One document matched: draft-abiggs-saag-key-management-service-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC5280 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY RFC5869 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml">
<!ENTITY RFC7159 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7159.xml">
<!ENTITY I-D.ietf-jose-json-web-encryption SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-jose-json-web-encryption.xml">
<!ENTITY I-D.ietf-jose-json-web-key SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-jose-json-web-key.xml">
<!ENTITY I-D.ietf-jose-json-web-signature SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-jose-json-web-signature.xml">
<!ENTITY I-D.ietf-jose-json-web-algorithms SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-jose-json-web-algorithms.xml">
<!ENTITY RFC4949 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC6749 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
<!ENTITY RFC6125 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6125.xml">
<!ENTITY RFC2822 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2822.xml">
<!ENTITY RFC7231 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7231.xml">
<!ENTITY RFC3339 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3339.xml">
<!ENTITY I-D.barnes-pervasive-problem SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.barnes-pervasive-problem.xml">
<!ENTITY I-D.newton-json-content-rules SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.newton-json-content-rules.xml">
<!ENTITY RFC5246 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC4301 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml">
<!ENTITY RFC5652 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5652.xml">
<!ENTITY RFC4880 SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4880.xml">
<!ENTITY I-D.ietf-xmpp-posh SYSTEM "http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-xmpp-posh.xml">
]>
<rfc ipr="trust200902" docName="draft-abiggs-saag-key-management-service-00" category="std">
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<front>
<title abbrev="key-management-service">Key Management Service Architecture</title>
<author initials="A." surname="Biggs" fullname="Andrew Biggs">
<organization>Cisco Systems</organization>
<address>
<email>adb@cisco.com</email>
</address>
</author>
<author initials="S." surname="Cooley" fullname="Shaun Cooley">
<organization>Cisco Systems</organization>
<address>
<email>shcooley@cisco.com</email>
</address>
</author>
<date year="2014" month="November" day="17"/>
<abstract>
<t>In the interest of addressing pervasive threats to the confidentiality and integrity of online communications identified by the Internet community <xref target="I-D.barnes-pervasive-problem"/> this specification introduces an open architecture for the establishment, management, and secure distribution of cryptographic keys for use in the end-to-end (E2E) encryption of online communications and shared content. This architecture allows for the independent deployment of dedicated key management services in a manner that supports the adoption of third-party communications and data sharing services by individuals and organizations that require full and exclusive discretion over the confidentiality of their data. </t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>Providers of cloud-based services commonly secure user data at the transport level using established protocols such as TLS <xref target="RFC5246"/> or IPSec <xref target="RFC4301"/>. These protocols can be effective in protecting transmitted user data from third party tampering and eavesdropping; however, by themselves these protocols do not secure user data from abuses, negligence, or coerced behavior on the part of the cloud provider. This is a concern for individuals and organizations that wish to take advantage of cloud-based communications and collaboration but cannot accept the risk of trusting cloud providers with unfettered access to the contents of their communications.</t>
<t>E2E encryption describes a category of solutions that can be employed to address this problem by establishing secure channels among clients. To the extent that a user can trust their collaboration client software, E2E encryption mitigates exposure of user data to untrusted parties by ensuring that intermediaries never possess unencrypted user data or have access to the keying material necessary to decrypt it.</t>
<t>Existing E2E strategies such as ECS <xref target="RFC5652"/>, PGP <xref target="RFC4880"/>, and Off-the-Record Messaging <xref target="OTR"/> can be effective at securing two-party communications. However, E2E encryption for the growing domain of multiparty communications and online content sharing remains a generally unsolved problem to which these existing approaches do not readily adapt. In particular, a core challenge exists in providing for the secure distribution and rotation of E2E encryption keys among an arbitrary and potentially dynamic set of communicating clients. In cases where the communications to be secured are persistent or archived, the additional challenge exists for providing trusted long-term storage and retrieval of these keys.</t>
<t>Equally problematic is the paucity of E2E encryption options that satisfy common organizational obligations such as regulatory compliance and legal discovery. Entities that must operate within such frameworks require mechanisms by which they (and they alone) may recover the keys used to secure their communications. Existing E2E encryption solutions are not, by themselves, well suited for this purpose.</t>
<t>In the interest of addressing these challenges this document presents an architecture for the deployment of E2E encryption key management services (KMS). In this architecture a KMS service provides to its users a means by which their communications clients may securely create, share, rotate, and store E2E encryption keying material. It does so in a fashion that permits the decoupling of such services from the communications media, thereby permitting the former to reside under the direct control of the communicating parties or the organizations within which they do business.</t>
<section anchor="terminology" title="Terminology">
<t>This document uses the terminology from <xref target="I-D.ietf-jose-json-web-signature"/>, <xref target="I-D.ietf-jose-json-web-encryption"/>, <xref target="I-D.ietf-jose-json-web-key"/>, and <xref target="I-D.ietf-jose-json-web-algorithms"/> when discussing JOSE technologies.</t>
<t>This document makes use of the following terminology, and additionally adopts nomenclature defined in <xref target="I-D.barnes-pervasive-problem"/> for the purpose of describing aspects of pervasive attacks.</t>
<t>communications resource</t>
<t><list style='empty'>
<t>A communications resource is any uniquely identifiable continuous data channel or discrete shared content that represents an exchange of personal communications between two or more users.</t>
</list></t>
<t>communications resource client </t>
<t><list style='empty'>
<t>A communications resource client consumes communications resources on behalf of a user and, when deployed in conformance with the KMS architecture, consumes the services of KMS server(s) to facilitate the E2E encryption of those communications resources.</t>
</list></t>
<t>communications resource server </t>
<t><list style='empty'>
<t>A communications resource server is a provider of services through which communications resources are made available. </t>
</list></t>
<t>cloud provider</t>
<t><list style='empty'>
<t>An individual or organization responsible for, and in control of, one or more communications resource servers.</t>
</list></t>
<t>E2E encryption</t>
<t><list style='empty'>
<t>Shorthand for end-to-end encryption, as defined in <xref target="RFC4949"/>, particularly as it applies to the establishment of confidentiality and integrity of communications resources.</t>
</list></t>
<t>KMS server</t>
<t><list style='empty'>
<t>A key management server (KMS) is responsible for creating, storing, and providing access to E2E encryption keying material by communications resource clients. </t>
</list></t>
<t>KMS protocol</t>
<t><list style='empty'>
<t>The protocol through which communications resource clients interoperate with KMS servers.</t>
</list></t>
<t>KMS provider</t>
<t><list style='empty'>
<t>An individual or organization responsible for, and in control of, a KMS server deployment.</t>
</list></t>
<t>KMS transport</t>
<t><list style='empty'>
<t>Any service or protocol that provides the basic transport over which KMS protocol messages are exchanged.</t>
</list></t>
<t>resource client</t>
<t><list style='empty'>
<t>See communications resource client. </t>
</list></t>
<t>resource server</t>
<t><list style='empty'>
<t>See communications resource server.</t>
</list></t>
<t>trusted party</t>
<t><list style='empty'>
<t>A trusted party is an individual or organization that is trusted by one or more communicating users to maintain the confidentiality and integrity of their communications resources.</t>
