Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 73f66600 authored by Shikha Panwar's avatar Shikha Panwar
Browse files

Add SeqNum as an the external_aad in CryptoPayload 

Introduce sequence number in Secretkeeper packets to prevent replay of
packets with a session.

Bug: 316126411
Test: VTS
Change-Id: I20a5d8489e988bdcbe9058495ab56ed18a07b946
parent 91664b85

security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl

+19 −5
Original line number Diff line number Diff line
@@ -3,10 +3,11 @@ 
; The input parameter to the `processSecretManagementRequest` operation in

; `ISecretkeeper.aidl` is always an encrypted request message, CBOR-encoded as a

; COSE_Encrypt0 object.  The encryption uses the first of the keys agreed using

; the associated AuthGraph instance, referred to as `KeySourceToSink`.

ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink>

; the associated AuthGraph instance, referred to as `KeySourceToSink`. Additionally,

; an external aad is used - RequestSeqNum.

ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink, RequestSeqNum>



CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]

CryptoPayload<Payload, Key, SeqNum> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]

    protected: bstr .cbor {

        1 : 3,                  ; Algorithm: AES-GCM mode w/ 256-bit key, 128-bit tag

        4 : bstr                ; key identifier set to session ID produced
@@ -17,7 +18,7 @@ CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2] 
    },

    ciphertext : bstr           ; AES-GCM-256(Key, bstr .cbor Payload)

                                ; AAD for the encryption is CBOR-serialized

                                ; Enc_structure (RFC 9052 s5.3) with empty external_aad.

                                ; Enc_structure (RFC 9052 s5.3) with SeqNum as the external_aad.

]



; Once decrypted, the request packet is an encoded CBOR array holding:
@@ -58,10 +59,18 @@ GetSecretParams = ( 
SecretId = bstr .size 64        ; Unique identifier of the secret.

Secret = bstr .size 32          ; The secret value.



; A monotonically incrementing number is associated with each RequestPacket to prevent replay

; of messages within a session. This starts with 0 and is incremented (by 1) for each request

; in a session. Secretkeeper implementation must maintain an expected RequestSeqNum for each

; session (increasing it by 1 for each SecretManagement request received). This will be used in

; in decryption (external_aad).

RequestSeqNum = bstr .cbor uint     ; Encoded in accordance with Core Deterministic Encoding

                                    ; Requirements [RFC 8949 s4.2.1]



; The return value from a successful `processSecretManagementRequest` operation is a

; response message encrypted with the second of the keys agreed using the associated

; AuthGraph instance, referred to as `KeySinkToSource`.

ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource>

ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource, ResponseSeqNum>



; Once decrypted, the inner response message is encoded as a CBOR array holding:

; - An initial integer return code value.
@@ -100,3 +109,8 @@ GetVersionResult = (version : uint) 
StoreSecretResult = ()



GetSecretResult = (secret : Secret)



; Analogous to RequestSeqNum, Secretkeeper must maintain ResponseSeqNum for each session.

; This will be input to the encryption (ProtectedResponsePacket) as external_aad.

ResponseSeqNum = bstr .cbor uint    ; Encoded in accordance with Core Deterministic Encoding

                                    ; Requirements [RFC 8949 s4.2.1]