Танилцуулга / Аюулгүй байдал
Аюулгүй байдал
Defense in depth + Fail securely + Least privilege + Audit everything important + No shortcuts. e-ID Mongolia v2-ын baseline-аас verbatim adopt. Доор PayGrid security tier бүр — mTLS, JWT, HSM, RBAC, RLS, hash-chained audit, threat model.
1. Зургаан зарчим — non-negotiable
- Defense in depth — нэг давхаргын compromise бүх системийг бүү эвдэг.
- Fail securely — алдаа нь хаалт-руу унана, нээлт-рүү бус.
- Least privilege — service / user / DB role хамгийн бага хүрээтэй.
- Audit everything important — repudiation impossible.
- No security shortcuts — TLS, parameterized queries, secret rotation.
- Standards verbatim — Berlin Group + ISO 20022 + eIDAS, шинэ зохион бичсэн биш.
2. Tripwires — хориотой зүйл
--no-verify,--skip-verify,--insecureflag-ууд- Plaintext password / PIN / token DB-д эсвэл log-д
'unsafe-inline','unsafe-eval'CSP- Гар-аар бичигдсэн crypto algorithm — стандарт library-аас л
- HSM-bypassed sensitive private key handling
- Mongolbank settlement данс ramp-between actions
- Merchant identity-аас PayGrid-д шууд хадгалах (PSP-only)
3. Authentication
mTLS (mandatory)
TLS 1.3 only (no TLS 1.2 эсвэл доороос)
Cipher suites: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
ECDHE key exchange only
Client cert pinning per participant (fingerprint match in DB)
Cert validity: max 1 жил
Cert revocation: OCSP + CRL
HSTS: max-age=63072000; includeSubDomains; preload
JWT (per-request)
Algorithm: ES256 preferred, RS256 OK; HS256 forbidden
Issuer: participant BIC
Audience: api.paygrid.mn
exp: ≤ 60 sec from iat
jti: unique per request (replay protection)
Public key: pinned per participant in `participant_keys`
X-Road client (e-ID Mongolia-аар)
X-Road global trust anchor
Client subsystem: MN/COM/<reg>/PAYGRID-CLIENT
mTLS with X-Road managed certs
Endpoint:
/r1/MN/COM/<eidmongol-member>/eid-rp/sign/initiate
(тус бүрд PayGrid-ын өөрийн service-side signing-ад)
PayGrid does NOT proxy user SCA — банкууд e-ID-руу шууд
дуудна.
4. Cryptography policy
Approved
Hashing: SHA-256, SHA-384, SHA-512
Symmetric: AES-256-GCM, ChaCha20-Poly1305
Asymmetric: ECDSA P-256/P-384, Ed25519, RSA 2048/3072
KDF: HKDF-SHA-256/512, Argon2id
Random: crypto/rand (Go), /dev/urandom
Forbidden
- MD5, SHA-1 хаа ч хамаагүй
- AES-CBC/ECB, RC4, DES, 3DES
- RSA < 2048
- Custom crypto algorithms
- XOR encryption, hardcoded IV/nonce
- Predictable random
- Source code эсвэл config-д хадгалсан key
5. HSM integration
- Бүх long-lived signing keys HSM-д
- PKCS#11 abstraction (
github.com/miekg/pkcs11) - Vendors: Thales Luna (production) · AWS CloudHSM (cloud) · SoftHSM (dev)
- Key types: server signing (ES256), master enc (AES-256), TLS server cert
- HSM HA: active-active cluster, < 30 сек failover
- Key ceremony: documented, witnessed (M-of-N), quarter тутам
6. Secrets management
- Бүх secret Vault эсвэл KMS-д
- Git, config файл (encrypted биш), env vars (boot-time биш), log, URL query string-д хэзээ ч биш
- Rotation: ≤ 90 хоног API key-аар; ≤ 1 жил HSM key-аар
- Detection: gitleaks pre-commit hook (mandatory)
- Vault audit log — secret access бүх
7. RBAC + RLS
Application roles
paygrid_app | Application service account (RW with RLS) |
paygrid_reader | Read-only reporting (no PII) |
paygrid_audit | Audit log read access |
paygrid_migrate | DDL + RLS bypass — migration only |
paygrid_operator | Operator portal (M-of-N for sensitive ops) |
Per-participant context
paygrid.current_participant_bic set per-request via session var
paygrid.is_operator TRUE only when authenticated as operator
RLS enforces participant isolation:
CREATE POLICY payments_psp_isolation ON payments
FOR SELECT
USING (
initiating_psp = current_setting('paygrid.current_participant_bic')
OR creditor_psp = current_setting('paygrid.current_participant_bic')
OR current_setting('paygrid.is_operator', true) = 'true'
);
Operator portal
- mTLS + WebAuthn (FIDO2 hardware token required)
- IP allowlist (operator office VPN)
- Session timeout: 15-минут idle, 4-цаг absolute
- Sensitive ops (alias revoke, participant suspend) — M-of-N (2-of-3) approval
- Бүх admin action audit-logged
8. Rate limiting
Per-participant:
/v1/payments/sepa-credit-transfers 100 req/sec, 1000 req/min
/v1/aliases/{alias} 500 req/sec
/v1/aliases (POST) 10 req/sec
/v1/psp/{bic}/balance 10 req/sec
Per-IP (unauthenticated):
/v1/health/* 100 req/sec
Implementation: Redis sliding-window counter
Response: 429 + Retry-After header
Burst: 2× limit for 1-second burst
9. Audit log
Бүх чухал action бичигдэнэ — authentication attempt, authorization decision, payment lifecycle, alias create/update/revoke, participant onboard/suspend, operator portal action, settlement batch generation, webhook delivery, HSM key operation, secret access.
