
Key Derivation

In the realm of cryptography, key derivation plays a pivotal role in ensuring secure communication and data protection. Key derivation generates new cryptographic keys from existing ones, either as persisted keys (which occupy storage) or through temporary derivation at the time of use. Understanding the distinction between persisted and temporarily derived keys is essential for implementing robust security measures and for saving storage space, so that your application can scale better.

The derive flag of the base key must be set to true for it to be used in key derivation.

It is crucial to understand the difference between persisted derived keys and temporary derived keys.

Persisted Derived Keys

You can derive from a base key and persist that derived key. This approach offers the advantage of faster signing operations since the derived key is readily available for repeated usage without the need for re-computation. However, it's important to note that persisting derived keys incurs overhead in terms of storage space and management, as they need to be securely stored.

Derived keys can be generated by using the endpoint:

Temporary Derived Keys

Temporary derived keys, on the other hand, are generated dynamically upon cryptographic requests and used for specific operations without persisting them in storage. These keys are derived on-the-fly from existing master keys and discarded after their immediate use, eliminating the need for long-term storage. Temporary key derivation is often preferred in scenarios where security and efficiency are paramount, as it minimizes the risk of key exposure and reduces storage overhead.

Endpoint where Temporary Key Derivation is available:

Key-Derivation Process

The key-derivation process for both elliptic curve (EC) and Edwards-curve (ED) keys follows a similar path-based approach, delineated by the path separator /.

Signing with a persisted derived key and signing with temporary key derivation work the same way from the caller's perspective: the key is either loaded from the key store or re-computed upon the cryptographic request.

Note: in the following example the master key is called PerformanceTestDerive and the derivation path is /44'/60'/0'.

POST /v1/synchronousSign

{
  "signRequest": {
    "payload": "c2VjdXJvc3lz",
    "payloadType": "UNSPECIFIED",
    "signKeyName": "PerformanceTestDerive/44'/60'/0'",
    "signKeyObject": null,
    "keyPassword": null,
    "metaData": null,
    "metaDataSignature": null,
    "signatureAlgorithm": "NONE_WITH_ECDSA"
  }
}
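The following Python example, added here and not part of the original page or the vendor's code, illustrates two things described above: how a path-based key name such as PerformanceTestDerive/44'/60'/0' is split into a master key name and child indices, and how the same signing request is served either from a persisted derived key or by temporary derivation. It assumes the apostrophe marks a hardened index in the BIP32 sense (index plus 2^31); the child-derivation step (HMAC-SHA512 over the parent key and index) and the HMAC-SHA256 "signature" standing in for ECDSA are illustrative constructions, not the HSM's actual algorithms. The in-memory KeyStore class and the derivations counter are constructed for the example to make the storage versus recomputation trade-off visible.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Assumption: "n'" in a path means hardened index n + 2^31 (BIP32 convention).
HARDENED_OFFSET = 1 << 31


def parse_key_path(name: str) -> Tuple[str, List[int]]:
    """Split 'Master/44'/60'/0'' into the master key name and child indices.

    The first component is the master key name; each following component is a
    decimal index, optionally suffixed with an apostrophe for a hardened child.
    """
    parts = name.split("/")
    master, components = parts[0], parts[1:]
    if not master:
        raise ValueError("missing master key name")
    indices: List[int] = []
    for comp in components:
        match = re.fullmatch(r"(\d+)(')?", comp)
        if match is None:
            raise ValueError(f"invalid path component: {comp!r}")
        idx = int(match.group(1))
        if idx >= HARDENED_OFFSET:
            raise ValueError(f"index out of range: {comp!r}")
        if match.group(2):
            idx += HARDENED_OFFSET
        indices.append(idx)
    return master, indices


def derive_child(parent_key: bytes, parent_chain: bytes, index: int) -> Tuple[bytes, bytes]:
    """Illustrative hardened child derivation (not the HSM's algorithm):
    HMAC-SHA512 keyed with the parent chain code over the parent key and the
    big-endian index, split into a 32-byte child key and 32-byte chain code."""
    if index < HARDENED_OFFSET:
        raise ValueError("only hardened derivation is shown in this example")
    data = b"\x00" + parent_key + index.to_bytes(4, "big")
    digest = hmac.new(parent_chain, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


class KeyStore:
    """In-memory stand-in for the HSM key store (constructed for this example)."""

    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[bytes, bytes]] = {}
        self.derivations = 0  # number of child-derivation steps performed so far

    def create_master(self, name: str, seed: bytes) -> None:
        """Create a master key (with the derive flag implied) from a seed."""
        digest = hmac.new(b"example-master-seed", seed, hashlib.sha512).digest()
        self._keys[name] = (digest[:32], digest[32:])

    def _derive_path(self, name: str) -> Tuple[bytes, bytes]:
        """Walk the path from the master key, one hardened step per component."""
        master, indices = parse_key_path(name)
        if master not in self._keys:
            raise KeyError(f"unknown master key: {master!r}")
        key, chain = self._keys[master]
        for idx in indices:
            key, chain = derive_child(key, chain, idx)
            self.derivations += 1
        return key, chain

    def derive_persisted(self, name: str) -> None:
        """Persisted derived key: compute once, then store it under the full path name."""
        self._keys[name] = self._derive_path(name)

    def sign(self, key_name: str, payload: bytes) -> bytes:
        """Resolve the signing key from the store if it was persisted, otherwise
        derive it temporarily for this request. HMAC-SHA256 stands in for ECDSA."""
        if key_name in self._keys:
            key, _ = self._keys[key_name]          # persisted: no recomputation
        else:
            key, _ = self._derive_path(key_name)   # temporary: derived on the fly
        return hmac.new(key, payload, hashlib.sha256).digest()


def demo() -> Tuple[int, int, bool]:
    """Sign the same payload via temporary derivation and via a persisted key.
    Returns (derivation steps after temporary signing, steps after persisted
    signing, whether both signatures match)."""
    store = KeyStore()
    store.create_master("PerformanceTestDerive", b"constructed-seed")
    payload = b"securosys"  # base64 "c2VjdXJvc3lz" from the request above
    path = "PerformanceTestDerive/44'/60'/0'"
    sig_temporary = store.sign(path, payload)      # three derivation steps
    after_temporary = store.derivations
    store.derive_persisted(path)                   # three more steps, then stored
    sig_persisted = store.sign(path, payload)      # no further derivation
    return after_temporary, store.derivations, sig_temporary == sig_persisted


if __name__ == "__main__":
    print(demo())
```

Run as-is, demo() reports that the temporary request cost three derivation steps, persisting the key cost three more, and the subsequent signing with the persisted key cost none, while both signatures are identical; this is the trade-off the sections above describe: persisted keys spend storage to avoid recomputation, temporary derivation spends computation to avoid storage.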

Conclusion

In summary, the distinction between persisted and temporarily derived keys lies in their storage and lifespan. While persisted keys offer long-term consistency and availability, temporary derived keys provide efficiency benefits by avoiding storage space utilization. Understanding and implementing key derivation mechanisms tailored to specific requirements is crucial for maintaining robust cryptographic practices.