Hyperledger Ursa code review

June 1, 2022

Active and Completed Projects

Cybersecurity, Digital Identity, Hyperledger

Rooted in a “trust but verify” mindset, several Canadian public sector entities sponsored a project at the IDLab to perform a security and cryptography code review.

Hyperledger Ursa is a shared cryptographic library used to avoid duplicating cryptographic related code. The library is an opt-in repository (for Hyperledger and non Hyperledger projects) to place and use crypto.

Broad deployment of digital identity will depend on strong security to deliver the high levels of assurance required in many consumer transactions with their governments, their financial institutions, and other trusted organisations.

Leading advancements in decentralized identity, several originating in Canada, rely on the Hyperledger family of technologies. As such, Hyperledger Ursa is a central component depended upon to provide the security overlay for decentralized identity.

Rooted in a “trust but verify” mindset, several Canadian public sector entities and Interac (Canada’s interbank network) sponsored a project at the Digital Identity Laboratory of Canada (IDLab) to perform a security and cryptography code review of Hyperledger Ursa  (full report is available here).

Those commissioning this project deemed it important to have an arms-length third party assessment of this foundational component of the Hyperledger family to understand the risks (if any) being assumed with the deployment and use of Hyperledger-base technology in the domain of decentralized identity.

Overview of Hyperledger Ursa library code review scope:

  • A code review that examined:
    • Entry points
    • Coding standards
    • Data storage and transfer
    • APIs and their security
    • Third party library usage
    • Programming language issues
    • Logic flaws
  • Cryptography best practices including examination of:
    • Cryptography and key management
    • Entropy
    • Best practice cryptography usage

The review did not include an assessment of the cryptographic algorithms foundation themselves, or their suitability. Examination was limited to assessment of sound implementation within Ursa.

Following the code review and the findings documented, the IDLab team worked closely with key Ursa contributors and members of the Hyperledger Foundation community to review and assess results. As a result, a number of enhancements were identified to address report findings.

Ultimately, the exercise concluded that Ursa provides a solid security footing for projects dependent on the Hyperledger family of technologies applicable to digital identity.


Review findings summary:

In general, the review noted a few relatively minor security defects, some implementation guidance, and some general observations for library improvement.

These can be briefly described as follows:

  • Minor build issues
  • Cautions to consider when building, primarily with third party libraries or integrations
  • Minor issues related to lack of support for message augmentation
  • Minor issues related to subgroup validation
  • An issue related to public key validation

If you have any questions about Hyperledger Ursa, you can engage with the community on the Hyperledger Foundation’s Discord server for Ursa.