How to rotate keys?

Question

I'm looking at the Tink documentation, but I don't see a clear way to rotate a key. Basically, I would like to do something like:

KeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;
KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
// Do some stuff... and then
keysetHandle.rotateKey(); // How to do the equivalent of this??

The documentation talks about how key rotation is a core feature of the library. However, there are no examples in the documentation for how to do this. What's the "correct" way to rotate keys using the library? I would also prefer to separate rotating and activating the new key.

Answer 1

Score: 1


The developers improved the documentation on the GitHub-docs (see https://github.com/google/tink/blob/master/docs/JAVA-HOWTO.md#key-rotation):

"Support for key rotation in Tink is provided via the KeysetManager class. You have to provide a KeysetHandle-object that contains the keyset that should be rotated, and a specification of the new key via a KeyTemplate message.

import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.proto.KeyTemplate;
KeysetHandle keysetHandle = ...;   // existing keyset
KeyTemplate keyTemplate = ...;     // template for the new key
KeysetHandle rotatedKeysetHandle = KeysetManager
    .withKeysetHandle(keysetHandle)
    .rotate(keyTemplate)
    .getKeysetHandle();

Some common specifications are available as pre-generated templates in examples/keytemplates, and can be accessed via the ...KeyTemplates.java classes of the respective primitives. After a successful rotation, the resulting keyset contains a new key generated according to the specification in keyTemplate, and the new key becomes the primary key of the keyset. For the rotation to succeed the Registry must contain a key manager for the key type specified in keyTemplate. Alternatively, you can use Tinkey to rotate or manage a keyset."

Below you find a short example and the files generated by this program:

keyset_original.json is the (first) original key:

{
    "primaryKeyId": 937652358,
    "key": [{
        "keyData": {
            "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
            "keyMaterialType": "SYMMETRIC",
            "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
        },
        "outputPrefixType": "TINK",
        "keyId": 937652358,
        "status": "ENABLED"
    }]
}

keyset_rotated.json is the rotated keyset - the primaryKeyId has changed and the (first) key is still available and enabled, but is no longer the primary key:

{
    "primaryKeyId": 138119043,
    "key": [
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "keyMaterialType": "SYMMETRIC",
                "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
            },
            "outputPrefixType": "TINK",
            "keyId": 937652358,
            "status": "ENABLED"
        },
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "keyMaterialType": "SYMMETRIC",
                "value": "GhBrr2JLPAMMi36n56RHGF2A"
            },
            "outputPrefixType": "TINK",
            "keyId": 138119043,
            "status": "ENABLED"
        }
    ]
}

code:

import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.config.TinkConfig;
import com.google.crypto.tink.proto.KeyTemplate;

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class KeyRotation {
    public static void main(String[] args) throws GeneralSecurityException, IOException {
        System.out.println("Google Tink key rotation");
        TinkConfig.register();
        // key generation
        KeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;
        KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
        // write it to a file (cleartext keyset: fine for a demo, not for production keys)
        String originalKeysetFilename = "keyset_original.json";
        CleartextKeysetHandle.write(keysetHandle, JsonKeysetWriter.withFile(
                new File(originalKeysetFilename)));
        // load the existing keysetHandle
        KeysetHandle keysetHandleLoaded = CleartextKeysetHandle.read(
                JsonKeysetReader.withFile(new File(originalKeysetFilename)));
        // generate a new key and make it primary key
        KeysetHandle rotatedKeysetHandle = KeysetManager
                .withKeysetHandle(keysetHandleLoaded)
                .rotate(keyTemplate)
                .getKeysetHandle();
        // write it to a file
        String rotatedKeysetFilename = "keyset_rotated.json";
        CleartextKeysetHandle.write(rotatedKeysetHandle, JsonKeysetWriter.withFile(
                new File(rotatedKeysetFilename)));
        System.out.println("key rotation done, new keyset in " + rotatedKeysetFilename);
    }
}
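The question also asked for rotation and activation to be separate steps, while rotate() above does both at once. The following is an added example (not part of the answer or of Tink's documentation) that splits the rollover into add, setPrimary and disable, using the other KeysetManager methods that exist alongside rotate(); the class name StagedRotation, the helper newestKeyId and the sample plaintext are assumptions of this example.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.proto.KeyTemplate;
import com.google.crypto.tink.proto.KeysetInfo;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class StagedRotation {
    // Id of the last key in the keyset; KeysetManager.add appends, so this is the key just added.
    static int newestKeyId(KeysetHandle handle) {
        KeysetInfo info = handle.getKeysetInfo();
        return info.getKeyInfo(info.getKeyInfoCount() - 1).getKeyId();
    }
    public static void main(String[] args) throws GeneralSecurityException {
        AeadConfig.register();
        KeyTemplate template = AeadKeyTemplates.AES128_GCM;
        byte[] plaintext = "secret".getBytes(StandardCharsets.UTF_8);   // constructed sample data
        byte[] aad = "context".getBytes(StandardCharsets.UTF_8);
        // Stage 0: single-key keyset, and a ciphertext produced under that first primary.
        KeysetHandle v1 = KeysetHandle.generateNew(template);
        int oldKeyId = v1.getKeysetInfo().getPrimaryKeyId();
        byte[] ciphertext = v1.getPrimitive(Aead.class).encrypt(plaintext, aad);
        // Stage 1 (rotate): add the new key but leave the old one primary. Roll this keyset
        // out to every instance first, so all of them can already decrypt with the new key.
        KeysetManager manager = KeysetManager.withKeysetHandle(v1).add(template);
        KeysetHandle v2 = manager.getKeysetHandle();
        int newKeyId = newestKeyId(v2);
        if (v2.getKeysetInfo().getPrimaryKeyId() != oldKeyId) throw new AssertionError("primary moved early");
        // Stage 2 (activate): promote the new key. New ciphertexts use it; old ones still decrypt
        // because the old key stays ENABLED and is selected by its TINK output prefix.
        KeysetHandle v3 = manager.setPrimary(newKeyId).getKeysetHandle();
        if (v3.getKeysetInfo().getPrimaryKeyId() != newKeyId) throw new AssertionError("activate failed");
        byte[] decrypted = v3.getPrimitive(Aead.class).decrypt(ciphertext, aad);
        if (!Arrays.equals(decrypted, plaintext)) throw new AssertionError("old ciphertext lost");
        // Stage 3 (retire): once nothing encrypted under the old key remains, disable it. disable()
        // keeps the material so the key can be re-enabled if a ciphertext was missed; destroy() is final.
        KeysetHandle v4 = manager.disable(oldKeyId).getKeysetHandle();
        try {
            v4.getPrimitive(Aead.class).decrypt(ciphertext, aad);
            throw new AssertionError("disabled key must not decrypt");
        } catch (GeneralSecurityException expected) {
            System.out.println("rotation complete; old key " + oldKeyId + " retired");
        }
    }
}
```

Each stage's keyset should be persisted and deployed before the next stage is applied; Stage 1 and Stage 2 are only safe to separate if every decrypting instance has received the keyset containing the new key before any instance starts encrypting with it.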

huangapple
  • Posted on September 19, 2020 00:58:42
  • Please keep this link when reposting: https://go.coder-hub.com/63959906.html