Threat Model & Mitigation
CRYMBO Oracle is designed to operate in adversarial, permissionless environments while ensuring the security, privacy, and integrity of sensitive identity data. This document outlines key threat vectors and the corresponding mitigation strategies employed.
🚨 Threats & Risks​
1. Unauthorized Data Access​
- Risk: A malicious party gains access to encrypted PII
- Mitigation:
- Hybrid encryption (AES + X25519)
- EncryptedKey only decryptable by intended receiver
- No private keys ever shared with CRYMBO
2. Private Key Leakage (Receiver)​
- Risk: Receiver's private key is compromised
- Mitigation:
- VASP-side secure storage (HSM, Vault)
- Key rotation API
- Auditable key versioning
3. Tampering with Payloads​
- Risk: Encrypted payload is modified in transit
- Mitigation:
- AES-GCM ensures authenticated encryption
- Invalid tampered ciphertext is automatically rejected
4. Replay Attacks​
- Risk: Resubmitting old payload to trigger unintended effects
- Mitigation:
- Timestamp-based nonce validation
- On-chain txHash linkage
5. Man-in-the-Middle (MITM)​
- Risk: Interception of key exchange or encrypted message
- Mitigation:
- TLS 1.3 on API endpoints
- No direct key negotiation — registry provides keys
- Cryptographic integrity validation
6. Malicious Sender​
- Risk: Sending corrupted or misleading PII payloads
- Mitigation:
- PII validation via KYC validators
- Scoring system based on receiver feedback
🔒 Zero-Trust Principles​
- CRYMBO infrastructure never holds private keys
- All sensitive operations occur on the Bussiness/ institution side
- Encrypted data flows are verifiable but unreadable by the network
✅ Security by Design​
- Hybrid encryption
- Key rotation and audit trail
- End-to-end encrypted delivery
- Minimal trust in CRYMBO components
CRYMBO's threat model aligns with ISO/IEC 27001, NIST 800-53, and GDPR principles for secure, decentralized identity data exchange.