KEM_P256_HKDF_SHA256
KDF_HKDF_SHA256
AEAD_AES256GCM
turnkey_hpke
(raw bytes)EncappedPublicKey||ReceiverPublicKey
clientTargetPub
key to server.ciphertext, serverEncappedPub = ENCRYPT(plaintext, clientTargetPub)
and clears clientTargetPub
from memory.serverEncappedPub_sig_enclaveAuthPriv = SIGN(serverEncappedPub, enclaveAuthPriv)
.(ciphertext, serverEncappedPub, serverEncappedPub_sig_enclaveAuthPriv)
to client.VERIFY(serverEncappedPub, serverEncappedPub_sig_enclaveAuthPriv)
.DECRYPT(ciphertext, serverEncappedPub, clientTargetPriv)
and the client target pair is cleared from memory. If the target pair is used multiple times we increase the count of messages that an attacker with the compromised target private key can decrypt. There is no hard mechanism to prevent a faulty client from resubmitting the same target public key.serverTargetPub_sig_enclaveAuthPriv = SIGN(serverTargetPub, enclaveAuthPriv)
.(serverTargetPub, serverTargetPub_sig_enclaveAuthPriv)
to client.VERIFY(serverTargetPub, serverTargetPub_sig_enclaveAuthPriv)
.ciphertext, clientEncappedPub = ENCRYPT(plaintext, serverTargetPub)
and clears serverTargetPub from memory.(ciphertext, clientEncappedPub)
to server and the client is cleared from memory.DECRYPT(ciphertext, clientEncappedPub, clientTargetPriv)
and server target pair is cleared from memory. If the target pair is used multiple times we increase the count of messages that an attacker with the compromised target private key can decrypt.INIT_IMPORT_WALLET
or INIT_IMPORT_PRIVATE_KEY
activity. This TEK is encrypted to the enclave’s quorum key and the TEK public key is returned in the activity response, following the protocol above.
The following diagram summarizes the flow:
IMPORT_WALLET
or IMPORT_PRIVATE_KEY
activity. During this activity, the Turnkey enclave uses its key pair to decrypt and import the encrypted key material.
EXPORT_WALLET
, EXPORT_PRIVATE_KEY
, or EXPORT_WALLET_ACCOUNT
activity.
Turnkey’s enclave encrypts the private key material (wallet mnemonic or private key) to the end-user’s TEK using the protocol described in the previous section.
Once the activity succeeds, the encrypted mnemonic or private key can be decrypted by the end-user only.
INIT_OTP_AUTH
or EMAIL_AUTH
activity.
Our enclave creates a fresh P256 key pair (“credential”) and encrypts its private key to the recovering user’s TEK using the protocol above.
Once the encrypted credential is received via email, it’s decrypted where the target public key was originally created. The credential is then ready to be used to sign Turnkey activity requests.
Our OTP flows work similarly, except the bundle is not emailed to the user directly. Instead, it is returned as part of the OTP_AUTH
activity results.
OpMod Base
because the sender’s KEM private key is not long lived and thus does not need HPKE authentication. In order for this to be exploited one side’s private key data would have to be leaked or an attacker would need to spoof a message from the sender. Turnkey mitigates this attack by layering a signature from an authentication key over payloads that contain ciphertext + encappedPub. Note that in the case of client to server the authentication signature is verified by the our policy engine. Read more about HPKE asymmetric authentication here.