Monitoring: Large data access alerts
Security Controls
Preventive Controls
Authentication Controls
- Multi-factor authentication support
- Strong password policies (where applicable)
- Account lockout mechanisms
- Session timeout enforcement
Authorization Controls
- Role-based access control (RBAC)
- Resource-level permissions
- API endpoint protection
- Ownership validation
Data Protection Controls
- Encryption at rest (AES-256)
- Encryption in transit (TLS 1.3)
- Key management procedures
- Secure data disposal
Detective Controls
Monitoring and Logging
// Comprehensive audit logging
type AuditLog struct {
ID uuid.UUID `json:"id"`
Timestamp time.Time `json:"timestamp"`
UserID string `json:"user_id"`
Action string `json:"action"`
ResourceType string `json:"resource_type"`
ResourceID string `json:"resource_id"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
Metadata map[string]interface{} `json:"metadata"`
}
Security Event Detection
- Failed authentication attempts
- Privilege escalation attempts
- Unusual access patterns
- Token misuse detection
Responsive Controls
Incident Response
- Automated threat response
- Token revocation procedures
- User account suspension
- Alert escalation workflows
Recovery Controls
- Backup and restore procedures
- Disaster recovery planning
- Business continuity measures
- Data integrity verification
Compliance Framework
OWASP Top 10 Protection
- Injection: Parameterized queries, input validation
- Broken Authentication: Multi-provider auth, strong crypto
- Sensitive Data Exposure: Encryption, secure storage
- XML External Entities: JSON-only API
- Broken Access Control: RBAC, authorization checks
- Security Misconfiguration: Secure defaults
- Cross-Site Scripting: Input validation, CSP
- Insecure Deserialization: Safe JSON handling
- Known Vulnerabilities: Regular dependency updates
- Logging & Monitoring: Comprehensive audit trails
Regulatory Compliance
SOC 2 Type II Controls
- Security: Access controls, encryption, monitoring
- Availability: High availability, disaster recovery
- Processing Integrity: Data validation, error handling
- Confidentiality: Data classification, access restrictions
- Privacy: Data minimization, consent management
GDPR Compliance (where applicable)
- Data Protection by Design: Privacy-first architecture
- Consent Management: Granular consent controls
- Right to Erasure: Data deletion procedures
- Data Portability: Export capabilities
- Breach Notification: Automated incident response
NIST Cybersecurity Framework
- Identify: Asset inventory, risk assessment
- Protect: Access controls, data security
- Detect: Monitoring, anomaly detection
- Respond: Incident response procedures
- Recover: Business continuity planning
Security Metrics
Key Security Indicators
- Authentication success/failure rates
- Authorization denial rates
- Token usage patterns
- Security event frequency
- Incident response times
Security Monitoring
alerts:
- name: "High Authentication Failure Rate"
condition: "auth_failures > 10 per minute per IP"
severity: "warning"
- name: "Privilege Escalation Attempt"
condition: "permission_denied + elevated_permission"
severity: "critical"
- name: "Token Abuse Detection"
condition: "token_usage_anomaly"
severity: "warning"
This security architecture document provides comprehensive coverage of the KMS security model, suitable for security audits, compliance reviews, and security team training.