| Alexander Afanasyev | 6e64ac9 | 2018-06-14 17:25:38 -0400 | [diff] [blame] | 1 | NAC Specification |
| 2 | ================= |
| 3 | |
| Alexander Afanasyev | e96538a | 2018-06-13 20:32:53 -0400 | [diff] [blame^] | 4 | .. figure:: _static/nac-overview.png |
| 5 | :alt: Overview of NAC entities |
| 6 | :align: center |
| Alexander Afanasyev | 0db0feb | 2018-06-13 20:33:10 -0400 | [diff] [blame] | 7 | |
| 8 | Terminology |
| 9 | ----------- |
| 10 | |
| 11 | +-----------------+------------------------------------------------------------------------------------------+ |
| 12 | | Term | Description | |
| 13 | +=================+==========================================================================================+ |
| 14 | | KEK | Key Encryption Key (RSA public key) | |
| 15 | +-----------------+------------------------------------------------------------------------------------------+ |
| 16 | | KDK | Key Decryption Key (RSA private key) | |
| 17 | +-----------------+------------------------------------------------------------------------------------------+ |
| 18 | | CK | Content Key (AES symmetric key) | |
| 19 | +-----------------+------------------------------------------------------------------------------------------+ |
| 20 | | CK data | Data packet carrying a KDK-encrypted CK as payoad | |
| 21 | +-----------------+------------------------------------------------------------------------------------------+ |
| 22 | | Access Manager | (Data Owner) Entity that control access to the data associated with the namespace | |
| 23 | +-----------------+------------------------------------------------------------------------------------------+ |
| 24 | | Encryptor | (Producer) Entity that encrypts data based on namespace association | |
| 25 | +-----------------+------------------------------------------------------------------------------------------+ |
| 26 | | Decryptor | (Consumer) Entity that decrypts data based on namespace association | |
| 27 | +-----------------+------------------------------------------------------------------------------------------+ |
| 28 | |
| 29 | EncryptedContent |
| Alexander Afanasyev | e96538a | 2018-06-13 20:32:53 -0400 | [diff] [blame^] | 30 | ---------------- |
| Alexander Afanasyev | 0db0feb | 2018-06-13 20:33:10 -0400 | [diff] [blame] | 31 | |
| 32 | The ``EncryptedContent`` element contains encrypted blob, optional Initial Vector (for AES CBC encryption), |
| 33 | optional EncryptedPayloadKey, and Name elements. |
| 34 | |
| 35 | :: |
| 36 | |
| 37 | EncryptedContent ::= ENCRYPTED-CONTENT-TYPE TLV-LENGTH |
| 38 | EncryptedPayload |
| Alexander Afanasyev | e96538a | 2018-06-13 20:32:53 -0400 | [diff] [blame^] | 39 | InitialVector? |
| 40 | EncryptedPayloadKey? |
| 41 | Name? |
| Alexander Afanasyev | 0db0feb | 2018-06-13 20:33:10 -0400 | [diff] [blame] | 42 | |
| 43 | InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N} |
| 44 | EncryptedPayload ::= ENCRYPTED-PAYLOAD-TYPE TLV-LENGTH(=N) BYTE{N} |
| 45 | EncryptedPayloadKey ::= ENCRYPTED-PAYLOAD-KEY-TYPE TLV-LENGTH(=N) BYTE{N} |
| 46 | InitialVector ::= INITIAL-VECTOR-TYPE TLV-LENGTH(=N) BYTE{N} |
| Alexander Afanasyev | e96538a | 2018-06-13 20:32:53 -0400 | [diff] [blame^] | 47 | |
| 48 | |
| 49 | Access Manager |
| 50 | -------------- |
| 51 | |
| 52 | .. figure:: _static/access-manager.png |
| 53 | :alt: Access Manager |
| 54 | :align: center |
| 55 | |
| 56 | Access Manager controls decryption policy by publishing granular per-namespace access policies in the form of key encryption (KEK, plaintext public) and key decryption (KDK, encrypted private keys) key pairs. |
| 57 | |
| 58 | KEK is published as a single data packet with name ``/[access-namespace]/NAC/[dataset]/KEK/[key-id]``, following the following format: |
| 59 | |
| 60 | :: |
| 61 | |
| 62 | Kek ::= DATA-TYPE TLV-LENGTH |
| 63 | Name (= /[access-namespace]/NAC/[dataset]/KEK/[key-id]) |
| 64 | MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour) |
| 65 | KekContent |
| 66 | SignatureInfo |
| 67 | SignatureValue |
| 68 | |
| 69 | KekContent ::= CONTENT-TYPE-TLV TLV-LENGTH |
| 70 | BYTE* (= BER of public key /[access-namespace]/NAC/[dataset]/KEY/[key-id]) |
| 71 | |
| 72 | |
| 73 | Different versions of KDK are published, encrypted by the public key of the individual authorized member, following naming convention: ``/[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]``. KDK is published in the following format: |
| 74 | |
| 75 | :: |
| 76 | |
| 77 | Kdk ::= DATA-TYPE TLV-LENGTH |
| 78 | Name (= /[access-namespace]/NAC/[dataset]/KDK/[key-id]/ENCRYPTED-BY/<authorized-member>/KEY/[member-key-id]) |
| 79 | MetaInfo (= .ContentType = KEY, .FreshnessPeriod = 1 hour) |
| 80 | KdkContent |
| 81 | SignatureInfo |
| 82 | SignatureValue |
| 83 | |
| 84 | KdkContent ::= CONTENT-TYPE-TLV TLV-LENGTH |
| 85 | EncryptedContent (= |
| 86 | .EncryptedPayload = SafeBag with private key /[access-namespace]/NAC/[dataset]/KEY/[key-id] |
| 87 | .EncryptedPayloadKey = password for SafeBag, encrypted by public key /<authorized-member>/KEY/[member-key-id] |
| 88 | // .InitialVector and .Name not set |
| 89 | ) |