doc/html/_provisioning.html - platform/external/epid-sdk - Git at Google

 <!-- HTML header for doxygen 1.8.10-->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
 <meta http-equiv="X-UA-Compatible" content="IE=9"/>
 <meta name="generator" content="Doxygen 1.8.14"/>
 <title>Intel&reg; Enhanced Privacy ID SDK: Preparing a Device</title>
 <link href="tabs.css" rel="stylesheet" type="text/css"/>
 <script type="text/javascript" src="jquery.js"></script>
 <script type="text/javascript" src="dynsections.js"></script>
 <link href="navtree.css" rel="stylesheet" type="text/css"/>
 <script type="text/javascript" src="resize.js"></script>
 <script type="text/javascript" src="navtreedata.js"></script>
 <script type="text/javascript" src="navtree.js"></script>
 <script type="text/javascript">
 /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
   $(document).ready(initResizable);
 /* @license-end */</script>
 <link href="doxygen.css" rel="stylesheet" type="text/css" />
 <link href="epidstyle.css" rel="stylesheet" type="text/css"/>
 </head>
 <body>
 <div id="top"><!-- do not remove this div, it is closed by doxygen! -->
 <div id="titlearea">
 <table cellspacing="0" cellpadding="0">
  <tbody>
  <tr style="height: 56px;">
   <td id="projectalign" style="padding-left: 0.5em;">
    <div id="projectname"><a
                             onclick="storeLink('index.html')"
                             id="projectlink"
                             class="index.html"
                             href="index.html">Intel&reg; Enhanced Privacy ID SDK</a>
 &#160;<span id="projectnumber">6.0.1</span>
 </div>
   </td>
  </tr>
  </tbody>
 </table>
 </div>
 <!-- end header part -->
 <!-- Generated by Doxygen 1.8.14 -->
 </div><!-- top -->
 <div id="side-nav" class="ui-resizable side-nav-resizable">
   <div id="nav-tree">
     <div id="nav-tree-contents">
       <div id="nav-sync" class="sync"></div>
     </div>
   </div>
   <div id="splitbar" style="-moz-user-select:none;"
        class="ui-resizable-handle">
   </div>
 </div>
 <script type="text/javascript">
 /* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
 $(document).ready(function(){initNavTree('_provisioning.html','');});
 /* @license-end */
 </script>
 <div id="doc-content">
 <div class="header">
   <div class="headertitle">
 <div class="title">Preparing a Device </div>  </div>
 </div><!--header-->
 <div class="contents">
 <div class="toc"><h3>Table of Contents</h3>
 <ul><li class="level1"><a href="#Provisioning_BulkProvisioning">Bulk Provisioning</a></li>
 <li class="level1"><a href="#Provisioning_JoinProvisioning">Dynamic Provisioning</a></li>
 <li class="level1"><a href="#SampleIssuerMaterial">Issuer Material</a><ul><li class="level2"><a href="#Provisioning_ValidatingVerifiers">Issuer Material for Verifiers</a></li>
 <li class="level2"><a href="#Provisioning_ValidatingMembers">Issuer Material for Members</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="textblock"><p>In order to be an Intel&reg; EPID device, members need to be provisioned with a member private key and group public key. Members can get member private keys through bulk or dynamic provisioning.</p>
 <p>For Intel&reg; EPID verifiers to function, they need access to a group public key and revocation lists.</p>
 <p>All Intel&reg; EPID keys and revocation lists are referred to collectively as issuer material.</p>
 <p>This section describes how to:</p>
 <ul>
 <li>Provision member private keys through bulk provisioning</li>
 <li>Provision member private keys through dynamic provisioning</li>
 <li>Provision members and verifiers with sample issuer material</li>
 </ul>
 <p>For information on obtaining real issuer material from iKGF (Intel Key Generation Facility), see <a class="el" href="_usingi_k_g_f.html">Managing Groups with iKGF</a>. For more general information on how the issuer provides material for members and verifiers, see <a class="el" href="_epid_overview.html">Introduction to the Intel&reg; EPID Scheme</a>.</p>
 <h1><a class="anchor" id="Provisioning_BulkProvisioning"></a>
