Skip to content

Commit

Permalink
Fix #616: Add a note on built-in keys to the list of used keys (#617)
Browse files Browse the repository at this point in the history
* Fix #616: Add a note on built-in keys to the list of used keys

* Fix table formatting
  • Loading branch information
petrdvorak authored Jun 10, 2024
1 parent f2796e9 commit 9065d60
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 2 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,5 @@
## Directory-based project format:
.idea/
.mvn
.vscode/
dist/
1 change: 1 addition & 0 deletions docs/.gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -18,4 +18,5 @@
## Directory-based project format:
.idea/
.mvn
.vscode/
dist/
14 changes: 12 additions & 2 deletions docs/List-of-used-keys.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,24 @@

The following keys are used in the PowerAuth cryptography scheme.

## Application Scoped Keys

| name | created as | purpose |
|-----------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). |
| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). |
| `APP_KEY` | Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. |
| `APP_SECRET` | Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. |


## Activation Scoped Keys

| name | created as | purpose |
|-----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `KEY_DEVICE_PRIVATE` | ECDH - private key | Generated on client to allow construction of `KEY_MASTER_SECRET`. |
| `KEY_DEVICE_PUBLIC` | ECDH - public key | Generated on client to allow construction of `KEY_MASTER_SECRET`. |
| `KEY_SERVER_PRIVATE` | ECDH - private key | Generated on server to allow construction of `KEY_MASTER_SECRET`. |
| `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET`. |
| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Stored on server, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client |
| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Stored on client, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client |
| `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`. |
| `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing. |
| `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing. |
Expand Down

0 comments on commit 9065d60

Please sign in to comment.