Security

Cryptography

  • All ocapi instances are hosted behind an HTTPS load balancer.
  • All challenges are identified by a random unique UUID.
  • Partner authentication using Json Web tokens, with algorithm HS512 (HMAC using SHA-512 hash algorithm).
  • No cryptography primitive is implemented by Teklia, we rely on well known and supported libraries.

Challenge validation

Each challenge we send to a user (transcriptions or classification mode) has 2 types of data: - annotated data, where we already know the answer, - unknown data, where we do not know the answer.

This means that we validate the user's challenge on a subset of data sent to him: - for a classification challenge, we know at least 50% of the classes, - for a transcription challenge, we know one of the two images.

A user should not be able to easily cheat this system as he has no way of knowing which images are already annotated. A potential attack vector here is to request a lot of challenges and statistically identify which images are the most frequent; this would require a lot of time, and could be avoided by a rate-limiting system on our side.

Risks

System downtime

If the Ocapi backend server is down (no responses at all), a few things will happened: - no challenge will be issued, - the Javascript payload (served from an independent CDN) will display an error message, - the partner website must support this case and either: - reject all form queries until the Ocapi instance is reachable again (usually the default behaviour) - allow all form queries until the Ocapi instance is reachable again

For reference, we had an uptime of 99.95% over the year 2020 (meaning 21m maximum of downtime per month).

Private key lost or compromised by partner

If the partner's private key is lost or exposed (should not happen until a leak happens on the partner's infrastructure), an attacker can simply check the state of known challenges (enumerating UUIDs would be practically impossible).

No write action is allowed to partners on the Ocapi instance.

Furthermore, we can easily revoke and re-create a new private key once contacted about the issue. The leaked private key would become immediately inoperable.

Tracking

We do not track the end users: - every challenge is assigned an anonymous ID. - we do not fingerprint users through our Javascript payload. - we do not store any geographic location or IP address, even hashed.