Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address idnits feedback #56

Merged
merged 2 commits into from
Aug 23, 2024
Merged

Address idnits feedback #56

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bcebc32
Address idnits feedback
sander Aug 23, 2024
ec8345d
Switch to ASCII
sander Aug 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ hdk.pdf:
"<title>Hierarchical Deterministic Keys for the European Digital Identity Wallet</title>" \
"<meta charset=utf-8>" \
> build/hdk.html
npx -p @mermaid-js/mermaid-cli mmdc -i draft-dijkhuis-cfrg-hierarchical-deterministic-keys.md -o build/keys.md -e svg -t neutral -w 400
npx -p @mermaid-js/mermaid-cli mmdc -i draft-dijkhuis-cfrg-hdkeys.md -o build/keys.md -e svg -t neutral -w 400
cat README.md | \
sed -e "s/# Hierarchical Deterministic Keys for the European Digital Identity Wallet/# Introduction to Hierarchical Deterministic Keys/g" | \
sed -e "s/keys.md/#hierarchical-deterministic-keys/g" | \
Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ Expert participants from Potential:

## Contents

To address challenges 5 and 6, this repository contains a freely accessible, unencumbered specification of **[Hierarchical Deterministic Keys](draft-dijkhuis-cfrg-hierarchical-deterministic-keys.md)**. This enables an EU Digital Identity Wallet deployment that distributes key management efficiently:
To address challenges 5 and 6, this repository contains a freely accessible, unencumbered specification of **[Hierarchical Deterministic Keys](draft-dijkhuis-cfrg-hdkeys.md)**. This enables an EU Digital Identity Wallet deployment that distributes key management efficiently:

![A wallet architecture using Hierarchical Deterministic Keys associated with keys protected using a wallet secure cryptographic device, optionally using Asynchronous Remote Key Generation (ARKG).](media/deployment.svg)

Expand Down
97 changes: 48 additions & 49 deletions ...s-cfrg-hierarchical-deterministic-keys.md → draft-dijkhuis-cfrg-hdkeys.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Hierarchical Deterministic Keys
abbrev: HDK
category: info
docname: draft-dijkhuis-cfrg-hierarchical-deterministic-keys-latest
docname: draft-dijkhuis-cfrg-hdkeys-latest
submissiontype: independent
v: 3
area: IRTF
Expand Down Expand Up @@ -31,17 +31,15 @@ normative:
- organization: National Institute of Standards and Technology (NIST)
date: 2012-06
ISO18013-5:
title: "Personal identification ISO-compliant driving licence Part 5: Mobile driving licence (mDL) application"
title: "Personal identification - ISO-compliant driving licence - Part 5: Mobile driving licence (mDL) application"
target: https://www.iso.org/standard/69084.html
seriesinfo:
ISO/IEC: 18013-5:2021
author:
- organization: ISO/IEC
date: 2019-09
RFC2119:
RFC7800:
RFC8017:
RFC8174:
RFC9380:
SEC2:
title: "SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0"
Expand Down Expand Up @@ -151,31 +149,32 @@ Solutions MAY omit application of the asynchronous remote key generation functio
The following example illustrates the use of key derivation. An HDK tree is defined by an initial public key and a seed value, which is a byte array containing sufficient entropy. Now tree nodes are constructed as follows.

~~~
┌────────────────────────┐
│Confidential static data│
│┌─────────┐ ┌────┐ │
││pk_device│ │seed│ │
│└────┬────┘ └──┬─┘ │
└─────┼─────────┼────────┘
┌─────────────────┼─────────┼───────────────────────────┐
│Level 0 ▼ ▼ │
│┌─────────────────────────────────────────────────────┐│
││(pk0, sdk0, salt0) = hdk0 = HDK-Root(pk_device, seed)││
│└────┬────────────────────────────────────────────────┘│
└─────┼─────────────────────────────────────────────────┘
Level 1 ▼
┌─────────────────────────┐┌────────────────────────┐┌─────────────────────────┐
│(pk1, sk1, salt1) = ││HDK-Derive-Local(hd0, 1)││HDK-Derive-Local(hdk0, 2)│
│HDK-Derive-Local(hdk0, 0)││ ││ │
└───────────┬────────┬────┘└────────────────────────┘└─────────────────────────┘
│ └────────────────────────┐
│ │
┌───────────┼─────────────────────────────────┼──────────────────────────────┐
│Level 2 ▼ ▼ │
│┌────────────────────────────────────┐┌────────────────────────────────────┐│
││HDK-Derive-Local((pk1,sk1,salt1), 0)││HDK-Derive-Local((pk1,sk1,salt1), 1)││
│└────────────────────────────────────┘└────────────────────────────────────┘│
└────────────────────────────────────────────────────────────────────────────┘
+------------------------+
|Confidential static data|
|+---------+ +----+ |
||pk_device| |seed| |
|+----+----+ +--+-+ |
+-----+---------+--------+
+-----------------+---------+---------------------------+
|Level 0 v v |
|+-----------------------------------------------------+|
||(pk0, sdk0, salt0) = hdk0 = HDK-Root(pk_device, seed)||
|+----+------------------------------------------------+|
+-----+-------------------------------------------------+
Level 1 v
+-------------------------++-----------------++-----------------+
|(pk1, sk1, salt1) = ||HDK-Derive-Local(||HDK-Derive-Local(|
|HDK-Derive-Local(hdk0, 0)|| hdk0, 1) || hdk0, 2) |
+-----------+--------+----++-----------------++-----------------+
| +---------------+
| |
+-----------+------------------------+--------------------+
|Level 2 v v |
|+-----------------------++-----------------------+ |
||HDK-Derive-Local( ||HDK-Derive-Local( | |
|| (pk1,sk1,salt1), 0)|| (pk1,sk1,salt1), 1)| |
|+-----------------------++-----------------------+ |
+---------------------------------------------------------+
~~~

