Encryptor
Change-Id: Ie9d12038160ec17489a6dae5e6002728d6815ddf
diff --git a/docs/_static/encryptor.png b/docs/_static/encryptor.png
new file mode 100644
index 0000000..249bd20
--- /dev/null
+++ b/docs/_static/encryptor.png
Binary files differ
diff --git a/docs/figures/encryptor.pptx b/docs/figures/encryptor.pptx
new file mode 100644
index 0000000..48772d9
--- /dev/null
+++ b/docs/figures/encryptor.pptx
Binary files differ
diff --git a/docs/spec.rst b/docs/spec.rst
index 9701dd6..2dfc33f 100644
--- a/docs/spec.rst
+++ b/docs/spec.rst
@@ -17,7 +17,7 @@
+-----------------+------------------------------------------------------------------------------------------+
| CK | Content Key (AES symmetric key) |
+-----------------+------------------------------------------------------------------------------------------+
-| CK data | Data packet carrying a KDK-encrypted CK as payoad |
+| CK data | Data packet carrying a KDK-encrypted CK as payload |
+-----------------+------------------------------------------------------------------------------------------+
| Access Manager | (Data Owner) Entity that control access to the data associated with the namespace |
+-----------------+------------------------------------------------------------------------------------------+
@@ -36,14 +36,13 @@
EncryptedContent ::= ENCRYPTED-CONTENT-TYPE TLV-LENGTH
EncryptedPayload
- InitialVector?
+ InitializationVector?
EncryptedPayloadKey?
Name?
- InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
EncryptedPayload ::= ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH(=N) BYTE{N}
+ InitializationVector ::= INITIALIZATION-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
EncryptedPayloadKey ::= ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH(=N) BYTE{N}
- InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
Access Manager
@@ -53,7 +52,7 @@
:alt: Access Manager
:align: center
-Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private keys) key pairs.
+Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private key) key pair.
KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format:
@@ -61,7 +60,7 @@
Kek ::= DATA-TYPE TLV-LENGTH
Name (= /[access-namespace]/NAC/[dataset]/KEK/[key-id])
- MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+ MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour default value)
KekContent
SignatureInfo
SignatureValue
@@ -76,7 +75,7 @@
Kdk ::= DATA-TYPE TLV-LENGTH
Name (= /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id])
- MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+ MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
KdkContent
SignatureInfo
SignatureValue
@@ -85,5 +84,39 @@
EncryptedContent (=
.EncryptedPayload = SafeBag with private key /[access-namespace]/NAC/[dataset]/KEY/[key-id]
.EncryptedPayloadKey = password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id]
- // .InitialVector and .Name not set
+ // .InitializationVector and .Name are not set
+ )
+
+Encryptor
+---------
+
+.. figure:: _static/encryptor.png
+ :alt: Encryptor
+ :align: center
+
+Encryptor encrypts (synchronous operation) the requested content and returns an ``EncryptedContent`` element with values:
+
+::
+
+ EncryptedPayload = AES CBC encrypted blob
+ InitializationVector = Random initial vector for AES CBC encryption
+ EncryptedPayloadKey (not set)
+ Name = Prefix of ContentKey (CK) data packet [ck-prefix]/CK/[ck-id]
+
+During initialization or when requested by the application, the Encryptor (re-)generates a random key for AES CBC encryption.
+The encrypted version of this key is published (asynchronous operation, contingent on successful retrieval and validation of KEK) as a data packet, following the naming convention: ``/[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]``. CK data is published in the following format:
+
+::
+
+ CkData ::= DATA-TYPE TLV-LENGTH
+ Name (= /[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id])
+ MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
+ CkContent
+ SignatureInfo
+ SignatureValue
+
+ CkContent ::= CONTENT-TYPE-TLV TLV-LENGTH
+ EncryptedContent (=
+ .EncryptedPayload = ContentKey encrypted by public key /[access-namespace]/NAC/[dataset]/KEK/[key-id]
+ // .InitializationVector, .EncryptedPayloadKey, and .Name are not set
)