</list></t>
</section>
<section anchor="security-terms" title="Security Terms">
<t>Most security-related terms in this document are to be understood in the sense defined in <xref target="RFC4949"/>; such terms include, but are not limited to, “attack”, “authentication”, “authorization”, “certification authority”, “certification path”, “certificate”, “credential”, “identity”, “self-signed certificate”, “trust”, “trust anchor”, “trust chain”, “validate”, and “verify”.</t>
</section>
<section anchor="notational-conventions" title="Notational Conventions">
<t>In this document, the key words “MUST”, “MUST NOT”, “REQUIRED”,
“SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”,
and “OPTIONAL” are to be interpreted as described in BCP 14, RFC 2119
<xref target="RFC2119"/>.</t>
</section>
</section>
<section anchor="architectural-overview" title="Architectural Overview">
<t>The architectural reference model for this specification is illustrated in <xref target="reference-model"/>. Central to this model is the <spanx style="emph">communications resource server</spanx> which is presumed to be operated by a <spanx style="emph">cloud provider</spanx> for the purpose of offering some form of communications service. The nature of this service is not prescribed by this specification and may take the form of any of a variety of communications or collaboration services including file sharing, messaging, and VoIP. Consuming the services of the communications resource server are <spanx style="emph">communications resource clients</spanx> which may be supplied by the cloud provider or developed by third parties. </t>
<figure title="KMS Architecture Reference Model" anchor="reference-model"><artwork><![CDATA[
+-----------------+
| Communications |
+-------------------| Resource Server |-------------------+
| | (Cloud Provider)| |
| +-----------------+ |
| |
| |
| +-----------------+ |
| +-----------| KMS Transport |-----------+ |
| | +-----------------+ | |
| | | | |
| | Untrusted | | |
- - -|- - - -|- - - - - - - - - - | - - - - - - - - - -|- - - -|- - -
| | Trusted | | |
| | | | |
+-----------------+ +-----------------+ +-----------------+
| Communications | | KMS Server | | Communications |
| Resource Client | | (KMS Provider) | | Resource Client |
+-----------------+ +-----------------+ +-----------------+
| |
+-----------------+ +-----------------+
| Alice | | Bob |
+-----------------+ +-----------------+
]]></artwork></figure>
<t>In addition to the familiar elements described above, this model also includes a key management server, or <spanx style="emph">KMS</spanx>, operated by a <spanx style="emph">KMS provider</spanx>. The KMS server exposes an API through which clients may securely establish and share cryptographic keying material used for the E2E encryption of content that is transited through the cloud provider’s services. This API is secured in such a way as to ensure these keys are visible to none but the KMS server itself and the clients authorized to consume the content they protect. This highlights an important distinction between the KMS provider and the cloud provider: while the KMS provider is necessarily a <spanx style="emph">trusted party</spanx>, the cloud provider need not be. </t>
<t>It is an explicit objective of this specification to promote an ecosystem of providers of KMS implementations and KMS services that are distinct and independent of the cloud providers over whose services users communicate. To that end, this specification seeks to standardize a KMS service protocol though which clients and KMS servers interoperate. This protocol provides for the establishment of a confidential and authenticated channel between each client and KMS server, and defines an API of request and response messages to be exchanged over this secure channel for the purpose of creating, retrieving, and exchanging keys. </t>
<t>While the KMS service protocol constitutes a central focus of this specification, the means by which this protocol is transported is expressly out of scope. This role may be readily addressed through either standards-based or proprietary protocols, and so we refer to this simply as the <spanx style="emph">KMS transport</spanx> for the remainder of this document. Over this transport, the communication paths between clients and KMS server are encrypted using keys established through an authenticated ephemeral key agreement. As such, the KMS transport provider need not be regarded as a trusted party, and in fact may be the cloud provider itself.</t>
<t>An important non-goal of this specification is the standardization of any aspect of the cloud provider’s services or the means by which clients utilize shared keys for the E2E encryption of data transiting those services. By avoiding the application of constraints on the communications services and protocols we enable the use of this specification in the context of existing service deployments, both standards-based and proprietary. It is similarly a non-goal of this specification to enable federation of secure communications between vendors of different cloud services, as that is the realm of standardized application protocols. The scope of this specification is intended to be narrowly focused on the task of separating E2E encryption key management from the communications services they secure, thereby facilitating the broadest possible adoption of secure communications though existing services.</t>
</section>
<section anchor="use-cases" title="Use Cases">
<t>The use cases described in this section are non-normative examples meant to illustrate how the KMS architecture may be deployed to provide E2E encryption of different types of communications resources. These use cases differ in detail, but generally follow a common logical sequence as given below.</t>
<t>Note that all requests to the KMS server are via the KMS transport which, for clarity, has been omitted from the sequence diagrams included in this section.</t>
<figure title="Nominal Use Case" anchor="nominal-usecase"><artwork><![CDATA[
Resource Resource Resource KMS
Client B Client A Server Server
| | | |
| | | (1) |
| |-----------------|---------------->|
| | (2) | |
| |---------------->| |
| | | (3) |
| |-----------------|---------------->|
| | (4) | |
|-----------------|---------------->| |
| | | |
(5) | | | |
| | | (6) |
|-----------------|-----------------|---------------->|
| | | |
(7) | | | |
| | | |
]]></artwork></figure>
<t><list style="numbers">
<t>Client A requests the generation of a new unbound key from the KMS.</t>
<t>Client A encrypts a communications resource using the unbound KMS key and shares it via a resource server.</t>
<t>Client A requests the creation of a new KMS resource object (KRO) to represent the communications resource. Client A also instructs the KMS to bind the KMS key used in step (2) to the new KRO and to authorize user B to retrieve keys bound to the KRO.</t>
<t>Client B accesses the communications resource shared by client A and receives the encrypted data.</t>
<t>Client B obtains, through some means not defined by this specification, the URL of the KMS key used to encrypt the communications resource.</t>
<t>Client B requests the KMS key from the KMS server. The KMS server, recognizing user B as authorized on the KRO to which the key is bound, returns the KMS key.</t>
<t>Client B decrypts the communications resource using the KMS key.</t>
</list></t>
<section anchor="securing-an-http-file-sharing-service" title="Securing an HTTP File Sharing Service">
<t>Let A be a user that wishes to share a file with users B and C through some HTTP based file sharing service. In the context of the KMS architecture we may regard the file sharing provider’s HTTP API as the resource server and the users’ HTTP clients as the resource clients. </t>
<t>For this scenario we also assume that the file sharing service is trusted by user A with the role of providing a file sharing service but is not necessarily trusted to adequately protect the confidentiality of the file contents. User A’s concerns may then be addressed through the introduction of an HTTP based KMS transport (not shown) and KMS server deployed by an entity that A regards as a trusted party.</t>
<figure title="File Sharing Use Case" anchor="fileshare-usecase"><artwork><![CDATA[
HTTP HTTP HTTP HTTP File KMS
Client C Client B Client A Share Server Server
| | | | |
| | | | (1) |
| | |--------------|------------>|
| | | (2) | |
| | |------------->| |
| (3) | (3) | | |
|<-------------|<-------------|--------------| |
| | | | (4) |
| | |--------------|------------>|
| | | (5) | |
| |--------------|------------->| |
| | | | (6) |
| |--------------|--------------|------------>|
| | | | |
| (7) | | | |
| | | | |
(8) | | | | |
| | | | |
]]></artwork></figure>
<t>This sequence begins with the assumption that each client has, at some point, already established a secure channel to the KMS via authenticated key agreement.</t>
<t><list style="numbers">
