Select release
PowerAuth Specification

Overview

Activation

Activation Principles

Activation via Activation Code

Activation via Recovery Code

Activation via Custom Credentials

Key Derivation

Checking Activation Status

Signatures

Signatures

MAC Token Based Authentication

Encryption

End-To-End Encryption

Other Chapters

Basic Definitions

Activation Code Format

Additional Activation OTP

Implementation Details

List of Used Keys

Tutorials

Authentication in Mobile Banking Apps (SCA)

Verifying PowerAuth Signatures On The Server

API Reference

PowerAuth Standard RESTful API

Deployment

Architecture Overview

Deployment Checklist

Applications

PowerAuth Server

Enrollment Server

PowerAuth Admin

PowerAuth Push Server

PowerAuth CMD Tool

PowerAuth Mobile SDK

PowerAuth RESTful API SDK

PowerAuth Web Flow

Development

Development

Reporting Issues

Releases

List of Releases

List of Used Keys

Edit on Github Send Feedback v1.8.0

The following keys are used in the PowerAuth cryptography scheme.

Application Scoped Keys

name created as purpose
KEY_SERVER_MASTER_PRIVATE ECDH - private key Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation).
KEY_SERVER_MASTER_PUBLIC ECDH - public key Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation).
APP_KEY Application version key Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel.
APP_SECRET Application version secret Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values.

Activation Scoped Keys

name created as purpose
KEY_DEVICE_PRIVATE ECDH - private key Generated on client to allow construction of KEY_MASTER_SECRET.
KEY_DEVICE_PUBLIC ECDH - public key Generated on client to allow construction of KEY_MASTER_SECRET.
KEY_SERVER_PRIVATE ECDH - private key Generated on server to allow construction of KEY_MASTER_SECRET.
KEY_SERVER_PUBLIC ECDH - public key Generated on server to allow construction of KEY_MASTER_SECRET.
KEY_MASTER_SECRET ECDH - pre-shared A key deduced using ECDH derivation, KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC) and then reduced with ByteUtils.convert32Bto16B().
KEY_SIGNATURE_POSSESSION KDF derived key from KEY_MASTER_SECRET A signing key associated with the possession, factor deduced using KDF derivation with INDEX = 1, KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1), used for subsequent request signing.
KEY_SIGNATURE_KNOWLEDGE KDF derived key from KEY_MASTER_SECRET A key associated with the knowledge factor, deduced using KDF derivation with INDEX = 2, KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2), used for subsequent request signing.
KEY_SIGNATURE_BIOMETRY KDF derived key from KEY_MASTER_SECRET A key associated with the biometry factor, deduced using KDF derivation with INDEX = 3, KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3), used for subsequent request signing.
KEY_TRANSPORT KDF derived key from KEY_MASTER_SECRET A key deduced using KDF derivation with INDEX = 1000, KEY_TRANSPORT = KDF.derive(KEY_MASTER_SECRET, 1000), used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation.
KEY_ENCRYPTION_VAULT KDF derived key from KEY_MASTER_SECRET A key deduced using KDF derivation with INDEX = 2000, KEY_ENCRYPTION_VAULT = KDF.derive(KEY_MASTER_SECRET, 2000), used for encrypting a vault that stores the secret data, such as KEY_DEVICE_PRIVATE.
KEY_TRANSPORT_IV KDF derived key from KEY_TRANSPORT A key deduced using KDF derivation with INDEX = 3000, KEY_ENCRYPTION_IV = KDF.derive(KEY_TRANSPORT, 3000), used for derivation of initial vector, that encrypts activation status blob.
KEY_TRANSPORT_CTR KDF derived key from KEY_TRANSPORT A key deduced using KDF derivation with INDEX = 4000, KEY_TRANSPORT_CTR = KDF.derive(KEY_TRANSPORT, 4000), used for computing hash from current value of hash-based counter.
Last updated on Jun 10, 2024 (09:20) Edit on Github Send Feedback
On this page:
Search

1.8.x

PowerAuth Java Crypto