
Pre shared Keys or Model Group Keys Entity Authentication

Bertrand Mollinier Toublet edited this page Mar 26, 2015 · 4 revisions

The pre-shared keys and model group keys entity authentication schemes provide encryption and authentication using a pair of AES-128-CBC and HMAC-SHA256 keys. A third AES-128-KeyWrap key is also available. The keys are unique per entity identity, usually permanent, and shared out-of-band.

The pre-shared encryption and authentication keys are randomly generated and named Kpe and Kph respectively. The wrapping key is named Kpw.

The model group encryption and authentication keys are derived and named Kde and Kdh respectively. The wrapping key is named Kdw.

The model group keys Kde and Kdh are derived from the entity identity and a model group master key. A model group is defined as a group of similar devices and each model group has its own master key Kmgm, which is either an AES-128-ECB or 3DES-ECB key. Access to Kmgm allows the keys to be derived on demand, as the entity identity is not secret. For this reason access to Kmgm should be strictly controlled.

bytes = encrypt(Kmgm, SHA-384(identity))
Kde = bytes[0...15]
Kdh = bytes[16...47]

For increased strength against potential key collision attacks, the following options may be used instead:

  • PBKDF2 with a fixed unique salt per model and Kmgm as the password.
  • HKDF with a fixed unique salt per model and Kmgm as the HMAC key.
  • AES-CBC or 3DES-CBC with a fixed unique initialization vector per model and Kmgm as the encryption key.

For both pre-shared keys and model group keys the wrapping key is derived from the encryption and HMAC keys as follows.

salt = 02 76 17 98 4f 62 27 53 9a 63 0b 89 7c 01 7d 69
info = 80 9f 82 a7 ad df 54 8d 3e a9 dd 06 7f f9 bb 91
wrappingKey = trunc_128(HMAC-SHA256(HMAC-SHA256(salt, encryptionKey||hmacKey), info))
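The two derivations above (Kde/Kdh from Kmgm and the entity identity, and the wrapping key from the encryption and HMAC keys), as an added example that is not the MSL project's own code. It uses only the Python standard library; the ECB encryption under Kmgm is supplied by the caller as a callable (`kmgm_ecb`, an assumed name) so that either AES-128-ECB or 3DES-ECB from whatever crypto library is in use can be plugged in.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Fixed salt and info from the derivation above (16 bytes each).
WRAP_SALT = bytes.fromhex("027617984f6227539a630b897c017d69")
WRAP_INFO = bytes.fromhex("809f82a7addf548d3ea9dd067ff9bb91")


def derive_wrapping_key(encryption_key: bytes, hmac_key: bytes) -> bytes:
    """Kpw / Kdw = trunc_128(HMAC-SHA256(HMAC-SHA256(salt, Ke||Kh), info))."""
    if len(encryption_key) != 16 or len(hmac_key) != 32:
        raise ValueError("expected a 16-byte AES-128 key and a 32-byte HMAC-SHA256 key")
    # Extract step: the fixed salt is the HMAC key, Ke||Kh is the message.
    prk = hmac.new(WRAP_SALT, encryption_key + hmac_key, hashlib.sha256).digest()
    # Expand step: the extracted PRK keys an HMAC over the fixed info; keep 128 bits.
    return hmac.new(prk, WRAP_INFO, hashlib.sha256).digest()[:16]


def derive_model_group_keys(kmgm_ecb: Callable[[bytes], bytes],
                            identity: str) -> Tuple[bytes, bytes]:
    """Kde, Kdh = split(encrypt(Kmgm, SHA-384(identity))).

    kmgm_ecb (assumed interface) encrypts its input under Kmgm in ECB mode and
    returns the same number of bytes. SHA-384 yields 48 bytes, which is exactly
    3 AES blocks or 6 3DES blocks, so no padding is involved. Because identity
    is public, anyone holding Kmgm can reproduce every entity's keys this way.
    """
    digest = hashlib.sha384(identity.encode("utf-8")).digest()
    enc = kmgm_ecb(digest)
    if len(enc) != len(digest):
        raise ValueError("ECB encryption must return the 48-byte digest length")
    return enc[0:16], enc[16:48]       # Kde = bytes[0..15], Kdh = bytes[16..47]


if __name__ == "__main__":
    # Constructed pre-shared keys, not real material.
    kpe, kph = bytes(range(16)), bytes(range(32))
    print("Kpw =", derive_wrapping_key(kpe, kph).hex())
```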

These schemes are identified by the strings PSK and MGK for pre-shared keys and model group keys respectively.

Authentication Data Representation

authdata = {
  "#mandatory" : [ "identity" ],
  "identity" : "string"
}

Encryption

The encryption algorithm is AES/CBC/PKCS5Padding and the initialization vector is randomly chosen. Ciphertext is encapsulated within a version 1 MSL ciphertext envelope.

Authentication

The authentication algorithm is HmacSHA256 and is computed over the binary representation of the encryption envelope and included as raw bytes within a version 1 MSL signature envelope.