<t>Client A requests from the KMS some number of unbound KMS keys.</t>
<t>Client A selects an unbound key from the set of keys obtained step (1), encrypts the file to be shared, and posts the encrypted content to the file sharing service. The file sharing service responds with a URL that uniquely identifies the shared file.</t>
<t>Clients B and C learn of the newly shared file from the file sharing service (the mechanism by which this occurs is out of scope for this specification).</t>
<t>Client A requests the creation of a KMS resource object (KRO) on the KMS to represent the shared file. In this message the client also requests that the key from step (2) be bound to the newly created KRO and that the users of clients B and C be authorized to retrieve keys bound to the KRO. </t>
<t>Client B retrieves the shared file from the file sharing service.</t>
<t>Client B requests from the KMS all keys bound to the KRO associated with the shared file’s URL. Recognizing client B as authorized on the KRO, the KMS returns the key bound to the KRO by client A in step (4).</t>
<t>Client B decrypts the shared file using the key obtained in step (6).</t>
<t>Client C performs steps (5) through (7) in the same fashion as client B.</t>
</list></t>
<t>It is worth noting that a race condition does exist where step (6) could occur before step (4) completes. This will result in a client being temporarily denied access to the key used to encrypt the shared file.</t>
</section>
<section anchor="securing-an-xmpp-multi-user-chat" title="Securing an XMPP Multi-User Chat">
<t>Let A, B and C be users that wish to engage in secure chat through an existing XMPP multi-user chat room. In the context of the KMS architecture we may regard the XMPP MUC service as the resource server, the users’ XMPP clients as the resource clients, and the XMPP service itself (not shown) as the KMS transport. </t>
<figure title="Multi-User Chat Use Case" anchor="muc-usecase"><artwork><![CDATA[
XMPP XMPP XMPP XMPP MUC KMS
Client C Client B Client A Server Server
| | | | |
| | | | (1) |
| | |--------------|------------>|
| | | | (2) |
| | |--------------|------------>|
| | | (3) | |
| | |------------->| |
| (4) | (4) | | |
|<-------------|<-------------|--------------| |
| | | | (5) |
| |--------------|--------------|------------>|
| | | | |
| (6) | | | |
| | | | |
(7) | | | | |
]]></artwork></figure>
<t>This sequence begins with the assumption that a MUC room already exists on the MUC server and that each client has already established a secure channel to the KMS via authenticated key agreement. All messages are transmitted over XMPP.</t>
<t><list style="numbers">
<t>Client A requests from the KMS some number of unbound KMS keys. Client A selects one of these keys for encrypting MUC room messages.</t>
<t>Client A requests the creation of a KMS resource object (KRO) on the KMS to represent the MUC room. In this message the client also requests that the key selected in step (1) be bound to the newly created KRO and that the users of clients B and C be authorized to retrieve keys bound to the KRO. </t>
<t>Client A encrypts a message with the key selected in step (1) and sends it to the MUC room.</t>
<t>The MUC service delivers client A’s encrypted message to clients B and C.</t>
<t>Client B requests from the KMS all keys bound to the KRO associated with the MUC room’s URI. Recognizing client B as authorized on the KRO, the KMS returns the key bound to the KRO by client A in step (2).</t>
<t>Client B decrypts the shared file using the key selected in step (1).</t>
<t>Client C performs steps (5) and (6) in the same fashion as client B.</t>
</list></t>
</section>
<section anchor="kms-to-kms-key-federation" title="KMS to KMS Key Federation">
<t>This use case illustrates two KMS instances federating keys associated with a resource. As KMS servers are deployed to serve groups of users it is inevitable that users will want to share resources across groups or organizations. This cross-organization sharing of keys leads to several problems. First, each user is only known to and only knows of one logical KMS. Second, each organization might have very different archiving requirements due to differing legal compliance regulations due to jurisdiction or industry differences. Lastly, one or both of the users might be employees of enterprises that need to be able to respond to legal discovery requests. To address these issues, KMS servers may federate in such a way as to allow for limited copying of keys from one KMS to another. This permits each KMS’ owning organization the ability to control the ongoing policy regarding access to keys for which their respective users are authorized.</t>
<t>Let Alice@DomainA and Bob@DomainB be users of a common file sharing service and who happen to use different KMS servers to secure their communications. Assume then that Alice wishes to share a file with Bob and therefore relies on KMS server federation to facilitate the key exchange.</t>
<figure title="File Sharing with KMS Federation Use Case" anchor="fed-usecase"><artwork><![CDATA[
HTTP Client HTTP Client HTTP File KMS Server KMS Server
Bob@DomainB Alice@DomainA Share Server DomainA DomainB
| | | (1) | |
| |--------------|------------->| |
| | (2) | | |
| |------------->| | |
| (3) | | | |
|<-------------|--------------| | |
| | | (4) | |
| |--------------|------------->| |
| | (5) | | |
|--------------|------------->| | |
| | | | (6) |
|--------------|--------------|--------------|------------>|
| | | | (7) |
| | | |<------------|
| | | | (8) |
| | | |<------------|
| | | | |
| | | | | (9)
| | | | |
(10) | | | | |
| | | | |
]]></artwork></figure>
<t>This sequence begins with the assumption that each client has, at some point, already established a secure channel to their respective KMS via authenticated key agreement.</t>
<t><list style="numbers">
<t>Alice@DomainA requests from the DomainA KMS some number of unbound KMS keys. Each KMS key is uniquely identified by a URL.</t>
<t>Alice@DomainA selects a key from the set of KMS keys obtained in step (1), uses that key to encrypt the file to be shared, and posts the encrypted content to the file sharing service. The file sharing service responds with a URL that uniquely identifies the shared file.</t>
<t>Bob@DomainB is notified of the newly shared file URL and corresponding KMS key URL through a notification from the file sharing service (or potentially some other means, such an an email from Alice).</t>
<t>Alice@DomainA requests the creation of a KMS resource object (KRO) on the DomainA KMS to represent the shared file. In this message Alice also requests that the KMS key from step (2) be bound to the newly created KRO and that the user Bob@DomainB be authorized to retrieve KMS keys bound to the KRO. </t>
<t>Bob@DomainB retrieves the shared file from the file sharing service.</t>
<t>Using the KMS key URL obtained in step (3), Bob@DomainB requests the KMS key from the DomainB KMS.</t>
<t>The DomainB KMS recognizes the KMS key URL as actually hosted by the DomainA KMS. The DomainB KMS establishes a secure and mutually authenticated channel with the DomainA KMS via the KMS transport.</t>
<t>The DomainB KMS requests from the DomainA KMS the KRO object to which the KMS key is bound, along with all DomainB user authorizations and other KMS keys that have been bound to that KRO. The DomainA KMS recognizes that the DomainB KMS is authorized to retrieve all KMS keys for which users in the DomainB domain have been authorized. It then recognizes that at least one DomainB user (Bob) has been authorized on the KRO created in step (4). The DomainA KMS therefore decides the DomainB KMS is authorized to make this request and returns the requested information. </t>
<t>Using the information received from the DomainA KMS, the DomainB KMS verifies that Bob@DomainB is authorized on the KRO, and satisfies the request from step (6) by returning the KMS key to Bob@DomainB. </t>
<t>Client Bob@DomainB decrypts the shared file using the key obtained in step (9).</t>
</list></t>
<t>Note that in step (9) the DomainB KMS is enforcing authorization policy for the KRO hosted on the DomainA KMS as it pertains to DomainB users. This is a necessary consequence of KMS federation, where the act of authorizing access to a KRO by a user residing in a federated domain engenders an implicit trust of the KMS server that controls the federated domain. For that reason, a KMS provider should restrict federation of its KMS servers to domains that the KMS provider regards as trusted. </t>
</section>
</section>
<section anchor="kms-protocol" title="KMS Protocol">
<t>The KMS protocol is composed of a message oriented request and response API and a secure channel over which those messages are exchanged. The API provides clients with the ability to generate E2E encryption keys, associate those keys with communications resources, and explicitly manage access authorizations on those keys. The secure channel provides a mutually authenticated and E2E encrypted channel over which the clients and KMS server may exchange API messages securely. The API and secure channel are described in detail through the remainder of this section.</t>
