Key Exchange
When using master token authentication, session keys are used to encrypt and authenticate messages. These session keys are established by performing key exchange between two entities. The master token entity will use the session keys once key exchange is complete. In addition, trusted services network servers will also use the session keys for message encryption and authentication. Since the session keys are stored in the master token, any entity capable of decrypting the master token has access to the session keys.
The key types, algorithms and modes used by the session keys, and number of session keys may differ between key exchange schemes.
The following lists some examples of session key exchange schemes and their mechanism for the secure exchange of keys. A more detailed description of key exchange schemes is documented in the Configuration Guide.
Scheme | Exchange Mechanism |
---|---|
Asymmetric Wrapped | Key response containing new session keys encrypted with the requesting entity’s public key. |
Diffie-Hellman | Exchange of Diffie-Hellman public keys with pre-determined parameters. |
```
keyrequestdata = {
  "#mandatory" : [ "scheme", "keydata" ],
  "scheme" : "string",
  "keydata" : object
}
```
Field | Description |
---|---|
keydata | scheme-specific key data |
scheme | key exchange scheme |
The request key data must contain enough data for the receiving entity to successfully perform the key exchange and generate new session encryption and HMAC keys.
Some key exchange schemes may require the inclusion of data that can be used to re-authenticate the entity. This would allow for the periodic confirmation that the entity is still in possession of the entity authentication credentials and that the credentials have not been revoked. The minimum frequency of such confirmation is equal to the master token expiration, should be chosen to achieve a balance between confidence of an entity’s identity and the cost of performing key exchange, and should be enforced by the entity that receives the message.
```
keyresponsedata = {
  "#mandatory" : [ "mastertoken", "scheme", "keydata" ],
  "mastertoken" : mastertoken,
  "scheme" : "string",
  "keydata" : object
}
```
Field | Description |
---|---|
keydata | scheme-specific key data |
mastertoken | the new master token (mastertoken) issued by the sender of the key response data |
scheme | key exchange scheme |
The response key data must contain enough data for the master token entity to successfully complete the key exchange and determine the new session encryption and HMAC keys associated with the new master token.
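The request and response structures above, carried through one Diffie-Hellman key exchange, as an added example that is not MSL's own code. It validates the `#mandatory` fields of both `keyrequestdata` and `keyresponsedata`, exchanges only public values (the session keys themselves never cross the wire), and derives separate session encryption and HMAC keys from the shared secret. The scheme label, the field names inside `keydata`, the HKDF-based key derivation and the placeholder master token are assumptions; the group parameters are assumed to be the 1024-bit MODP group of RFC 2409, embedded only because it is short.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the 1024-bit MODP group from RFC 2409 (group 2), used
# here because it is short enough to embed; a deployment should pick a
# larger, modern group. Any pre-determined group works the same way.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_G = 2
SCHEME = "DIFFIE_HELLMAN"          # scheme label: an assumption
PARAMETERS_ID = "rfc2409-group2"   # keydata field name and value: assumptions

MANDATORY = {"request": ["scheme", "keydata"],
             "response": ["mastertoken", "scheme", "keydata"]}


def validate_structure(obj, kind):
    """Enforce the "#mandatory" fields of keyrequestdata / keyresponsedata
    and the basic field types; raises ValueError on a malformed object."""
    for field in MANDATORY[kind]:
        if field not in obj:
            raise ValueError(f"{kind}: missing mandatory field {field!r}")
    if not isinstance(obj["scheme"], str) or not isinstance(obj["keydata"], dict):
        raise ValueError(f"{kind}: scheme must be a string and keydata an object")
    return True


def hkdf_sha256(secret, info, length=32):
    """HKDF (RFC 5869) extract-and-expand with an empty salt, stdlib only."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_keys(shared_secret):
    """Split one shared secret into an encryption key and an HMAC key so the
    two uses never share key material."""
    raw = shared_secret.to_bytes((DH_P.bit_length() + 7) // 8, "big")
    return {"encryption": hkdf_sha256(raw, b"session-encryption"),
            "hmac": hkdf_sha256(raw, b"session-hmac")}


def dh_keypair():
    priv = secrets.randbelow(DH_P - 3) + 2      # private exponent in [2, p-2]
    return priv, pow(DH_G, priv, DH_P)


def check_public_value(y):
    """Reject degenerate peer values (0, 1, p-1) that force a trivial secret."""
    if not 1 < y < DH_P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return y


def build_key_request(pub):
    return {"scheme": SCHEME,
            "keydata": {"parametersid": PARAMETERS_ID, "publickey": format(pub, "x")}}


def handle_key_request(request, new_master_token):
    """Responder: validate the request, derive the session keys and answer
    with keyresponsedata carrying the new master token."""
    validate_structure(request, "request")
    if request["scheme"] != SCHEME:
        raise ValueError("unsupported key exchange scheme")
    peer_pub = check_public_value(int(request["keydata"]["publickey"], 16))
    priv, pub = dh_keypair()
    keys = derive_session_keys(pow(peer_pub, priv, DH_P))
    response = {"mastertoken": new_master_token, "scheme": SCHEME,
                "keydata": {"parametersid": PARAMETERS_ID, "publickey": format(pub, "x")}}
    return response, keys


def complete_key_exchange(priv, response):
    """Requester: validate the response and derive the same session keys."""
    validate_structure(response, "response")
    if response["scheme"] != SCHEME:
        raise ValueError("unexpected key exchange scheme in response")
    peer_pub = check_public_value(int(response["keydata"]["publickey"], 16))
    return derive_session_keys(pow(peer_pub, priv, DH_P))


def run_exchange():
    """Full round trip; returns (requester_keys, responder_keys)."""
    priv, pub = dh_keypair()
    request = build_key_request(pub)
    # Constructed placeholder; a real master token is an MSL object.
    placeholder_token = {"serialnumber": 1, "tokendata": "constructed-placeholder"}
    response, responder_keys = handle_key_request(request, placeholder_token)
    requester_keys = complete_key_exchange(priv, response)
    return requester_keys, responder_keys


if __name__ == "__main__":
    a, b = run_exchange()
    print("session keys match:", a == b)
```

The structural check runs before any arithmetic so a message missing `scheme` or `keydata` is rejected without touching key material, and the public-value check protects the responder from a peer that sends a degenerate value.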