Wrap key operation in Azure Key Vault – symmetric keys

Could anyone explain why the bolded part of the wrap key description?

Wraps a symmetric key using a specified key. The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.

AFAIK, all the keys in Azure Key Vault are stored at rest in HSM modules. Why is key wrapping necessary for symmetric keys? What does ‘protection’ mean in this case? Using a public key to encrypt data?

If HSM are securing all the keys in Key Vault (using its built-in symmetric key), then why would encrypting a symmetric key be necessary as quoted?

Can’t one reverse engineering Chrome source code to reveal Widevine and friends keys?

If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find exactly how their work? If so, was it done? If not, why? If this (can be) done, why people continue using these services?

Related: How does Widevine, FairPlay, and other DRM's work under the hood?

Databases and B-Trees: What are Keys and how are they related

I confused about the description & definition of "key" occuring as terminology for databases and b-trees.

In first case dealing with theory of databases a key is defined as a choice for a in certain sense minimal (see below) subset $ K \subset A := \{A_1,A_2,…,A_n\}$ of a fixed set of attributes $ A_i$ parametrizing a data table (consisting of relations; a single relation is abstraction of a row in the table), where each attribute is literally a column specifying a property of objects = relations.

A key is characterized by property that there exist no two different relations (a relation is a row) which have exactly the same values for all attributes which belong to the key. And a key is a minimal subset with this property, ie there not exist a proper smaller subset of attributes contained in the key and having the property described in last sentence. Clearly keys are not unique. So the set of a keys is certain subset of the power set of the set attributes $ A_i$ . See also here: https://en.wikipedia.org/wiki/Unique_key

On the other hand the key concept occures as well for b-trees: https://en.wikipedia.org/wiki/B-tree#Definition

Here keys are a priori numbers or integers and different knots of b-tree contain different totally ordered subsets of keys where the total order on the space of keys is inherited from the order "$ \ge$ " for integers $ \mathbb{Z}$ . Especially the set of keys is a totally ordered subset of integers.

Question: How are the two concept of ‘key’ related to each other? My first idea was that if we consider in light of for definition (as elements of power set of attributes), we can simply randomly enumerate all the keys (that is associate to each key an number; formally speaking to specify an injection $ f:\mathcal{K} \to \mathbb{Z}, K \mapsto f(K)$ where $ \mathcal{K} \subset \Omega(A)$ )

and then treat them as numbers when working with b-trees. Is this exactly the correct connection or is there another deeper one and my approach is wrong?

Storing private keys for updates to remote device

I’m reading up on how to perform signed updates for remote hardware devices. I need to check if the new software has been generated by a "trusted" source, ie me.

Based on my understanding of asymmetric cryptography I understand that I can embed a public key on all my devices and then any new software that needs to be updated on the device, needs to have a signed hash in a header that I could check against. I’m all onboard until this part, and it sounds great for secure updates, but I’m wondering how one would securely store the private key. Say I built 1M units. All have the public key programmed on them. If my private key is lost for whatever reason, I lose the ability to update any of these devices. It sounds like the jugular vein. Should I accept storing private keys very safely as a cost of doing business, or is there a better way to handle this case?

Can Protonmail import dsa1024 keys?

I have a public key sent by a friend. It’s dsa1024. I have imported this key into gpg and can encrypt messages with it. But, when I try to upload it to Protonmail for his contact, I get a message that it’s not a valid PGP key.

I can successfully upload other keys for other contacts. Here’s the result of gpg -k (with fingerprint and email obscured).

pub   dsa1024 2003-12-09 [SCA] [expires: 2021-06-06]       5----------------------------------------4 uid           [ unknown] ---------- <---@---.net> uid           [ unknown] ---------- <------@-------.com> sub   elg4096 2003-12-09 [E] [expires: 2021-06-06] 

Does Protonmail not support DSA 1024? Could I be doing something else wrong?

How to exchange public keys between two servers in a secure way?

I have 2 servers with pair of RSA public and private keys.

I need to establish a trust between 2 servers: I need to copy a public key form the first server to the second server and the public key from the second server to the first server.

Note that it is not Diffie–Hellman key exchange (that explained very well here "Diffie-Hellman Key Exchange" in plain English).

The simplest way is just manually copy the public keys from one server to another. Additional option is to use the following homegrown flow:

  1. Generate a one-time token on the first server
  2. Copy the token manually to the second server
  3. The first servers accesses the second server via API. Ase the token for the API authentication. The API implementation exchanges public keys between servers

Any suggestions to improve the flow?

Do we have some best practices flow since homegrown flows usually bad for security?

GPG issues with sending and receiving keys

I’ve experimented a lot with GPG the last couple days and one issue persists:

Someone signed my GPG key and published it to a keyserver X. I can see on the webpage that his signature is shown under my key, so that worked. But my local PGP doesn’t understand:

gpg --keyserver [X] —refresh-keys [myKey] gpg: refreshing 1 key from [X] gpg: key [myKey]: [...] not changed gpg: Total number processed: 1 gpg:              unchanged: 1 

If I check my signatures, that new signature doesn’t appear.

gpg --list-sigs [myKey] => only outputs the signatures I already had before (either manually imported or signed by other keys that belong to me) 

Also, when signing a key and performing a --send-keys, it throws no errors but the key just never arrives on the servers. This only happens with some keyservers. I read something about ports maybe being closed by the firewall, but didn’t find any concise answer for what to check and how to fix.

Thanks in advance!

PS: Sometimes, the webinterfaces of the keyservers I’m using just load forever or are generally very slow or unreachable, is this normal?