-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #655 from /issues/654-add-temporary-keys-into-list
- Loading branch information
Showing
3 changed files
with
32 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # List of Used Keys | ||
|
|
||
| The following keys are used in the PowerAuth cryptography scheme. | ||
|
|
||
| ## Application Scoped Keys | ||
|
|
||
| | name | created as | purpose | | ||
| |-----------------------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). | | ||
| | `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). | | ||
| | `APP_KEY` | Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. | | ||
| | `APP_SECRET` | Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. | | ||
| | `KEY_ENC_TEMPORARY` | Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in application scope. The key pair enhances security by ensuring forward secrecy for encrypted data. | | ||
|
|
||
| ## Activation Scoped Keys | ||
|
|
||
| | name | created as | purpose | | ||
| |----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | `KEY_DEVICE_PRIVATE` | ECDH - private key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | | ||
| | `KEY_DEVICE_PUBLIC` | ECDH - public key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | | ||
| | `KEY_SERVER_PRIVATE` | ECDH - private key | Generated on server to allow construction of `KEY_MASTER_SECRET`. | | ||
| | `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET`. | | ||
| | `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`. | | ||
| | `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing. | | ||
| | `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing. | | ||
| | `KEY_SIGNATURE_BIOMETRY` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the biometry factor, deduced using KDF derivation with `INDEX = 3`, `KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3)`, used for subsequent request signing. | | ||
| | `KEY_TRANSPORT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 1000`, `KEY_TRANSPORT = KDF.derive(KEY_MASTER_SECRET, 1000)`, used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation. | | ||
| | `KEY_ENCRYPTION_VAULT` | KDF derived key from `KEY_MASTER_SECRET` | A key deduced using KDF derivation with `INDEX = 2000`, `KEY_ENCRYPTION_VAULT = KDF.derive(KEY_MASTER_SECRET, 2000)`, used for encrypting a vault that stores the secret data, such as `KEY_DEVICE_PRIVATE`. | | ||
| | `KEY_TRANSPORT_IV` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 3000`, `KEY_ENCRYPTION_IV = KDF.derive(KEY_TRANSPORT, 3000)`, used for derivation of initial vector, that encrypts activation status blob. | | ||
| | `KEY_TRANSPORT_CTR` | KDF derived key from `KEY_TRANSPORT` | A key deduced using KDF derivation with `INDEX = 4000`, `KEY_TRANSPORT_CTR = KDF.derive(KEY_TRANSPORT, 4000)`, used for computing hash from current value of hash-based counter. | | ||
| | `KEY_ENC_TEMPORARY` | Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in activation scope. This key pair enhances security by ensuring forward secrecy for encrypted data. | |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters