Changes

67 bytes added, 22:47, 4 October 2017
Line 66: Line 66:     
The overall concept here is the following:
 
The overall concept here is the following:
* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption key").
+
* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption keys").
 
* Each kek is generated as a function of an access key (picked at random).
 
* Each kek is generated as a function of an access key (picked at random).
 
* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.
 
* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.
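Review bot: in the changed first bullet, the gloss is now plural ("key encryption keys") but the term itself is still written "kek's" with a possessive apostrophe; write the plural as "keks" so the term and its gloss agree. The same bullet would state the guarantee more directly as "stored in userspace only in encrypted form" instead of "stored in userspace, but it's encrypted".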
Line 73: Line 73:  
* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
 
* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
 
** This means: Plaintext kek keys never leave TrustZone.
 
** This means: Plaintext kek keys never leave TrustZone.
 +
** Further, this means: Actual AES/RSA keys never leave TrustZone.
    
=== GenerateAesKek ===
 
=== GenerateAesKek ===
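Review bot: the added sub-bullet "Actual AES/RSA keys never leave TrustZone" should say "Plaintext" rather than "Actual", matching the sub-bullet above it, because the first bullet of this list states that all AES and RSA key material is stored in userspace in encrypted form. As worded, the two statements can be read as contradicting each other. The new line is also nested under the bullet about wrapping the kek with a session-specific key, while the property it claims rests on the key material being encrypted with a kek; a short "because" clause on the line would make that dependency explicit.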
Line 134: Line 135:  
| 3 || CryptoUsecase_RsaWrappedAesKey
 
| 3 || CryptoUsecase_RsaWrappedAesKey
 
|}
 
|}
      
== Id 1 ==
 
== Id 1 ==
