Blobs
Blob Concepts
A blob or key blob consists of a key, its ACL and application data encrypted in some way. A variety of encryption schemes are used depending on the type of security world and the purpose of the blob.
The most frequently used blobs are working blobs.
These are for day-to-day use: an application may start by loading one or more keys from their working blobs.
Working blobs may be encrypted either under a module key or a logical token (i.e. an OCS or softcard).
The module key or logical token functions both to keep the application key confidential and to authorize its use.
These blobs always use the Module or Token format and creating them is authorized by Act_MakeBlob.
Even public keys are encrypted in working blobs, but the well-known module key is used, so no confidentiality is provided.
Recovery blobs encrypt the key (and ACL, etc.) under an asymmetric key (usually an RSA key).
Since encryption uses the public key, KRE need not be loaded during the generation of recoverable application keys, but must be loaded to recover them.
In the recovery process confidentiality and authorization are partially split:
KRE provides confidentiality and the authorization to use open permission groups in the keys' ACL, while KNSO provides authorization to use the 'trump operations' group.
These blobs use the Indirect format (in DES3 worlds) or UserKey (in AES worlds) and creating them is authorized by Act_MakeArchiveBlob.
Temporary blobs are used during ACS replacement.
These blobs use the Direct format (in DES3 worlds) or UserKey (in AES worlds) and creating them is authorized by Act_MakeArchiveBlob.
The mechanisms used are discussed in the sections below.
AES Worlds
In AES worlds, key blobs are made using one of the 'new' blob encryption mechanisms:
| Mechanism | Key encapsulation | KDF | PRF | Encryption | MAC |
|---|---|---|---|---|---|
BlobCryptv2kHasheRijndaelCBC0hSHA1mSHA1HMAC |
Symmetric |
Proprietary |
SHA-1 |
AES-CBC |
HMAC-SHA1 |
BlobCryptv2kRSAeRijndaelCBC0hSHA1mSHA1HMAC |
RSA SVP |
Proprietary |
SHA-1 |
AES-CBC |
HMAC-SHA1 |
BlobCryptv2kDHeRijndaelCBC0hSHA1mSHA1HMAC |
DH |
Proprietary |
SHA-1 |
AES-CBC |
HMAC-SHA1 |
BlobCryptv2kHasheDES3CBC0hSHA1mSHA1HMAC |
None |
Proprietary |
SHA-1 |
DES3-CBC |
HMAC-SHA1 |
BlobCryptv2kRSAeDES3CBC0hSHA1mSHA1HMAC |
RSA SVP |
Proprietary |
SHA-1 |
DES3-CBC |
HMAC-SHA1 |
BlobCryptv2kDHeDES3CBC0hSHA1mSHA1HMAC |
DH |
Proprietary |
SHA-1 |
DES3-CBC |
HMAC-SHA1 |
BlobCryptv2kHasheRijndaelCBC0hSHA256mSHA256HMAC |
Symmetric |
Proprietary |
SHA-256 |
AES-CBC |
HMAC-SHA256 |
BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC |
RSA SVP |
Proprietary |
SHA-256 |
AES-CBC |
HMAC-SHA256 |
BlobCryptv2kDHeRijndaelCBC0hSHA256mSHA256HMAC |
DH |
Proprietary |
SHA-256 |
AES-CBC |
HMAC-SHA256 |
BlobCryptv2kHasheRijndaelCBC0hSHA512mSHA512HMAC |
Symmetric |
Proprietary |
SHA-512 |
AES-CBC |
HMAC-SHA512 |
BlobCryptv2kRSAeRijndaelCBC0hSHA512mSHA512HMAC |
RSA SVP |
Proprietary |
SHA-512 |
AES-CBC |
HMAC-SHA512 |
BlobCryptv2kDHeRijndaelCBC0hSHA512mSHA512HMAC |
DH |
Proprietary |
SHA-512 |
AES-CBC |
HMAC-SHA512 |
BlobCryptv3kNoneeAESCBC0dCTRCMACmSHA256HMAC |
Symmetric |
SP800-108 |
AES-CMAC |
AES-CBC |
HMAC-SHA256 |
BlobCryptv3kRSAOAEPeAESCBC0dCTRCMACmSHA256HMAC |
RSA OAEP |
SP800-108 |
AES-CMAC |
AES-CBC |
HMAC-SHA256 |
BlobCryptv3kNoneeAESCBC0dCTRCMACmSHA512HMAC |
Symmetric |
SP800-108 |
AES-CMAC |
AES-CBC |
HMAC-SHA512 |
BlobCryptv3kRSAOAEPeAESCBC0dCTRCMACmSHA512HMAC |
RSA OAEP |
SP800-108 |
AES-CMAC |
AES-CBC |
HMAC-SHA512 |
BlobCryptv4kECDHeAESmCTRhSHA256mSHA256HMAC |
ECIES |
SP800-56Ar2 |
SHA-256 |
AES-CTR |
HMAC-SHA256 |
BlobCryptv4kECDHeAESmCTRhSHA512mSHA512HMAC |
ECIES |
SP800-56Ar2 |
SHA-512 |
AES-CTR |
HMAC-SHA512 |
The blobbing key might be a module key, a logical token or an application key.
