List of used keys

---

PowerAuth Cryptography documentation has been moved to: https://developers.wultra.com/docs/develop/powerauth-crypto/List-of-Used-Keys

Please use the new developer portal to access documentation.

---

Following keys are used in the PowerAuth 2.0 cryptography scheme.

name	created as	purpose
KEY_DEVICE_PRIVATE	ECDH - private key	Generated on client to allow construction of KEY_MASTER_SECRET
KEY_DEVICE_PUBLIC	ECDH - public key	Generated on client to allow construction of KEY_MASTER_SECRET
KEY_SERVER_PRIVATE	ECDH - private key	Generated on server to allow construction of KEY_MASTER_SECRET
KEY_SERVER_PUBLIC	ECDH - public key	Generated on server to allow construction of KEY_MASTER_SECRET
KEY_SERVER_MASTER_PRIVATE	ECDH - private key	Stored on server, used to assure authenticity of KEY_DEVICE_PUBLIC while transferring from server to client
KEY_SERVER_MASTER_PUBLIC	ECDH - public key	Stored on client, used to assure authenticity of KEY_DEVICE_PUBLIC while transferring from server to client
ACTIVATION_OTP	Random OTP	A 16b random OTP generated during activation, AES encrypts/decrypts data sent from server to client and vice versa
KEY_MASTER_SECRET	ECDH - pre-shared	A key deduced using ECDH derivation, KEY_MASTER_SECRET = ECDH.phase(KEY_DEVICE_PRIVATE,KEY_SERVER_PUBLIC) = ECDH.phase(KEY_SERVER_PRIVATE,KEY_DEVICE_PUBLIC)
KEY_SIGNATURE_POSSESSION	KDF derived key from KEY_MASTER_SECRET	A signing key associated with the possession, factor deduced using KDF derivation with INDEX = 1, KEY_SIGNATURE_POSSESSION = KDF.expand(KEY_MASTER_SECRET, INDEX), used for subsequent request signing
KEY_SIGNATURE_KNOWLEDGE	KDF derived key from KEY_MASTER_SECRET	A key associated with the knowledge factor, deduced using KDF derivation with INDEX = 2, KEY_SIGNATURE_KNOWLEDGE = KDF.expand(KEY_MASTER_SECRET, INDEX), used for subsequent request signing
KEY_SIGNATURE_BIOMETRY	KDF derived key from KEY_MASTER_SECRET	A key associated with the biometry factor, deduced using KDF derivation with INDEX = 3, KEY_SIGNATURE_BIOMETRY = KDF.derive(KEY_MASTER_SECRET, INDEX), used for subsequent request signing
KEY_TRANSPORT	KDF derived key from KEY_MASTER_SECRET	A key deduced using KDF derivation with INDEX = 1000, KEY_TRANSPORT = KDF.expand(KEY_MASTER_SECRET, INDEX), used for encrypted data transport. This key is used as master transport key for end-to-end encryption key derivation.
KEY_TRANSPORT_PARTIAL	KDF derived key from KEY_TRANSPORT using random 16B long SESSION_INDEX as index.	A base key used for encrypted transport key derivation, deduced using KDF_INTERNAL derivation with INDEX = SESSION_INDEX = Generator.randomBytes(16), KEY_TRANSPORT_PARTIAL = KDF_INTERNAL.derive(KEY_TRANSPORT, INDEX)
KEY_TRANSPORT_ENCRYPTION	KDF derived key from KEY_TRANSPORT_PARTIAL using random 16B long AD_HOC_INDEX as index.	A key used for particular data encryption, deduced using KDF_INTERNAL derivation with INDEX = AD_HOC_INDEX = Generator.randomBytes(16), KEY_TRANSPORT_ENCRYPTION = KDF_INTERNAL.derive(KEY_TRANSPORT_PARTIAL, INDEX)
KEY_ENCRYPTION_VAULT	KDF derived key from KEY_MASTER_SECRET	A key deduced using KDF derivation with INDEX = 2000, KEY_ENCRYPTION_VAULT = KDF.expand(KEY_MASTER_SECRET, 2000), used for encrypting a vault that stores the secret data, such as KEY_DEVICE_PRIVATE.
KEY_ENCRYPTION_VAULT_TRANSPORT	KDF derived key from KEY_TRANSPORT using CTR as index.	A one-time key used for encrypted transport of the key vault encryption, deduced using KDF derivation with INDEX = CTR, KEY_ENCRYPTION_VAULT_TRANSPORT = KDF.derive(KEY_TRANSPORT, INDEX)