Security Architecture
UFG implements a robust security model based on asymmetric cryptography to ensure confidentiality, integrity, and authenticity of all messages.
Security Mechanisms
1. Asymmetric Encryption (RSA-2048)
We use RSA-OAEP with SHA-256 for end-to-end encryption.
- Confidentiality: Only the intended recipient can decrypt the message.
- Key Management: Each member generates their own RSA-2048 key pair.
- Public Keys: Uploaded to the UFG Portal for other members to use for encryption.
- Private Keys: Kept strictly confidential on the member's server.
Flow:
Payload → Encrypt(ReceiverPublicKey) → UFG → Decrypt(ReceiverPrivateKey)
2. Digital Signatures (SHA256withRSA)
All messages are signed to ensure authenticity and non-repudiation.
- Integrity: Ensures the message has not been altered in transit.
- Authenticity: Verifies the identity of the sender.
- Verification: UFG verifies the signature before routing.
Flow:
Sign(PrivateKey, Header + EncryptedPayload) → Base64 Signature
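The two flows above carried end to end, as an added example that is not UFG's own code or SDK: Go's standard library, RSA-OAEP with SHA-256 for the payload and RSASSA-PKCS1-v1_5 with SHA-256 (the algorithm the JCA name SHA256withRSA denotes) over Header + EncryptedPayload. The Member and Envelope types, the header string and the payload are constructed for the example. One caveat the page does not state: RSA-OAEP with SHA-256 under a 2048-bit key can encrypt at most 190 bytes of plaintext, so larger payloads need a hybrid scheme (a symmetric key wrapped with RSA-OAEP), which this example does not implement; MaxOAEPPlaintext computes that limit.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Member is a hypothetical UFG member holding its own RSA-2048 key pair. Only Pub is
// ever shared (uploaded to the Portal); priv stays on the member's side.
type Member struct {
	priv *rsa.PrivateKey
	Pub  *rsa.PublicKey
}

func NewMember() (*Member, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Member{priv: priv, Pub: &priv.PublicKey}, nil
}

// MaxOAEPPlaintext is the largest payload RSA-OAEP/SHA-256 can encrypt under pub:
// k - 2*hLen - 2 bytes, which is 190 bytes for a 2048-bit key.
func MaxOAEPPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Envelope is the unit a member submits to UFG (type constructed for this example).
type Envelope struct {
	Header           string // cleartext header, assumed to carry MsgId
	EncryptedPayload []byte // RSA-OAEP ciphertext for the receiver
	Signature        string // Base64(SHA256withRSA over Header + EncryptedPayload)
}

// signedBytes is the exact byte string the signature covers: Header + EncryptedPayload.
func signedBytes(header string, ct []byte) []byte {
	return append([]byte(header), ct...)
}

// Seal encrypts payload to the receiver's public key (RSA-OAEP, SHA-256) and signs
// Header + ciphertext with the sender's private key (RSASSA-PKCS1-v1_5, SHA-256).
func (m *Member) Seal(header string, payload []byte, receiver *rsa.PublicKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, payload, nil)
	if err != nil {
		return nil, fmt.Errorf("encrypt: %w", err) // rsa.ErrMessageTooLong above 190 bytes
	}
	digest := sha256.Sum256(signedBytes(header, ct))
	sig, err := rsa.SignPKCS1v15(rand.Reader, m.priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, fmt.Errorf("sign: %w", err)
	}
	return &Envelope{Header: header, EncryptedPayload: ct,
		Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyEnvelope is UFG's check before routing: the signature must verify under the
// sender's registered public key. UFG needs no private key and never decrypts.
func VerifyEnvelope(env *Envelope, sender *rsa.PublicKey) error {
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil {
		return fmt.Errorf("signature is not valid Base64: %w", err)
	}
	digest := sha256.Sum256(signedBytes(env.Header, env.EncryptedPayload))
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

// Open is the receiver's step: verify the signature again, then decrypt with its own key.
func (m *Member) Open(env *Envelope, sender *rsa.PublicKey) ([]byte, error) {
	if err := VerifyEnvelope(env, sender); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, m.priv, env.EncryptedPayload, nil)
}

func main() {
	alice, _ := NewMember()
	bob, _ := NewMember()
	// Constructed sample header and payload, not a real ISO 20022 message.
	env, err := alice.Seal("MsgId=MSG-0001", []byte("constructed payload"), bob.Pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("UFG verify:     ", VerifyEnvelope(env, alice.Pub)) // <nil>
	pt, err := bob.Open(env, alice.Pub)
	fmt.Printf("Bob reads:       %q (err=%v)\n", pt, err)
	tampered := *env
	tampered.Header = "MsgId=MSG-9999" // altered in transit
	fmt.Println("tampered header:", VerifyEnvelope(&tampered, alice.Pub))
	fmt.Println("wrong signer:   ", VerifyEnvelope(env, bob.Pub))
	fmt.Println("OAEP limit:     ", MaxOAEPPlaintext(bob.Pub), "bytes") // 190
}
```

UFG's part is VerifyEnvelope alone: it holds registered public keys only and can confirm who sent a message without being able to read it. The receiver verifies again in Open rather than trusting that routing already did, so a message injected between UFG and the member is still caught.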
3. Timestamp Validation
To prevent replay attacks, all requests must include a Unix timestamp (x-timestamp header).
- Validity Window: UFG rejects messages that are older than 5 minutes (configurable).
- Clock Synchronization: Members must ensure their server clocks are synchronized (e.g., using NTP).
4. Idempotency Check
To prevent double processing, each request requires a unique identifier.
- Message ID: The MsgId field in the ISO 20022 header must be unique.
- Enforcement: UFG and Custody Bank track processed IDs and reject duplicates.
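The timestamp and idempotency checks as one gateway-side admission routine, added here as an example and not UFG's implementation; the ReplayGuard type, the error names and the fixed clock are constructed for it. It goes beyond the page's wording in two places, both marked in the code: timestamps too far in the future are rejected as well as stale ones, and dedup entries are evicted once their own timestamp would fail the window check, which keeps the store bounded without opening a replay gap. Both checks only hold if x-timestamp and MsgId are inside the bytes the signature covers; the page states that MsgId sits in the ISO 20022 header, but whether the x-timestamp request header is part of the signed Header is not stated, so an implementer should confirm it.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// DefaultWindow is the validity window from the page: 5 minutes, configurable.
const DefaultWindow = 5 * time.Minute

var (
	ErrBadTimestamp = errors.New("missing or malformed x-timestamp header")
	ErrStale        = errors.New("x-timestamp older than validity window")
	ErrFuture       = errors.New("x-timestamp too far in the future")
	ErrMissingMsgID = errors.New("missing MsgId")
	ErrDuplicate    = errors.New("duplicate MsgId")
)

// ReplayGuard is the gateway-side state for the timestamp and idempotency checks
// (constructed for this example). Now is injectable so the logic can be exercised
// against a fixed clock.
type ReplayGuard struct {
	Window time.Duration
	Now    func() time.Time
	mu     sync.Mutex
	seen   map[string]time.Time // MsgId -> that message's own x-timestamp
}

func NewReplayGuard(window time.Duration, now func() time.Time) *ReplayGuard {
	return &ReplayGuard{Window: window, Now: now, seen: make(map[string]time.Time)}
}

// ParseTimestamp parses the x-timestamp header (Unix seconds) and rejects it if it
// is older than Window. Added hardening beyond the page's wording: timestamps more
// than Window in the future are rejected too, so a sender cannot post-date a
// message to stretch its replay lifetime.
func (g *ReplayGuard) ParseTimestamp(header string) (time.Time, error) {
	secs, err := strconv.ParseInt(header, 10, 64)
	if err != nil {
		return time.Time{}, ErrBadTimestamp
	}
	ts := time.Unix(secs, 0)
	age := g.Now().Sub(ts)
	switch {
	case age > g.Window:
		return time.Time{}, ErrStale
	case age < -g.Window:
		return time.Time{}, ErrFuture
	}
	return ts, nil
}

// Admit runs both checks in order: the stateless timestamp check first, then the
// stateful MsgId check. Entries are evicted once their own timestamp has aged past
// Window, because any replay of them is then rejected by the timestamp check; the
// two checks together keep the dedup store bounded.
func (g *ReplayGuard) Admit(xTimestamp, msgID string) error {
	ts, err := g.ParseTimestamp(xTimestamp)
	if err != nil {
		return err
	}
	if msgID == "" {
		return ErrMissingMsgID
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	now := g.Now()
	for id, seenTS := range g.seen {
		if now.Sub(seenTS) > g.Window {
			delete(g.seen, id)
		}
	}
	if _, dup := g.seen[msgID]; dup {
		return ErrDuplicate
	}
	g.seen[msgID] = ts
	return nil
}

func main() {
	// Constructed clock and headers; nothing here touches a network.
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	g := NewReplayGuard(DefaultWindow, func() time.Time { return clock })
	stamp := func(d time.Duration) string { return strconv.FormatInt(clock.Add(d).Unix(), 10) }

	fmt.Println("fresh:      ", g.Admit(stamp(0), "MSG-0001"))              // <nil>
	fmt.Println("replay:     ", g.Admit(stamp(0), "MSG-0001"))              // duplicate MsgId
	fmt.Println("6 min old:  ", g.Admit(stamp(-6*time.Minute), "MSG-0002")) // stale
	fmt.Println("6 min ahead:", g.Admit(stamp(6*time.Minute), "MSG-0003"))  // future
	fmt.Println("garbage:    ", g.Admit("yesterday", "MSG-0004"))           // malformed
}
```

The order matters: the timestamp check is stateless and cheap, so it runs first and sheds stale replays before any lock or lookup; only a message that passes both checks is recorded, so a rejected request never occupies a slot in the store. The Custody Bank's duplicate check is a second, independent instance of the same MsgId logic on its side.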
Security Flow Diagram
Best Practices
Private Key Security
NEVER share your Private Key with anyone, including UFG support. If your private key is compromised, revoke it immediately via the UFG Portal.
- Key Rotation: Rotate your keys periodically (e.g., every 6 months).
- Secure Storage: Store private keys in a Hardware Security Module (HSM) or a secure secrets manager.
- Network Security: Whitelist UFG IP addresses on your firewall.