Schema overview (PLAN/06-DATA-MODEL.md §audit_log):
CREATE TABLE audit_log_template (
id BIGSERIAL,
shard SMALLINT NOT NULL, -- 0-15
actor VARCHAR(100) NOT NULL,
action VARCHAR(50) NOT NULL,
resource_id VARCHAR(100),
metadata JSONB,
prev_hash CHAR(64), -- hash of previous in shard
record_hash CHAR(64) NOT NULL, -- SHA-256 chain
occurred_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
PRIMARY KEY (shard, id)
);
-- 16 шард for concurrency
-- Sharded by abs(hashtext(resource_id)) % 16
-- new_hash = SHA-256(prev_hash || actor || action || resource || metadata || ts)
- Hash-chained per shard for tamper detection
- Off-site backup: daily encrypted snapshot to immutable S3 (object lock)
- Retention: 7 жил (regulatory baseline)
- Export: signed CSV/JSON-аар regulator-руу e-ID Mongolia QES-аар
Logging policy
❌ Хэзээ ч log хийхгүй
- PIN, password, secret, key
- JWT (full)
- Card PAN
- National ID
- Phone, email
- IP address (30 хоногоос гадуур)
- Authorization header
✅ Log хийх
- participant BIC (routing)
- payment_id (UUID)
- alias (truncated:
ed***@gerege) - status code
- error category
10. Threat model
| Threat | Mitigation |
|---|---|
| Stolen API key | mTLS + JWT (key alone insufficient); rotation; audit |
| Replay attack | jti + idempotency-key + JWT exp |
| MITM | TLS 1.3 + cert pinning + HSTS |
| Insider threat | RBAC + RLS + audit + M-of-N for sensitive ops |
| Database breach | Encryption at rest (pgcrypto) + KMS-wrapped DEK |
| HSM compromise | Active-active with key escrow ceremony |
| DDoS | Cloudflare + rate limit + Redis caching |
| SQL injection | Parameterized queries (sqlc) — no string concat |
| XSS (portal) | CSP strict + sanitize all rendered user input |
| CSRF | SameSite cookies + CSRF tokens on portal |
| Phishing (PSP staff) | WebAuthn + IP allowlist for operator portal |
| Sanctions evasion | Real-time screening on every tx |
| AML structuring | FRM velocity rules + suspicious pattern detection |
| Settlement risk | Pre-funded nostro + DvP at Mongolbank |
| Regulatory non-compliance | Audit log + auto-export tooling |
11. Compliance requirements
- Mongolian Personal Data Protection Law (2021): consent, DSAR
- Mongolian Anti-Money Laundering Law: SAR reporting to FIU
- Mongolian Payment Systems regulation: scheme operator obligations
- ISO 27001: target Phase 3+ certification
- PCI-DSS: scope minimization (no PAN handling)
- ETSI EN 319 401: TSP general policy (PayGrid issues нь cert)
- GDPR-equivalent: cross-border consideration (Phase 4)
12. Vulnerability response
- Public bug bounty (HackerOne or similar) Phase 3+
- Internal
security@paygrid.mn - Disclosure SLA: critical 7 хоног, high 30 хоног
- Patches deployed via automated CI (no manual steps)
- Quarterly penetration test (3rd party)
- Annual full security audit (regulator-approved firm)
Эх сурвалж: PLAN/07-SECURITY.md, PLAN/12-CONFORMANCE.md.
Дараагийн хуудас: Settlement →