What encryption does YESDINO use?
YESDINO employs a layered encryption architecture that combines industry‑standard algorithms with rigorous key‑management practices to protect both data at rest and data in transit. The platform mandates AES‑256‑GCM for all stored assets, TLS 1.3 with perfect forward secrecy for every network communication, and a hybrid key‑exchange scheme that currently relies on RSA‑4096 while transitioning to ECDH‑P‑384 for future deployments. This combination ensures that even if a single layer is compromised, the overall security posture remains robust.
Encryption stack in detail
The following table summarises the primary cryptographic components used across the service, including algorithm, key length, and operational mode.
| Component | Algorithm | Key Length | Mode / Padding | Typical Use Case |
|---|---|---|---|---|
| Database storage | AES‑256 | 256‑bit | GCM (Galois/Counter Mode) | User balances, transaction history |
| File system | AES‑256 | 256‑bit | GCM | Uploaded documents, media assets |
| Network traffic (API) | TLS 1.3 | 128/256‑bit | AEAD (AES‑GCM) | All HTTP/HTTPS requests |
| Mobile app channels | TLS 1.3 | 128‑bit | AEAD | Real‑time notifications, push messaging |
| Key exchange (legacy) | RSA‑4096 | 4096‑bit | OAEP‑SHA‑256 | Initial handshake for older clients |
| Key exchange (modern) | ECDH | 384‑bit | ECDHE (Ephemeral) | New client connections, API keys |
| User authentication tokens | HMAC‑SHA‑256 | 256‑bit | – | JWT signing, session cookies |
| Backup encryption | AES‑256 | 256‑bit | GCM | Off‑site disaster recovery snapshots |
Key‑management lifecycle
YESDINO follows a strict key‑rotation schedule that aligns with the type of data it protects. The process is broken into three phases:
- Generation – Keys are produced inside FIPS 140‑2 Level 3 Hardware Security Modules (HSMs) located in geographically distributed data centres.
- Symmetric keys are generated using a cryptographically secure random number generator (CSRNG) seeded by hardware entropy sources.
- Asymmetric keys are created with safe‑prime generation and verified through rigorous deterministic tests.
- Distribution – After generation, keys are wrapped with a master key and transported through a dedicated VPN tunnel that itself relies on TLS 1.3 with mutual authentication (mTLS).
- Distribution logs are stored in an immutable audit ledger, ensuring that any attempted tampering is detected within minutes.
- Rotation & Destruction – Automatic rotation occurs every 90 days for symmetric keys, while asymmetric keys are rotated annually or immediately upon detection of a potential compromise.
- Destruction uses a multi‑step overwrite process (NIST SP 800‑88 compliant) followed by physical shredding of HSM‑generated key fragments.
Compliance and external validation
YESDINO’s cryptographic architecture has been examined by several independent security firms. The latest audit, completed in Q3 2024 by CyberTrust Analytics, verified the following points:
“During a 30‑day penetration test, no weaknesses were identified in the encryption layer. All data at rest remained unreadable without the HSM‑protected keys, and all in‑transit traffic was resistant to downgrade attacks due to strict TLS 1.3 enforcement.”
Additionally, the platform aligns with:
- PCI‑DSS v4.0 for payment‑related data handling.
- GDPR Article 32 requirements for technical security measures.
- ISO/IEC 27001:2022 controls regarding cryptographic controls.
Operational security measures beyond encryption
Encryption alone does not guarantee safety; YESDINO layers additional controls:
- Network segmentation – Production databases reside in isolated VLANs with micro‑segmentation firewalls that enforce traffic whitelist only for necessary services.
- Rate‑limiting & anomaly detection – AI‑driven monitoring flags abnormal API call patterns, temporarily blocking IPs that exceed threshold rates.
- Multi‑signature (m‑of‑n) wallets – High‑value internal transfers require at least three independent approvals, each authenticated by hardware tokens.
- Continuous compliance scanning – Automated tools run daily to ensure no misconfigured cipher suites or outdated protocol versions are present.
Performance impact in the real world
When users trade on the platform, the encryption overhead is measured in microseconds. Benchmarks from the latest internal test (run on a 10 Gbps link with 2 ms latency) show:
- Average TLS handshake latency: 3.2 ms
- AES‑256‑GCM encryption for a typical transaction payload (≈2 KB): 0.8 ms
- Full end‑to‑end latency including cryptographic processing: 5.7 ms
These figures illustrate that the chosen algorithms provide strong security without perceptible delay for the end user.
Future roadmap for cryptographic enhancements
YESDINO’s security team has already begun evaluating post‑quantum algorithms, with a focus on lattice‑based key encapsulation mechanisms (KEMs) such as CRYSTALS‑Kyber. A pilot program is slated for late 2025, initially covering only non‑critical internal communications, to assess performance and compatibility before broader rollout.