Add SeqNum as an the external_aad in CryptoPayload
Introduce sequence number in Secretkeeper packets to prevent replay of
packets with a session.
Bug: 316126411
Test: VTS
Change-Id: I20a5d8489e988bdcbe9058495ab56ed18a07b946
diff --git a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
index 3d08078..3f823df 100644
--- a/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
+++ b/security/secretkeeper/aidl/android/hardware/security/secretkeeper/SecretManagement.cddl
@@ -3,10 +3,11 @@
; The input parameter to the `processSecretManagementRequest` operation in
; `ISecretkeeper.aidl` is always an encrypted request message, CBOR-encoded as a
; COSE_Encrypt0 object. The encryption uses the first of the keys agreed using
-; the associated AuthGraph instance, referred to as `KeySourceToSink`.
-ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink>
+; the associated AuthGraph instance, referred to as `KeySourceToSink`. Additionally,
+; an external aad is used - RequestSeqNum.
+ProtectedRequestPacket = CryptoPayload<RequestPacket, KeySourceToSink, RequestSeqNum>
-CryptoPayload<Payload, Key> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
+CryptoPayload<Payload, Key, SeqNum> = [ ; COSE_Encrypt0 (untagged), [RFC 9052 s5.2]
protected: bstr .cbor {
1 : 3, ; Algorithm: AES-GCM mode w/ 256-bit key, 128-bit tag
4 : bstr ; key identifier set to session ID produced
@@ -17,7 +18,7 @@
},
ciphertext : bstr ; AES-GCM-256(Key, bstr .cbor Payload)
; AAD for the encryption is CBOR-serialized
- ; Enc_structure (RFC 9052 s5.3) with empty external_aad.
+ ; Enc_structure (RFC 9052 s5.3) with SeqNum as the external_aad.
]
; Once decrypted, the request packet is an encoded CBOR array holding:
@@ -58,10 +59,18 @@
SecretId = bstr .size 64 ; Unique identifier of the secret.
Secret = bstr .size 32 ; The secret value.
+; A monotonically incrementing number is associated with each RequestPacket to prevent replay
+; of messages within a session. This starts with 0 and is incremented (by 1) for each request
+; in a session. Secretkeeper implementation must maintain an expected RequestSeqNum for each
+; session (increasing it by 1 for each SecretManagement request received). This will be used in
+; in decryption (external_aad).
+RequestSeqNum = bstr .cbor uint ; Encoded in accordance with Core Deterministic Encoding
+ ; Requirements [RFC 8949 s4.2.1]
+
; The return value from a successful `processSecretManagementRequest` operation is a
; response message encrypted with the second of the keys agreed using the associated
; AuthGraph instance, referred to as `KeySinkToSource`.
-ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource>
+ProtectedResponsePacket = CryptoPayload<ResponsePacket, KeySinkToSource, ResponseSeqNum>
; Once decrypted, the inner response message is encoded as a CBOR array holding:
; - An initial integer return code value.
@@ -100,3 +109,8 @@
StoreSecretResult = ()
GetSecretResult = (secret : Secret)
+
+; Analogous to RequestSeqNum, Secretkeeper must maintain ResponseSeqNum for each session.
+; This will be input to the encryption (ProtectedResponsePacket) as external_aad.
+ResponseSeqNum = bstr .cbor uint ; Encoded in accordance with Core Deterministic Encoding
+ ; Requirements [RFC 8949 s4.2.1]