In blobcryptv2 and later, the blob itself is encrypted and then protected with a MAC under single-use session keys derived from the blobbing key (in the symmetric case) or encrypted under it (asymmetric), rather than using the blobbing key directly.
Application key blobs are stored in the privblob member of the NFKM_Key structure, or pubblob for public keys.
Recovery blobs are stored in the privblobrecov member of the NFKM_Key structure.
Module Key Blobs
For module-protected keys, the blobbing key is KM; for public keys it is KMWK.
The mechanism is selected automatically (and will be the 'working' mechanism listed above).
The key to be blobbed must have a MakeBlob action in its ACL with the following characteristics:
-
It must include the
AllowKmOnlyflag. -
If the module key is not
KM0, it must include theAllowNonKM0flag. -
The flags must not include
AllowNullKMToken. This flag only applies to logical token blobs. -
If
kmhashis present in the ACL, it must match the hash of the module key.
Logical Token Blobs
For application keys the blobbing key is the LTU from an OCS or softcard; for security world administrator keys it is a logical token from the ACS.
The mechanism is selected automatically (and will be the 'working' mechanism listed above).
The key to be blobbed must have a MakeBlob action in its ACL with the following characteristics:
-
If the logical token is associated with a null module key, the flags must include
AllowNullKMToken. -
If the logical token is associated with any module key other than
KM0, the flags must includeAllowNonKM0. -
If
kmhashand/orkthashare present in the ACL, they must match the hash of the module and/or logical token respectively. -
If
ktparamsis present in the ACL, it must be compatible with the characteristics of the logical token (see below).
A logical token is compatible with a TokenParams structure (in an ACL) if all the following are true:
-
All the flags present in the structure are present in the logical token
-
The logical token has at least as big a quorum (
sharesneeded) as given in the structure. -
The logical token has no more total shares than given in the structure.
-
If the structure specifies a time limit, the token has a time limit which is no higher than the one in the structure.
Application Key Blobs
The blobbing key is a second application key, which must have the UseAsBlobKey permission.
This is used for recovery blobs, using KRE.
The mechanism is specified in the command (and in a security world, will be the 'recovery' mechanism listed above,
or during ACS recovery the 'temporary' mechanism).
The key to be blobbed must have a MakeArchiveBlob action in its ACL with the following characteristics:
-
Either a mechanism of
Mech_Any, or the same mechanism requested in the command. -
If
kahashis present in the ACL, it must match the hash of the application key. -
If
blobfileis present in the ACL, it must be compatible with theblobfilein the command.
Public Key Blobs
In DLf1024s160mDES3, DLf1024s160mRijndael and DLf3072s256mRijndael worlds, public key blobs always use the DES3 KMWK and the old blobbing scheme.
In DLf3072s256mAEScSP800131Ar1 worlds they use the AES KMWK and the working blob mechanism for that world.
PIN (Passphrase) Recovery Blobs
PIN recovery blobs consist of the hash of the PIN, encrypted using an RSA key. These are not key blobs and the module has no special knowledge about their format – they are simply encrypted messages created by the NFKM library. So the term "blob" is a bit misleading in this context.
-
In
DLf3072s256mRijndaelandDLf3072s256mAEScSP800131Ar1worlds, OAEP is used. -
In
ECp521mAESworlds, ECIES is used.