CWS is written purely in Java 11 / Jakarta EE 8. It is thus relying on very solid and proven Java Server components, which is frequently seeing security updates. By not relying on anything else, the security problems have been minimized.
All data stored in CWS is encrypted using a combination of a MasterKey and a CircleKey. Both of these are AES based Symmetric keys, and CircleKeys are protected using a RSA based Asymmetric key. The entire setup is build around the notion that control of keys and data belongs to the owners.
This also means that CWS is the perfect companion for anyone requiring a secure storage to be GDPR compliant.
CWS, is designed as a standalone component, which runs in any Jakarta EE 8 based container. It is not relying on any third-party dependencies and via the REST based Web Services, it is possible to embed CWS into other systems as a Microservice or use it as a backend component for other applications, websites, or mobile apps.
Since CWS is build around Jakarta EE and thus relies on JPA (Java Persistence API) for database communication, any RDBMS will work. For the cryptographic operations, JCE (Java Cryptography Extension) is used, so problems or errors in this will be corrected by the Java system.
CWS is based on a the following use cases:
Use Case 1: Two or more parties wishes to securely share data.
Use Case 2: A Web shop needs a secure way to store customer data, so only the relevant parties can access it.
Introducing "Circles of Trust", a simple concept, build around the same principles as PGP (Pretty Good Privacy). Any member can create a Circle, and add other members to it. CWS will then create a CircleKey, which is used to encrypt and decrypt all the data, which the members wishes to exchange.
For installation instructions, see the Readme file provided along the cws sources on github.
For developers, there is a full documentation of the API available.
CWS was created initially, as a way to add an extra security layer into existing web-based applications. It uses JCE, Java Cryptography Extension, for all cryptographic operations, meaning that it will work independently of what is offered by Hosting or Cloud Providers.
If you are using a Hosting or Cloud Provider for your Web-based Application, CWS may improve your security. Even if you aren't using a Hosting or Cloud Provider, CWS may still improve the data stored, by adding an additional encryption layer. This way, if your server is compromised your data may still be secure.
The old paper Reflections on trusting trust shows that perfect security is an illusion. For any system running, there is simply too many aspects to consider. From flaws in servers, missing security patches, undisclosed bugs - or flaws and bugs in your own Application.
Generally, there are 3 areas where the security will come up short:
Of the above mentioned shortcomings, the first two will be the easiest to compromise, and also the easiest to add processes to prevent. Meaning, that the last one may both sound and appear as the worst. However, if this is something that is of concern, you may reconsider using a Provider for your Application, as nothing will be able to give you the level of trust you requires except hosting the servers yourself. And even if you host the servers yourself, CWS may still give you an additional security layer as your stored data is encrypted so even if someone compromises your system, the data and keys should still be secure, as it is stored encrypted.
Security is one of the most important aspects of CWS, and although extensive efforts has been made to remove all problems, security issues may still sneak in. If you have discovered a security issue, please send an e-mail to the the core developers. JavaDog.io uses ProtonMail for all e-mail communication, and their support for PGP is limited, so please use this key to send us an e-mail at cws at haugr.net, with an OpenPGP encrypted message inline, with as many details as possible.
Latest stable version of CWS.
Tests has been performed using WildFly 23,
with Java 11 - 17 as Runtime Environments,
and PostgreSQL as RDBMS
Release Notes | Apache 2.0 License