-
Notifications
You must be signed in to change notification settings - Fork 78
Asymmetric Wrapped Key Exchange
Asymmetric wrapped key exchange uses a generated ephemeral asymmetric key pair for key exchange. It will typically be used when there is no other data or keys from which to base secure key exchange.
This mechanism provides perfect forward secrecy but does not guarantee that session keys will only be available to the requesting entity if the requesting MSL stack has been modified to perform the operation on behalf of a third party.
This scheme is identified by the string ASYMMETRIC_WRAPPED
.
keydata = {
"#mandatory" : [ "keypairid", "mechanism", "publickey" ],
"keypairid" : "string",
"mechanism" : "string",
"publickey" : "binary"
}
Field | Description |
---|---|
keypairid | key pair ID |
mechanism | asymmetric key type |
publickey | public key |
The key pair ID is included as a sanity check.
The following mechanisms are associated public key formats are currently supported.
Field | Public Key Format | Description |
---|---|---|
RSA | SPKI | RSA-OAEP encrypt/decrypt |
ECC | SPKI | ECIES encrypt/decrypt |
JWEJS_RSA | SPKI | RSA-OAEP JSON Web Encryption JSON Serialization |
JWE_RSA | SPKI | RSA-OAEP JSON Web Encryption Compact Serialization |
JWK_RSA | SPKI | RSA-OAEP JSON Web Key |
JWK_RSAES | SPKI | RSA PKCS#1 JSON Web Key |
keydata = {
"#mandatory" : [ "keypairid", "encryptionkey", "hmackey" ],
"keypairid" : "string",
"encryptionkey" : "binary",
"hmackey" : "binary"
}
Field | Description |
---|---|
encryptionkey | wrapped encryption key |
hmackey | wrapped HMAC key |
keypairid | key pair ID |
The responding MSL stack will generate random encryption and HMAC keys. The raw binary form of the keys will be encrypted using RSA/ECB/OAEPPadding or ECIES with the RSA or ECC public key.
The responding MSL stack will generate random encryption and HMAC keys. The keys will be encapsulated within JSON Web Keys with the appropriate algorithm and usage values and extractable set to false. JSON Web Encryption will be used to encrypt the JWKs using a randomly generated AES-128-GCM content encryption key (CEK), and the CEK will be encrypted using the RSA/ECB/OAEPPadding algorithm with the RSA-OAEP public key.
The responding MSL stack will generate random encryption and HMAC keys. The keys will be encapsulated within JSON Web Keys with the appropriate algorithm and usage values and extractable set to false. The JWK will be encrypted using the RSA/ECB/OAEPPadding or RSA/ECB/PKCS1Padding algorithm with the RSA public key.
A Netflix Original Production
Tech Blog | Twitter @NetflixOSS | Jobs
- Introduction
- Encoding & Normalization
- Cryptography
- Versioning
- MSL Networks
- Entity Authentication
- User Authentication
- Key Exchange
- Service Tokens
- Messages
- Error Messages
- Application Security Requirements
- Protocol Implementation
- Configuration Guide