Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 73f66600 authored by Shikha Panwar's avatar Shikha Panwar
Browse files

Add SeqNum as an the external_aad in CryptoPayload

Introduce sequence number in Secretkeeper packets to prevent replay of
packets with a session.

Bug: 316126411
Test: VTS
Change-Id: I20a5d8489e988bdcbe9058495ab56ed18a07b946
parent 91664b85
Loading
Loading
Loading
Loading
+19 −5
Original line number Diff line number Diff line
@@ -3,10 +3,11 @@
; The input parameter to the `processSecretManagementRequest` operation in
; `ISecretkeeper.aidl` is always an encrypted request message, CBOR-encoded as a
; COSE_Encrypt0 object.  The encryption uses the first of the keys agreed using
; the associated AuthGraph instance, referred to as `KeySourceToSink`.
ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink>
; the associated AuthGraph instance, referred to as `KeySourceToSink`. Additionally,
; an external aad is used - RequestSeqNum.
ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink, RequestSeqNum>

CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
CryptoPayload<Payload, Key, SeqNum> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
    protected: bstr .cbor {
        1 : 3,                  ; Algorithm: AES-GCM mode w/ 256-bit key, 128-bit tag
        4 : bstr                ; key identifier set to session ID produced
@@ -17,7 +18,7 @@ CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
    },
    ciphertext : bstr           ; AES-GCM-256(Key, bstr .cbor Payload)
                                ; AAD for the encryption is CBOR-serialized
                                ; Enc_structure (RFC 9052 s5.3) with empty external_aad.
                                ; Enc_structure (RFC 9052 s5.3) with SeqNum as the external_aad.
]

; Once decrypted, the request packet is an encoded CBOR array holding:
@@ -58,10 +59,18 @@ GetSecretParams = (
SecretId = bstr .size 64        ; Unique identifier of the secret.
Secret = bstr .size 32          ; The secret value.

; A monotonically incrementing number is associated with each RequestPacket to prevent replay
; of messages within a session. This starts with 0 and is incremented (by 1) for each request
; in a session. Secretkeeper implementation must maintain an expected RequestSeqNum for each
; session (increasing it by 1 for each SecretManagement request received). This will be used in
; in decryption (external_aad).
RequestSeqNum = bstr .cbor uint     ; Encoded in accordance with Core Deterministic Encoding
                                    ; Requirements [RFC 8949 s4.2.1]

; The return value from a successful `processSecretManagementRequest` operation is a
; response message encrypted with the second of the keys agreed using the associated
; AuthGraph instance, referred to as `KeySinkToSource`.
ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource>
ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource, ResponseSeqNum>

; Once decrypted, the inner response message is encoded as a CBOR array holding:
; - An initial integer return code value.
@@ -100,3 +109,8 @@ GetVersionResult = (version : uint)
StoreSecretResult = ()

GetSecretResult = (secret : Secret)

; Analogous to RequestSeqNum, Secretkeeper must maintain ResponseSeqNum for each session.
; This will be input to the encryption (ProtectedResponsePacket) as external_aad.
ResponseSeqNum = bstr .cbor uint    ; Encoded in accordance with Core Deterministic Encoding
                                    ; Requirements [RFC 8949 s4.2.1]