Format of Key Blobs

Key blobs are encode in a simple, TLV encoded key blob format. Each item is encoded as follows:

Tag	Lengh	Value
2 bytes	4 bytes	Length bytes

Note

Length fields are encoded in big endian notation.

Items can also encapsulate other items.

Currently two types of key blobs are defined:

• Simple Blob
  This format is returned by the Cxi::key_export method.
  It contains the key properties and key components.
  The key components may be encrypted by another wrapping key.

  Note

  Use class KeyBlob to construct Simple Blobs or retrieve values from them.
  
  

• Backup Blob
  This format is returned by the Cxi::key_backup method.
  It basically contains information about the blob itself, the key properties, the public and secret key parts and a check value.
  The secret key part is always encrypted with a key derived from the CryptoServer's Master Backup Key (MBK).
  The check value is a MAC over all preceding blob data, calculated with another key derived from the MBK.
  

  Note

  As the key check value is verified when restoring the key, a Backup Blob may not be modified.

  The class Key is used to deal with Backup Blobs.

Format of Simple Blobs

---

A Simple Blob is encoded as follows:

Simple Blob
"KB"	length(KB)	Blob Header					Key Components
		"BH"	length(BH)	Property List			"KC"	length(KC)	Components
				"PL"	length(PL)	Properties

The currently defined properties and their format is described here: Key Properties

RSA key blobs may contain the following key component items:

Item	Tag
Public Exponent	"PE"
Modulus	"MO"
Secret (Private) Exponent	"SE"
Prime P	"P "
Prime Q	"Q "
U := Q^-1 mod P	"U "
dP := D mod P-1	"DP"
dQ := D mod Q-1	"DQ"

ECDSA key blobs may contain the following key component items:

Item	Tag
Public Key	"PK"
Secret (Private) Key	"SK"

On DES or AES key blobs the key components directly contain the key value.

Format of Backup Blobs

---

A current Backup Blob is encoded as follows:

Backup Blob
"BB"	length(BB)	Info item			Property List			Public Key			Initialization Vector			Secret Key			MAC
		"BI"	length(BI)	Blob Info	"PL"	length(PL)	Properties	"PK"	length(PK)	Public Key	"IV"	length(IV)	IV for encryption of SK	"SK"	length(SK)	Secret (Private) Key	"CV"	length(CV)	Check Value

The Blob Info item contains information about the blob format, the MBK used to create the backup, the key derivation used for the backup keys and a timestamp.

A legacy Backup Blob (created by CXI firmware modules up to version 2.2.2.2) is encoded as follows:

Backup Blob
"KB"	length(KB)	Property List			Public Key			Secret Key			MAC
		"PL"	length(PL)	Properties	"PK"	length(PK)	Public Key	"SK"	length(SK)	Secret (Private) Key	"CV"	length(CV)	Check Value