<section anchor="secure-channel" title="Secure Channel">
<t>The secure channel is an encrypted and mutually authenticated communication path between each client and the KMS server. It transits the KMS transport which, in the context of this document, represents any service or protocol that may be utilized for the relaying of KMS API request and response messages. This specification presumes the KMS transport to be untrusted.</t>
<figure title="Establishment of a Secure Channel" anchor="establish-secure-channel"><artwork><![CDATA[
(3) Secure Channel
+===================================================+
V V
+-----------------+ (2) +---------------+ (1) +---------------+
| Resource Client |<------>| KMS Transport |<------>| KMS Server |
+-----------------+ +---------------+ +---------------+
| |
Trusted | Untrusted | Trusted
]]></artwork></figure>
<t>At a high level, the communication path between a resource client and KMS is established as follows.</t>
<t><list style="numbers">
<t>The KMS actively connects to the KMS transport. The protocol used for this connection is out of scope for this document, however it MUST support the asynchronous flow of encrypted KMS request and response messages between the KMS and KMS transport. </t>
<t>A resource client connects to the KMS transport. The protocol used for this connection is out of scope for this document, however it MUST support the flow of encrypted KMS request and response messages between the resource client and the KMS transport.</t>
<t>Through an elliptic curve Diffie-Helman key exchange, augmented by server and client authentication, the resource client and KMS establish a shared secret and derived ephemeral key. This is discussed in greater detail in <xref target="proto-ecdhe"/>.</t>
</list></t>
<t>On successful mutual authentication and ephemeral key agreement, the resource client and KMS communicate through the exchange of sequenced request and response messages encrypted using the ephemeral key.</t>
</section>
<section anchor="proto-user-identity" title="User Identity">
<t>Central to the KMS server’s role as a key store is its ability to restrict access to stored keying material to only authorized users. This requires robust user authentication and a means for the unambiguous and unique identification of each user.</t>
<t>Conforming KMS architecture deployments MUST rely on an identity provider that supports the generation of OAuth 2.0 <xref target="RFC6749"/> access tokens. The KMS server MUST rely on same identity provider for the purpose of validating access tokens received from the client. Access tokens used by clients to demonstrate identity and authorization for access to KMS resources MUST NOT be used for any other service. Any exposure of a KMS recognized access token to third parties (such as providers of other services) jeopardizes the security of all KMS keys for which the user whose identity is represented by the token is authorized. </t>
<t>The identity provider on which the KMS server relies MAY be the same identity provider as relied upon by the resource server(s) whose communications resources are encrypted with keys managed by the KMS server. Note, however, the reliable authentication and authorization of clients to the KMS server is critical to the security of the KMS keys it holds. The identity provider on which the KMS relies must therefore necessarily be regarded as a trusted party within the context of the KMS architecture.</t>
<t>Access tokens MUST be conveyed to the KMS server as part of the payload of encrypted KMS API requests as described in <xref target="proto-basic-request-payload"/> and MUST NOT be conveyed in any other manner. </t>
</section>
<section anchor="kms-identity" title="KMS Identity">
<t>Given the untrusted nature of the KMS transport by both the KMS and clients, it is critical for clients to be able to verify the identity of their KMS and ensure that no MITM attacks are carried out on client to KMS or KMS to client communications. Therefore, the KMS MUST make use of at least one PKIX certificate <xref target="RFC5280"/> and clients MUST validate the PKIX certificate presented by the KMS through the comparison of the certificate’s common name (CN) or subject alternative name (SAN) <xref target="RFC6125"/> fields to the Internet domain portion of the user’s Addr-spec <xref target="RFC2822"/> formatted unique identifier using the procedures defined in section 6 of <xref target="RFC6125"/>. An acceptable alternative to direct CN or SAN validation is defined in <xref target="I-D.ietf-xmpp-posh"/>.</t>
<t>PKIX certificates presented by the KMS can be issued by either a public or private certification authority with the stipulation that clients MUST be able to validate the KMS’s entire certificate path through the pre-established trust of the root certificate used to anchor the certificate path. The mechanism for establishing trust of the root certificate is out of scope for this specification, but it is usually carried out through pre-installed trusted root certificates on various operating systems for public certification authorities or through enterprise endpoint management solutions or manual installation tasks for private certification authorities.</t>
</section>
<section anchor="object-types" title="Object Types">
<t>The KMS protocol defines three object types: resources, keys, and authorizations. It is through the creation and manipulation of instances of these object types that clients interact with the KMS.</t>
<t>Resource</t>
<t><list style='empty'>
<t>A resource is an object that represents, within the KMS object model, a communications resource as defined in <xref target="terminology"/>. Keys and user authorizations are associated (bound) to the resource object as a means of representing their logical association with that communications resource.</t>
</list></t>
<t>Key</t>
<t><list style='empty'>
<t>A key is an object representing symmetric keying material generated and made available to authorized clients by the KMS. A key may exist in one of two states: “bound”, and “unbound”. An unbound key is not associated with any resource, whereas a bound key is associated with exactly one resource. </t>
</list></t>
<t>Authorization</t>
<t><list style='empty'>
<t>An authorization is the association of a user with a particular resource. When such an association exists between a user and a resource this implies that the user is entitled to retrieve any key that is bound to that resource, and to add or remove authorizations for other users on the same resource. </t>
</list></t>
<t>The KMS protocol is composed from representations of these fundamental object types. These representations are defined in the following sections.</t>
<section anchor="kms-key-objects" title="KMS Key Objects">
<t>The JSON representations for KMS key objects is defined as follows using JSON content rules <xref target="I-D.newton-json-content-rules"/>.</t>
<figure><artwork><![CDATA[
jwk : ; see [JWK]
kmsUri (
"uri" : uri relative
)
keyRep {
kmsUri,
"jwk" : jwk,
"userId" : string,
"clientId" : string,
"createDate" : date-time,
"expirationDate" : date-time,
?"resourceUri" : kmsUri,
?"bindDate" : date-time
}
key (
"key" : keyRep
)
keys (
"keys" : [ *keyRep ]
)
keyUris (
"keyUris" : [ *kmsUri ]
)
]]></artwork></figure>
<t>The attributes of a KMS key object are defined as follows.</t>
<t>uri</t>
<t><list style='empty'>
<t>A standard definition for KMS object identifiers.</t>
</list></t>
<t>jwk</t>
<t><list style='empty'>
<t>Symmetric keying material represented as a JWK object (see <xref target="I-D.ietf-jose-json-web-key"/>).</t>
</list></t>
<t>userId</t>
<t><list style='empty'>
<t>The authenticated unique identifier of the user that created the key.</t>
</list></t>
<t>clientId</t>
<t><list style='empty'>
<t>An opaque unique identifier provided by the client that created the key.</t>
</list></t>
<t>createDate</t>
<t><list style='empty'>
<t>The point in time when the key was created, in RFC-3339 date-time format.</t>
</list></t>
<t>expirationDate</t>
<t><list style='empty'>
<t>The point in time after which the key may no longer be bound (if unbound) or may no longer be used for encrypting data (if bound or an ephemeral key).</t>
</list></t>
<t>resourceUri</t>
<t><list style='empty'>
<t>The uri of the KMS resource object to which the key is bound.</t>
</list></t>
<t>bindDate</t>
<t><list style='empty'>
<t>The point in time when the key was bound, in RFC-3339 date-time format.</t>
</list></t>
</section>
<section anchor="kms-authorization-objects" title="KMS Authorization Objects">
<t>The JSON representations for KMS authorization objects is defined as follows using JSON content rules with references to rules defined in previous sections.</t>
<figure><artwork><![CDATA[
authorizationRep {
kmsUri,
"userId" : string,
"resourceUri" : kmsUri,
}
authorization (
"authorization" : authorizationRep
)
authorizations (
