| Line 36: | Line 36: | ||
== Architecture ==  | == Architecture ==  | ||
BrowserID generates a new key for each email address it verifies. We call this the user key.  | === Crypto Preliminaries ===  | ||
We don't ever do raw encryption. We perform encryption-and-MAC. We do this by encrypting the plaintext, then HMACing the ciphertext. The decryption process first checks the HMAC, and decrypts only if it is valid. In the following description, every time we talk about a single key, we really mean two keys: one for encryption, and one for HMACing. We use AES in CBC mode for encryption, and HMAC-SHA256 for MACs.  | |||
Wrapping a key means encrypting (and HMACing) a data structure that contains the key and some optional tags. We denote this  | |||
  WRAP(wrapper_key, wrapped_key, {key1: val1, key2: val2})  | |||
=== User Key ===  | |||
BrowserID generates a new key for each email address it verifies. We call this the user key UK. BrowserID encrypts UK with a password-key (PWK) derived from the user's password. When the user changes their password, UK is unwrapped and rewrapped appropriately with a new PWK'. If the user loses their password completely, in the current specification, UK is unrecoverable and may as well be deleted.  | |||
[[Image:Browserid-userkeys.png]]  | [[Image:Browserid-userkeys.png]]  | ||
=== Wrapping ===  | |||
Once a user key is established within BrowserID for a given email address, a site can generate a key SK, then ask BrowserID to wrap it. BrowserID will do so using UK, including an authenticated tag  | |||
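Review bot: In the new Crypto Preliminaries paragraph the scheme is called "encryption-and-MAC", but the steps it gives (encrypt the plaintext, HMAC the ciphertext, check the HMAC before decrypting) are encrypt-then-MAC. "Encrypt-and-MAC" normally names a different construction in which the MAC is computed over the plaintext, so the term should be changed to match the steps. The same paragraph should state that the HMAC covers the CBC IV along with the ciphertext, and how the encryption key and the HMAC key of each pair are obtained. In the User Key section, PWK is described only as "derived from the user's password"; naming the derivation function and its salt and cost parameters would let readers judge how well a wrapped UK resists offline password guessing.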