User flows
This section explains the user actions needed to accomplish various tasks and how the TR-34 services are used in the context of the protocol.
There are two scenarios:
- Peer-to-peer exchange where two parties use the protocol to establish a common transport key to exchange symmetric keys securely. In the peer-to-peer scenario, one party is the KDH (Key Distribution Host) and the other party is the KRD (Key Receiving Device).
- One KDH (Key Distribution Host) to many KRDs (Key Receiving Devices), where the host uses the protocol to establish a transport key for distributing symmetric keys with each of the receiving devices in service.
Parameters used in the protocol
The following are descriptions of some of the common parameters in the TR-34 protocol. They are credentials, certificates, TR-34 tokens, and CCA or TR-31 key tokens.
- CSR-KDH: PKCS #10 certificate signing request for KDH.
- CSR-KRD: PKCS #10 certificate signing request for KRD.
- CredKDH: KDH credential (X.509 certificate) with ID and public key.
- CredKRD: KRD credential (X.509 certificate) needed for key distribution.
- CredCA: Certificate Authority credential.
- CRL-CA: Certificate Revocation List from CA.
- CT-KDH: KDH credential token, KDH bind token.
- RBT-KDH: KDH rebind token.
- UBT-KDH: KDH unbind token.
- CT-KRD: KRD credential token, containing CredKRD.
- RT-KRD: Random number token, generated by KRD.
- KT-KDH: KDH key token – 1 or 2 pass.
- D-kdh-T: RSA private key token for KDH, contains the private key (D-kdh) and public key (E-kdh).
- D-krd-T: RSA private key token for KRD, contains the private key (D-krd) and public key (E-krd).
- Kn: Key to be exported using TR-34.
- Kn-T: CCA or TR-31 key tokens.
Note: These scenarios assume that the KDH and KRD are using CCA services and servers for the TR-34 setup and applications. When CCA services are not being used, other appropriate cryptographic services should be substituted and used. The same situation applies to hardware and key storage.