"authorizations" : [ *authorizationRep ]
)
authorizationUris (
"authorizationUris" : [ *kmsUri ]
)
]]></artwork></figure>
<t>The attributes of a KMS authorization object are defined as follows.</t>
<t>uri</t>
<t><list style='empty'>
<t>A standard definition for KMS object identifiers.</t>
</list></t>
<t>userId</t>
<t><list style='empty'>
<t>The unique identifier of the user that is authorized.</t>
</list></t>
<t>resourceUri</t>
<t><list style='empty'>
<t>The object identifier of the resource to which the authorization applies.</t>
</list></t>
<t>Note, with respect to this specification user identifiers are opaque, however they MUST map to unique identifiers provided as part of user authentication.</t>
</section>
<section anchor="kms-resource-objects-kro" title="KMS Resource Objects (KRO)">
<t>The JSON representation for KMS resource objects is defined as follows using JSON content rules with references to rules defined in previous sections.</t>
<figure><artwork><![CDATA[
resourceRep {
kmsUri,
keys / keyUris,
authorizations / authorizationUris
}
resource (
"resource" : resourceRep
)
resources (
"resources" : [ *resourceRep ]
)
resourceUris (
"resourceUris" : [ *kmsUri ]
)
]]></artwork></figure>
<t>The attributes of a KMS resource object are defined as follows.</t>
<t>uri</t>
<t><list style='empty'>
<t>A standard definition for KMS object identifiers.</t>
</list></t>
<t>keys</t>
<t><list style='empty'>
<t>An array of key object representations, one for each key bound to the resource.</t>
</list></t>
<t>keyUris</t>
<t><list style='empty'>
<t>An array of key object identifiers, one for each key bound to the resource. Only one of either keys or keyUris may be present in a resource object representation.</t>
</list></t>
<t>authorizations</t>
<t><list style='empty'>
<t>An array of authorization object representations, one for each authorization on the resource.</t>
</list></t>
<t>authorizationUris</t>
<t><list style='empty'>
<t>An array of authorization object identifiers, one for each authorization on the resource. Only one of either authorizations or authorizationUris may be present in a resource object representation.</t>
</list></t>
</section>
</section>
<section anchor="request-types" title="Request Types">
<t>The KMS protocol defines four types of requests: create, retrieve, update, delete, each of which may be applied to one of the three KMS object types. Note that not all object types support all requests types. A KMS need only support those combinations of request type and object type explicitly defined in this document.</t>
<t>Create</t>
<t><list style='empty'>
<t>A create operation acts upon an object type, creating one or more new instances of that object type. </t>
</list></t>
<t>Retrieve</t>
<t><list style='empty'>
<t>A retrieve operation acts upon an object or object type, returning in the response a representation of one or more object instances.</t>
</list></t>
<t>Update</t>
<t><list style='empty'>
<t>An update operation acts upon an object, altering mutable properties of that object.</t>
</list></t>
<t>Delete</t>
<t><list style='empty'>
<t>A delete operation acts upon an object, removing that object from the KMS.</t>
</list></t>
</section>
<section anchor="message-structure" title="Message Structure">
<t>Every KMS request and response message is composed of a JSON <xref target="RFC7159"/> formatted payload encapsulated within either a JWE <xref target="I-D.ietf-jose-json-web-encryption"/> or JWS <xref target="I-D.ietf-jose-json-web-signature"/> object. These messages may be divided into three types.</t>
<t>Common Messages</t>
<t><list style='empty'>
<t>Common messages include all those which do not meet the definition of either key agreement message or error message. Common messages are encrypted as JWE objects using the shared ephemeral key established during initial key agreement between the client and KMS (see <xref target="proto-ecdhe"/>). The value of the JWE header “kid” attribute of a common message MUST match that of the KMS ephemeral key object URI attribute established during initial key agreement.</t>
</list></t>
<t>Ephemeral Key Agreement Messages</t>
<t><list style='empty'>
<t>Ephemeral key agreement messages are those exchanged between the client and KMS for the purpose of establishing a new shared ephemeral key (see <xref target="proto-ecdhe"/>). Key agreement request payloads are encrypted as JWE objects using the authenticated and validated static public key of the KMS. Key agreement response payloads are signed as JWS objects using the static private key of the KMS.</t>
</list></t>
<t>Error Messages</t>
<t><list style='empty'>
<t>Error messages are those originated by the KMS to indicate a failed request. Error messages are composed in the same fashion as common messages; however, in the event that the KMS does not recognize the ephemeral key used in the request, or that key is determined to have expired, the KMS MUST respond with an unencrypted message composed as a JWS, with a payload as described in <xref target="proto-error"/>, and signed using the KMS server’s static public key.</t>
</list></t>
<t>The basic JSON representations for the request and response payloads are defined in the following sections.</t>
<section anchor="proto-basic-request-payload" title="Basic Request Payload">
<t>The basic JSON representation for KMS request message payloads is defined as follows using JSON content rules with references to rules defined in previous sections.</t>
<figure><artwork><![CDATA[
sequence (
"sequence" : integer
)
credential {
"userId": string
"bearer": string / "jwk": jwk
}
client {
"clientId": string,
"credential": credential
)
method: string /create|retrieve|update|delete/
request (
"client" : client,
"method" : method,
kmsUri,
sequence
)
]]></artwork></figure>
<t>The attributes of a KMS request message payload are defined as follows.</t>
<t>sequence</t>
<t><list style='empty'>
<t>An integer selected by the client and provided in a monotonically increasing order with each request, beginning with the initial create ephemeral key request.</t>
</list></t>
<t>userId</t>
<t><list style='empty'>
<t>The unique identifier of the user making the request. </t>
</list></t>
<t>bearer</t>
<t><list style='empty'>
<t>An <xref target="RFC6749"/> access token issued by the client’s identity provider and validated by the KMS in cooperation with the identity provider. See <xref target="proto-user-identity"/>.</t>
</list></t>
<t>jwk</t>
<t><list style='empty'>
<t>A JWK object, in JSON format as defined in <xref target="I-D.ietf-jose-json-web-key"/>, containing the public key of the client (presumably a server). This JWK MUST contain an x5c header with a certificate chain that may be used to positively validate the public key.</t>
</list></t>
<t>clientId</t>
<t><list style='empty'>
<t>An opaque unique identifier provided by the client (not used for authentication, only to assist multiple clients of a single user in differentiating between their respective unbound keys).</t>
</list></t>
<t>method</t>
<t><list style='empty'>
<t>Indicates the request type: create, retrieve, update, or delete.</t>
</list></t>
<t>uri</t>
<t><list style='empty'>
<t>The KMS object or object type to which the request applies.</t>
</list></t>
<t>The JSON content rules above are used in conjunction with additional request type specific rules, defined later in this document, to produce the full request payload definition for each KMS operation.</t>
</section>
<section anchor="proto-basic-response-payload" title="Basic Response Payload">
<t>The basic JSON representation for KMS request message payloads is defined as follows using JSON content rules with references to rules defined in previous sections.</t>
<figure><artwork><![CDATA[
response (
"status" : integer,
?"reason" : string
sequence
)
]]></artwork></figure>
<t>The attributes of a KMS request message payload are defined as follows.</t>
<t>status</t>
<t><list style='empty'>
<t>Indicates the success or failure of the request. The value returned in a response status attribute SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the success or failure condition of the KMS request.</t>
</list></t>
<t>reason</t>
<t><list style='empty'>
<t>An optional natural language string to describe the response status in terms that are useful for tracing and troubleshooting the API. </t>
</list></t>
<t>sequence</t>
<t><list style='empty'>
<t>An echo of the sequence number provided in the request.</t>
</list></t>
<t>The JSON content rules above are used in conjunction with additional response type specific rules, defined later in this document, to produce the full response payload definition for each KMS operation.</t>
</section>
<section anchor="proto-error" title="Error Response Payload">
<t>The JSON representation for KMS error response message payloads is defined as follows using JSON content rules with references to rules defined in previous sections.</t>
<t>Error response payload definition:</t>
<figure><artwork><![CDATA[
root {
response
}
]]></artwork></figure>
<t>Error response message example:</t>