 Bulk Provisioning</h1>
 <p><b>Bulk provisioning</b> is typically done during manufacturing.</p>
 <p>In bulk provisioning, the issuer provides complete member private keys to the device manufacturer.</p>
 <p>In bulk provisioning, the manufacturer needs to do the following:</p>
 <ul>
 <li>Request member private keys from the issuer in bulk. These are complete member private keys, including the membership credential and the secret f component.</li>
 <li>Fuse the member private keys into each device.</li>
 </ul>
 <h1><a class="anchor" id="Provisioning_JoinProvisioning"></a>
 Dynamic Provisioning</h1>
 <p><b>Dynamic provisioning</b> was designed to allow a device to join a group post-manufacturing. While key generation is the key part of bulk provisioning, the key part of dynamic provisioning is the join protocol.</p>
 <p>Dynamic provisioning relies on a two-way exchange of intermediate values to protect the secrecy of the final member private key. In dynamic provisioning, the issuer provides the membership credential component of each member private key, while the secret <code>f</code> value comes from the device and is never known to the issuer.</p>
 <div class="image">
 <img src="member_private_key.png" alt="member_private_key.png"/>
 </div>
 <p>In dynamic provisioning, the manufacturer needs to do the following:</p>
 <ol type="1">
 <li><b>Generate the <code>f</code> value</b> of the member private key.</li>
 <li><b>Generate the join request</b> using the <code>f</code> value and a nonce obtained from the issuer.</li>
 <li><b>Send the join request to the issuer.</b> The issuer will respond to the join request by returning the membership credential.</li>
 <li><b>Provision the membership credential</b> to the member device.</li>
 </ol>
 <h1><a class="anchor" id="SampleIssuerMaterial"></a>
 Issuer Material</h1>
 <p>Members and verifiers need issuer material to operate. The SDK includes sample material in <code>example/data</code> so that members and verifiers can operate without real issuer material. The following types of sample issuer material are included:</p>
 <ul>
 <li>Group public key, which corresponds to the issuing private key kept by the issuer</li>
 <li>Member private keys</li>
 <li>Signature based revocation list (SigRL)</li>
 <li>Private key based revocation list (PrivRL)</li>
 <li>Group revocation list (GroupRL)</li>
 </ul>
 <p>For detailed information on what sample issuer material is included in the SDK, refer to <a class="el" href="_issuer_material.html">Test Data</a>.</p>
 <p>For information on how to work with real issuer material, refer to <a class="el" href="_usingi_k_g_f.html">Managing Groups with iKGF</a>.</p>
 <h2><a class="anchor" id="Provisioning_ValidatingVerifiers"></a>
 Issuer Material for Verifiers</h2>
 <p>To test a verifier, you can provide the verifier a sample group public key and sample revocation lists from <code>example/data</code>, and make sure that verification succeeds or fails based on the revoked or non-revoked status of the member.</p>
 <h2><a class="anchor" id="Provisioning_ValidatingMembers"></a>
 Issuer Material for Members</h2>
 <p>To test a member, you can provision the member with a sample group public key, sample member private key, and sample <code>SigRL</code> from <code>example/data</code>.</p>
 <p>You can provision the member with revoked material to make sure the verification process fails. For example, when you sign and verify using the member <code>groupa/privrevokedmember0</code>, and use the sample private key revocation list on which <code>privrevokedmember0</code> is revoked, verification should fail.</p>
 <p>Similarly, when you generate a signature using the member <code>groupa/sigrevokedmember0</code>, using sample SigRL <code>groupa/sigrl.bin</code>, verification should fail. </p>
 </div></div><!-- contents -->
 </div><!-- doc-content -->
 <!-- HTML footer for doxygen 1.8.10-->
 <!-- start footer part -->
 <div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
   <ul>
     <li class="footer">
