✨ Adds sid to KeyAccess objects #32

Open
wants to merge 2 commits into
base: main

dmihalcik-virtru
Member

Proposed Changes

  • This allows both copies and splits for keys.
  • Adds a section on how they are to be used, with samples

Checklist

  • A clear description of the change has been included in this PR.
  • A clear description of whether this change is a Major, Minor, Patch or cosmetic change as per the Versioning Guidelines has been included in this PR.
  • All schema validation tests have been updated appropriately and are passing.
  • MAJOR/MINOR VERSION CHANGES ONLY: This PR should be made in branches prefixed with draft-<change>
  • MAJOR/MINOR VERSION CHANGES ONLY: A link to a reference implementation (PR or set of PRs) of the change has been included in this PR.
  • MAJOR/MINOR VERSION CHANGES ONLY: A writeup has been included discussing the motivation and impact of this change.
  • MAJOR/MINOR VERSION CHANGES ONLY: The minimum wait time has elapsed.
  • DRAFT MERGE ONLY: Draft Semver has been updated in the VERSION file (optional)
  • DRAFT MERGE ONLY: Tagged this branch with new semver version and an annotation describing the change (ex: git tag -s 4.1.0 -m "Spec version 4.1.0 - did a thing")
  • DRAFT MERGE ONLY: Version numbers have been updated as per the Versioning Guidelines.
  • This change otherwise adheres to the project Contribution Guidelines.

This allows both copies and splits for keys.

Also, adds a section on how they are to be used, with samples
@dmihalcik-virtru dmihalcik-virtru requested a review from a team as a code owner November 17, 2023 14:46
@strantalis
Member

@dmihalcik-virtru Is this the right way to think about this?

No Split ID

Same DEK is shared and not split

Same Split IDs

DEK is XOR'd

Group'd Split IDs

DEK is XOR'd once per group of split ids.

So you could have group kas working in group a but you might need to use local.hsm in group b?

@dmihalcik-virtru
Member Author

Yes. A weakness of the proposed approach is that you have to have the same split for different sets of KASes you want to share them with. Thus the 'hybrid' example still has to do two rewraps and an xor for accessing the DEK via the local server, even though that provides no additional security.
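
A sketch of the split-ID behaviour discussed in this thread, added as an example and not taken from the PR or the spec. It assumes that KeyAccess objects with the same `sid` carry copies of one share and that the DEK is the XOR of one share per distinct `sid`; the KAS URLs, the plaintext `share` field and the function names are hypothetical.

```python
import secrets
from functools import reduce

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_dek(dek, layout):
    """layout maps each sid to the KAS URLs that get a copy of that share."""
    sids = list(layout)
    # n-1 random shares; the last is the DEK XORed with all of them.
    # With a single sid the only "share" is the DEK itself (no split).
    shares = [secrets.token_bytes(len(dek)) for _ in sids[:-1]]
    shares.append(reduce(xor_bytes, shares, dek))
    # Simplification: a real KAO would hold the share wrapped for its KAS.
    return [{"url": url, "sid": sid, "share": share}
            for sid, share in zip(sids, shares) for url in layout[sid]]

def rebuild_dek(kaos, reachable):
    """XOR one share per distinct sid; returns (dek, number_of_rewraps)."""
    chosen = {}
    for kao in kaos:
        if kao["url"] in reachable:
            chosen.setdefault(kao["sid"], kao)  # any copy of a share will do
    missing = {k["sid"] for k in kaos} - set(chosen)
    if missing:
        raise PermissionError(f"no reachable KAS for sid(s) {sorted(missing)}")
    return reduce(xor_bytes, (k["share"] for k in chosen.values())), len(chosen)

# Constructed layouts (hypothetical URLs).
COPIES = {"a": ["https://kas-a.example", "https://local.example"]}
HYBRID = {"a": ["https://kas-a.example", "https://local.example"],
          "b": ["https://kas-b.example", "https://local.example"]}

if __name__ == "__main__":
    dek = secrets.token_bytes(32)
    kaos = split_dek(dek, HYBRID)
    # The local server alone suffices, but it still costs two rewraps and an XOR.
    print(rebuild_dek(kaos, {"https://local.example"}) == (dek, 2))
```
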

@dmihalcik-virtru dmihalcik-virtru requested a review from a team as a code owner April 11, 2024 17:23
@dmihalcik-virtru dmihalcik-virtru changed the title ✨ Adds split id to KeyAccess objects ✨ Adds sid to KeyAccess objects Apr 11, 2024