<figure><artwork><![CDATA[
JWS(K_kms_priv, {
"status": 403,
"reason": "The ephemeral key used in the request has expired.",
"sequence": 7
})
]]></artwork></figure>
</section>
</section>
<section anchor="requests" title="Requests">
<t>The following sections provide detailed descriptions for each of the request and response operations that may occur between a resource client and the KMS.</t>
<section anchor="proto-ecdhe" title="Create Ephemeral Key">
<t>The first operation between a client and KMS MUST be the establishment of a shared secret and derived ephemeral key. This is necessary as all other requests and responses are encrypted with the ephemeral key. </t>
<t>The client request for creating an ephemeral key conforms to the basic request message payload, where the method is “create” and the uri is “/ecdhe”. In addition to the basic payload, the client provides a jwk attribute for which the value is a JWK object <xref target="I-D.ietf-jose-json-web-key"/> containing the public part of an EC key pair generated by the client. Unlike a basic request message, however, the request payload is encrypted as the content of a JWE <xref target="I-D.ietf-jose-json-web-key"/> secured with the static public key of the KMS server (K_kms_pub) as obtained from the server’s validated PKIX certificate <xref target="RFC5280"/>.</t>
<t>Note, the client MUST generate a new EC key pair for every create ephemeral key request sent to the KMS server.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request,
jwk
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_kms_pub, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
},
"method": "create",
"uri": "/ecdhe",
"sequence": 0,
"jwk" : {
"kty": "EC",
"crv": "P-256",
"x": "VoFkf6Wk5kDQ1ob6csBmiMPHU8jALwdtaap35Fsj20M",
"y": "XymwN6u2PmsKbIPy5iij6qZ-mIyej5dvZWB_75lnRgQ"
}
})
]]></artwork></figure>
<t>On receiving the ephemeral key creation request, the KMS server MUST verify the credential provided in the request. If a bearer token is provided, the KMS MUST validate the token in cooperation with the identity provider. If a jwk is provided, the KMS MUST validate the included PKIX certificate chain against the KMS server’s trust root. In either case, the identity of the requesting client MUST be authenticated and verified to correspond to either an authorized user of the KMS or an authorized trusted service. If verification fails, the KMS MUST NOT use the server response to continue with key agreement.</t>
<t>Upon successful authentication and authorization of the request, the KMS responds by generating its own EC key pair using the same curve as indicated in the “crv” attribute of the request message JWK. The KMS server returns the public part of this key pair to the resource client in the form of a KMS key object within the response payload. The KMS also generates and includes within the response payload a universally unique identifier to be regarded by both client and KMS as the key identifier of the agreed upon ephemeral key. The response payload is returned to the resource client as the content of a JWS <xref target="I-D.ietf-jose-json-web-signature"/> signed using the static private key of the KMS server (K_kms_priv).</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
key
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWS(K_kms_priv, {
"status": 201,
"sequence": 0,
"key": {
"uri": "/ecdhe/ea9f3858-1240-4328-ae22-a15f6072306f",
"jwk" : {
"kty": "EC",
"crv": "P-256",
"x": "8mdasnEZac2LWxMwKExikKU5LLacLQlcOt7A6n1ZGUC",
"y": "lxs7ln5LtZUE_GE7yzc6BZOwBxtOftdsr8HVh-14ksS"
},
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"expirationDate": "2014-10-09T16:54:48Z"
}
})
]]></artwork></figure>
<t>If successful, the KMS response to a create ephemeral key request MUST have a status of 201. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition. In addition, the ephemeral key SHOULD have the createDate assigned as the current time and an expirationDate assigned as the latest point in time before which the key may be used for encrypting messages (both in <xref target="RFC3339"/> date-time format).</t>
<t>On receiving the ephemeral key creation response, the resource client MUST verify the received JWS against the KMS server’s validated static public key. If verification fails, the client MUST NOT use the server response to continue with key agreement.</t>
<t>To generate the shared secret, both resource client and KMS server use ECDH shared secret derivation with the private part of the local EC key pair and the public part of the remote EC key pair. The shared secret is then provided as input to HKDF (with both extract and expand, and empty salt) <xref target="RFC5869"/> to generate the ephemeral key (K_ephemeral). </t>
<t>The ephemeral key generated by this operation is used to encrypt all subsequent KMS requests submitted by the requesting resource client. The encryption of subsequent requests takes the form of a JWE object for which the kid attribute value MUST be the key object URI provided by the KMS in the response message described above. </t>
<t>The KMS SHOULD accept messages encrypted with the ephemeral key up to and until the key expiration date as provided in the response message described above. On expiration of the ephemeral key, the KMS MUST reject all further requests submitted using this key, and a client wishing to submit further requests to the KMS MUST re-establish the secure channel by requesting the creation of a new ephemeral key.</t>
</section>
<section anchor="delete-ephemeral-key" title="Delete Ephemeral Key">
<t>In the event that a resource client’s ephemeral key has become compromised, a client SHOULD submit a request to the KMS to delete the ephemeral key.</t>
<t>The request message conforms to the basic request message structure, where the method is “delete”, and the uri is that of the ephemeral key to be deleted.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "delete",
"uri": "/ecdhe/ea9f3858-1240-4328-ae22-a15f6072306f",
"sequence": 7
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure, and MUST NOT include a representation of the deleted ephemeral key.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"status": 204,
"sequence": 7
})
]]></artwork></figure>
<t>If successful, the KMS response to a delete ephemeral key request MUST have a status of 204. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition.</t>
<t>On successful deletion of an ephemeral key, the KMS MUST NOT, from that time forward, accept any requests encrypted with that ephemeral key.</t>
</section>
<section anchor="create-resource" title="Create Resource">
<t>When a client intends to initiate E2E encryption of a communications resource, it begins by requesting the creation of a KMS resource object. This resource object logically represents the communications resource within the KMS data model. </t>
<t>As part of a create resource request, a KMS server MUST create at least one authorization object on the newly created resource object to explicitly authorize the user making the request. A client MAY request the immediate creation of one or more additional authorizations such that corresponding users may be immediately authorized to access and operate on the new resource object. If for any reason one or more requested authorizations cannot be applied to the new resource object, the entire create resource request MUST be failed by the KMS.</t>
<t>As part of a create resource request, a client MAY request the immediate binding of one or more unbound KMS keys to the new resource object. If any key indicated in the request is already bound, or is otherwise invalid (e.g. expired), the entire create resource request MUST be failed by the KMS.</t>
<t>The request message conforms to the basic request message structure, where the method is “create”, the uri is “/resources”, and additional user identifiers and/or key URIs are provided in a manner consistent with the following.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
userIds (
"userIds" : [ *string ]
)
root {
request,
?userIds,
?keyUris
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "create",
"uri": "/resources",
"sequence": 7,
"userIds": [
"b46e8124-b6e8-47e0-af0d-e7f1a2072dac",
"39d56a84-c6f9-459e-9fd1-40ab4ad3e89a"
],
"keyUris": [
"/keys/b4cba4da-a984-4af2-b54f-3ca04acfe461",
"/keys/2671413c-ab80-4f19-a0a4-ae07e1a94e90"
]
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure, and includes a representation of the created KMS resource object.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
resource
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"status": 201,
"sequence": 7,
"resource": {
"uri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094",
"authorizationUris": [
"/authorizations/50e9056d-0700-4919-b55f-84cd78a2a65e",
"/authorizations/db4c95ab-3fbf-42a8-989f-f53c1f13cc9a"
],
"keyUris": [
"/keys/b4cba4da-a984-4af2-b54f-3ca04acfe461",
"/keys/2671413c-ab80-4f19-a0a4-ae07e1a94e90"
]
}
})
]]></artwork></figure>
<t>If successful, the KMS response to a create resource request MUST have a status of 201. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition.</t>
</section>
<section anchor="create-unbound-keys" title="Create Unbound Keys">
<t>When a client requires a symmetric key for use in the E2E encryption of a communications resource, it begins by requesting the creation of one or more unbound keys from the KMS. A client may submit this request at any time, even before the communications resource exists. The keys returned by this request are unbound, which is to say not yet associated with any KMS resource object.</t>
<t>The request message conforms to the basic request message structure, where the method is “create”, the uri is “/keys”, and an additional count attribute is introduced to indicate the number of keys to be created.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request,
"count": integer
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "create",
"uri": "/keys",
"sequence": 7,
"count": 2
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure with the addition of an array of key object representations, one for each unbound key created.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
keys / keyUris
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"status": 201,
"sequence": 7,
"keys": [
{
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"jwk": {
"kid": "52100fa4-c222-46d0-994d-1ca885e4a3a2",
"kty": "oct",
"k": "ZMpktzGq1g6_r4fKVdnx9OaYr4HjxPjIs7l7SwAsgsg"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"expirationDate": "2014-10-09T16:04:48Z"
},
{
"uri": "/keys/fed33890-f9fa-43ad-a9f8-ab55a983a543",
"jwk": {
"kid": "fed33890-f9fa-43ad-a9f8-ab55a983a543",
"kty": "oct",
"k": "q2znCXQpbBPSZBUddZvchRSH5pSSKPEHlgb3CSGIdpL"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"expirationDate": "2014-10-09T16:04:48Z"
}
]
})
]]></artwork></figure>
<t>Each key object in the response to a create unbound keys request includes a single JWK <xref target="I-D.ietf-jose-json-web-key"/> representing a new symmetric key of 256 bits generated by a cryptographically secure PRNG. Note that, as unbound keys, the resourceUri attribute of each key is either undefined or null. All keys SHOULD have the createDate assigned as the current time and an expirationDate assigned as the latest point in time before which the key may be bound to a resource (both in <xref target="RFC3339"/> date-time format).</t>
<t>The clientId attribute of each created key MUST be the clientId provided by the client in the client.clientId attribute of the request.</t>
<t>As shown in the response payload definition, the KMS MUST return either an array of key object representations or an array of key object uris. It is at the KMS server’s discretion which of these is returned.</t>
<t>If successful, the KMS response to a create unbound keys request MUST have a status of 201. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition.</t>
</section>
<section anchor="update-unbound-key-bind" title="Update Unbound Key (Bind)">
<t>To initiate the use of an unbound KMS key in securing a communications resource, a client will create a corresponding KMS resource object and subsequently bind the unbound key to that resource. A client MAY begin using an unbound KMS key to encrypt a communications resource prior to the binding of that key.</t>
<t>The request message conforms to the basic request message structure, where the method is “update”, the uri is that of the key to be bound, and an additional resourceUri attribute is introduced to indicate the KMS resource object to which the key is to be bound. If the user making a bind unbound key request does not have an authorization on the resource indicated by the resourceUri, or is not the user for whom the unbound key was originally created, the KMS MUST fail the request. The KMS SHOULD fail the request if the clientId of the request does not match that of the unbound key.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request,
"resourceUri" : kmsUri
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "update",
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"sequence": 7,
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure, and includes a representation of the full state of the newly bound key.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
key
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
{
"status": 200,
"sequence": 7,
"key": {
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"jwk": {
"kid": "52100fa4-c222-46d0-994d-1ca885e4a3a2",
"kty": "oct",
"k": "ZMpktzGq1g6_r4fKVdnx9OaYr4HjxPjIs7l7SwAsgsg"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"bindDate": "2014-10-09T15:55:34Z",
"expirationDate": "2014-10-10T15:55:34Z",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
}
})
]]></artwork></figure>
<t>On successfully binding a formerly unbound KMS key to a resource object, the state of the KMS key object MUST reflect the updated resourceUri attribute, MUST reflect a bindDate as the current time, and MUST reflect an expirationDate as the time after which clients MUST NOT use this key for encryption as provided by KMS policy. Subsequently, the KMS MUST regard the key as bound to the KMS resource object identified by the resourceUri and MUST reject subsequent requests to bind the same key to any other resource object.</t>
<t>If successful, the KMS response to a bind unbound key request MUST have a status of 200. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition.</t>
</section>
<section anchor="retrieve-keys" title="Retrieve Keys">
<t>Clients engaging in E2E encryption require a means for retrieving keys from the KMS. A key request may take one of three forms, it may be</t>
<t><list style="symbols">
<t>a request for a specific key,</t>
<t>a request all keys bound to a particular resource, or</t>
<t>a request for a subset of keys bound to a particular resource.</t>
</list></t>
<t>In all cases, the request message conforms to the basic request message structure with “retrieve” as the value for the method attribute. </t>
<t>To retrieve an individual key, the uri of the request is that of the key object to be retrieved. If the key is unbound, the KMS MUST reject the request unless it originates from the user that requested the key’s creation, and SHOULD reject the request unless it originates from the same clientId that requested the key’s creation. If the key is bound, the KMS MUST reject the request unless the request originates from a user for which there exists a corresponding authorization on the resource to which the requested key is bound.</t>
<t>To retrieve all keys bound to a particular resource, the uri of the request is that of the resource concatenated with “/keys”. To retrieve a select subset of keys bound to a particular resource, the client constructs a request for all keys and augments this with the additional attributes “count” and “prefer”. The count attribute specifies the maximum number of keys that the KMS may return in the response message, and the prefer attribute is a token indicating a preference criterion. Defined preference criteria are:</t>
<t><list style="symbols">
<t>recently-bound</t>
<t>recently-requested</t>
</list></t>
<t>The recently-bound criterion prefers keys that have been most recently bound to the resource. The recently-requested criterion prefers keys that have been most recently requested by their specific uri (including requests made by other clients). The KMS MUST reject the request unless the request originates from a user for which there exists a corresponding authorization on the resource from which bound keys are being requested.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request,
?(
"prefer": string /recently-bound|recently-requested/,
"count": integer
)
}
]]></artwork></figure>
<t>Request message example (individual key):</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "retrieve",
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"sequence": 7
})
]]></artwork></figure>
<t>Request message example (all keys bound to a resource):</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "retrieve",
"uri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094/keys",
"sequence": 7
})
]]></artwork></figure>
<t>Request message example (10 keys most recently bound to a resource):</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "retrieve",
"uri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094/keys",
"sequence": 7,
"prefer": "recently-bound",
"count": 10
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure and includes a representation of the key or keys selected by the request. In the case of a request for a specific individual key, the response will contain a representation of a single key. In the case of a request for all keys bound to a resource, the response will contain an array representing all KMS keys currently bound to the resource.</t>
