Access Manager

Change-Id: I5febe225dc8ba2f7967dabb5e1bf0bab6428d6c2
diff --git a/docs/spec.rst b/docs/spec.rst
index 30e398d..9701dd6 100644
--- a/docs/spec.rst
+++ b/docs/spec.rst
@@ -1,7 +1,9 @@
 NAC Specification
 =================
 
-TBD
+.. figure:: _static/nac-overview.png
+   :alt: Overview of NAC entities
+   :align: center
 
 Terminology
 -----------
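Review bot: the new `.. figure:: _static/nac-overview.png` directive references an image that is not part of this diff; add `docs/_static/nac-overview.png` in the same change, otherwise Sphinx warns about the missing file and the overview section, which previously only said `TBD`, renders empty again. A short caption line under the figure naming the entities it shows would also help, since the `:alt:` text is not displayed in HTML output.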
@@ -25,7 +27,7 @@
 +-----------------+------------------------------------------------------------------------------------------+
 
 EncryptedContent
------------------
+----------------
 
 The ``EncryptedContent`` element contains encrypted blob, optional Initial Vector (for AES CBC encryption),
 optional EncryptedPayloadKey, and Name elements.
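Review bot: the underline fix itself is right (16 dashes for the 16-character title), but the sentence in the trailing context still lists only the Initial Vector and EncryptedPayloadKey as optional, while the next hunk marks `Name?` optional as well; reword it along the lines of "contains an encrypted blob and optional InitialVector (for AES-CBC encryption), EncryptedPayloadKey and Name elements" so the prose matches the grammar and the missing article is fixed.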
@@ -34,11 +36,54 @@
 
      EncryptedContent ::= ENCRYPTED-CONTENT-TYPE TLV-LENGTH
                             EncryptedPayload
-                            InitialVector
-                            EncryptedPayloadKey
-                            Name
+                            InitialVector?
+                            EncryptedPayloadKey?
+                            Name?
 
      InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
      EncryptedPayload ::= ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH(=N) BYTE{N}
      EncryptedPayloadKey ::= ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH(=N) BYTE{N}
      InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}
+
+
+Access Manager
+--------------
+
+.. figure:: _static/access-manager.png
+   :alt: Access Manager
+   :align: center
+
+Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private keys) key pairs.
+
+KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format:
+
+::
+
+   Kek ::= DATA-TYPE TLV-LENGTH
+             Name (= /[access-namespace]/NAC/[dataset]/KEK/[key-id])
+             MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+             KekContent
+             SignatureInfo
+             SignatureValue
+
+   KekContent ::= CONTENT-TYPE-TLV TLV-LENGTH
+                    BYTE* (= BER of public key /[access-namespace]/NAC/[dataset]/KEY/[key-id])
+
+
+Different versions of KDK are published, encrypted by the public key of the individual authorized member, following naming convention: ``/[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]``.  KDK is published in the following format:
+
+::
+
+   Kdk ::= DATA-TYPE TLV-LENGTH
+             Name (= /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id])
+             MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour)
+             KdkContent
+             SignatureInfo
+             SignatureValue
+
+   KdkContent ::= CONTENT-TYPE-TLV TLV-LENGTH
+                    EncryptedContent (=
+                      .EncryptedPayload = SafeBag with private key /[access-namespace]/NAC/[dataset]/KEY/[key-id]
+                      .EncryptedPayloadKey = password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id]
+                      // .InitialVector and .Name not set
+                    )
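Review bot: the `InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N}` production appears twice in this block (before `EncryptedPayload` and again as the last context line); drop the duplicate while this section is being edited. With `InitialVector?`, `EncryptedPayloadKey?` and `Name?` now optional, the spec should say when each is required, e.g. that `InitialVector` must be present for AES-CBC payloads and that `EncryptedPayloadKey` must be present in `KdkContent`, and it should name the public-key encryption scheme used for "password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id]", since a member cannot decrypt interoperably from that description alone. Two smaller points: "following the following format" should read "in the following format", and `_static/access-manager.png` is referenced by the new figure but not included in the diff.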