       &copy; 2016-2017 Intel Corporation
     </li>
   </ul>
 </div>
 </body>
 </html>
	<!-- HTML header for doxygen 1.8.10-->
	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
	<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
	<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
	<meta http-equiv="X-UA-Compatible" content="IE=9"/>
	<meta name="generator" content="Doxygen 1.8.14"/>
	<title>Intel® Enhanced Privacy ID SDK: Preparing a Device</title>
	<link href="tabs.css" rel="stylesheet" type="text/css"/>
	<script type="text/javascript" src="jquery.js"></script>
	<script type="text/javascript" src="dynsections.js"></script>
	<link href="navtree.css" rel="stylesheet" type="text/css"/>
	<script type="text/javascript" src="resize.js"></script>
	<script type="text/javascript" src="navtreedata.js"></script>
	<script type="text/javascript" src="navtree.js"></script>
	<script type="text/javascript">
	/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */
	$(document).ready(initResizable);
	/* @license-end */</script>
	<link href="doxygen.css" rel="stylesheet" type="text/css" />
	<link href="epidstyle.css" rel="stylesheet" type="text/css"/>
	</head>
	<body>
	<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
	<div id="titlearea">
	<table cellspacing="0" cellpadding="0">
	<tbody>
	<tr style="height: 56px;">
	<td id="projectalign" style="padding-left: 0.5em;">
	<div id="projectname"><a
	onclick="storeLink('index.html')"
	id="projectlink"
	class="index.html"
	href="index.html">Intel® Enhanced Privacy ID SDK</a>
	<span id="projectnumber">6.0.1</span>
	</div>
	</td>
	</tr>
	</tbody>
	</table>
	</div>
	<!-- end header part -->
	<!-- Generated by Doxygen 1.8.14 -->
	</div><!-- top -->
	<div id="side-nav" class="ui-resizable side-nav-resizable">
	<div id="nav-tree">
	<div id="nav-tree-contents">
	<div id="nav-sync" class="sync"></div>
	</div>
	</div>
	<div id="splitbar" style="-moz-user-select:none;"
	class="ui-resizable-handle">
	</div>
	</div>
	<script type="text/javascript">
	/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&dn=gpl-2.0.txt GPL-v2 */
	$(document).ready(function(){initNavTree('_provisioning.html','');});
	/* @license-end */
	</script>
	<div id="doc-content">
	<div class="header">
	<div class="headertitle">
	<div class="title">Preparing a Device </div> </div>
	</div><!--header-->
	<div class="contents">
	<div class="toc"><h3>Table of Contents</h3>
	<ul><li class="level1"><a href="#Provisioning_BulkProvisioning">Bulk Provisioning</a></li>
	<li class="level1"><a href="#Provisioning_JoinProvisioning">Dynamic Provisioning</a></li>
	<li class="level1"><a href="#SampleIssuerMaterial">Issuer Material</a><ul><li class="level2"><a href="#Provisioning_ValidatingVerifiers">Issuer Material for Verifiers</a></li>
	<li class="level2"><a href="#Provisioning_ValidatingMembers">Issuer Material for Members</a></li>
	</ul>
	</li>
	</ul>
	</div>
	<div class="textblock"><p>In order to be an Intel® EPID device, members need to be provisioned with a member private key and group public key. Members can get member private keys through bulk or dynamic provisioning.</p>
	<p>For Intel® EPID verifiers to function, they need access to a group public key and revocation lists.</p>
	<p>All Intel® EPID keys and revocation lists are referred to collectively as issuer material.</p>
	<p>This section describes how to:</p>
	<ul>
	<li>Provision member private keys through bulk provisioning</li>
	<li>Provision member private keys through dynamic provisioning</li>
	<li>Provision members and verifiers with sample issuer material</li>
	</ul>
	<p>For information on obtaining real issuer material from iKGF (Intel Key Generation Facility), see <a class="el" href="_usingi_k_g_f.html">Managing Groups with iKGF</a>. For more general information on how the issuer provides material for members and verifiers, see <a class="el" href="_epid_overview.html">Introduction to the Intel® EPID Scheme</a>.</p>
	<h1><a class="anchor" id="Provisioning_BulkProvisioning"></a>
	Bulk Provisioning</h1>
	<p><b>Bulk provisioning</b> is typically done during manufacturing.</p>
	<p>In bulk provisioning, the issuer provides complete member private keys to the device manufacturer.</p>
	<p>In bulk provisioning, the manufacturer needs to do the following:</p>
	<ul>
	<li>Request member private keys from the issuer in bulk. These are complete member private keys, including the membership credential and the secret f component.</li>
	<li>Fuse the member private keys into each device.</li>
	</ul>
	<h1><a class="anchor" id="Provisioning_JoinProvisioning"></a>
	Dynamic Provisioning</h1>
	<p><b>Dynamic provisioning</b> was designed to allow a device to join a group post-manufacturing. While key generation is the key part of bulk provisioning, the key part of dynamic provisioning is the join protocol.</p>
	<p>Dynamic provisioning relies on a two-way exchange of intermediate values to protect the secrecy of the final member private key. In dynamic provisioning, the issuer provides the membership credential component of each member private key, while the secret <code>f</code> value comes from the device and is never known to the issuer.</p>
	<div class="image">
	<img src="member_private_key.png" alt="member_private_key.png"/>
	</div>
	<p>In dynamic provisioning, the manufacturer needs to do the following:</p>
	<ol type="1">
	<li><b>Generate the <code>f</code> value</b> of the member private key.</li>
	<li><b>Generate the join request</b> using the <code>f</code> value and a nonce obtained from the issuer.</li>
	<li><b>Send the join request to the issuer.</b> The issuer will respond to the join request by returning the membership credential.</li>
	<li><b>Provision the membership credential</b> to the member device.</li>
	</ol>
	<h1><a class="anchor" id="SampleIssuerMaterial"></a>
	Issuer Material</h1>
	<p>Members and verifiers need issuer material to operate. The SDK includes sample material in <code>example/data</code> so that members and verifiers can operate without real issuer material. The following types of sample issuer material are included:</p>
	<ul>
	<li>Group public key, which corresponds to the issuing private key kept by the issuer</li>
	<li>Member private keys</li>
	<li>Signature based revocation list (SigRL)</li>
	<li>Private key based revocation list (PrivRL)</li>
	<li>Group revocation list (GroupRL)</li>
	</ul>
	<p>For detailed information on what sample issuer material is included in the SDK, refer to <a class="el" href="_issuer_material.html">Test Data</a>.</p>
	<p>For information on how to work with real issuer material, refer to <a class="el" href="_usingi_k_g_f.html">Managing Groups with iKGF</a>.</p>
	<h2><a class="anchor" id="Provisioning_ValidatingVerifiers"></a>
	Issuer Material for Verifiers</h2>
	<p>To test a verifier, you can provide the verifier a sample group public key and sample revocation lists from <code>example/data</code>, and make sure that verification succeeds or fails based on the revoked or non-revoked status of the member.</p>
	<h2><a class="anchor" id="Provisioning_ValidatingMembers"></a>
	Issuer Material for Members</h2>
	<p>To test a member, you can provision the member with a sample group public key, sample member private key, and sample <code>SigRL</code> from <code>example/data</code>.</p>
	<p>You can provision the member with revoked material to make sure the verification process fails. For example, when you sign and verify using the member <code>groupa/privrevokedmember0</code>, and use the sample private key revocation list on which <code>privrevokedmember0</code> is revoked, verification should fail.</p>
	<p>Similarly, when you generate a signature using the member <code>groupa/sigrevokedmember0</code>, using sample SigRL <code>groupa/sigrl.bin</code>, verification should fail. </p>
	</div></div><!-- contents -->
	</div><!-- doc-content -->
	<!-- HTML footer for doxygen 1.8.10-->
	<!-- start footer part -->
	<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
	<ul>
	<li class="footer">
	© 2016-2017 Intel Corporation
	</li>
	</ul>
	</div>
	</body>
	</html>