<t>In the case of a request for a select subset of keys bound to a resource, the response will contain an array representing the set of KMS keys currently bound to the resource and which most closely satisfy the preference criterion indicated in the request. In this case, the size of the keys array in the response MUST NOT exceed the count as given in the request.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
key / keys
}
]]></artwork></figure>
<t>Response message example (for specific key):</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
{
"status": 200,
"sequence": 7,
"key": {
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"jwk": {
"kid": "52100fa4-c222-46d0-994d-1ca885e4a3a2",
"kty": "oct",
"k": "ZMpktzGq1g6_r4fKVdnx9OaYr4HjxPjIs7l7SwAsgsg"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"bindDate": "2014-10-09T15:55:34Z",
"expirationDate": "2014-10-10T15:55:34Z",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
}
})
]]></artwork></figure>
<t>Response message example (all keys bound to a resource):</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
{
"status": 200,
"sequence": 7,
"keys": [
{
"uri": "/keys/52100fa4-c222-46d0-994d-1ca885e4a3a2",
"jwk": {
"kid": "52100fa4-c222-46d0-994d-1ca885e4a3a2",
"kty": "oct",
"k": "ZMpktzGq1g6_r4fKVdnx9OaYr4HjxPjIs7l7SwAsgsg"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"bindDate": "2014-10-09T15:55:34Z",
"expirationDate": "2014-10-10T15:55:34Z",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
},
{
"uri": "/keys/fed33890-f9fa-43ad-a9f8-ab55a983a543",
"jwk": {
"kid": "fed33890-f9fa-43ad-a9f8-ab55a983a543",
"kty": "oct",
"k": "q2znCXQpbBPSZBUddZvchRSH5pSSKPEHlgb3CSGIdpL"
}
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"createDate": "2014-10-09T15:54:48Z",
"bindDate": "2014-10-09T15:56:43Z",
"expirationDate": "2014-10-10T15:56:43Z",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
}]
})
]]></artwork></figure>
<t>If successful, the KMS response to a retrieve bound keys request MUST have a status of 200. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition.</t>
</section>
<section anchor="create-authorizations" title="Create Authorizations">
<t>An authorization establishes a relationship between a resource and a user that entitles the user to retrieve bound keys from, and bind new keys to, that resource. The KMS resource authorization model is viral in the sense that, once a user has been authorized on a resource, that user is also entitled to authorize other users on that resource. These authorizations are created through create authorization requests.</t>
<t>The request message conforms to the basic request message structure, where the method is “create”, and the uri is “/authorizations”. Additional attributes are required to indicate the resource on which authorizations are to be added, as well as the set of users for whom these new authorizations are to be created.</t>
<figure><artwork><![CDATA[
root {
request,
"resourceUri" : kmsUri,
"userIds" : [ *string ]
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "create",
"uri": "/authorizations",
"sequence": 7,
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094",
"userIds": [
"119a0582-2e2b-4c0c-ba6a-753d05171803",
"557ac05d-5751-43b4-a04b-e7eb1499ee0a"
]
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure, and includes a representation of the set of KMS authorization objects created by the request.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
authorizations
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
{
"status": 201,
"sequence": 7,
"collection": [
{
"uri": "/authorizations/79a39ed9-a8e5-4d1f-9ae2-e27857fc5901",
"userId": "119a0582-2e2b-4c0c-ba6a-753d05171803",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
},
{
"uri": "/authorizations/5aaca3eb-ca4c-47c9-b8e2-b20f47568b7b",
"userId": "557ac05d-5751-43b4-a04b-e7eb1499ee0a",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
}]
})
]]></artwork></figure>
<t>If successful, the KMS response to a create authorizations request MUST have a status of 201. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition. If for any reason one or more requested authorizations cannot be created or applied to the resource object, the entire create authorizations request MUST be failed by the KMS.</t>
</section>
<section anchor="delete-authorization" title="Delete Authorization">
<t>To remove an authorization from a KMS resource object, any user currently authorized on the same resource object may issue a delete authorization request. The request message conforms to the basic request message structure, where the method is “delete”, and the uri is that of the authorization object to be deleted.</t>
<t>Request payload definition:</t>
<figure><artwork><![CDATA[
root {
request
}
]]></artwork></figure>
<t>Request message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
"requestId": "1234",
"client": {
"clientId": "android_a6aa012a-0795-4fb4-bddb-f04abda9e34f",
"credential": {
"userId": "842e2d82-7e71-4040-8eb9-d977fe888807",
"bearer": "ZWU5NGE2YWYtMGE2NC0..."
}
}
"method": "delete",
"uri": "/authorizations/5aaca3eb-ca4c-47c9-b8e2-b20f47568b7b"
})
]]></artwork></figure>
<t>The response message conforms to the basic response message structure, and includes a representation of the authorization object that was deleted.</t>
<t>Response payload definition:</t>
<figure><artwork><![CDATA[
root {
response,
authorization
}
]]></artwork></figure>
<t>Response message example:</t>
<figure><artwork><![CDATA[
JWE(K_ephemeral, {
{
"status": 200,
"sequence": 7,
"object": {
"uri": "/authorizations/5aaca3eb-ca4c-47c9-b8e2-b20f47568b7b",
"userId": "557ac05d-5751-43b4-a04b-e7eb1499ee0a",
"resourceUri": "/resources/7f35c3eb-95d6-4558-a7fc-1942e5f03094"
}
})
]]></artwork></figure>
<t>If successful, the KMS response to a delete authorization request MUST have a status of 200. In the case of a request failure, the KMS response status SHOULD be that of an <xref target="RFC7231"/> defined status code with semantics that correspond to the failure condition. </t>
</section>
</section>
</section>
<section anchor="mandatory-to-implement" title="Mandatory-to-Implement">
<t>Implementations MUST support the following JWK key types from <xref target="I-D.ietf-jose-json-web-algorithms"/>:</t>
<t><list style="symbols">
<t>“RSA” for the KMS static public/private key</t>
<t>“EC” for the Ephemeral Diffie Hellman exchange</t>
<t>“oct” for all symmetric keys</t>
</list></t>
<t>Implementations MUST support “PS256” (RSASSA-PSS using SHA-256 and MGF1 with SHA-256) from <xref target="I-D.ietf-jose-json-web-algorithms"/> for signatures using the KMS static public/private key for <xref target="proto-ecdhe"/>.</t>
<t>Implementations MUST support JWK Elliptic Curve type “P-256” (NIST P-256 curve) from <xref target="I-D.ietf-jose-json-web-algorithms"/> for <xref target="proto-ecdhe"/>.</t>
<t>Implementations MUST support “RSA-OAEP” (RSAES OAEP using default parameters) from <xref target="I-D.ietf-jose-json-web-algorithms"/> for key encryption using the KMS static public/private key for <xref target="proto-ecdhe"/>.</t>
<t>Implementations MUST support “dir” (Direct Key Agreement Key Management Mode) from <xref target="I-D.ietf-jose-json-web-algorithms"/> for all operations other than <xref target="proto-ecdhe"/>.</t>
<t>Implementations MUST support “A256GCM” (AES GCM using 256 bit key) from <xref target="I-D.ietf-jose-json-web-algorithms"/> for content encryption for all operations other than <xref target="proto-ecdhe"/>.</t>
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>Security considerations are discussed throughout this document. Additional considerations may be added here as needed.</t>
</section>
<section anchor="appendix-a-acknowledgments" title="Appendix A. Acknowledgments">
<t>This specification is the work of several contributors. In particular, the following individuals contributed ideas, feedback, and wording that influenced this specification:</t>
<t>Cullen Jennings, Matt Miller, Suhas Nandakumar, Jonathan Rosenberg</t>
</section>
<section anchor="appendix-b-document-history" title="Appendix B. Document History">
<t>-00</t>
<t><list style="symbols">
<t>Initial draft.</t>
</list></t>
</section>
</middle>
<back>
<references title='Normative References'>
&RFC2119;
&RFC5280;
&RFC5869;
&RFC7159;
&I-D.ietf-jose-json-web-encryption;
&I-D.ietf-jose-json-web-key;
&I-D.ietf-jose-json-web-signature;
&I-D.ietf-jose-json-web-algorithms;
&RFC4949;
&RFC6749;
&RFC6125;
&RFC2822;
&RFC7231;
&RFC3339;
</references>
<references title='Informative References'>
<reference anchor="OTR" target="https://otr.cypherpunks.ca/otr-wpes.pdf">
<front>
<title>Off-the-Record Communication, or, Why Not To Use PGP</title>
<author initials="N." surname="Borisov" fullname="Nikita Borisov">
<organization></organization>
</author>
<author initials="I." surname="Goldberg" fullname="Ian Goldberg">
<organization></organization>
</author>
<author initials="E." surname="Brewer" fullname="Eric Brewer">
<organization></organization>
</author>
<date year="2012"/>
</front>
</reference>
&I-D.barnes-pervasive-problem;
&I-D.newton-json-content-rules;
&RFC5246;
&RFC4301;
&RFC5652;
&RFC4880;
&I-D.ietf-xmpp-posh;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 05:41:08 |