The solution instance computes the Level 0 HDK at the root node using a deterministic function called HDK-Root. The HDK consists of a key pair `(pk0, sk0)`, and a byte string `salt0` to derive next-level keys.
Expand All @@ -198,23 +197,23 @@ In this example, a document is issued in such a way that it can be presented wit
In secure
cryptographic
device
┌───────────┐
sk_device ┼─────────────┐
└───────────┘
─────────────
HDK in
solution
instance ┌───────────┐
┌───────────┐ HDK-Authenticate─►│device_data
pk └───────────┘
└───────────┘
┌───────────┐
sk ┼───────┘
└───────────┘
─────────────
┌───────────┐
reader_data┼─────────────┘
└───────────┘
+-----------+
|sk_device +-------------+
+-----------+ |
------------- |
HDK in |
solution |
instance v +-----------+
+-----------+ HDK-Authenticate->|device_data|
|pk | ^ ^ +-----------+
+-----------+ | |
+-----------+ | |
|sk +-------+ |
+-----------+ |
------------- |
+-----------+ |
|reader_data+-------------+
+-----------+
~~~

Blinding methods can be constructed such that the secure cryptographic device does not need to be designed for it. In such cases, `sk_device` does not contain the value of the private device key but a reference to it.
Expand Down Expand Up @@ -341,7 +340,7 @@ A solution instance authenticates the device by creating a blinded proof applyin
Inputs:
- sk_device, a (reference to a) device private key.
- sk_hdk, an HDK private key.
- reader_data, a byte string of solution instance-specific reader data.
- reader_data, a byte string of solution instance-specific data.

Outputs:
- device_data, a byte string of device data for proving possession.
Expand Down Expand Up @@ -537,15 +536,15 @@ The solution proposal discussed herein works in all four WSCD architectures that
- P-256 EC-SDSA key pair generation
- P-256 EC-SDSA signature creation

The other HDK operations can be performed in the WI running on any UD, including hostile ones with limited sandboxing capabilities, such as in a smartphones rich execution environment or in a personal computer web browser.
The other HDK operations can be performed in the WI running on any UD, including hostile ones with limited sandboxing capabilities, such as in a smartphone's rich execution environment or in a personal computer web browser.

If the user enters the PIN in the WI instead of on the WSCD directly, the WI MUST process it directly after entering, the WI MUST keep the plaintext PIN confidential, and the WI MUST delete the PIN from memory as soon as the encrypted PIN or data derived from the PIN is passed over the SCI.

The rate-limiting of the PIN check MUST be managed within the WSCD or on securely managed SCI infrastructure. In particular, the rate-limiting MUST NOT be managed solely in local WI software since it is aassumed that attackers could modify this without detection.

## Trust evidence

Some issuers could require evidence from a solution provider of the security of the holders cryptographic device. This evidence is in the context of [EU2024-1183] divided into initial Wallet Trust Evidence and related Issuer Trust Evidence. Each is a protected document that contains a trust evidence public key associated with a private key that is protected in the secure cryptographic device. In HDK, these public keys are specified as follows.
Some issuers could require evidence from a solution provider of the security of the holder's cryptographic device. This evidence is in the context of [EU2024-1183] divided into initial "Wallet Trust Evidence" and related "Issuer Trust Evidence". Each is a protected document that contains a trust evidence public key associated with a private key that is protected in the secure cryptographic device. In HDK, these public keys are specified as follows.

### Wallet Trust Evidence

Expand Down
Loading