44. Architecture

This section provides an in-depth look at the wFabricSecurity architecture, design patterns, and implementation details.





44.1. Overview

wFabricSecurity is built on a layered architecture that separates concerns and provides modular, testable components:


digraph LayeredArchitecture {
    rankdir=TB;
    size="8,10";

    subgraph cluster_presentation {
        label="Presentation Layer"; style="rounded"; color="#667eea"; fontcolor="#667eea";
        node [style="filled,rounded", fillcolor="#E3F2FD"];
        CLI [label="CLI Tool"];
        API [label="API Gateway"];
    }
    subgraph cluster_application {
        label="Application Layer"; style="rounded"; color="#764ba2"; fontcolor="#764ba2";
        node [style="filled,rounded", fillcolor="#F3E5F5"];
        FS [label="FabricSecurity"];
        FSS [label="FabricSecuritySimple"];
    }
    subgraph cluster_security {
        label="Security Services Layer"; style="rounded"; color="#4CAF50"; fontcolor="#4CAF50";
        node [style="filled,rounded", fillcolor="#E8F5E9"];
        IV [label="IntegrityVerifier"];
        PM [label="PermissionManager"];
        MM [label="MessageManager"];
        RL [label="RateLimiter"];
    }
    subgraph cluster_crypto {
        label="Cryptographic Layer"; style="rounded"; color="#FF9800"; fontcolor="#FF9800";
        node [style="filled,rounded", fillcolor="#FFF3E0"];
        HS [label="HashingService"];
        SS [label="SigningService"];
        IM [label="IdentityManager"];
    }
    subgraph cluster_fabric {
        label="Hyperledger Fabric Layer"; style="rounded"; color="#2196F3"; fontcolor="#2196F3";
        node [style="filled,rounded", fillcolor="#E3F2FD"];
        GW [label="FabricGateway"];
        NW [label="FabricNetwork"];
        CT [label="FabricContract"];
    }
    subgraph cluster_storage {
        label="Storage Layer"; style="rounded"; color="#607D8B"; fontcolor="#607D8B";
        node [style="filled,rounded", fillcolor="#ECEFF1"];
        LS [label="LocalStorage"];
        FSs [label="FabricStorage"];
    }

    // DOT has no "&" operator; a brace group fans one edge out to several nodes
    CLI -> API -> FS -> {IV PM MM RL};
    IV -> {HS SS};
    SS -> IM;
    FS -> GW -> {NW CT};
    FS -> {LS FSs};
}



44.2. Components


44.2.1. FabricSecurity (Main Class)

The central orchestrator that coordinates all security services.


digraph FabricSecurity {
    rankdir=LR;
    size="10,6";

    FS [label="FabricSecurity", shape=box, style="rounded,filled", fillcolor="#764ba2", fontcolor="white"];

    subgraph cluster_internal {
        label="Internal Services"; style="dashed";
        IV [label="IntegrityVerifier"];
        PM [label="PermissionManager"];
        MM [label="MessageManager"];
        RL [label="RateLimiter"];
    }
    subgraph cluster_crypto {
        label="Cryptographic Services"; style="dashed";
        HS [label="HashingService"];
        SS [label="SigningService"];
        IM [label="IdentityManager"];
    }
    subgraph cluster_fabric {
        label="Fabric Services"; style="dashed";
        GW [label="FabricGateway"];
        NW [label="FabricNetwork"];
        CT [label="FabricContract"];
    }
    subgraph cluster_storage {
        label="Storage Services"; style="dashed";
        LS [label="LocalStorage"];
        FSs [label="FabricStorage"];
    }

    // DOT has no "&" operator; a brace group fans one edge out to several nodes
    FS -> {IV PM MM RL};
    IV -> {HS SS};
    SS -> IM;
    FS -> GW -> {NW CT};
    FS -> {LS FSs};
}

Key Responsibilities:

  • Initialize and configure all security services

  • Coordinate inter-service communication

  • Provide unified API for security operations

  • Manage lifecycle of security components


44.2.2. Cryptographic Layer


Component        Description
---------------  -------------------------------------------------------
HashingService   SHA-256 hash computation for code and message integrity
SigningService   ECDSA (secp256k1) signing and verification operations
IdentityManager  X.509 certificate management and identity verification



digraph CryptoFlow {
    rankdir=LR;
    size="10,4";

    // fillcolor only takes effect on filled nodes
    node [style="filled"];
    Input [label="Input Data", shape=ellipse, fillcolor="#E3F2FD"];
    Hash [label="SHA-256 Hash", shape=box, fillcolor="#FF9800", fontcolor="white"];
    Sign [label="ECDSA Sign", shape=box, fillcolor="#4CAF50", fontcolor="white"];
    Output [label="Digital Signature", shape=ellipse, fillcolor="#E3F2FD"];

    Input -> Hash -> Sign -> Output;
}



44.2.3. Security Services


44.2.3.1. IntegrityVerifier

Verifies code integrity using SHA-256 hashes stored on the Fabric ledger.




44.2.3.2. PermissionManager

Manages communication permissions between participants.


Permission Type  Description
---------------  --------------------------------
BIDIRECTIONAL    Full bidirectional communication
OUTBOUND         Only outgoing messages allowed
INBOUND          Only incoming messages allowed
NONE             No communication allowed



44.2.3.3. MessageManager

Handles secure message creation, signing, and verification.




44.2.3.4. RateLimiter

Implements the token bucket algorithm for rate limiting.


Parameter  Description
---------  ---------------------------
rate       Tokens added per second
capacity   Maximum token bucket size
consume    Tokens consumed per request




44.2.4. Fabric Integration


digraph FabricIntegration {
    rankdir=TB;
    size="8,6";

    // fillcolor only takes effect on filled nodes
    node [style="filled"];

    subgraph cluster_app {
        label="Application"; style="rounded";
        FS [label="FabricSecurity", shape=box, fillcolor="#764ba2", fontcolor="white"];
    }
    subgraph cluster_gateway {
        label="Fabric Gateway"; style="rounded";
        GW [label="FabricGateway", shape=box, fillcolor="#2196F3", fontcolor="white"];
        NW [label="FabricNetwork", shape=box, fillcolor="#2196F3", fontcolor="white"];
        CT [label="FabricContract", shape=box, fillcolor="#2196F3", fontcolor="white"];
    }
    subgraph cluster_ledger {
        label="Hyperledger Fabric Ledger"; style="rounded";
        BC [label="Blockchain", shape=box, fillcolor="#607D8B", fontcolor="white"];
        SC [label="Smart Contracts", shape=box, fillcolor="#607D8B", fontcolor="white"];
    }

    // DOT has no "&" operator; a brace group fans one edge out to several nodes
    FS -> GW -> {NW CT};
    NW -> BC;
    CT -> SC;
}

Gateway Connection Flow:





44.2.5. Storage Layer


Storage Type   Description
-------------  ------------------------------------------
LocalStorage   File-based storage with JSON serialization
FabricStorage  Blockchain-based storage via chaincode



digraph StorageLayer {
    rankdir=LR;
    size="8,4";

    subgraph cluster_app {
        label="Application Layer";
        FS [label="FabricSecurity"];
    }
    subgraph cluster_storage {
        label="Storage Abstraction";
        // "interface" is not a Graphviz shape; box is what Graphviz falls back to
        Abs [label="Storage Interface", shape=box];
    }
    subgraph cluster_impl {
        label="Storage Implementations";
        LS [label="LocalStorage"];
        Fs [label="FabricStorage"];
    }

    FS -> Abs;
    Abs -> LS;
    Abs -> Fs;
}



44.3. Design Patterns


44.3.1. Singleton Pattern

Services use the singleton pattern to ensure a single instance:


class HashingService:
    _instance = None

    def __new__(cls):
        if cls._instance is None:
            cls._instance = super().__new__(cls)
        return cls._instance

44.3.2. Factory Pattern

Credential creation uses the factory pattern:


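class IdentityFactory:
    @staticmethod
    def create_credentials(credential_type: CredentialType) -> Credentials:
        """Return the credentials implementation for the given type."""
        if credential_type == CredentialType.MSP:
            return MSPCredentials()
        elif credential_type == CredentialType.WALLET:
            return WalletCredentials()
        # Fail closed instead of silently returning None for an unknown type
        raise ValueError(f"Unsupported credential type: {credential_type!r}")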

44.3.3. Strategy Pattern

Rate limiting strategies:


class RateLimiter:
    def __init__(self, strategy: RateLimitStrategy):
        self.strategy = strategy

    def should_allow(self) -> bool:
        return self.strategy.should_allow()
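
An added example, not wFabricSecurity's own code: a token bucket written as a strategy for the RateLimiter shown above, using the rate, capacity and consume parameters from the RateLimiter section. The class name TokenBucketStrategy, the injectable clock and the demo scenario are assumptions made for illustration.

```python
import threading
import time


class TokenBucketStrategy:
    """Token bucket driven by rate / capacity / consume (hypothetical class name)."""

    def __init__(self, rate, capacity, consume=1.0, clock=time.monotonic):
        if rate <= 0 or capacity <= 0 or consume <= 0:
            raise ValueError("rate, capacity and consume must be positive")
        if consume > capacity:
            raise ValueError("consume > capacity would reject every request")
        self.rate, self.capacity, self.consume = rate, capacity, consume
        self._clock = clock            # monotonic: unaffected by wall-clock changes
        self._tokens = capacity        # start full so an initial burst is allowed
        self._last = clock()
        self._lock = threading.Lock()  # refill and spend must be one atomic step

    def should_allow(self) -> bool:
        with self._lock:
            now = self._clock()
            # Refill for the elapsed time, never above capacity.
            self._tokens = min(self.capacity, self._tokens + (now - self._last) * self.rate)
            self._last = now
            if self._tokens >= self.consume:
                self._tokens -= self.consume
                return True
            return False               # a denied request spends nothing


class RateLimiter:
    """Same shape as the RateLimiter in the Strategy Pattern section."""
    def __init__(self, strategy):
        self.strategy = strategy

    def should_allow(self) -> bool:
        return self.strategy.should_allow()


def demo() -> list:
    """Constructed scenario: 4 requests at t=0 s, then one each at t=0.5 s and t=1.5 s."""
    t = [0.0]  # fake clock, advanced by hand
    limiter = RateLimiter(TokenBucketStrategy(rate=1, capacity=3, clock=lambda: t[0]))
    results = [limiter.should_allow() for _ in range(4)]  # capacity 3: the 4th is denied
    for instant in (0.5, 1.5):
        t[0] = instant
        results.append(limiter.should_allow())
    return results
```

The request at 0.5 s is still denied because only half a token has been refilled; the fraction carries over, so the request at 1.5 s is allowed.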



44.4. Security Model


44.4.1. Zero Trust Principles


Principle               Implementation
----------------------  ------------------------------------------------------------------------------
Verify Explicitly       Every request is authenticated and authorized using cryptographic verification
Least Privilege Access  Participants receive minimum necessary permissions
Assume Breach           Continuous verification and monitoring



44.4.2. Threat Mitigation


Threat             Mitigation Strategy
-----------------  ---------------------------------------------------
Code Tampering     SHA-256 hash verification against Fabric ledger
Identity Spoofing  ECDSA signature verification with X.509 certificates
Message Replay     Timestamp validation and nonce usage
Man-in-the-Middle  TLS transport and message signing
Denial of Service  Rate limiting with token bucket algorithm
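
An added example, not wFabricSecurity's own code, of the "Timestamp validation and nonce usage" mitigation above: a receiver that rejects stale timestamps and reused nonces. It assumes a 30-second window and uses HMAC-SHA256 from the standard library as a stand-in for the ECDSA/X.509 signature; ReplayGuard, sign and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import json
import time


def sign(key: bytes, msg: dict) -> str:
    """MAC over sender, timestamp, nonce and payload, so none can be changed alone."""
    fields = [msg["sender"], msg["timestamp"], msg["nonce"], msg["payload"]]
    return hmac.new(key, json.dumps(fields).encode(), hashlib.sha256).hexdigest()


class ReplayGuard:
    def __init__(self, key: bytes, max_skew: float = 30.0, clock=time.time):
        self._key, self._max_skew, self._clock = key, max_skew, clock
        self._seen = {}  # (sender, nonce) -> time after which the message is stale anyway

    def accept(self, msg: dict) -> str:
        now = self._clock()
        try:
            authentic = hmac.compare_digest(sign(self._key, msg), msg["signature"])
            skew = abs(now - msg["timestamp"])
        except (KeyError, TypeError):
            return "malformed"
        if not authentic:
            return "bad-signature"      # checked first: forged input never reaches the cache
        if skew > self._max_skew:
            return "stale-timestamp"
        # Forget nonces whose messages can no longer pass the timestamp check.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        entry = (msg["sender"], msg["nonce"])
        if entry in self._seen:
            return "replayed-nonce"
        self._seen[entry] = msg["timestamp"] + self._max_skew
        return "accepted"


def demo() -> list:
    """Constructed key and message; `now` is a fake clock the demo advances."""
    now, key = [1000.0], b"constructed-demo-key"
    guard = ReplayGuard(key, max_skew=30.0, clock=lambda: now[0])
    msg = {"sender": "org1", "timestamp": 1000.0, "nonce": "n-1", "payload": "transfer:42"}
    msg["signature"] = sign(key, msg)
    out = [guard.accept(msg), guard.accept(msg)]       # first delivery, then a replay
    out.append(guard.accept({**msg, "nonce": "n-2"}))  # swapped nonce breaks the signature
    now[0] = 1031.0                                    # 31 s later: outside the window
    out.append(guard.accept(msg))
    return out
```

The nonce cache stays bounded because an entry is only needed while its message could still pass the timestamp check.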



44.4.3. Audit & Compliance

All security operations generate audit logs:


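from datetime import datetime, timezone
from typing import List


class AuditLog:
    def __init__(self):
        self.entries: List[AuditEntry] = []

    def log(self, operation: str, participant: str, result: bool):
        """Append one audit entry for a security operation."""
        self.entries.append(AuditEntry(
            # Timezone-aware UTC keeps entries comparable across hosts
            timestamp=datetime.now(timezone.utc),
            operation=operation,
            participant=participant,
            result=result
        ))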



44.5. Performance


44.5.1. Caching Strategy

Certificate caching with LRU eviction:


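from cachetools import TTLCache, cachedmethod  # third-party package

class IdentityManager:
    def __init__(self):
        # functools.lru_cache has no ttl argument; TTLCache combines LRU
        # eviction with per-entry expiry. A cached certificate is served
        # until its entry expires, so revocation is only seen on the next fetch.
        self._cert_cache = TTLCache(maxsize=1024, ttl=3600)

    @cachedmethod(lambda self: self._cert_cache)
    def get_certificate(self, participant_id: str) -> Certificate:
        """Cache certificates for 1 hour with LRU eviction."""
        return self._fetch_certificate(participant_id)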


44.5.2. Optimizations

  • Batch Verification: Multiple signatures verified in parallel

  • Connection Pooling: Gateway connections reused

  • Lazy Loading: Components loaded on-demand

  • Memory Pooling: Pre-allocated buffers for crypto operations




44.6. Scalability


wFabricSecurity supports horizontal scaling through:





44.7. Deployment


digraph Deployment {
    rankdir=LR;
    size="10,5";

    subgraph cluster_k8s {
        label="Kubernetes Cluster"; style="rounded"; color="#326CE5";
        subgraph cluster_nodes {
            label="Nodes"; style="dashed";
            Pod1 [label="wFabricSecurity Pod 1", shape=box];
            Pod2 [label="wFabricSecurity Pod 2", shape=box];
            Pod3 [label="wFabricSecurity Pod 3", shape=box];
        }
        // style="filled" is needed for fillcolor to take effect
        LB [label="Load Balancer", shape=ellipse, style="filled", fillcolor="#4CAF50", fontcolor="white"];
    }
    subgraph cluster_fabric {
        label="Hyperledger Fabric"; style="rounded"; color="#333";
        ORG1 [label="Org1 Peer"];
        ORG2 [label="Org2 Peer"];
        ORDERER [label="Orderer"];
    }

    // DOT has no "&" operator; a brace group fans one edge out to several nodes
    LB -> {Pod1 Pod2 Pod3};
    Pod1 -> ORG1;
    Pod2 -> ORG2;
    Pod3 -> ORDERER;
}


Deployment Requirements:

  • Python 3.10+

  • Hyperledger Fabric 2.x or 3.x

  • Minimum 2GB RAM per instance

  • Network connectivity to Fabric peers




See also