2.2.9.1.13 ENABLINGBITS
An ENABLINGBITS element includes a key and a hash encrypted together in a license or certificate. The format for ENABLINGBITS is as follows:
Enabling bits in XrML license = Base64Encoded(RawEnablingBits)
RawEnablingBits = KPublic(KeyHeader & KSession) + KSession(EnablingBitsHeader + (KeyHeader & K) + Hash)
Note Notation: 'K(A)' means data 'A' encrypted with key 'K'.
|
License |
KPublic |
K |
Hashed data |
|---|---|---|---|
|
Licensor (RMS Server) public key |
Symmetric content key |
ISSUEDPRINCIPALS element of PL |
|
|
RAC public key |
Symmetric content key |
ISSUER element of UL |
|
|
RAC public key |
CLC private key |
ISSUER element of CLC |
|
|
RAC |
Security processor public key |
RAC private key |
ISSUER element of RAC |
K varies depending upon the type of license. The preceding table describes what K and A are for each of the license types that contain enabling bits.
The session key MUST be either a 56-bit Data Encryption Standard (DES) key or a 128-bit, 192-bit, or 256-bit Advanced Encryption Standard (AES) key. The KeyHeader for the session key describes the key type, size, and block size. For more information about the KeyHeader, see section 2.2.9.1.13.1.
A new session key is randomly generated each time the client or server has to create enabling bits. The session key is encrypted with the public key (licensor public key, group identity certificate (GIC) public key, or machine public key, depending upon the license type) and this forms the first 1,024 bits of the ENABLINGBITS, assuming a 1,024-bit RSA key was used for the encryption. The size of this equals the size of the RSA key pair encrypting the symmetric key, and since during decryption the size of the private key is already known (from the prologue of the key bits), the size of the encrypted symmetric key is also known.
The session key is used to encrypt the rest of the data in the ENABLINGBITS. The rest of the data includes an enabling bits header, the key header and key, and the hash.
The ENABLINGBITS header is defined as follows.
-
typedef struct _UDEBHeader { DWORD dwVersion; DWORD dwcbSize; DWORD dwReserved1; DWORD dwReserved2; } UDEBHeader;
The value of dwVersion is 0x00000001 for enabling bits of type "sealed-key" and 0x00000002 for enabling bits of type "sealed-key-v2". In either case, the value is a 32-bit unsigned LE integer.
The size of the header is 128 bits. The value of dwReserved1 and dwReserved2 MUST be 0. The dwcbSize indicates the combined size of the payload and hash. The format of the field is a 32-bit unsigned LE integer.
The key itself is either an RSA private key or a 56-bit DES or AES (128-bit, 192-bit, or 256-bit) symmetric content key. The KeyHeader in front of the key specifies the key type, size, and algorithm block size.
The hash is a hash of XrML data. The XrML data that is hashed depends on the type of XrML document, as described in the preceding table. The hash is a 160-bit SHA-1 hash for enabling bits of type "sealed-key" and a 256-bit SHA-256 hash for enabling bits of type "sealed-key-v2".
The ENABLINGBITS header, the payload, and the hash are concatenated and then encrypted with the freshly generated symmetric key. The result of this encryption is then concatenated with the encrypted symmetric key, and the result of this is base64-encoded and can be inserted into the XrML document. The encryption uses PKCS #1 padding for enabling bits of type "sealed-key" and OAEP padding for enabling bits of type "sealed-key-v2".
The ENABLINGBITS element contains the enabling bits in XrML. It MUST follow the XrML DTD and the following template.
-
<ENABLINGBITS type="[[- type -]]"> <VALUE encoding="base64" size="[[- size -]]"> [[- sealedkey -]] </VALUE> </ENABLINGBITS>
[[- type -]]: The type of the enabling bits: "sealed-key" or "sealed-key-v2".
[[- size -]]: The length, in bits, of the enabling bits.
[[- sealedkey -]]: The enabling bits, base64-encoded.