List of Used Keys
The following keys are used in the PowerAuth cryptography scheme.
Application Scoped Keys
| name | created as | purpose |
|---|---|---|
KEY_SERVER_MASTER_PRIVATE |
ECDH - private key | Embedded on server, used to assure authenticity of data during the transfer from server to client during application scoped use-cases (i.e., device activation). |
KEY_SERVER_MASTER_PUBLIC |
ECDH - public key | Embedded in client app, used to verify authenticity of data while transferring from server to client during application scoped use-cases (i.e., device activation). |
APP_KEY |
Application version key | Shared random ID between the server and client app, used to identify specific application version. The value travels in plain form over HTTPS channel. |
APP_SECRET |
Application version secret | Shared random secret key between the server and client app, used to authenticate specific application version. Used in digest and MAC values. |
KEY_ENC_TEMPORARY |
Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in application scope. The key pair enhances security by ensuring forward secrecy for encrypted data. |
Activation Scoped Keys
| name | created as | purpose |
|---|---|---|
KEY_DEVICE_PRIVATE |
ECDH - private key | Generated on client to allow construction of KEY_MASTER_SECRET. |
KEY_DEVICE_PUBLIC |
ECDH - public key | Generated on client to allow construction of KEY_MASTER_SECRET. |
KEY_SERVER_PRIVATE |
ECDH - private key | Generated on server to allow construction of KEY_MASTER_SECRET. |
KEY_SERVER_PUBLIC |
ECDH - public key | Generated on server to allow construction of KEY_MASTER_SECRET. |
KEY_MASTER_SECRET |
ECDH - pre-shared | A key deduced using ECDH derivation, KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE, KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE, KEY_DEVICE_PUBLIC) and then reduced with ByteUtils.convert32Bto16B(). |
KEY_SIGNATURE_POSSESSION |
KDF derived key from KEY_MASTER_SECRET |
A signing key associated with the possession, factor deduced using KDF derivation with INDEX = 1, KEY_SIGNATURE_POSSESSION = KDF.derive(KEY_MASTER_SECRET, 1), used for subsequent request signing. |
KEY_SIGNATURE_KNOWLEDGE |
KDF derived key from KEY_MASTER_SECRET |
A key associated with the knowledge factor, deduced using KDF derivation with INDEX = 2, KEY_SIGNATURE_KNOWLEDGE = KDF.derive(KEY_MASTER_SECRET, 2), used for subsequent request signing. |
KEY_SIGNATURE_BIOMETRY |
KDF derived key from KEY_MASTER_SECRET |
A key associated with the biometry factor, deduced using KDF derivation with INDEX = 3, KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, 3), used for subsequent request signing. |
KEY_TRANSPORT |
KDF derived key from KEY_MASTER_SECRET |
A key deduced using KDF derivation with INDEX = 1000, KEY_TRANSPORT = KDF.derive(KEY_MASTER_SECRET, 1000), used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation. |
KEY_ENCRYPTION_VAULT |
KDF derived key from KEY_MASTER_SECRET |
A key deduced using KDF derivation with INDEX = 2000, KEY_ENCRYPTION_VAULT = KDF.derive(KEY_MASTER_SECRET, 2000), used for encrypting a vault that stores the secret data, such as KEY_DEVICE_PRIVATE. |
KEY_TRANSPORT_IV |
KDF derived key from KEY_TRANSPORT |
A key deduced using KDF derivation with INDEX = 3000, KEY_ENCRYPTION_IV = KDF.derive(KEY_TRANSPORT, 3000), used for derivation of initial vector, that encrypts activation status blob. |
KEY_TRANSPORT_CTR |
KDF derived key from KEY_TRANSPORT |
A key deduced using KDF derivation with INDEX = 4000, KEY_TRANSPORT_CTR = KDF.derive(KEY_TRANSPORT, 4000), used for computing hash from current value of hash-based counter. |
KEY_ENC_TEMPORARY |
Temporary encryption key pair | Temporary encryption key pair used in end-to-end encryption in activation scope. This key pair enhances security by ensuring forward secrecy for encrypted data. |
Last updated on Oct 03, 2024 (07:08)
Edit on Github
Send Feedback