CloudServices/Sagrada/TokenServer: Difference between revisions

CloudServices/Sagrada/TokenServer (view source)

Revision as of 00:07, 12 January 2012

791 bytes added , 12 January 2012

→‎Shared Secrets File

Rfkelly

Confirmed users

358

edits

@@ Line 185: / Line 185: @@
 '''The metadata token is encrypted'''
-== Shared Secrets File ==
+== Secrets ==
-Each Service Node has a unique secret per Node it serves, it shares with the Login Server. A secret is a timestamp rounded to the second, followed by a column, and a pseudo-random hex string of 256 chars from [a-f0-9].
+Each Service Node has a unique Master Secret per Node it serves, it shares with the Login Server. A Master Secret is a timestamp rounded to the second, followed by a column, and a pseudo-random hex string of 256 chars from [a-f0-9].
 Example of generating such string:
@@ Line 194: / Line 194: @@
    >>> print '%d:%s' % (int(time.time()), binascii.b2a_hex(os.urandom(256))[:256])
    1326322983:646dc48...4ad86dca82d
+(XXX crypto review required, not sure if this is the best/correct way to use HKDF for this purpose)
+The Master Secret is used to derive keys for various cryptographic routines.  At startup time, the Login Server and Node should pre-calculate and cache the signing key and encryption key as follows:
+* sig-secret:  HKDF(master-secret, salt=None, info="SIGNING", size=digest-length)
+* enc-secret:  HKDF(master-secret, salt=None, info="ENCRYPTION", size=aes-key-length)
+By using a no salt (or a fixed salt) these secrets can be calculated once and then used for each request.
+When issuing or checking an Auth Token, the corresponding Token Secret is calculated as:
+* token-secret:  HKDF(master-secret, salt=token-salt, info=auth-token, size=digest-length)
+=== Shared Secrets File ===
 Ops create secrets for each Node, and maintain for each cluster a file containing all secrets. The file is deployed on the Login Server and on each Service Node. The Login Server has all clusters files.