From 9065d608631efcdd7eae9cb3123e819ababc5c12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Dvo=C5=99=C3=A1k?= Date: Mon, 10 Jun 2024 10:20:26 +0100 Subject: [PATCH] Fix #616: Add a note on built-in keys to the list of used keys (#617) * Fix #616: Add a note on built-in keys to the list of used keys * Fix table formatting --- .gitignore | 1 + docs/.gitignore | 1 + docs/List-of-used-keys.md | 14 ++++++++++++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 29c47e3cc..31dd84ab6 100644 --- a/.gitignore +++ b/.gitignore @@ -18,4 +18,5 @@ ## Directory-based project format: .idea/ .mvn +.vscode/ dist/ diff --git a/docs/.gitignore b/docs/.gitignore index 29c47e3cc..31dd84ab6 100644 --- a/docs/.gitignore +++ b/docs/.gitignore @@ -18,4 +18,5 @@ ## Directory-based project format: .idea/ .mvn +.vscode/ dist/ diff --git a/docs/List-of-used-keys.md b/docs/List-of-used-keys.md index 21d63e49c..11b322b2f 100644 --- a/docs/List-of-used-keys.md +++ b/docs/List-of-used-keys.md @@ -2,14 +2,24 @@ The following keys are used in the PowerAuth cryptography scheme. +## Application Scoped Keys + +| name | created as | purpose | +|-----------------------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). | +| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). | +| `APP_KEY` | Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. | +| `APP_SECRET` | Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. | + + +## Activation Scoped Keys + | name | created as | purpose | |-----------------------------|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `KEY_DEVICE_PRIVATE` | ECDH - private key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | | `KEY_DEVICE_PUBLIC` | ECDH - public key | Generated on client to allow construction of `KEY_MASTER_SECRET`. | | `KEY_SERVER_PRIVATE` | ECDH - private key | Generated on server to allow construction of `KEY_MASTER_SECRET`. | | `KEY_SERVER_PUBLIC` | ECDH - public key | Generated on server to allow construction of `KEY_MASTER_SECRET`. | -| `KEY_SERVER_MASTER_PRIVATE` | ECDH - private key | Stored on server, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client | -| `KEY_SERVER_MASTER_PUBLIC` | ECDH - public key | Stored on client, used to assure authenticity of `KEY_DEVICE_PUBLIC` while transferring from server to client | | `KEY_MASTER_SECRET` | ECDH - pre-shared | A key deduced using ECDH derivation, `KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC)` and then reduced with `ByteUtils.convert32Bto16B()`. | | `KEY_SIGNATURE_POSSESSION` | KDF derived key from `KEY_MASTER_SECRET` | A signing key associated with the possession, factor deduced using KDF derivation with `INDEX = 1`, `KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1)`, used for subsequent request signing. | | `KEY_SIGNATURE_KNOWLEDGE` | KDF derived key from `KEY_MASTER_SECRET` | A key associated with the knowledge factor, deduced using KDF derivation with `INDEX = 2`, `KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2)`, used for subsequent request signing. |