E2EESetupResponse1
This is sent in response to E2EESetupRequest1:
E2EESetupResponse1 = {
  "type" : "E2EESetupResponse1",
  "eCloudKey" : COSE_Key,
  "signature" : EcSignature,
  "serverState" : bstr
}
where eCloudKey, signature, and serverState are all described in the E2EESetupRequest1 message.
Upon receiving this message, the device builds DataSignedByServer and checks that the signature was made by CloudBindingKey (as received during the registration phase). If the check fails, the device shall discard any received state and report an error to the application.
On success, both the server and the device are now able to calculate session encryption keys. Let ZAB be the output of ECKA-DH (Elliptic Curve Key Agreement Algorithm – Diffie-Hellman) as defined in BSI TR-03111, where the inputs shall be EDeviceKey and ECloudKey.pub on the device side and ECloudKey and EDeviceKey.pub on the server side.
SKDevice shall be derived using HKDF as defined in RFC 5869 with the following parameters:
Hash: SHA-256
IKM: ZAB
salt: SHA-256(E2EESetupTranscript)
info: "SKDevice" (encoded as a UTF-8 string without the quotes)
Length: 32 octets
SKCloud shall be derived using HKDF as defined in RFC 5869 with the following parameters:
Hash: SHA-256
IKM: ZAB
salt: SHA-256(E2EESetupTranscript)
info: "SKCloud" (encoded as a UTF-8 string without the quotes)
Length: 32 octets
where E2EESetupTranscript is defined as the bytes of CBOR conforming to the following CDDL:
E2EESetupTranscript = [
  cloudNonce,
  deviceNonce
]