<!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" href="images/favicon.png" sizes="192x192">
<title>FIDO Web Pay - Crypto</title><style>
.header {font-size:1.6em;margin:1em 0 0.8em 0}
.subheader {font-size:1.2em;margin-top:1em;margin-bottom:0.6em}
.step {font-size:1.2em;margin-top:1.5em;margin-bottom:0.6em}
.para {margin-top: 0.8em}
.gutter {margin-top: 0.3em}
.msg {font-weight:500}
.formula {overflow-x:auto;padding:0.5em 0 0.5em 1em;white-space:nowrap}
.staticbox {
font-family: "Noto Mono",monospace;
margin: 0.8em 0 1em 0;
box-sizing: border-box;
word-break: break-all;
border-width: 1px;
border-style: solid;
border-color: grey;
padding: 10pt;
box-shadow: 0.2em 0.2em 0.2em #d0d0d0;
background-color: #f8f8f8;
}
.comment {padding:0.5em 1em;margin-top:1.5em;display:inline-block;background-color:#fafffa}
.box {box-shadow: 0.2em 0.2em 0.2em #d0d0d0;border-width:1px;border-style:solid;border-color:black}
.numbox {border-width:1pt;border-style:solid;border-color:black;border-radius:0.3em;display:inline-block;margin-right:0.6em;padding:0 3pt}
.tftable {border-collapse:collapse;box-shadow:0.2em 0.2em 0.2em #d0d0d0;margin:0.6em 0 1em 0}
.tftable td {background-color: #fffdf2;padding: 0.4em 0.5em;border-width: 1px;border-style: solid; border-color: black}
.tftable th {font-weight: normal;padding: 0.4em 0.5em;background-color: #f8f8f8;text-align: center;border-width: 1px;border-style: solid; border-color: black}
.json {word-break:break-all;background-color:#f8f8f8;padding:1em;border-width:1px;border-style:solid;border-color:#a9a9a9;box-shadow:0.3em 0.3em 0.3em #d0d0d0}
body {margin:1em;font-size:10pt;font-family:Roboto,sans-serif;background-color:white}
code {font-family:"Noto Mono",monospace;color:maroon}
kbd {font-family: "Noto Mono",monospace}
pre {font-family:"Noto Mono",monospace;margin: 0.8em 0 1em 0;padding:0.6em 1em;background-color: #f8f8f8}
ul,ol {margin: 0;padding-left:2em}
li {margin-top:0.3em}
a {color:#4366bf;text-decoration:none;font-weight:500;white-space:nowrap}
.toc {padding:0 0 0.3em 1em}
</style>
</head>
<body>
<img style="max-width:30%" src="images/fwp.svg" alt="logo" title="FWP logotype">
<img style="max-width:30%;position:absolute;right:1em;top:1em" src="images/ipr.svg" alt="IPR declaration" title="IPR declaration">
<div style="text-align:center" class="header">FIDO Web Pay - Crypto</div>
<div id="toc" class="header">Table of Contents</div>
<div class='toc'><a href='#1'>1 Introduction</a></div><div class='toc'><a href='#2'>2 Relationship to Existing Standards</a></div><div class='toc'><a href='#3'>3 Terminology</a></div><div class='toc'><a href='#4'>4 User Authorization</a></div><div class='toc'> <a href='#4.1'>4.1 Create Authorization Data (AD)</a></div><div class='toc'> <a href='#4.2'>4.2 Create Signed Authorization Data (SAD)</a></div><div class='toc'> <a href='#4.3'>4.3 Signature Algorithms</a></div><div class='toc'><a href='#5'>5 Encrypted User Authorization (ESAD)</a></div><div class='toc'> <a href='#5.1'>5.1 Encryption Object</a></div><div class='toc'> <a href='#5.2'>5.2 Encryption Process</a></div><div class='toc'> <a href='#5.3'>5.3 Content Encryption Algorithms</a></div><div class='toc'> <a href='#5.4'>5.4 Key Algorithms</a></div><div class='toc'> <a href='#5.5'>5.5 Key Encryption Algorithms</a></div><div class='toc'> <a href='#5.6'>5.6 Key Derivation Function</a></div><div class='toc'><a href='#6'>6 User Authorization Decoding and Verification</a></div><div class='toc'> <a href='#6.1'>6.1 Decrypt Authorization (ESAD)</a></div><div class='toc'> <a href='#6.2'>6.2 Decode Signed Authorization Data (SAD)</a></div><div class='toc'> <a href='#6.3'>6.3 Validate Signature</a></div><div class='toc'><a href='#7'>7 Sample Keys</a></div><div class='toc'> <a href='#7.1'>7.1 Signature Key</a></div><div class='toc'> <a href='#7.2'>7.2 Encryption Key</a></div><div class='toc'><a href='#documenthistory'>Document History</a></div><div class='toc'><a href='#authors'>Authors</a></div><div class='toc'><a href='#trademarks'>Trademarks</a></div>
<div id='1' class='header'>1. Introduction</div>
<div>
This document describes the cryptographic constructs used in
<a href="index.html"
title="FIDO Web Pay">FIDO Web Pay<img src="images/xtl.svg" alt="link"></a> (FWP) Assertions.
</div>
<div class="para">To make the descriptions more accessible,
the samples in the core document are used for illustrating the different processing steps.
The samples depend on the keys provided in the <a href='#7'>Sample Keys</a> section.
</div>
<div id='2' class='header'>2. Relationship to Existing Standards</div>
<div>
Since the user authorization component of <a href='index.html#seq-4.5'>FWP Assertions<img src='images/xtl.svg' alt='link'></a> is based on CBOR
[<a href="https://tools.ietf.org/html/rfc8949"
title="RFC8949">RFC8949<img src="images/xtl.svg" alt="link"></a>],
one might assume that the cryptography would be based on
COSE [<a href="https://tools.ietf.org/html/rfc8152"
title="RFC8152">RFC8152<img src="images/xtl.svg" alt="link"></a>].
However, this is only partially true because FIDO signatures (<a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>) are
incompatible with COSE. In addition, FWP authorization signatures build on
deterministic CBOR as outlined in RFC8949, section 4.2.1.
</div>
<div id='3' class='header'>3. Terminology</div>
<div>
Throughout this document CBOR primitives are expressed in
CDDL [<a href="https://tools.ietf.org/html/rfc8610"
title="RFC8610">RFC8610<img src="images/xtl.svg" alt="link"></a>]
notation.
</div>
<div class="para">
Items in <code>red</code> refer to attributes associated with the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>.
</div>
<div id='4' class='header'>4. User Authorization</div>
<div>
Unlike <a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>, FWP builds on an <i>authorization</i> concept derived
from EMV®. That is, user authorizations are created entirely locally in the FWP client.
Compatible FIDO authenticators MUST therefore be "client side" only.
</div>
<div class="para">
The following subsections describe the steps required
for creating the user authorization component of <a href='index.html#seq-4.5'>FWP Assertions<img src='images/xtl.svg' alt='link'></a>.
</div>
<div id='4.1' class='subheader'>4.1. Create Authorization Data (AD)</div>
<div>Before requesting the user to authorize ("sign"),
the FWP client creates data related to the
payment request (aka "dynamic linking"), as in the sample from the
main document:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:50em'>
{<br> 1: {<br> 1: "Space Shop",<br> 2: "7040566321",<br> 3: "435.00",<br> 4: "EUR"<br> },<br> 2: "spaceshop.com",<br> 3: "FR7630002111110020050014382",<br> 4: "https://banknet2.org",<br> 5: "0057162932",<br> 6: "additional stuff...",<br> 7: {<br> 1: {<br> 3: "Android",<br> 4: "12.0"<br> },<br> 2: {<br> 3: "Chrome",<br> 4: "108"<br> }<br> },<br> 8: [40.74844, -73.984559],<br> 9: "2023-02-16T10:14:07+01:00",<br><div style='height:0.5em'></div> <span style='color:grey'>/ signature /</span><br> -1: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ signatureAlgorithm = ES256 /</span><br> 1: -7,<br><div style='height:0.5em'></div> <span style='color:grey'>/ publicKey /</span><br> 2: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ kty = EC /</span><br> 1: 2,<br><div style='height:0.5em'></div> <span style='color:grey'>/ crv = P-256 /</span><br> -1: 1,<br><div style='height:0.5em'></div> <span style='color:grey'>/ x /</span><br> -2: h'e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5',<br><div style='height:0.5em'></div> <span style='color:grey'>/ y /</span><br> -3: h'9826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8'<br> }<br> }<br>}
</div>
</div>
<div>
This object is referred to as <a href='index.html#seq-4.2'>Authorization Data (AD)<img src='images/xtl.svg' alt='link'></a>.
</div>
<div id="signature" class="para">
Since this section is about cryptographic constructs, only the data in the
<code>signature</code> <kbd>map</kbd> (label <kbd>-1</kbd>) is
elaborated on here.
</div>
<div class="para">
Definition:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Label</th><th>Type</th><th style="min-width:25em">Description</th></tr>
<tr>
<td><code>signatureAlgorithm</code></td>
<td style='text-align:center'><kbd>1</kbd></td>
<td><kbd>int</kbd></td>
<td>
FIDO <code>signatureAlgorithm</code> associated with the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>.
The value to use is the "Identifier" specified in the <a href='#4.3'>Signature Algorithms</a> table.
</td>
</tr>
<tr>
<td><code>publicKey</code></td>
<td style='text-align:center'><kbd>2</kbd></td>
<td><kbd>map</kbd></td>
<td>
FIDO <code>publicKey</code> descriptor associated with the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>.
The key descriptor MUST only contain the core public key data.
This item MUST be COSE compliant as well as be compatible with the
<code>signatureAlgorithm</code>.
</td>
</tr>
<tr>
<td><code>authenticatorData</code></td>
<td style='text-align:center'><kbd>3</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
FIDO assertion data attribute.
See also <a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>.
</td>
</tr>
<tr>
<td><code>signatureValue</code></td>
<td style='text-align:center'><kbd>4</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
FIDO assertion signature.
See also <a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>.
</td>
</tr>
</table>
</div>
<div>
As can be seen in the listing, the <code>signatureAlgorithm</code> and
<code>publicKey</code> attributes are already featured in the <code>signature</code> <kbd>map</kbd>.
This is because they are static and can thus be included in the data
to be signed, potentially making the signature scheme more resistant to tampering.
</div>
<div class="para">
The sample AD should read as follows
when expressed in hexadecimal encoding:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox">
aa01a4016a53706163652053686f70026a3730343035363633323103663433352e30300463455552026d737061636573686f702e636f6d03781b465237363330303032313131313130303230303530303134333832047468747470733a2f2f62616e6b6e6574322e6f7267056a3030353731363239333206736164646974696f6e616c2073747566662e2e2e07a201a20367416e64726f6964046431322e3002a203664368726f6d6504633130380882fb40445fcce1c58256fbc0527f0303c07ee1097819323032332d30322d31365431303a31343a30372b30313a303020a2012602a401022001215820e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b52258209826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8
</div>
</div>
<div id='4.2' class='subheader'>4.2. Create Signed Authorization Data (SAD)</div>
<div>
Using the result of the previous step (in binary encoding) as the sole data input to the
FIDO signature process,
the user should at this stage be asked to authorize a payment request
using the key (authenticator)
pointed out by the <code>credentialId</code> of the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>.
</div>
<div class="para">
For a detailed description of how FIDO signatures are created,
turn to <a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>. Note that AD is signed after <i>hashing</i>, making
<code>clientDataHash</code> the actual data to be signed:
</div>
<div style='overflow-x:auto;padding:0.5em 0.2em 0 0'>
<img src='https://www.w3.org/TR/webauthn-2/images/fido-signature-formats-figure2.svg' alt='signature'>
</div>
<div>
The SHA256 hash of the sample AD should read as follows if encoded in hexadecimal:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:50em'>
d1f6eba26d2a7308eecdcd2a215460d5ac50a395de72ca2f5c4343622e8acf23
</div>
</div>
<div class="para">
After adding the asserted FIDO <code>authenticatorData</code> and
<code>signatureValue</code> attributes to the <a href="#signature">signature</a>
<kbd>map</kbd> of AD, the resulting sample should read as follows:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:50em'>
{<br> 1: {<br> 1: "Space Shop",<br> 2: "7040566321",<br> 3: "435.00",<br> 4: "EUR"<br> },<br> 2: "spaceshop.com",<br> 3: "FR7630002111110020050014382",<br> 4: "https://banknet2.org",<br> 5: "0057162932",<br> 6: "additional stuff...",<br> 7: {<br> 1: {<br> 3: "Android",<br> 4: "12.0"<br> },<br> 2: {<br> 3: "Chrome",<br> 4: "108"<br> }<br> },<br> 8: [40.74844, -73.984559],<br> 9: "2023-02-16T10:14:07+01:00",<br><div style='height:0.5em'></div> <span style='color:grey'>/ signature /</span><br> -1: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ signatureAlgorithm = ES256 /</span><br> 1: -7,<br><div style='height:0.5em'></div> <span style='color:grey'>/ publicKey /</span><br> 2: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ kty = EC /</span><br> 1: 2,<br><div style='height:0.5em'></div> <span style='color:grey'>/ crv = P-256 /</span><br> -1: 1,<br><div style='height:0.5em'></div> <span style='color:grey'>/ x /</span><br> -2: h'e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5',<br><div style='height:0.5em'></div> <span style='color:grey'>/ y /</span><br> -3: h'9826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8'<br> },<br><div style='height:0.5em'></div> <span style='color:grey'>/ authenticatorData /</span><br> 3: h'412e175a0f0bdc06dabf0b1db79b97541c08dbacee7e31c97a553588ee922ea70500000017',<br><div style='height:0.5em'></div> <span style='color:grey'>/ signatureValue /</span><br> 4: h'304402204fbd186e8eac7d7dbb915a7a443b0939af77de5e35cf87831663ae3a8bfc1d940220201d0c51ff9b683648a626cbe0bbb69fed29ce854aea65763e0e33edf2af9e09'<br> }<br>}
</div>
</div>
<div>This object is subsequently referred to as Signed Authorization Data (SAD).</div>
<div class="para">
The sample SAD object should read as follows if encoded in hexadecimal:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox">
aa01a4016a53706163652053686f70026a3730343035363633323103663433352e30300463455552026d737061636573686f702e636f6d03781b465237363330303032313131313130303230303530303134333832047468747470733a2f2f62616e6b6e6574322e6f7267056a3030353731363239333206736164646974696f6e616c2073747566662e2e2e07a201a20367416e64726f6964046431322e3002a203664368726f6d6504633130380882fb40445fcce1c58256fbc0527f0303c07ee1097819323032332d30322d31365431303a31343a30372b30313a303020a4012602a401022001215820e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b52258209826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8035825412e175a0f0bdc06dabf0b1db79b97541c08dbacee7e31c97a553588ee922ea70500000017045846304402204fbd186e8eac7d7dbb915a7a443b0939af77de5e35cf87831663ae3a8bfc1d940220201d0c51ff9b683648a626cbe0bbb69fed29ce854aea65763e0e33edf2af9e09
</div>
</div>
<div>
After the Signed Authorization Data (SAD) has been created,
it MUST be encrypted as described in <a href='#5'>Encrypted User Authorization (ESAD)</a>.
</div>
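<div class="para">
Added example (not part of the FWP specification or its reference implementation): a Python sketch of the AD/SAD relationship described above, seen from a party that receives a SAD and must recover the exact bytes that were hashed and signed. It decodes the SAD with a strict deterministic CBOR decoder, removes <code>authenticatorData</code> and <code>signatureValue</code> from the <code>signature</code> <kbd>map</kbd>, re-encodes the remaining AD and hashes it. The function names, the strict "labels 1 to 4 only" check and the limited type support are assumptions of this example.
</div>

```python
import hashlib
import struct

# Sample SAD from the listing above (hexadecimal), split only for line length.
SAD_HEX = (
    "aa01a4016a53706163652053686f70026a3730343035363633323103663433352e30300463455552026d737061636573686f702e636f6d03781b465237363330303032313131313130303230303530303134333832"
    "047468747470733a2f2f62616e6b6e6574322e6f7267056a3030353731363239333206736164646974696f6e616c2073747566662e2e2e07a201a20367416e64726f6964046431322e3002a203664368726f6d650463313038"
    "0882fb40445fcce1c58256fbc0527f0303c07ee1097819323032332d30322d31365431303a31343a30372b30313a303020a4012602a401022001215820e812b1a6dcbc708f9ec43cc2921fa0a14e9d5eadcc6dc63471dd4b680c6236b5"
    "2258209826dcbd4ce6e388f72edd9be413f2425a10f75b5fd83d95fa0cde53159a51d8035825412e175a0f0bdc06dabf0b1db79b97541c08dbacee7e31c97a553588ee922ea70500000017"
    "045846304402204fbd186e8eac7d7dbb915a7a443b0939af77de5e35cf87831663ae3a8bfc1d940220201d0c51ff9b683648a626cbe0bbb69fed29ce854aea65763e0e33edf2af9e09"
)

def _enc_head(major, n):
    """Shortest-form CBOR head (initial byte plus argument)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument exceeds 64 bits")

def _enc_float(v):
    """Shortest float encoding that round-trips; NaN is outside this sketch."""
    for ib, fmt in ((0xF9, ">e"), (0xFA, ">f"), (0xFB, ">d")):
        try:
            raw = struct.pack(fmt, v)
        except OverflowError:
            continue
        if struct.unpack(fmt, raw)[0] == v:
            return bytes([ib]) + raw
    raise ValueError("NaN is not handled")

def encode(v):
    """Deterministic encoding (RFC 8949, section 4.2.1) of the types AD uses."""
    if isinstance(v, int) and not isinstance(v, bool):
        return _enc_head(0, v) if v >= 0 else _enc_head(1, -1 - v)
    if isinstance(v, float):
        return _enc_float(v)
    if isinstance(v, (bytes, str)):
        raw = v if isinstance(v, bytes) else v.encode("utf-8")
        return _enc_head(2 if isinstance(v, bytes) else 3, len(raw)) + raw
    if isinstance(v, list):
        return _enc_head(4, len(v)) + b"".join(encode(i) for i in v)
    if isinstance(v, dict):  # keys sorted bytewise on their encoded form
        pairs = sorted((encode(k), encode(x)) for k, x in v.items())
        return _enc_head(5, len(pairs)) + b"".join(k + x for k, x in pairs)
    raise TypeError("type not used by AD")

def decode(buf, pos=0):
    """Decode one item as (value, next_pos); reject non-deterministic input."""
    start = pos
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info > 27 or major == 6 or (major == 7 and info < 25):
        raise ValueError("indefinite length, tag or simple value")
    pos += 1 + (0 if info < 24 else 1 << (info - 24))
    if pos > len(buf):
        raise ValueError("truncated input")
    if major == 7:
        value = struct.unpack(">" + "efd"[info - 25], buf[start + 1:pos])[0]
        if _enc_float(value) != buf[start:pos]:
            raise ValueError("float not in shortest form")
        return value, pos
    arg = info if info < 24 else int.from_bytes(buf[start + 1:pos], "big")
    if _enc_head(major, arg) != buf[start:pos]:
        raise ValueError("integer or length not in shortest form")
    if major < 2:
        return (arg if major == 0 else -1 - arg), pos
    if major < 4:
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    result, prev_key = {}, b""
    for _ in range(arg):
        key, end = decode(buf, pos)
        if buf[pos:end] <= prev_key:
            raise ValueError("map keys unsorted or duplicated")
        prev_key = buf[pos:end]
        result[key], pos = decode(buf, end)
    return result, pos

def sad_to_ad(sad_bytes):
    """Return (AD bytes, SHA-256 of AD, authenticatorData, signatureValue)."""
    sad, end = decode(sad_bytes)
    sig = sad.get(-1) if isinstance(sad, dict) else None
    if end != len(sad_bytes) or not isinstance(sig, dict) or set(sig) != {1, 2, 3, 4}:
        raise ValueError("expected one CBOR map whose signature map holds labels 1 to 4")
    ad = encode({**sad, -1: {1: sig[1], 2: sig[2]}})  # labels 3 and 4 are not hashed
    return ad, hashlib.sha256(ad).digest(), sig[3], sig[4]
```

<div class="para">
Calling <kbd>sad_to_ad(bytes.fromhex(SAD_HEX))</kbd> returns the reconstructed AD, its SHA256 hash and the two FIDO attributes; the first two can be compared with the hexadecimal values listed in sections 4.1 and 4.2. Because the hash covers the exact bytes, the decoder rejects unsorted map keys and non-shortest encodings instead of silently normalizing them.
</div>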
<div id='4.3' class='subheader'>4.3. Signature Algorithms</div>
<div class="para">FIDO currently supports the following COSE signature algorithms:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Identifier</th><th>Notes</th></tr>
<tr>
<td style='white-space:nowrap'><kbd>ES256</kbd></td>
<td style='text-align:center'><kbd>-7</kbd></td>
<td>ECDSA signatures differ in encoding from COSE.
See <a href='https://www.w3.org/TR/webauthn-2/' title='Web Authentication'>Web Authentication<img src='images/xtl.svg' alt='link'></a>.</td>
</tr>
<tr>
<td style='white-space:nowrap'><kbd>ED25519</kbd></td>
<td style='text-align:center'><kbd>-8</kbd></td>
<td>Strictly speaking, this identifier is not COSE compliant.</td>
</tr>
<tr>
<td style='white-space:nowrap'><kbd>RS256</kbd></td>
<td style='text-align:center'><kbd>-257</kbd></td>
<td></td>
</tr>
</table>
</div>
<div id='5' class='header'>5. Encrypted User Authorization (ESAD)</div>
<div id="esad">
For privacy and security reasons the user authorization component of <a href='index.html#seq-4.5'>FWP Assertions<img src='images/xtl.svg' alt='link'></a>
MUST be encrypted.
</div>
<div class="para">The listing below shows a sample of an encrypted <a href='#4.2'>SAD</a> object:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:50em'>
<span style='color:grey'>/ COTX wrapper /</span><br>1010(["https://fido-web-pay.github.io/ns/p1", {<br><div style='height:0.5em'></div> <span style='color:grey'>/ algorithm = A256GCM /</span><br> 1: 3,<br><div style='height:0.5em'></div> <span style='color:grey'>/ keyEncryption /</span><br> 2: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ algorithm = ECDH-ES+A256KW /</span><br> 1: -31,<br><div style='height:0.5em'></div> <span style='color:grey'>/ keyId /</span><br> 3: "x25519:2022:1",<br><div style='height:0.5em'></div> <span style='color:grey'>/ ephemeralKey /</span><br> 7: {<br><div style='height:0.5em'></div> <span style='color:grey'>/ kty = OKP /</span><br> 1: 1,<br><div style='height:0.5em'></div> <span style='color:grey'>/ crv = X25519 /</span><br> -1: 4,<br><div style='height:0.5em'></div> <span style='color:grey'>/ x /</span><br> -2: h'034e9273d9d55c3df0fb366fc33425648d8150de504c1b3499e0a7dac91a2c17'<br> },<br><div style='height:0.5em'></div> <span style='color:grey'>/ cipherText /</span><br> 10: h'2fd62268299b5e2fe57bafd5762a8eff3a8b9991facbec2d36093cdacb23ed5dff5750ca3bd5d7fc'<br> },<br><div style='height:0.5em'></div> <span style='color:grey'>/ tag /</span><br> 8: h'c20ab16145f1e5349c1d85fab4caf0a3',<br><div style='height:0.5em'></div> <span style='color:grey'>/ iv /</span><br> 9: h'57e7341b3b1379d8765ae613',<br><div style='height:0.5em'></div> <span style='color:grey'>/ cipherText /</span><br> 10: 
h'204e5f5b4ad63d013ac875d160ffc4f762b75153fb8b30a9d9ecefaf23a30898cd68ac104edfdf854e060d906f1229f739b37e52dffed874a07df3fd661c061d6d7b4d561afe9fc31f14ffbb15a5d62debe1f5cb54a851fdc4b54a83d6f8e64a5a5b0c445960992af964126c17aa5591d747b9e74a40c5ea2d6c2a5f387401c63685bb1cc2a7a331b9b44505622e27a7c29314dedaacc8d3f425b48010d97115f7672dc1ad89a6b01b3d6f0427333d1abf0667feb54c42383ceb4a8883a24b93b4b7921649d05435fb62d4d4aafcb4ce93238d3538fc8821bf6a71bc906173152f933b359ccf9a546ad840510baebdecb6ee15fddc4348b8ef8d80cb36f8410a94784e22542208bfbf6cab1989f23d34be75ccc38a29502bf0e952174ab823df6728c39315c2acf3be75fb8a072a048c08e1efec35ee5158cf828f2b8b8a9e304824ff5dc7c9139af3667165ebc5dca0cfc20baa9e2e45fa65aad54ae026e7b463ec8f974dbe37e90217f6abe223c598c334e9aaa98647ee485eb65f271a7386db71c13843b7570ee211a5b055ee83e9ab9068536ae0b698821bad1a79de35'<br>}])
</div>
</div>
<div>The resulting object is referred to as Encrypted Signed Authorization Data (ESAD).</div>
<div class="para">
The sample ESAD object should read as follows if encoded in hexadecimal:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox">
d903f282782468747470733a2f2f6669646f2d7765622d7061792e6769746875622e696f2f6e732f7031a5010302a401381e036d7832353531393a323032323a3107a301012004215820034e9273d9d55c3df0fb366fc33425648d8150de504c1b3499e0a7dac91a2c170a58282fd62268299b5e2fe57bafd5762a8eff3a8b9991facbec2d36093cdacb23ed5dff5750ca3bd5d7fc0850c20ab16145f1e5349c1d85fab4caf0a3094c57e7341b3b1379d8765ae6130a59019f204e5f5b4ad63d013ac875d160ffc4f762b75153fb8b30a9d9ecefaf23a30898cd68ac104edfdf854e060d906f1229f739b37e52dffed874a07df3fd661c061d6d7b4d561afe9fc31f14ffbb15a5d62debe1f5cb54a851fdc4b54a83d6f8e64a5a5b0c445960992af964126c17aa5591d747b9e74a40c5ea2d6c2a5f387401c63685bb1cc2a7a331b9b44505622e27a7c29314dedaacc8d3f425b48010d97115f7672dc1ad89a6b01b3d6f0427333d1abf0667feb54c42383ceb4a8883a24b93b4b7921649d05435fb62d4d4aafcb4ce93238d3538fc8821bf6a71bc906173152f933b359ccf9a546ad840510baebdecb6ee15fddc4348b8ef8d80cb36f8410a94784e22542208bfbf6cab1989f23d34be75ccc38a29502bf0e952174ab823df6728c39315c2acf3be75fb8a072a048c08e1efec35ee5158cf828f2b8b8a9e304824ff5dc7c9139af3667165ebc5dca0cfc20baa9e2e45fa65aad54ae026e7b463ec8f974dbe37e90217f6abe223c598c334e9aaa98647ee485eb65f271a7386db71c13843b7570ee211a5b055ee83e9ab9068536ae0b698821bad1a79de35
</div>
</div>
<div class="para">The following subsections describe the encryption scheme in detail.</div>
<div id='5.1' class='subheader'>5.1. Encryption Object</div>
<div class="para">
The encryption scheme is based on an ECDH profile derived from
<a href="https://cyberphone.github.io/javaapi/org/webpki/cbor/package-summary.html#cef">
CBOR Encryption Format (CEF)<img src="images/xtl.svg" alt="link"></a>.
</div>
<div class="para">
To identify the ESAD object profile, as well as the encrypted SAD object,
a common <a href="https://www.ietf.org/archive/id/draft-rundgren-cotx-03.html">
COTX<img src="images/xtl.svg" alt="link"></a> tag with the value
<kbd style='white-space:nowrap'>"https://fido-web-pay.github.io/ns/p1"</kbd>
wraps the encryption attributes.
</div>
<div class="para">
ESAD objects are packaged as follows:
</div>
<div style="overflow-x:auto;padding:8pt 0">
<svg style='display:block;width:27em;padding:0.5em' class='box' viewBox='0 0 1063 650' xmlns='http://www.w3.org/2000/svg'>
<title>FWP Encryption Layout</title>
<!-- Anders Rundgren 2021 -->
<g stroke='#4366bf' stroke-width='3' fill='none'>
<rect x='20' y='150' width='460' height='80' rx='8'/>
<rect x='20' y='250' width='460' height='80' rx='8'/>
<rect x='20' y='350' width='460' height='80' rx='8'/>
<rect x='20' y='450' width='460' height='80' rx='8'/>
<rect x='20' y='550' width='460' height='80' rx='8'/>
<rect x='603' y='150' width='440' height='80' rx='8'/>
<rect x='603' y='250' width='440' height='80' stroke-dasharray='8' rx='8'/>
<rect x='603' y='350' width='440' height='80' stroke-dasharray='8' rx='8'/>
<rect x='603' y='450' width='440' height='80' rx='8'/>
<rect x='603' y='550' width='440' height='80' stroke-dasharray='8' rx='8'/>
</g>
<g font-size='40' font-family='Roboto,sans-serif'>
<text x='250' y='60' font-size='50' text-anchor='middle'>Main Map</text>
<text x='250' y='110' text-anchor='middle'>(Content Encryption)</text>
<text x='823' y='60' font-size='50' text-anchor='middle'>Sub Map</text>
<text x='823' y='110' text-anchor='middle'>(Key Encryption)</text>
</g>
<g font-size='40' font-family='Noto Mono,monospace' fill='maroon'>
<text x='44' y='204'>algorithm<tspan fill='black'> (1)</tspan></text>
<text x='44' y='304'>keyEncryption<tspan fill='black'> (2)</tspan></text>
<text x='44' y='404'>tag<tspan fill='black'> (8)</tspan></text>
<text x='44' y='504'>iv<tspan fill='black'> (9)</tspan></text>
<text x='44' y='604'>cipherText<tspan fill='black'> (10)</tspan></text>
<text x='627' y='204'>algorithm<tspan fill='black'> (1)</tspan></text>
<text x='627' y='304'>keyId<tspan fill='black'> (3)</tspan></text>
<text x='627' y='404'>publicKey<tspan fill='black'> (4)</tspan></text>
<text x='627' y='504'>ephemeralKey<tspan fill='black'> (7)</tspan></text>
<text x='627' y='604'>cipherText<tspan fill='black'> (10)</tspan></text>
</g>
<path fill='none' stroke='#4366bf' stroke-width='3' stroke-linecap='round' d='m 583,150 c -35,0 -35,80 -35,80 v 0 c 0,0 0,49 -48,60 c 48,11 48,60 48,60 v 200 c 0,0 0,80 35,80'/>
</svg>
</div>
<div>Numbers in parentheses represent the CBOR <kbd>map</kbd> key
(label) associated with the symbolic name.
The attributes in the dashed boxes are <i>optional</i>, depending on
key encryption algorithm and encryption key reference method.</div>
<div id="mainmap" class="para">Main map definition:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Label</th><th>Type</th><th style="min-width:25em">Description</th></tr>
<tr>
<td><code>algorithm</code></td>
<td style='text-align:center'><kbd>1</kbd></td>
<td><kbd>int</kbd></td>
<td>
Symmetric key algorithm used for encrypting the actual content.
The value to use is the "Identifier" specified in the
<a href='#5.3'>Content Encryption Algorithms</a> table.
</td>
</tr>
<tr>
<td><code>keyEncryption</code></td>
<td style='text-align:center'><kbd>2</kbd></td>
<td><kbd>map</kbd></td>
<td>
Holds the <a href="#submap">Sub map</a>.
</td>
</tr>
<tr>
<td><code>tag</code></td>
<td style='text-align:center'><kbd>8</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
Algorithm specific authentication data.
</td>
</tr>
<tr>
<td><code>iv</code></td>
<td style='text-align:center'><kbd>9</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
Algorithm specific initialization vector.
</td>
</tr>
<tr>
<td><code>cipherText</code></td>
<td style='text-align:center'><kbd>10</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
Encrypted content.
</td>
</tr>
</table>
</div>
<div id="submap" class="para">Sub map definition:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Label</th><th>Type</th><th style="min-width:25em">Description</th></tr>
<tr>
<td><code>algorithm</code></td>
<td style='text-align:center'><kbd>1</kbd></td>
<td><kbd>int</kbd></td>
<td>
Key encryption algorithm.
The value to use is the "Identifier" specified in the
<a href='#5.5'>Key Encryption Algorithms</a> table.
</td>
</tr>
<tr>
<td><code>keyId</code></td>
<td style='text-align:center'><kbd>3</kbd></td>
<td><i>"Any"</i></td>
<td>
<i>Optional</i>: To facilitate a streamlined decryption process,
the encryption object MUST include a reference to the
encryption key. This reference is either provided through a <code>keyId</code>
or through the <code>publicKey</code> itself. That is, both attributes MUST NOT
be present in an FWP compliant encryption object.
<div class="para">
Note that this specification does not define any specific <code>keyId</code> syntax.
The sample uses a <kbd>tstr</kbd> but it could equally well be
a hash of the <code>publicKey</code> featured in a <kbd>bstr</kbd>.
</div>
</td>
</tr>
<tr>
<td><code>publicKey</code></td>
<td style='text-align:center'><kbd>4</kbd></td>
<td><kbd>map</kbd></td>
<td>
<i>Optional</i>: Public key in COSE format. See <code>keyId</code>.
<div class="para">
Note that a <code>publicKey</code> attribute MUST only contain the
core public key data.
</div>
</td>
</tr>
<tr>
<td><code>ephemeralKey</code></td>
<td style='text-align:center'><kbd>7</kbd></td>
<td><kbd>map</kbd></td>
<td>
Ephemeral public key in COSE format.
<div class="para">
Note that a <code>publicKey</code> attribute MUST only contain the
core public key data.
</div>
</td>
</tr>
<tr>
<td><code>cipherText</code></td>
<td style='text-align:center'><kbd>10</kbd></td>
<td><kbd>bstr</kbd></td>
<td>
<i>Optional</i>: Encrypted key for key-wrapping ECDH algorithms.
</td>
</tr>
</table>
</div>
<div id='5.2' class='subheader'>5.2. Encryption Process</div>
To encrypt a <a href='#4.2'>SAD</a> object, the following steps MUST be performed:
<ol>
<li>
Retrieve the <code>keyEncryptionAlgorithm</code>,
<code>contentEncryptionAlgorithm</code>,
and <code>encryptionKey</code> attributes of the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>.
The compatibility of these attributes with respect to this specification,
as well as with the client implementation, is assumed
to have been verified during credential enrollment.
</li>
<li>Create an empty CBOR <a href="#submap">Sub map</a> object.</li>
<li>
Copy the <code>keyEncryptionAlgorithm</code> to the <code>algorithm</code> label.
</li>
<li>
If the <code>encryptionKeyId</code> of the selected <a href='index.html#credentialdatabase'>Payment Credential<img src='images/xtl.svg' alt='link'></a>
is defined, copy the value to the <code>keyId</code> label,
else copy the <code>encryptionKey</code> to the <code>publicKey</code> label.
</li>
<li>Creating a key for encrypting the content (SAD) requires the following steps:
<ul>
<li>
Generate a key pair compatible with the <code>encryptionKey</code>.
</li>
<li>Copy the public key of the generated key pair to the <code>ephemeralKey</code> label.</li>
<li>
Perform the core ECDH operation (key agreement) including the <a href='#5.6'>KDF</a>,
using the private key of the generated key pair and
the <code>encryptionKey</code>.
Note that the requested length of the shared secret generated by the KDF
is defined by the <code>keyEncryptionAlgorithm</code>. See <a href='#5.5'>Key Encryption Algorithms</a>.
</li>
<li>
For the <kbd>ECDH-ES</kbd> (direct mode) <code>keyEncryptionAlgorithm</code>,
set a variable <kbd>contentEncryptionKey</kbd> equal
to the result of the ECDH operation. For the other (key wrapping)
ECDH variants, perform the following steps:
<ul>
<li>Define a <kbd>contentEncryptionKey</kbd> variable.</li>
<li>Assign a random number to the <kbd>contentEncryptionKey</kbd>.</li>
<li>
Encrypt the <kbd>contentEncryptionKey</kbd> with the key wrapping method
associated with the ECDH algorithm using
the previously generated shared secret as encryption key.
</li>
<li>Copy the result of the previous operation to the <code>cipherText</code> label.</li>
</ul>
<div class="para" style="padding-bottom:0.5em">
Note that the length of the <kbd>contentEncryptionKey</kbd> is defined by the
<code>contentEncryptionAlgorithm</code>. See <a href='#5.3'>Content Encryption Algorithms</a>.
</div>
</li>
</ul>
</li>
<li>Create an empty CBOR <a href="#mainmap">Main map</a> object.</li>
<li>
Copy the <code>contentEncryptionAlgorithm</code>
to the <code>algorithm</code> label.
</li>
<li>
Copy the previously created CBOR <a href="#submap">Sub map</a> object to
the <code>keyEncryption</code> label.
</li>
<li>
Wrap the current <a href="#mainmap">Main map</a> object in a COTX tag
and assign the serialized result to an AAD (Additional Authenticated Data) variable.
</li>
<li>
Generate an IV (Initialization Vector) compliant with the
<code>contentEncryptionAlgorithm</code>. See <a href='#5.3'>Content Encryption Algorithms</a>.
</li>
<li>Encrypt the SAD object as follows:
<div class="formula">
<kbd>
cipherText, tag = encrypt(<code>contentEncryptionAlgorithm</code>,<br>
contentEncryptionKey,<br>
SAD,<br>
AAD,<br>
IV)
</kbd>
</div>
here using a hypothetical encryption method that returns both
the resulting <kbd>cipherText</kbd> and a <kbd>tag</kbd> value.
</li>
<li>Copy the <kbd>cipherText</kbd>, <kbd>tag</kbd>, and <kbd>IV</kbd> values to the
<code>cipherText</code>, <code>tag</code>, and <code>iv</code> labels
respectively.</li>
</ol>
<div class="para">The wrapped CBOR <a href="#mainmap">Main map</a>
object represents an <a href='#5'>ESAD</a> object according to this specification.</div>
<div id='5.3' class='subheader'>5.3. Content Encryption Algorithms</div>
<div>Compliant FWP
implementations MUST as a minimum support the following
COSE content encryption algorithms:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Identifier</th><th>Key</th><th>Tag</th><th>IV</th></tr>
<tr>
<td style='text-align:center'><kbd>A128GCM</kbd></td>
<td style='text-align:center'><kbd>1</kbd></td>
<td style='text-align:center'><kbd>16</kbd></td>
<td style='text-align:center'><kbd>16</kbd></td>
<td style='text-align:center'><kbd>12</kbd></td>
</tr>
<tr>
<td style='text-align:center'><kbd>A192GCM</kbd></td>
<td style='text-align:center'><kbd>2</kbd></td>
<td style='text-align:center'><kbd>24</kbd></td>
<td style='text-align:center'><kbd>16</kbd></td>
<td style='text-align:center'><kbd>12</kbd></td>
</tr>
<tr>
<td style='text-align:center'><kbd>A256GCM</kbd></td>
<td style='text-align:center'><kbd>3</kbd></td>
<td style='text-align:center'><kbd>32</kbd></td>
<td style='text-align:center'><kbd>16</kbd></td>
<td style='text-align:center'><kbd>12</kbd></td>
</tr>
</table>
</div>
<div>The lengths of the "Key", "Tag", and "IV"
attributes are in bytes.</div>
<div id='5.4' class='subheader'>5.4. Key Algorithms</div>
<div>
Compliant FWP implementations MUST as a
minimum support <kbd>P-256</kbd> and <kbd>X25519</kbd> keys.
</div>
<div id='5.5' class='subheader'>5.5. Key Encryption Algorithms</div>
<div>Compliant FWP
implementations MUST as a minimum support the following
COSE key encryption algorithms:</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Name</th><th>Identifier</th><th>Derived Key</th></tr>
<tr>
<td style='white-space:nowrap'><kbd>ECDH-ES</kbd></td>
<td style='text-align:center'><kbd>-25</kbd></td>
<td>Defined by the content encryption algorithm. See <a href='#5.3'>Content Encryption Algorithms</a>.</td>
</tr>
<tr>
<td style='white-space:nowrap'><kbd>ECDH-ES+A128KW</kbd></td>
<td style='text-align:center'><kbd>-29</kbd></td>
<td style='text-align:center'><kbd>16</kbd></td>
</tr>
<tr>
<td style='white-space:nowrap'><kbd>ECDH-ES+A192KW</kbd></td>
<td style='text-align:center'><kbd>-30</kbd></td>
<td style='text-align:center'><kbd>24</kbd></td>
</tr>
<tr>
<td style='white-space:nowrap'><kbd>ECDH-ES+A256KW</kbd></td>
<td style='text-align:center'><kbd>-31</kbd></td>
<td style='text-align:center'><kbd>32</kbd></td>
</tr>
</table>
</div>
<div>
The length of the "Derived Key" attribute is in bytes.
</div>
<div id='5.6' class='subheader'>5.6. Key Derivation Function</div>
<div>
Note that the ECDH algorithms MUST use a Key Derivation Function (KDF) according to HKDF
[<a href="https://tools.ietf.org/html/rfc5869"
title="RFC5869">RFC5869<img src="images/xtl.svg" alt="link"></a>],
profiled as follows:
</div>
<ul>
<li><kbd>hmac</kbd>: The HKDF implementation MUST use HMAC with SHA256</li>
<li><kbd>salt</kbd>: N/A. The default extract mode handling MUST be implemented.</li>
<li><kbd>info</kbd>: This parameter MUST consist of the actual COSE key
encryption algorithm, expressed as a 32-bit (4 byte) signed big-endian integer.</li>
</ul>
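<div class="para">
Added example (not part of the FWP specification or its reference code): the KDF profile above combined with the key lengths from 5.3 and 5.5, using only the Python standard library. The function names are hypothetical, the shared secret is assumed to be the raw output of the ECDH operation, and the all-zero check is an added hardening step that this page does not require.
</div>

```python
import hashlib
import hmac
import struct

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes
# COSE identifier -> length in bytes, from the tables in 5.3 and 5.5.
CONTENT_KEY_LEN = {1: 16, 2: 24, 3: 32}         # A128GCM, A192GCM, A256GCM
KEY_WRAP_KEY_LEN = {-29: 16, -30: 24, -31: 32}  # ECDH-ES+A128KW/A192KW/A256KW
ECDH_ES = -25                                   # direct mode

def kdf_info(key_encryption_algorithm):
    """HKDF info: the COSE algorithm id as a 32-bit signed big-endian integer."""
    return struct.pack(">i", key_encryption_algorithm)

def derived_key_length(key_encryption_algorithm, content_encryption_algorithm):
    """Length requested from the KDF ("Derived Key" column in 5.5)."""
    if content_encryption_algorithm not in CONTENT_KEY_LEN:
        raise ValueError("unsupported content encryption algorithm")
    if key_encryption_algorithm == ECDH_ES:
        return CONTENT_KEY_LEN[content_encryption_algorithm]
    if key_encryption_algorithm in KEY_WRAP_KEY_LEN:
        return KEY_WRAP_KEY_LEN[key_encryption_algorithm]
    raise ValueError("unsupported key encryption algorithm")

def hkdf_sha256(ikm, info, length):
    """RFC 5869 HKDF with HMAC-SHA256 and the default (absent) salt."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("invalid output length")
    # Extract: an absent salt is replaced by HashLen zero bytes.
    prk = hmac.new(b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(shared_secret, key_encryption_algorithm, content_encryption_algorithm):
    """Raw ECDH output -> contentEncryptionKey (ECDH-ES) or key-wrapping key."""
    # Added hardening, not required by this page: refuse an empty or all-zero
    # secret (the optional X25519 check described in RFC 7748, section 6.1).
    if not any(shared_secret):
        raise ValueError("empty or all-zero ECDH shared secret")
    length = derived_key_length(key_encryption_algorithm, content_encryption_algorithm)
    return hkdf_sha256(shared_secret, kdf_info(key_encryption_algorithm), length)
```

<div class="para">
Because <kbd>info</kbd> carries the algorithm identifier, the same ECDH output yields unrelated keys for <kbd>ECDH-ES</kbd> and for each key wrapping variant.
</div>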
<div id='6' class='header'>6. User Authorization Decoding and Verification</div>
<div>
The following sections describe the steps needed for decoding
the user authorization part (ESAD) of <a href='index.html#seq-4.5'>FWP Assertions<img src='images/xtl.svg' alt='link'></a>, as well as
verifying that it is technically correct from a <i>cryptographic</i> point of view.
As outlined in the core document, several other checks MUST also be performed
before an associated payment request can be considered as trusted.
</div>
<div class="comment box">
Missing, erroneous, or extraneous data MUST cause the verification
process to terminate with an appropriate error indication.
</div>
<div id='6.1' class='subheader'>6.1. Decrypt Authorization (ESAD)</div>
<div>Decode the <a href='#5'>ESAD</a> binary using a suitable CBOR parser.</div>
<div class="para">
Perform the following steps to decrypt the ESAD object:
</div>
<ol>
<li>
Retrieve the private encryption key associated with the <code>encryptionKeyId</code> or
the <code>publicKey</code> in the <a href="#submap">Sub map</a>, depending on
which of the attributes is defined (which in most cases is known in advance,
since the issuer and relying party usually are the same entity).
</li>
<li>
Fetch the ECDH algorithm to use from the <code>algorithm</code> attribute in the <a href="#submap">Sub map</a>.
</li>
<li>
Perform an ECDH key agreement operation including <a href='#5.6'>KDF</a> with the retrieved private key
and the <code>ephemeralKey</code> attribute in the <a href="#submap">Sub map</a>.
</li>
<li>
For key wrapping ECDH algorithms, use the result of the ECDH operation
to unwrap a <kbd>contentEncryptionKey</kbd> (specified by
the <code>cipherText</code> attribute in the <a href="#submap">Sub map</a>), while <kbd>ECDH-ES</kbd>
returns the <kbd>contentEncryptionKey</kbd> directly. See <a href='#5.5'>Key Encryption Algorithms</a>.
</li>
<li>
Fetch the <kbd>contentEncryptionAlgorithm</kbd> specified by the <code>algorithm</code>
attribute in the <a href="#mainmap">Main map</a>. See <a href='#5.3'>Content Encryption Algorithms</a>.
</li>
<li>Fetch and remove the <code>tag</code>, <code>iv</code>, and <code>cipherText</code>
attributes in the <a href="#mainmap">Main map</a>.</li>
<li>Serialize the remaining CBOR object and assign the result to an
<kbd>AAD</kbd> (Additional Authenticated Data) variable.</li>
<li>
Decrypt the ESAD object as follows:
<div class="formula">
<kbd>
plainText = decrypt(contentEncryptionAlgorithm,<br>
contentEncryptionKey,<br>
AAD,<br>
<code>iv</code>,<br>
<code>tag</code>,<br>
<code>cipherText</code>)
</kbd>
</div>
here using a hypothetical decryption method.
</li>
</ol>
<div class="para">If all steps succeed, the resulting plain text
is assumed to be a <a href='#4.2'>SAD</a> object.</div>
<div id='6.2' class='subheader'>6.2. Decode Signed Authorization Data (SAD)</div>
<div>Decode the <a href='#4.2'>SAD</a> binary using a suitable CBOR parser.</div>
<div class="para">Fetch and remove the FIDO attributes <code>authenticatorData</code>
and <code>signatureValue</code> from the decoded object,
which now effectively is an <a href='#4.1'>AD</a> object.
</div>
<div id='6.3' class='subheader'>6.3. Validate Signature</div>
<div>
The signature is validated by applying the attributes received in the
<a href="#signature">signature</a> <kbd>map</kbd> to
a suitable signature validation API like:
</div>
<div class="formula">
<kbd>
<span style="color:grey">// Hypothetical signature validation method</span><br>
validate(<code>signatureAlgorithm</code>,<br>
<code>publicKey</code>,<br>
<span style="color:grey">// Signed data</span><br>
<code>authenticatorData</code> || SHA256(<a href='#4.1'>AD</a>),<br>
<code>signatureValue</code>)
</kbd>
</div>
<div class="comment box">
Although the FIDO signature scheme is unique, signatures can be validated by
any cryptographic API supporting the signature algorithm in question.
</div>
<div id='7' class='header'>7. Sample Keys</div>
<div id='7.1' class='subheader'>7.1. Signature Key</div>
<div>
The following key (here expressed as a JWK [<a href="https://tools.ietf.org/html/rfc7517"
title="RFC7517">RFC7517<img src="images/xtl.svg" alt="link"></a>])
was used for the signature part of the <a href='#4.2'>SAD</a> sample:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:35em'>
{<br> "kty": "EC",<br> "crv": "P-256",<br> "x": "6BKxpty8cI-exDzCkh-goU6dXq3MbcY0cd1LaAxiNrU",<br> "y": "mCbcvUzm44j3Lt2b5BPyQloQ91tf2D2V-gzeUxWaUdg",<br> "d": "6XxMFXhcYT5QN9w5TIg2aSKsbcj-pj4BnZkK7ZOt4B8"<br>}<br>
</div>
</div>
<div>Note that ES256 signatures usually depend on a random factor as well, making
each signature unique. Verification should still work
as long as the signature key and data to be signed remain constant.
</div>
<div id='7.2' class='subheader'>7.2. Encryption Key</div>
<div>
The following key (here expressed as a JWK [<a href="https://tools.ietf.org/html/rfc7517"
title="RFC7517">RFC7517<img src="images/xtl.svg" alt="link"></a>])
was used for the encryption part of the <a href='#5'>ESAD</a> sample:
</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<div class="staticbox" style='min-width:35em'>
{<br> "kty": "OKP",<br> "crv": "X25519",<br> "x": "6ZoM7yBYlJYNmxwFl4UT3MtCoTv7ztUjpRuKEXrV8Aw",<br> "d": "cxfl86EVmcqrR07mWENCf1F_5Ni5mt1ViGyERB6Q1vA"<br>}<br>
</div>
</div>
<div>
Note that the ESAD sample uses a <code>keyId</code> for identifying the encryption key.
</div>
<div id='documenthistory' class='header'>Document History</div>
<div style='overflow-x:auto;padding-right:0.2em'>
<table class="tftable">
<tr><th>Date</th><th>Version</th><th style="min-width:30em">Comment</th></tr>
<tr>
<td style="text-align:center;white-space:nowrap">2021-07-26</td>
<td style="text-align:center">0.1</td><td>Initial publishing.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2021-08-23</td>
<td style="text-align:center">0.11</td><td>Added CTAP2 suggestion.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2021-09-30</td>
<td style="text-align:center">0.12</td><td>Made <code>keyId</code> generic.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2022-02-02</td>
<td style="text-align:center">0.13</td><td>Main document update forced test data update.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2022-06-17</td>
<td style="text-align:center">0.14</td><td>CBOR primitives expressed in CDDL notation.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2022-08-18</td>
<td style="text-align:center">0.15</td><td>CTAP2 signature scheme.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2022-12-19</td>
<td style="text-align:center">0.16</td><td>Set <code>signature</code> key to -1.</td>
</tr>
<tr>
<td style="text-align:center;white-space:nowrap">2023-01-07</td>
<td style="text-align:center">0.17</td><td>Added COTX wrapper to ESAD.</td>
</tr>
</table>
</div>
<div id='authors' class='header'>Authors</div>
<div>
The FWP specification is currently authored by Anders Rundgren
(anders.rundgren.net@gmail.com) on GitHub
(<a href="https://github.com/fido-web-pay/specification"
title="GitHub">https://github.com/fido-web-pay/specification<img src="images/xtl.svg" alt="link"></a>).
</div>
<div id='trademarks' class='header'>Trademarks</div>
<div>
FIDO is a registered trademark of the FIDO alliance.<br>
EMV is a registered trademark of EMVCo.<br> <br>
This specification represents an <i>independent effort</i>,
not associated with the FIDO alliance or EMVCo.
</div>
</body></html>