# BSNk Polymorphic Decryption Keys

When you receive BSNk key material from our Technical Support or via the automatic Signicat Identity Broker endpoint, it is not immediately clear which key serves which purpose. There are three possible keys obtained from BSNk that are used in polymorphic decryption of pseudo IDs and identifiers. These are:

  • The closing key (EC)
  • Pseudo ID key (EP)
  • Identity key (EI)

# Steps to follow

Follow these steps to identify which keys you have received from BSNk:

1. You will receive a Base64-encoded stream of keys from BSNk. Save each Base64-encoded string in a file, then Base64-decode its contents using:

base64 -d {file} > out.p7

The Base64-decoded output is the p7 file, which contains an encrypted key in binary format.

2. Have your private key ready. The file should begin with

-----BEGIN RSA PRIVATE KEY-----

with the base64 encoded private key contents and end with

-----END RSA PRIVATE KEY-----

Let's name this file dv-private-key.pem.

3. Decrypt the encrypted key using:

openssl cms -decrypt -in out.p7 -inkey dv-private-key.pem -inform DER -out key-file.pem

4. Open the output key-file.pem. The contents will look like:

-----BEGIN EC PRIVATE KEY-----
SchemeVersion: 1
SchemeKeyVersion: 1
Type: EP Closing
Recipient: OIN of the customer
RecipientKeySetVersion: Version identifying the recipient and their active key set.

Base64 encoded private key
-----END EC PRIVATE KEY-----

The Type field in the metadata section shows what type of key it is. The types are:

  • EP Closing --> closing key
  • EP Decryption --> Pseudo ID key
  • EI Decryption --> Identity key
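
Steps 1 to 4 combined into one script that decrypts each received file and reports its purpose from the Type header. This is an added example, not Signicat or BSNk tooling; the function names and the `.b64` input extension are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical names: bsnk_key_purpose, bsnk_unwrap,
# bsnk_identify_all, and the *.b64 input files.

# Step 4: map the "Type:" header of a decrypted key file to its purpose.
bsnk_key_purpose() {
    # Read only the metadata block, which ends at the first empty line.
    type=$(awk '/^[[:space:]]*$/ { exit }
        /^Type:/ { sub(/^Type:[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }' "$1")
    case "$type" in
        "EP Closing")    echo "closing key (EC)" ;;
        "EP Decryption") echo "Pseudo ID key (EP)" ;;
        "EI Decryption") echo "Identity key (EI)" ;;
        *) echo "unknown type: ${type:-<none>}" >&2; return 1 ;;
    esac
}

# Steps 1-3 for one Base64 file: decode, CMS-decrypt, print the output path.
bsnk_unwrap() {
    src=$1; privkey=$2; out=${src%.b64}.pem
    p7=$(mktemp) || return 1
    # umask 077: the output is an EC private key, keep it owner-only.
    if ( umask 077
         base64 -d "$src" > "$p7" &&
         openssl cms -decrypt -in "$p7" -inkey "$privkey" -inform DER -out "$out" )
    then rm -f "$p7"; echo "$out"
    else rm -f "$p7"; return 1
    fi
}

# Usage: bsnk_identify_all dv-private-key.pem key1.b64 key2.b64 key3.b64
bsnk_identify_all() {
    privkey=$1; shift
    for f in "$@"; do
        pem=$(bsnk_unwrap "$f" "$privkey") || { echo "$f: decrypt failed" >&2; continue; }
        printf '%s: %s\n' "$pem" "$(bsnk_key_purpose "$pem")"
    done
}
```
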
Last updated: 9/20/23, 12:13:17 PM UTC