
OrBIT User Guide

Obfuscations


Note

Obfuscation is only available for the eSecIP Professional and eSecIP Standard editions.

The obfuscations information type is optional for the product configuration file.

Obfuscation records define how sensitive information, such as a password or cryptographic key, can be obfuscated when it is provisioned onto a device.

  • With the eSecIP Professional edition, you can use the same obfuscation record for multiple configuration objects. Critical assets such as the encryption key and the initialization vector are generated afresh by the Security Appliance every time the record is used. The remaining input parameters, such as the KDF, the anti-cloning mode and the AAD value, are reused in every use of the record.

  • With the eSecIP Standard edition, a separate obfuscation record must be created for every configuration object, because all obfuscation-related values are written to user-defined addresses. Every obfuscated item that shared a record would therefore also share the same values, including the cryptographic ones.

If no obfuscation records are required for a product, the obfuscations field should be provided as an empty list ("obfuscations": []). However, because data that is not obfuscated is provisioned to the device as clear text, it is recommended that all data be obfuscated where practicable.

| Field name | Description |
|---|---|
| aad | A string with additional authenticated data (AAD) for use with the AES128GCM obfuscation type. Optional. |
| aadAddress | The memory location for the additional authenticated data (AAD). Only for the eSecIP Standard edition; mandatory when the obfuscation type is AES128GCM. |
| aadLengthAddress | The memory location for the length value (in bytes) of the additional authenticated data (AAD). Only for the eSecIP Standard edition; mandatory when the obfuscation type is AES128GCM. |
| antiCloning | Specifies whether the device ID is used in the obfuscation. Mandatory. |
| id | The name of the obfuscation record. Mandatory. |
| kdf | The key derivation function to use in the obfuscation. Mandatory. |
| nonceAddress | The memory location for the nonce (number used once) generated by the Security Appliance. Only for the eSecIP Standard edition; mandatory when the obfuscation type is CHACHA20. |
| obfKeyAddress | The memory location for the obfuscated encryption key generated by the Security Appliance. Only for the eSecIP Standard edition; mandatory when the obfuscation type is CHACHA20. |
| obfuscationType | The cryptographic function to use for the obfuscation. Mandatory. |
| saltAddress | The memory location for the random (salt) value generated by the Security Appliance. Only for the eSecIP Standard edition, where it is mandatory. |
| tagAddress | The memory location for the message authentication code (tag) generated by the Security Appliance. Only for the eSecIP Standard edition; mandatory when the obfuscation type is AES128GCM. |

Table 8. Summary of available fields for the obfuscations information type
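The rules in Table 8 are easy to get wrong by hand, in particular the address fields that are mandatory only in the Standard edition and only for one obfuscation type. The following is an added example, not part of the OrBIT User Guide or the eSecIP tooling: a small checker that reads the "obfuscations" list from a product configuration and reports which records violate the table. The sample configuration fragments are constructed for this example. It assumes things the guide does not state: that AES128GCM and CHACHA20 are the only obfuscation types, that antiCloning is a JSON boolean, that record ids must be unique, and that address values are opaque (their format is not checked). The KDF name "EXAMPLE_KDF" is a placeholder, not a value from the product.

```python
"""Checker for the "obfuscations" list of an eSecIP product configuration file.

Added example; not part of the OrBIT User Guide or the eSecIP tooling.
Assumptions not stated in the guide: only the two obfuscation types named
in Table 8 exist, antiCloning is a JSON boolean, record ids are unique, and
address values are opaque (their format is not validated).
"""
import json

ALWAYS_MANDATORY = ("id", "antiCloning", "kdf", "obfuscationType")
KNOWN_TYPES = ("AES128GCM", "CHACHA20")  # assumption: only the types named in the guide

# Address fields exist only in the Standard edition (values are written to
# user-defined addresses); which ones are mandatory depends on the type.
STANDARD_ADDRESS_FIELDS = {
    "AES128GCM": ("saltAddress", "aadAddress", "aadLengthAddress", "tagAddress"),
    "CHACHA20": ("saltAddress", "nonceAddress", "obfKeyAddress"),
}
ALL_ADDRESS_FIELDS = frozenset(
    f for fields in STANDARD_ADDRESS_FIELDS.values() for f in fields
)


def validate_obfuscations(records, edition):
    """Return a list of problems; an empty list means the records agree with Table 8."""
    problems = []
    if edition not in ("Professional", "Standard"):
        if records:  # obfuscation is only available in these two editions
            problems.append(f"edition {edition!r} does not support obfuscation "
                            f"but {len(records)} record(s) are present")
        return problems
    seen_ids = set()
    for idx, rec in enumerate(records):
        name = rec.get("id", f"<record #{idx}>")
        for field in ALWAYS_MANDATORY:
            if field not in rec:
                problems.append(f"{name}: missing mandatory field {field!r}")
        if name in seen_ids:  # assumption: ids must be unique
            problems.append(f"{name}: duplicate record id")
        seen_ids.add(name)
        if not isinstance(rec.get("antiCloning", False), bool):  # assumption: boolean
            problems.append(f"{name}: antiCloning must be true or false")
        obf_type = rec.get("obfuscationType")
        if obf_type is not None and obf_type not in KNOWN_TYPES:
            problems.append(f"{name}: unknown obfuscationType {obf_type!r}")
            continue
        if "aad" in rec and obf_type == "CHACHA20":
            problems.append(f"{name}: 'aad' is only for the AES128GCM type")
        present_addr = ALL_ADDRESS_FIELDS.intersection(rec)
        if edition == "Professional":
            # The Security Appliance manages these values itself; addresses do not apply.
            for field in sorted(present_addr):
                problems.append(f"{name}: {field!r} is only for the Standard edition")
        elif obf_type in STANDARD_ADDRESS_FIELDS:
            for field in STANDARD_ADDRESS_FIELDS[obf_type]:
                if field not in rec:
                    problems.append(f"{name}: {field!r} is mandatory for {obf_type} "
                                    f"in the Standard edition")
    return problems


def validate_product_config(cfg, edition):
    """Whole-file check: the key is optional, but when present it must be a list (possibly [])."""
    records = cfg.get("obfuscations", [])
    if not isinstance(records, list):
        return ['"obfuscations" must be a list; use [] when no records are needed']
    return validate_obfuscations(records, edition)


# Constructed sample fragments (not taken from the guide). "EXAMPLE_KDF" is a placeholder.
PROFESSIONAL_CONFIG = json.loads("""
{"obfuscations": [
  {"id": "wifi_psk_obf", "obfuscationType": "AES128GCM", "kdf": "EXAMPLE_KDF",
   "antiCloning": true, "aad": "wifi-psk-v1"}
]}""")

# Second record deliberately omits tagAddress, which Table 8 makes mandatory for AES128GCM.
STANDARD_CONFIG = json.loads("""
{"obfuscations": [
  {"id": "wifi_psk_obf", "obfuscationType": "CHACHA20", "kdf": "EXAMPLE_KDF",
   "antiCloning": true, "saltAddress": "0x08001000", "nonceAddress": "0x08001010",
   "obfKeyAddress": "0x08001020"},
  {"id": "cloud_key_obf", "obfuscationType": "AES128GCM", "kdf": "EXAMPLE_KDF",
   "antiCloning": false, "aad": "cloud-key-v1", "saltAddress": "0x08002000",
   "aadAddress": "0x08002010", "aadLengthAddress": "0x08002030"}
]}""")

if __name__ == "__main__":
    for label, cfg, edition in (("Professional", PROFESSIONAL_CONFIG, "Professional"),
                                ("Standard", STANDARD_CONFIG, "Standard")):
        found = validate_product_config(cfg, edition)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

Run it as a pre-flight step before handing a configuration to the provisioning tooling: the Professional sample passes, while the Standard sample reports the missing tagAddress on the second record. Dropping an address field in the Standard edition means the Security Appliance has nowhere to place that value on the device, so catching it in the file is cheaper than discovering it at provisioning time.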