Commit 3a7f9b5

Update README.md: re-arrange secret and password scenarios
1 parent ce7058d commit 3a7f9b5

1 file changed

+18
-17
lines changed

README.md

Lines changed: 18 additions & 17 deletions
@@ -103,6 +103,24 @@ sender public key).
103103
capsule that contains encrypted KEK
104104
11. *Follow steps from RSA-OAEP scenario steps 12-15*
105105

106+
### CDOC2 with symmetric key from secret
107+
108+
Similar to ECDH scenario, but KEK is derived from symmetric key (secret) identified by key_label using HKDF algorithm.
109+
110+
1. Sender and recipient have a pre shared secret identified by key_label
111+
2. Sender derives key encryption key (KEK) from symmetric key, key_label and salt (generated
112+
using secure random) using HKDF algorithm
113+
3. *Follow steps from ECDH scenario 4-6*
114+
4. Sender adds encrypted FMK with key_label to CDoc header
115+
5. *Follow steps from ECDH scenario 8-10*
116+
6. Recipient searches CDoc header for key_label and finds salt and encrypted FMK
117+
7. Recipient derives encryption key (KEK) from salt, key_label and pre-shared symmetric key (secret)
118+
8. Recipient decrypts FMK using KEK.
119+
9. *Follow steps from ECDH scenario 13-15*
120+
121+
cdoc2-java-ref-impl does not provide solution for securely storing the secret, but most password managers
122+
can do that.
123+
106124
### CDOC2 with symmetric key from password
107125

108126
Similar to Symmetric Key scenario, but symmetric key is derived from password and salt using PBKDF2 algorithm.
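Review bot: the moved block carries its wording inconsistencies along unchanged: step 1 at 110+ says "pre shared secret" while step 7 at 117+ says "pre-shared symmetric key", and step 7 calls the derived key "encryption key (KEK)" where step 2 at 111+ defines it as "key encryption key (KEK)". Since these lines are being rewritten anyway, hyphenate "pre-shared" in step 1, use "key encryption key (KEK)" in step 7, and make the closing sentence at 121+ read "does not provide a solution for securely storing the secret". The reordering itself is correct: the password scenario at 124 opens with "Similar to Symmetric Key scenario", so the secret scenario now precedes the text that refers to it.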
@@ -121,23 +139,6 @@ Similar to Symmetric Key scenario, but symmetric key is derived from password an
121139
cdoc2-java-ref-impl does not provide solution for securely storing the password, but most password managers
122140
can do that.
123141

124-
### CDOC2 with symmetric key from secret
125-
126-
Similar to ECDH scenario, but KEK is derived from symmetric key (secret) identified by key_label using HKDF algorithm.
127-
128-
1. Sender and recipient have a pre shared secret identified by key_label
129-
2. Sender derives key encryption key (KEK) from symmetric key, key_label and salt (generated
130-
using secure random) using HKDF algorithm
131-
3. *Follow steps from ECDH scenario 4-6*
132-
4. Sender adds encrypted FMK with key_label to CDoc header
133-
5. *Follow steps from ECDH scenario 8-10*
134-
6. Recipient searches CDoc header for key_label and finds salt and encrypted FMK
135-
7. Recipient derives encryption key (KEK) from salt, key_label and pre-shared symmetric key (secret)
136-
8. Recipient decrypts FMK using KEK.
137-
9. *Follow steps from ECDH scenario 13-15*
138-
139-
cdoc2-java-ref-impl does not provide solution for securely storing the secret, but most password managers
140-
can do that.
141142

142143

143144
## Structure
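Review bot: removing lines 124-140 leaves three consecutive blank lines before "## Structure" (the kept context lines 123, 141 and 142 are all empty and are now adjacent as 141-143 in the new file); trim them to a single blank line so the section break matches the rest of the README.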
