Skip to content

Asymmetric Wrapped Key Exchange

Wesley Miaw edited this page Jul 15, 2016 · 3 revisions

Asymmetric wrapped key exchange uses a generated ephemeral asymmetric key pair for key exchange. It will typically be used when there is no other data or keys from which to base secure key exchange.

This mechanism provides perfect forward secrecy but does not guarantee that session keys will only be available to the requesting entity if the requesting MSL stack has been modified to perform the operation on behalf of a third party.

This scheme is identified by the string ASYMMETRIC_WRAPPED.

Key Request Data

keydata = {
  "#mandatory" : [ "keypairid", "mechanism", "publickey" ],
  "keypairid" : "string",
  "mechanism" : "string",
  "publickey" : "binary"
}
Field Description
keypairid key pair ID
mechanism asymmetric key type
publickey public key

Key Pair ID

The key pair ID is included as a sanity check.

Mechanism & Public Key

The following mechanisms are associated public key formats are currently supported.

Field Public Key Format Description
RSA SPKI RSA-OAEP encrypt/decrypt
ECC SPKI ECIES encrypt/decrypt
JWEJS_RSA SPKI RSA-OAEP JSON Web Encryption JSON Serialization
JWE_RSA SPKI RSA-OAEP JSON Web Encryption Compact Serialization
JWK_RSA SPKI RSA-OAEP JSON Web Key
JWK_RSAES SPKI RSA PKCS#1 JSON Web Key

Key Response Data

keydata = {
  "#mandatory" : [ "keypairid", "encryptionkey", "hmackey" ],
  "keypairid" : "string",
  "encryptionkey" : "binary",
  "hmackey" : "binary"
}
Field Description
encryptionkey wrapped encryption key
hmackey wrapped HMAC key
keypairid key pair ID

Mechanisms

RSA-OAEP & ECIES

The responding MSL stack will generate random encryption and HMAC keys. The raw binary form of the keys will be encrypted using RSA/ECB/OAEPPadding or ECIES with the RSA or ECC public key.

RSA-OAEP JSON Web Encryption (Compact and JSON Serialization)

The responding MSL stack will generate random encryption and HMAC keys. The keys will be encapsulated within JSON Web Keys with the appropriate algorithm and usage values and extractable set to false. JSON Web Encryption will be used to encrypt the JWKs using a randomly generated AES-128-GCM content encryption key (CEK), and the CEK will be encrypted using the RSA/ECB/OAEPPadding algorithm with the RSA-OAEP public key.

RSA-OAEP & RSA PKCS#1 JSON Web Key

The responding MSL stack will generate random encryption and HMAC keys. The keys will be encapsulated within JSON Web Keys with the appropriate algorithm and usage values and extractable set to false. The JWK will be encrypted using the RSA/ECB/OAEPPadding or RSA/ECB/PKCS1Padding algorithm with the RSA public key.

Clone this wiki locally