Package de.cotech.hw.pairedkey


Name Summary

open class PairedAuthenticator : SecurityKeyAuthenticator

This use case class performs an “authenticate” operation on a challenge, with a check that the connected security key matches the provided PairedSecurityKey.

This class performs the authenticate operation on a security key. Before doing so, it checks to ensure the security key matches the given PairedSecurityKey. See de.cotech.hw.standalone.SecurityKeyAuthenticator for the same operation outside of a “paired” workflow.


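    byte[] challenge = { (byte) 1, (byte) 2, (byte) 3, (byte) 4 };
    PairedAuthenticator authenticator = new PairedAuthenticator(keyInteractor, pairedPinProvider, pairedSecurityKey);
    // Sign the challenge on the security key, using SHA-1 as the digest.
    byte[] signatureBytes = authenticator.authenticateWithDigest(challenge, "SHA-1");
    // Verify against the authentication public key of the paired security key.
    // authPublicKey is assumed to have been obtained beforehand; this page does not show the accessor.
    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initVerify(authPublicKey);
    signature.update(challenge);
    boolean isVerified = signature.verify(signatureBytes);
    assert isVerified;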

open class PairedDecryptor

This use case class performs a “decrypt” operation on encrypted data, parametrized by a SecurityKeyInteractor, PairedPinProvider, and PairedSecurityKey.

    // Look up the paired key record for the security key that is currently connected.
    PairedSecurityKey pairedSecurityKey = pairedSecurityTokenStorage.getPairedSecurityKey(keyInteractor.getSecurityKeyAid());
    PairedDecryptor decryptor = new PairedDecryptor(keyInteractor, pairedPinProvider, pairedSecurityKey);
    // Load the stored ciphertext for this key and decrypt it on the security key.
    byte[] encryptedSessionSecret = encryptedSessionStorage.getEncryptedSessionSecret(pairedSecurityKey.getSecurityKeyAid());
    ByteSecret sessionSecret = decryptor.decryptSessionSecret(encryptedSessionSecret);

This sessionSecret can be used for symmetric encryption operations, e.g. to encrypt a database.


open class PairedEncryptor

This use case class performs an “encrypt” operation on some data, parametrized by a PairedSecurityKey.

    ByteSecret sessionSecret = SecretGenerator.getInstance().createRandom(32);
    byte[] encryptedSessionSecret = new PairedEncryptor(pairedSecurityKey).encrypt(sessionSecret);

The encryptedSessionSecret is typically stored in a de.cotech.hw.storage.sessionkey.EncryptedSessionStorage, so that the sessionSecret can later be restored using a PairedDecryptor.

The sessionSecret can be used for symmetric encryption operations, e.g. to encrypt a database. Once it has been deleted, it can only be restored from the encryptedSessionSecret when the paired security key is connected.
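
The encrypt, store and restore cycle described for PairedEncryptor and PairedDecryptor, as an added example written against the standard JCA only (it is not code from this SDK). A software RSA key pair stands in for the key pair on the security key, and RSA-OAEP and AES-256-GCM are assumed choices, since this page does not state the wrapping format the SDK uses.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;

public class SessionSecretEnvelopeDemo {
    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();

        // Assumption: software stand-in for the key pair held on the security key.
        // On real hardware the private half never leaves the device; the app
        // keeps only the public half (the role of PairedSecurityKey).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair cardKeyPair = kpg.generateKeyPair();

        // "Encrypt" side: needs only the public key, so no security key has to be connected.
        byte[] sessionSecret = new byte[32];
        random.nextBytes(sessionSecret);
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        wrap.init(Cipher.ENCRYPT_MODE, cardKeyPair.getPublic());
        byte[] encryptedSessionSecret = wrap.doFinal(sessionSecret);

        // Use the session secret as an AES-256-GCM key for application data (constructed sample).
        byte[] iv = new byte[12];
        random.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(sessionSecret, "AES"), new GCMParameterSpec(128, iv));
        byte[] ciphertext = aes.doFinal("constructed sample record".getBytes(StandardCharsets.UTF_8));

        // Delete the plaintext secret; only encryptedSessionSecret, iv and ciphertext stay on disk.
        Arrays.fill(sessionSecret, (byte) 0);

        // "Decrypt" side: requires the private key, i.e. the connected security key.
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        unwrap.init(Cipher.DECRYPT_MODE, cardKeyPair.getPrivate());
        byte[] restored = unwrap.doFinal(encryptedSessionSecret);

        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(restored, "AES"), new GCMParameterSpec(128, iv));
        System.out.println(new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8));
        Arrays.fill(restored, (byte) 0);
    }
}
```

Everything at rest is either encrypted to the security key's public key or encrypted under the session secret, so a copy of the app's storage alone does not yield the data.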


open class PairedSecurityKey : Serializable

A PairedSecurityKey represents a storable reference to a hardware security key that has been paired before.

Specifically, it contains the security key’s AID, and public keys for key pairs stored on the security key. The AID (Application Identifier) contains a unique serial number, which can be used to identify its related security key when it connects.

This class is primarily used for two use cases:

  • Recognize a security key that has been paired before upon connection.
  • Perform public operations on the security key’s key pairs.

This class is a serializable POJO, and instances can be stored in a de.cotech.hw.storage.pairedkey.PairedSecurityKeyStorage, or any storage that supports Serializable objects.


Name Summary
PairedSecurityKeyException open class PairedSecurityKeyException : IOException