PFS Service

Perfect Forward Secrecy (PFS) is a technique, that protects previously intercepted traffic from being decrypted even if the main private key is compromised.

Virgil PFS Service is a standalone web-service that is dedicated to solve the PFS use-case scenario. It works over Virgil Cards PKI infrastructure and heavily uses Virgil Cards as building blocks. Virgil PFS service can be accessed by using the Virgil PFS Service SDK or Virgil PFS API.

Authorization header

Virgil PFS Service address:

https://api.virgilsecurity.com/pfs/v2

All API calls require authentication with Virgil JWT. So all requests go through Virgil API Gateway which bypasses the request with preset HTTP headers: X-Application-Id, X-Virgil-Identity.

Entities

Each recipient is identified by:

Parameter	Description
IC	User's Identity Card. The long-term user's Card registered for the recipient on the Virgil Cards Service. Identity Card contains information about user and his Public Key. Identity Card will never be rotated and has an unlimited lifetime. Identity Card is stored on Virgil Cards Service
LTK	Long-Term Key. The Key is rotated periodically (on a daily or monthly basis depending on the application developer's security considerations) and signed with the `IC`. `LTK` is created on behalf of the Virgil PFS service.
OTK.	One-Time Key. The short-term Key that expired each session (session lifetime is determined on the client side by the Virgil PFS SDK) and are signed with the `IC`. `OTK` is created on the behalf of the Virgil PFS service.

Endpoints

The Virgil PFS REST API supports the following operations:

Operations	Description
Create Keys Set	Creates a set of keys (LTK and OTK) for provided ID of the Identity Card (IC).
Get Keys	Returns the subset of keys for provided identity.
Validate Keys	Validates a list of one-time keys IDs and returns subset of that list with already used one-time keys IDs.
Delete Keys Set	Deletes keys entity.

Create keys set

Creates a set of keys for provided ID of the Identity Card .

Request info

HTTP Request method    PUT
Request URL            https://api.virgilsecurity.com/pfs/v2/keys HTTP/1.1
Headers                Authorization: Virgil {JWT Token}

Request

{
    "identity_card_id": "3084dab511135ec...b5db52bca8f7bf6b0b83a7fa4c740a59",
    "long_term_key": {
      "public_key": "BASE64_STRING",
      "signature":  "BASE64_STRING"
    },
    "one_time_keys": [
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING"
    ]
}

Response info

HTTP/1.1 200 OK
Content-Type: application/json

Click here to see the description of request parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
identity_card_id	string	-	ID of the Identity Card (user Card). the ID had to be available on Card Service and be the same as used in provided JWT token. In case of update operation, parameter is not required.
long_term_key	object	-	Long-term public key + its signature created using identity private key (user's private key).
one_time_keys	array	-	The list of base64 encoded one-time public keys (up to 150 keys in the cloud).

Get keys set for user

Returns the subset of keys for provided identity (user).

Request info

HTTP Request method    POST
Request URL            https://api.virgilsecurity.com/pfs/v2/keys/actions/pick-one HTTP/1.1
Headers                Authorization: Virgil {JWT Token}

Request

{
    "identity": "[email protected]"
}

Response info

HTTP/1.1 200 OK
Content-Type: application/json

Response

{
	"identity_key": "BASE64_STRING",
	"long_term_key": {
	   "public_key": "BASE64_STRING",
	   "signature":  "BASE64_STRING"
	},
	"one_time_key": "BASE64_STRING"
}

Click here to see the description of response parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
identity_card_id	string	-	Identity card id that must be available on Card service and be the same as used in provided in JWT token. In case of update operation, parameter is not required.
long_term_key	object	-	Long-term public key + its signature created using identity private key (user's private key).
one_time_keys	array	-	The list of base64 encoded one-time public keys (up to 150 keys in the cloud).

Get keys set for multiple users

Returns the list of subset of keys for provided identities.

Request info

HTTP Request method    POST
Request URL            https://api.virgilsecurity.com/pfs/v2/keys/actions/pick-batch HTTP/1.1
Headers                Authorization: Virgil {JWT Token}

Request

{
    "identities": ["[email protected]", "[email protected]"]
}

identities - number of identities for search should be between 1 and 50.

Response info

HTTP/1.1 200 OK
Content-Type: application/json

Response

[
  {
    "identity": "[email protected]",
    "identity_key": "BASE64_STRING",
    "long_term_key": {
        "public_key": "BASE64_STRING",
        "signature": "BASE64_STRING"
    },
    "one_time_key": "BASE64_STRING"
  },
  {
    "identity": "[email protected]",
    "identity_key": "BASE64_STRING",
    "long_term_key": {
        "public_key": "BASE64_STRING",
        "signature": "BASE64_STRING"
    },
    "one_time_key": "BASE64_STRING"
  }
]

Click here to see the description of response parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
identity_card_id	string	-	Identity card id that must be available on Card service and be the same as used in provided in JWT token. In case of update operation, parameter is not required.
long_term_key	object	-	Long-term public key + its signature created using identity private key (user's private key).
one_time_keys	array	-	The list of base64 encoded one-time public keys (up to 150 keys in the cloud).

Validate keys

Validates a list of one-time keys IDs and returns subset of that list with already used one-time keys IDs.

Request info

HTTP Request method    POST
Request URL            https://api.virgilsecurity.com/pfs/v2/keys/actions/validate HTTP/1.1
Headers                Authorization: Virgil {JWT Token}

Request

{
  "long_term_key_id": "BASE64_STRING",
  "one_time_keys_ids": [
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING"
  ]
}

Response info

HTTP/1.1 200 OK
Content-Type: application/json

Response

{
  "used_long_term_key_id": "BASE64_STRING",
  "used_one_time_keys_ids": [
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING",
      "BASE64_STRING"
  ]
}

Click here to see the description of request and response parameters

The endpoint contains the following request and response parameters:

Parameter	Type	Constraints	Description
identity_card_id	string	-	ID of Identity card that must be available on Card service and be the same as used in provided in JWT token. In case of update operation, parameter is not required.
long_term_key	object	-	Long-term public key + its signature created using identity private key.
one_time_keys	array	-	The list of base64 encoded one-time public keys (up to 150 keys in the cloud).

Delete keys set

Deletes keys entity from the PFS service.

Request info

HTTP Request method    DELETE
Request URL            https://api.virgilsecurity.com/pfs/v2/keys HTTP/1.1
Headers                Authorization: Virgil {JWT Token}

Response info

HTTP/1.1 200 OK
Content-Type: application/json

Errors

HTTP error codes

The Application uses standard HTTP response codes:

Error code	Description
200	Success
201	Created
400	Request error
404	Entity not found
405	Method not allowed
500	Server error

HTTP 400. Request errors

This status is returned in extremely rare cases of internal application errors

Error code	Description
30000	Json parsing error.
30001	One of fields is not a valid base64 string.
50000	`X-Application-Id` header is missing.
50001	`X-Account-Id` header is missing.
50002	`X-Virgil-Identity` header is missing.
50003	`identity_card_id` parameter is missing.
50005	`long_term_key` parameter is missing.
50006	`long_term_key.public_key` parameter is missing.
50007	`long_term_key.public_key` parameter has wrong length. Allowed key length is up to 32kb.
50008	`long_term_key.signature` parameter is missing.
50009	`long_term_key.signature` parameter is invalid.
50010	`one_time_keys` parameter is missing.
50011	`one_time_keys` parameter has wrong number of keys. Maximum number of keys should be <= 150
50012	`one_time_keys` parameter has wrong number of keys. Maximum allowed number of keys to append is: 2
50013	`one_time_keys` parameter has a key with wrong size. Max size is 32kb.
50015	`one_time_keys_ids` parameter has wrong number of keys id's to validate. Maximum number of keys id's should be <= 150
50016	`identity` parameter is missing.
50017	Keys data not found for provided identity.
50018	Identity card was not found on Virgil Cards Service.
50019	Identity provided in JWT is not the holder of requested card.

Service SDK

Virgil Security provides SDKs which allow you to communicate with the Virgil PFS Service to upload, download, and synchronize encrypted sensitive data (private keys) between user's devices: