commit 1a21e1092b92b573ea90040b44e659c9133de625
author Alexander Afanasyev <aa@cs.fiu.edu> Wed Jun 13 20:33:21 2018 -0400
committer Alexander Afanasyev <aa@cs.fiu.edu> Mon Jun 18 11:13:01 2018 -0400
tree 8894992b2cd6b26bd8a838a95796de975e5431cf
parent e96538a66e14d90a7bd2448850500c484824e01f

Encryptor

Change-Id: Ie9d12038160ec17489a6dae5e6002728d6815ddf

docs/spec.rst

diff --git a/docs/spec.rst b/docs/spec.rst
index 9701dd6..2dfc33f 100644
--- a/docs/spec.rst
+++ b/docs/spec.rst
@@ -17,7 +17,7 @@
 +-----------------+------------------------------------------------------------------------------------------+
 | CK              |  Content Key (AES symmetric key)                                                         |
 +-----------------+------------------------------------------------------------------------------------------+
-| CK data         |  Data packet carrying a KDK-encrypted CK as payoad                                       |
+| CK data         |  Data packet carrying a KDK-encrypted CK as payload                                      |
 +-----------------+------------------------------------------------------------------------------------------+
 | Access Manager  |  (Data Owner) Entity that control access to the data associated with the namespace       |
 +-----------------+------------------------------------------------------------------------------------------+
@@ -36,14 +36,13 @@
 
      EncryptedContent ::= ENCRYPTED-CONTENT-TYPE TLV-LENGTH
                             EncryptedPayload
-                            InitialVector?
+                            InitializationVector?
                             EncryptedPayloadKey?
                             Name?
 
-     InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
      EncryptedPayload ::= ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH(=N) BYTE{N}
+     InitializationVector ::= INITIALIZATION-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
      EncryptedPayloadKey ::= ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH(=N) BYTE{N}
-     InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
 
 
 Access Manager
@@ -53,7 +52,7 @@
    :alt: Access Manager
    :align: center
 
-Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private keys) key pairs.
+Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private key) key pair.
 
 KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format:
 
@@ -61,7 +60,7 @@
 
    Kek ::= DATA-TYPE TLV-LENGTH
              Name (= /[access-namespace]/NAC/[dataset]/KEK/[key-id])
-             MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+             MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour default value)
              KekContent
              SignatureInfo
              SignatureValue
@@ -76,7 +75,7 @@
 
    Kdk ::= DATA-TYPE TLV-LENGTH
              Name (= /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id])
-             MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+             MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
              KdkContent
              SignatureInfo
              SignatureValue
@@ -85,5 +84,39 @@
                     EncryptedContent (=
                       .EncryptedPayload = SafeBag with private key /[access-namespace]/NAC/[dataset]/KEY/[key-id]
                       .EncryptedPayloadKey = password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id]
-                      // .InitialVector and .Name not set
+                      // .InitializationVector and .Name are not set
+                    )
+
+Encryptor
+---------
+
+.. figure:: _static/encryptor.png
+   :alt: Encryptor
+   :align: center
+
+Encryptor encrypts (synchronous operation) the requested content and returns an ``EncryptedContent`` element with values:
+
+::
+
+     EncryptedPayload      = AES CBC encrypted blob
+     InitializationVector         = Random initial vector for AES CBC encryption
+     EncryptedPayloadKey (not set)
+     Name                  = Prefix of ContentKey (CK) data packet [ck-prefix]/CK/[ck-id]
+
+During initialization or when requested by the application, the Encryptor (re-)generates a random key for AES CBC encryption.
+The encrypted version of this key is published (asynchronous operation, contingent on successful retrieval and validation of KEK) as a data packet, following the naming convention: ``/[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id]``.  CK data is published in the following format:
+
+::
+
+   CkData ::= DATA-TYPE TLV-LENGTH
+                Name (= /[ck-prefix]/CK/[ck-id]/ENCRYPTED-BY/[access-namespace]/NAC/[dataset]/KEK/[key-id])
+                MetaInfo (= .ContentType = BLOB, .FreshnessPeriod = 1 hour default value)
+                CkContent
+                SignatureInfo
+                SignatureValue
+
+   CkContent ::= CONTENT-TYPE-TLV TLV-LENGTH
+                    EncryptedContent (=
+                      .EncryptedPayload = ContentKey encrypted by public key /[access-namespace]/NAC/[dataset]/KEK/[key-id]
+                      // .InitializationVector, .EncryptedPayloadKey, and .Name are not set
                     )