Changes

Jump to navigation Jump to search
666 bytes added ,  22:44, 4 October 2017
no edit summary
Line 64: Line 64:  
| 0xC3000012 || [2.0.0+] GenerateRsaKek || ||
 
| 0xC3000012 || [2.0.0+] GenerateRsaKek || ||
 
|}
 
|}
 +
 +
The overall concept here is the following:
 +
* All key material (AES and RSA) is stored in userspace, but it's encrypted with random AES kek's ("key encryption key").
 +
* Each kek is generated as a function of an access key (picked at random).
 +
* The kek is generated differently depending on the [[#CryptoUsecase]] the key is used for.
 +
** This means: Each key is "locked" to the [[#CryptoUsecase]] it was designated for.
 +
** You can use a key for a different usecase, but you will only get garbage output.
 +
* After the kek has been generated, it is wrapped with a session-specific key and given back to userspace.
 +
** This means: Plaintext kek keys never leave TrustZone.
    
=== GenerateAesKek ===
 
=== GenerateAesKek ===

Navigation menu