Keys and Algorithms

Keys and algorithms in the LaunchKey API are defined using the JSON Web Key (JWK) and JSON Web Algorithm (JWA) standards.

Keys

LaunchKey supports key rotation and multiple active keys as a mechanism to limit the damage a key exposure can cause to the LaunchKey API and iovation Subscribers. To support these key-based features, a key identifier must be included with every message sent to and received from the LaunchKey API. JWK supports this functionality by allowing for a key ID header, kid, to be provided. The kid header should contain the Key ID for a Public Key that belongs to a particular entity. The key ID for an entity can be obtained from the Keys section in the Admin Center or via an API call.

Algorithms

LaunchKey supports multiple algorithms and key strengths for encryption and cryptographic signatures.

Encryption

The LaunchKey API is based on public key cryptography. Due to restrictions on data size with the available public key cryptography algorithms, the LaunchKey API utilizes a mixture of public key cryptography and symmetric key cryptography in a methodology known as key wrapping. Put simply, key wrapping encrypts the data using symmetric key cryptography with a random key, and that random key is then encrypted using public key cryptography. As such, two separate algorithms need to be defined for data encryption in the LaunchKey API. The first is the content encryption algorithm. The second is the key encryption algorithm.

Content Encryption

The content encryption algorithm is identified in a JOSE header with the enc attribute. This is the algorithm used to encrypt the content of a message. The acceptable algorithms for content encryption are:

A256CBC-HS512: Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with a 256 bit cipher key utilizing a Secure Hash Algorithm 2 (SHA-2) 512 bit Hash-Based Message Authentication Code (HMAC) to generate the authentication tag.

Key Encryption

The encryption algorithm for the cipher key is identified in a JOSE header with the alg attribute. The acceptable algorithms for key encryption are:

RSA-OAEP: RSA encryption with Optimal Asymmetric Encryption Padding (OAEP) utilizing a Secure Hash Algorithm 1 (SHA-1) 160 bit hashing mechanism.
RSA-OAEP-256: RSA encryption with Optimal Asymmetric Encryption Padding (OAEP) utilizing a Secure Hash Algorithm 2 (SHA-2) 256 bit hashing mechanism.

Digital Signatures

The digital signature algorithm is identified in a JOSE header with the alg attribute. The acceptable algorithms for digital signatures are:

RS256: RSA encryption utilizing a Secure Hash Algorithm 2 (SHA-2) 256 bit hashing mechanism.
RS384: RSA encryption utilizing a Secure Hash Algorithm 2 (SHA-2) 384 bit hashing mechanism.
RS512: RSA encryption utilizing a Secure Hash Algorithm 2 (SHA-2) 512 bit hashing mechanism.

Body Hash

These are non-JOSE algorithm identifiers used to identify the hashing algorithm used to hash the HTTP body in a JWT.

S256: Secure Hash Algorithm 2 (SHA-2) 256 bit hash.
S384: Secure Hash Algorithm 2 (SHA-2) 384 bit hash.
S512: Secure Hash Algorithm 2 (SHA-2) 512 bit hash.
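
A receiver can enforce the identifier lists above before doing any cryptographic work, so a token naming an unlisted algorithm, or one missing its kid, is rejected early. The following is an added example, not LaunchKey's own code: the function names, the sample kid and the placeholder token segments are hypothetical, and it assumes the body hash is carried in the JWT as a hex string.

```python
import base64, hashlib, hmac, json

# Allowlists copied from the identifiers listed on this page.
JWE_ALG = ("RSA-OAEP", "RSA-OAEP-256")   # key encryption, "alg"
JWE_ENC = ("A256CBC-HS512",)             # content encryption, "enc"
JWS_ALG = ("RS256", "RS384", "RS512")    # digital signatures, "alg"
BODY_HASH = {"S256": hashlib.sha256, "S384": hashlib.sha384, "S512": hashlib.sha512}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_jose_header(token):
    """Return the protected header of a compact JWS/JWE if it passes the allowlists.
    Header inspection only: no signature is verified and nothing is decrypted."""
    parts = token.split(".")
    if len(parts) not in (3, 5):         # 3 segments = JWS, 5 segments = JWE
        raise ValueError("not a compact JWS or JWE")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:            # bad base64, bad UTF-8 or bad JSON
        raise ValueError("unreadable JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    if not isinstance(header.get("kid"), str) or not header["kid"]:
        raise ValueError("missing kid header")
    alg, enc = header.get("alg"), header.get("enc")
    if len(parts) == 5:
        if alg not in JWE_ALG or enc not in JWE_ENC:
            raise ValueError("JWE alg/enc not in allowlist")
    elif alg not in JWS_ALG:
        raise ValueError("JWS alg not in allowlist")
    return header

def verify_body_hash(func, claimed_hex, body):
    """Recompute the HTTP body hash named by func; compare in constant time.
    Assumption: the JWT carries the digest as a hex string."""
    if not isinstance(func, str) or func not in BODY_HASH:
        raise ValueError("body hash algorithm not in allowlist")
    digest = BODY_HASH[func](body).hexdigest()
    return hmac.compare_digest(digest.encode(), claimed_hex.lower().encode())

def sample_token(header, segments):
    """Constructed sample: real header segment, placeholder remaining segments."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([head] + ["AAAA"] * (segments - 1))

if __name__ == "__main__":
    jwe = sample_token({"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "kid": "example-kid"}, 5)
    print(check_jose_header(jwe))
    print(verify_body_hash("S256", hashlib.sha256(b"{}").hexdigest(), b"{}"))
```

Because the segment count decides which allowlist applies, a signature algorithm presented on an encrypted token (or the reverse) fails the check rather than being passed to the wrong primitive.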
