Daily Key Pair Rotation

As Health Departments are federated in Germany, they need to share a common key pair (namely the daily key pair) to retain access to Check-In data anywhere in Germany (see Tracing the Check-In History of an Infected Guest). This key pair is generated and distributed among all Health Departments on a daily basis. For the distribution, we use the HDEKPs (each uniquely owned by one Health Department) to encrypt the daily key pair's private key for every Health Department. These encrypted private key objects are then uploaded to luca.

Overview

Assets

  • None

Preconditions

Postconditions

Secrets

The following secrets are involved in this process:

Secret: daily key pair
Use / Purpose: Guest Apps use the daily key pair's public key to encrypt their contact data reference for every Check-In. The daily key pair is rotated frequently to minimize potential misuse.
Location: The private key is accessible to all Health Departments.

Secret: HDSKP
Use / Purpose: New daily key pair public keys are signed by the Health Department's private key so that Guest Apps can validate the public key's authenticity.
Location: Every Health Department maintains its own HDSKP locally. Certified public keys are distributed via the luca Server.

Secret: HDEKP
Use / Purpose: New daily key pair private keys are encrypted for each Health Department via their associated HDEKP.
Location: Every Health Department maintains its own HDEKP locally. Certified public keys are distributed via the luca Server.

Daily Public Key Rotation

For every Check-In the Guest App encrypts a contact data reference with the daily key pair. To mitigate the impact of any single compromised key, luca rotates the daily key pair frequently.

The rotation is performed by whichever Health Department logs in after the last daily key pair has expired. The private key is encrypted and shared with all participating Health Departments using their associated HDEKPs (Health Department Encryption Key Pairs) via the luca Server. Prior to encrypting the private key with any HDEKP, the Health Department Frontend verifies that it was issued by a genuine Health Department and has not been revoked in the meantime (see Verification of Health Department Key Pair Certificates).

The daily key pair's public key (together with its creation date) is signed with the HDSKP (Health Department Signing Key Pair) and distributed to all Guest Apps via the luca Server. This effectively replaces the old daily key pair. All described cryptographic actions are performed in the Health Department Frontend; the luca Server never learns the daily key pair's private key in plaintext form.

Measures are taken to resolve race conditions if multiple Health Departments try to perform the key rotation simultaneously. Eventually, all Health Departments share knowledge of the new daily key pair and are ready to decipher the Contact Data of Check-Ins performed on that day.

Rotation Process

[Figure: daily key rotation process diagram (daily_key_rotation_2_0.svg)]

Key Destruction

Private keys of daily key pairs that are older than the epidemiologically relevant time span (specifically, four weeks) can be destroyed. The luca Server removes all such encrypted private keys for all Health Departments. Furthermore, the Health Department Frontend removes all locally stored copies of such private keys.