Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

The goal of the crypto and KMS plugins is to provide a pluggable interface for Cryptographic operations such as Encryption, Decryption, Signing and Verification as well as keys management operations usually offered by a KMS (Key Management Service).

Aries Agents should be able to plugin a Crypto module and a KMS module and use their services regardless of their detailed implementation. This will help integrate crypto operations as well as manipulating and querying keys in an agent with minimal change.

Tink, a library created to make crypto easy for non cryptographers, is a strong candidate that offers pluggability of crypto operations and supports integration with multiple KMS solutions like AWS KMS, GCP (Google Cloud KMS) and Android Keystore KMS. It supports multi languages including Go. Tink serves to wrap the crypto functions in a KMS, so the client cannot see secrets, and so the client works with a simpler API that makes it harder to break your crypto. It also supports key wrapping using ECDH, but it does not match ECDH-1PU which will require additional work.


The plan is to have 3 interfaces in three sub-directories under pkg/plugins, one for JWEBuilder to serialize/deserialize a JWE, another for Crypto and the other for KMS. Crypto and KMS interfaces will serve as wrapper to Tink operations like Encrypt(), Decrypt(), Sign(), Verify(), etc. While JWEBuilder will use the other two to build a JWE envelope by offering a Seal (serialize) and Open (unserialize) functions.




The introduction of Tink begins with Crypto interface for which an implementation will use Tink primitives for the crypto operations. Tink will need to be updated to use a custom AEAD cipher with key wrapping using ECDH-1PU. The implementation will somewhat resemble the Hybrid AEAD one in Tink with the difference in the key derivation function differs in 1PU (here) than the conventional and standardized HKDF (example here and defined here) mode.


In Tink, operations are isolated in a distinguished interface grouped by the type of crypto used. There are interfaces for deterministic aead (payload re encryptions yield the same output, this implementation is not recommend), aead (direct mode, no key wrapping), hybrid aead (with key wrapping including key derivation defined as ECDH-ES), signatures and MAC hashing. For the purpose of Aries Agents, only AEAD, Signer and Verifier primitives will be used. The implementation of 1PU will require additional work to see if a new Tink primitive is required or can be implemented separately in the Crypto plugin.






  • No labels