The ASk is used by the KSM to derive the dASk, which is then used to decrypt the SK...R1. If the only thing we give the client is the certificate, how does it encrypt the SK...R1 so the server is able to process it? Would be nice to know how it works generally, because I've been getting questions about it and can't provide a helpful answer. Thanks in advance.
FairPlay Client Question
Hi,
FPS's core security functions are:
- ASk calculation algorithm
- DASk derivation algorithm
The ASk is a symmetric key utilised as the Root-of-Trust and bootstraps the secure communication between the FPS enabled client and server.
The DASk is a session-bound symmetric key derived from the ASk and a random value R2 used to further encrypt communication.
While the DASk algorithm is available to developers via the FPS SDK, the ASk algorithm is highly confidential and is not documented.
At a high level, the FPS client consumes the Application Certificate and from this, using the core security function, the client is able to calculate the ASk. On the server side, the ASk is hardcoded and readily available.
During SPC generation, the FPS client will calculate the DASk through the core security function and a randomly generated 21-byte value, R2. The SK_R1 block is then symmetrically encrypted against the DASk. The R2 is included in the SPC message that the server consumes.
Now since both the FPS client and server have the ASk and R2 value, both sides can confidently calculate the DASk which is used to encrypt / decrypt the SK_R1 block.
Hope this answers your question.
ThetaSeg!
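The exchange described in the answer above, as an added example that is not part of the original post or of the FPS SDK. The key derivation (HMAC-SHA256) and the cipher (an HMAC-based keystream) are stand-ins chosen for illustration, the function names and the SPC dictionary layout are hypothetical, and the client's calculation of the ASk from the Application Certificate is not modelled because that algorithm is undocumented; both sides simply start with the same constructed ASk.

```python
import hashlib
import hmac
import os

R2_LEN = 21  # the answer states R2 is a randomly generated 21-byte value


def derive_dask(ask: bytes, r2: bytes) -> bytes:
    """Session-bound key from the root key and R2.
    Stand-in KDF (HMAC-SHA256), NOT the FPS SDK's DASk derivation."""
    if len(r2) != R2_LEN:
        raise ValueError("R2 must be 21 bytes")
    return hmac.new(ask, b"dask" + r2, hashlib.sha256).digest()[:16]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode XORed with data.
    Encrypts and decrypts; no integrity protection is modelled."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def client_build_spc(ask: bytes, sk_r1: bytes) -> dict:
    """Client side: pick a fresh R2, derive the DASk, encrypt the SK_R1 block.
    R2 travels in the clear inside the SPC; the ASk never does."""
    r2 = os.urandom(R2_LEN)
    dask = derive_dask(ask, r2)
    return {"r2": r2, "enc_sk_r1": _keystream_xor(dask, sk_r1)}


def server_open_spc(ask: bytes, spc: dict) -> bytes:
    """Server side: recompute the same DASk from its own ASk copy and the
    R2 carried in the SPC, then decrypt the SK_R1 block."""
    dask = derive_dask(ask, spc["r2"])
    return _keystream_xor(dask, spc["enc_sk_r1"])


if __name__ == "__main__":
    ask = bytes(range(16))                      # constructed sample ASk
    sk_r1 = b"constructed SK_R1 block contents"  # constructed sample payload
    spc = client_build_spc(ask, sk_r1)
    print("server recovered SK_R1:", server_open_spc(ask, spc) == sk_r1)
```

Because R2 is fresh for every SPC, each request is encrypted under a different DASk even though the ASk never changes, and a server holding a different ASk cannot recover the block.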