Daily Keypair Rotation
As Health Departments in Germany are federated, they need to share a common keypair (namely the daily keypair) to retain access to Check-In data anywhere in Germany (see Tracing the Check-In History of an Infected Guest). This keypair is generated and distributed among all Health Departments once per day. For the distribution, we use the HDEKPs (each of which is uniquely owned by one Health Department) to encrypt the daily keypair's private key separately for every Health Department. These encrypted private key objects are then uploaded to luca.
The following secrets are involved in this process:
Daily keypair. Use / Purpose: Private key is accessible to all Health Departments.
Daily Public Key Rotation
The rotation is performed by whichever Health Department logs in first after the last daily keypair has expired. The new private key is encrypted for, and shared with, all participating Health Departments using their associated HDEKPs (Health Department Encryption Key Pairs) via the Luca Server. Before encrypting the private key with any HDEKP, the Health Department Frontend verifies that the HDEKP was issued to a genuine Health Department and has not been revoked in the meantime (see Verification of Health Department Keypair Certificates).
The daily keypair's public key, together with its creation date, is signed with the HDSKP (Health Department Signing Key Pair) and distributed to all Guest Apps via the Luca Server. This effectively replaces the old daily keypair. All described cryptographic operations are performed in the Health Department Frontend; the Luca Server never learns the daily keypair's private key in plaintext form.
Measures are taken to resolve the race conditions that arise if multiple Health Departments attempt the key rotation simultaneously. Eventually, all Health Departments share the knowledge of the new daily keypair and are able to decrypt the Contact Data of Check-Ins performed on that day.
Private keys of daily keypairs that are older than the epidemiologically relevant time span (specifically, four weeks) can be destroyed. The Luca Server removes all such encrypted private keys for all Health Departments. Furthermore, the Health Department Frontend removes all locally stored copies of such private keys.