BlackBerry Spark Communications Platform Guide

Cloud Key Storage

In the BlackBerry Spark Communications Platform, messages are protected from being viewed or modified by anyone other than the sender and the intended recipients. The cryptographic keys used to protect communications are stored and distributed in a cloud storage system that you choose.

To ensure that your application may use any combination of the SDKs to fulfill its needs, a common storage schema for the encryption, signing, and symmetric keys must be maintained across all product lines. For example, both the Android and iOS versions of an application using the Spark SDK must be able to exchange keys, and users must be able to switch between those two versions without losing their keys.

Architecture Overview - Cloud Key Management

Requirements

Private data

The cloud storage solution must include restricted read and write access (private data can only be read or written if the owner of that data is logged into the app). The following private data must be stored:

Public data

The cloud storage solution must include public read access (where public data can only be read by authenticated users within the ecosystem) and restricted write access (where public data can only be written if the owner of that data is logged into the application). The following public data must be stored:

Securing Private Keys

Your application should secure exported private key data with a per-user secret before storing it in the cloud.

The Spark example applications protect all private keys with the following steps:

  1. Generate a securely random symmetric encryption key and HMAC key. These keys are referred to as the management keys.
  2. Use the management keys to encrypt and compute a MAC over each private key data value being stored (AES-256-CTR and HMAC-SHA-256 are used in the provided examples).
  3. Store the encrypted bytes, nonce (initialization vector) and MAC for each key in the cloud.
  4. Use a key derivation function (KDF) to derive a symmetric encryption key and HMAC key from a user-provided password. The example applications use ANSI X9.42/X9.63 SHA-512 (see Section 3.6.1) as the KDF.
  5. Use the keys derived by the KDF to encrypt and compute a MAC over the management keys created in step 1.
  6. Store the encrypted management key data created in step 5 in the cloud. The keys derived by the KDF must not be stored.
  7. To recover the private key data, run the KDF as in step 4 to re-create the derived keys. Verify the MAC and decrypt the management keys with the derived keys, then verify the MAC and decrypt each Spark SDK private key with the management keys.

Example Cloud Key Storage Integrations

Spark can use any cloud storage system that meets these basic requirements.

For example: