Cloud Key Storage
In BlackBerry Spark Communication Services, messages are protected from being viewed or modified by anyone other than the sender and intended recipients. The cryptographic keys used to protect communications can be stored and distributed in a cloud storage system that you choose.
Your application should use a common storage schema for the encryption, signing, and symmetric keys for all platforms and operating systems it supports. For example, both the Android and iOS versions of an application using the SDK must be able to exchange keys, and users must be able to switch between those two versions without losing their keys.
- The cloud storage system must authenticate users using tokens or credentials managed by your application.
- The cloud storage system must allow a user to read and write private data.
- The cloud storage system must allow a user to publish data that other users can read only.
The cloud storage solution must include restricted read and write access (private data can only be read or written if the owner of that data is logged into your application). The following private data must be stored:
- The user's private encryption key
- The user's private signing key
- The symmetric encryption key for each of the user's chats
The cloud storage solution must include public read access (where public data can only be read by authenticated users within the ecosystem), and restricted write access (where private data can only be written if the owner of that data is logged into the application). The following public data must be stored:
- The user's public encryption key
- The user's public signing key
Securing Private Keys
Your application should secure exported private key data with a per-user secret before storing it in the cloud.
When using Cloud Key Storage, the SDK example applications protect all private keys with the following steps:
1. Generate a securely random symmetric encryption key and HMAC key. These keys are referred to as the management keys.
2. Use the management keys to encrypt and create a MAC for each private key data value being stored (the provided examples use AES-256-CTR and HMAC-SHA-256).
3. Store the encrypted bytes, nonce (initialization vector) and MAC for each key in the cloud.
4. Use a key derivation function (KDF) to generate a symmetric encryption key and HMAC key from a user-provided password. The example applications use ANSI X9.42/X9.63 SHA-512 (see Section 3.6.1) as the KDF.
5. Use the keys derived by the KDF to encrypt and create a MAC of the management keys created in step 1.
6. Store the encrypted management key data created in step 5 in the cloud. The keys derived by the KDF must not be stored.
7. To recover the private key data, run the KDF on the user's password again to re-create the derived keys. Use the derived keys to decrypt the management keys, then use the management keys to decrypt the SDK private key data.
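The steps above, worked through in Go as an added example (this is not the SDK's own code and is not taken from the SDK example applications): AES-256-CTR plus HMAC-SHA-256 for each stored value, the ANSI X9.63 KDF with SHA-512 for the password-derived keys, and the management keys wrapped under those derived keys. The function names, the record layout, and the per-user salt passed as the KDF's SharedInfo are this example's assumptions; the page names only the user's password as the KDF input. The example generalizes the procedure to any number of named private values, so the per-chat symmetric keys listed earlier on this page can be wrapped the same way as the two private keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
)

type ProtectedBlob struct{ Ciphertext, Nonce, MAC []byte } // cloud record for one protected value (step 3)

// sealBlob is step 2: AES-256-CTR with a fresh random nonce, then HMAC-SHA-256 over nonce||ciphertext.
func sealBlob(bundle, plaintext []byte) (ProtectedBlob, error) { // bundle: 32-byte AES key || 32-byte HMAC key
	block, err := aes.NewCipher(bundle[:32])
	if err != nil {
		return ProtectedBlob{}, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedBlob{}, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	h := hmac.New(sha256.New, bundle[32:])
	h.Write(nonce)
	h.Write(ct)
	return ProtectedBlob{Ciphertext: ct, Nonce: nonce, MAC: h.Sum(nil)}, nil
}

// openBlob verifies the MAC in constant time before decrypting; a tampered or mis-keyed record yields no plaintext.
func openBlob(bundle []byte, b ProtectedBlob) ([]byte, error) {
	h := hmac.New(sha256.New, bundle[32:])
	h.Write(b.Nonce)
	h.Write(b.Ciphertext)
	if len(b.Nonce) != aes.BlockSize || !hmac.Equal(h.Sum(nil), b.MAC) {
		return nil, errors.New("MAC verification failed")
	}
	block, err := aes.NewCipher(bundle[:32])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCTR(block, b.Nonce).XORKeyStream(pt, b.Ciphertext)
	return pt, nil
}

// kdfX963SHA512 is the ANSI X9.63 KDF with SHA-512: the concatenation of SHA-512(z || counter || sharedInfo)
// for a 4-byte big-endian counter starting at 1, truncated to outLen bytes.
func kdfX963SHA512(z, sharedInfo []byte, outLen int) []byte {
	var out []byte
	for i := uint32(1); len(out) < outLen; i++ {
		h := sha512.New()
		h.Write(z)
		binary.Write(h, binary.BigEndian, i)
		h.Write(sharedInfo)
		out = h.Sum(out)
	}
	return out[:outLen]
}

// ProtectForCloud runs steps 1 to 6 over named private values (encryption key, signing key, per-chat keys) and
// returns the records to upload. A per-user salt as KDF SharedInfo is this example's assumption, not the page's.
func ProtectForCloud(password string, salt []byte, private map[string][]byte) (map[string]ProtectedBlob, ProtectedBlob, error) {
	mgmt := make([]byte, 64) // step 1: random 32-byte AES-256 key || 32-byte HMAC-SHA-256 key
	_, err := rand.Read(mgmt)
	if err != nil {
		return nil, ProtectedBlob{}, err
	}
	wrapped := make(map[string]ProtectedBlob, len(private))
	for name, key := range private { // step 2
		if wrapped[name], err = sealBlob(mgmt, key); err != nil {
			return nil, ProtectedBlob{}, err
		}
	}
	// steps 4 and 5: derive keys from the password and wrap the management keys; the derived keys are never stored
	wrappedMgmt, err := sealBlob(kdfX963SHA512([]byte(password), salt, 64), mgmt)
	if err != nil {
		return nil, ProtectedBlob{}, err
	}
	return wrapped, wrappedMgmt, nil
}

// RecoverFromCloud is step 7: re-derive from the password, unwrap the management keys, then each private value.
func RecoverFromCloud(password string, salt []byte, wrapped map[string]ProtectedBlob, wrappedMgmt ProtectedBlob) (map[string][]byte, error) {
	mgmt, err := openBlob(kdfX963SHA512([]byte(password), salt, 64), wrappedMgmt)
	if err != nil || len(mgmt) != 64 {
		return nil, errors.New("cannot unwrap management keys: wrong password or tampered record")
	}
	private := make(map[string][]byte, len(wrapped))
	for name, blob := range wrapped {
		if private[name], err = openBlob(mgmt, blob); err != nil {
			return nil, err
		}
	}
	return private, nil
}
```

ProtectForCloud returns the two things the cloud holds for a user: the wrapped private values and the wrapped management keys. RecoverFromCloud releases no plaintext when a MAC check fails, which is how a wrong password or a modified record surfaces. Every sealBlob call draws its own random nonce, so re-encrypting the same key twice never reuses a CTR keystream.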
Example Cloud Key Storage Integrations
The SDK can use any cloud storage service that meets the basic requirements outlined above. The following sections of this guide show how to use some popular storage services in your application.