Daily Keypair Rotation

As Health Departments are federated in Germany, they need to share a common keypair (namely the daily keypair) to retain access to Check-In data anywhere in Germany (see Tracing the Check-In History of an Infected Guest). This keypair is generated and distributed among all Health Departments on a daily basis. For the distribution, we use the HDEKPs (that are uniquely owned by each health department) to encrypt the daily keypair’s private key for each Health Department. These encrypted private key objects are then uploaded to luca.

Overview

Assets

  • None

Preconditions

Postconditions

Secrets

The following secrets are involved in this process:

| Secret | Use / Purpose | Location |
|---|---|---|
| daily keypair | Guest Apps use the daily keypair’s public key to encrypt their contact data reference for every Check-In. The daily keypair is rotated frequently to minimize potential misuse. | Private key is accessible to all Health Departments. |
| HDSKP | New daily keypair public keys are signed by the Health Department’s private key so that Guest Apps can validate the public key’s authenticity. | Every Health Department maintains their own HDSKP locally. Certified public keys are distributed via the Luca Server. |
| HDEKP | New daily keypair private keys are encrypted for each Health Department via their associated HDEKP. | Every Health Department maintains their own HDEKP locally. Certified public keys are distributed via the Luca Server. |

Daily Public Key Rotation

For every Check-In the Guest App encrypts a contact data reference with the daily keypair’s public key. To mitigate the impact of any single compromised key, luca rotates the daily keypair frequently.

The rotation is performed by whichever Health Department logs in after the last daily keypair has expired. The new private key is encrypted for each participating Health Department with its associated HDEKP (Health Department Encryption Key Pair) and shared via the Luca Server. Prior to encrypting the private key with any HDEKP, the Health Department Frontend verifies that the HDEKP was issued by a genuine Health Department and has not been revoked in the meantime (see Verification of Health Department Keypair Certificates).

The daily keypair’s public key (together with its creation date) is signed with the HDSKP (Health Department Signing Key Pair) and distributed to all Guest Apps via the Luca Server. This effectively replaces the old daily keypair. All described cryptographic actions are performed in the Health Department Frontend; the Luca Server never learns the daily keypair’s private key in plaintext form.

Measures are taken to resolve race conditions when multiple Health Departments attempt the key rotation simultaneously. Eventually, all Health Departments share the knowledge of the new daily keypair and are ready to decipher the Contact Data of Check-Ins performed on that day.

Rotation Process

[Figure: Rotation Process sequence diagram (../_images/daily_key_rotation_2_0.svg)]

Key Destruction

Private keys of daily keypairs that are older than the epidemiologically relevant time span (specifically, four weeks) can be destroyed. The Luca Server removes all such encrypted private keys for all Health Departments. Furthermore, the Health Department Frontend removes all locally stored copies of such private keys.