
Feature Request: Individual LLA Keys Per RID

Open dandrzejewski opened this issue 2 months ago • 1 comments

My understanding is that dvmhost can currently have a "global" LLA key in its configuration, which means every subscriber accessing that site must have the same key loaded.

This presents the obvious issue of having to share LLA keys between multiple subscribers, but also means that all of the sites a particular subscriber unit affiliates with must have the same LLA key configured.

One way to implement this might be to add a field to the rid_acl.dat with that RID's LLA key in it.

dandrzejewski avatar Nov 05 '25 05:11 dandrzejewski

There are a variety of reasons why this isn't currently a feature, and while it is valid, it is a back-burner todo list item.

  1. Currently yes, we could slap the LLA key onto the end of the parameters in the rid_acl.dat file; however, this is very insecure, and not all data from the rid_acl.dat is transferred from FNE to host/endpoint. (RID ACL transfers from FNE to host/endpoint are very sparse for performance reasons. On top of that, the host mainly doesn't give a shit about the rest of the parameters other than the RID and whether or not that RID is enabled.)
  2. The same issue currently exists for UKEK implementation for DVM's eventual KMF implementation. Feasibly a secure container, keyed by RID, for both the UKEK and LLA key would be best for this.
  3. Parts of how LLA currently works would need to be refactored; LLA requires more than just the LLA key under the hood, and there are a few cryptographic parameters that are derived from it. Once we've actually split and created LLA keys per RID, we would now need to properly generate the intermediate parameters (the ones actually used for the LLA test). This could create a bit of a performance problem and LLA response latency problem depending on how it's implemented.
  4. An ACL transfer or other DVM network protocol opcode would need to be created to transfer cryptographic data tied to a RID from FNE to host/endpoint.

gatekeep avatar Nov 05 '25 12:11 gatekeep