Class SIVAESBasedPairwiseSubjectCodec

java.lang.Object
com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
com.nimbusds.openid.connect.sdk.id.SIVAESBasedPairwiseSubjectCodec

@ThreadSafe public class SIVAESBasedPairwiseSubjectCodec extends PairwiseSubjectCodec
SIV AES - based encoder / decoder of pairwise subject identifiers. Requires a 256, 384, or 512-bit secret key. Reversal is supported.

The plain text is formatted as follows ('|' as delimiter):

 sector_id|local_sub
 

The encoder can be configured to pad the local subject up to a certain string length, typically the maximum expected length of the local subject identifiers, to ensure the output pairwise subject identifiers are output with a length that is uniform and doesn't vary with the local subject identifier length. This is intended as an additional measure against leaking end-user information and hence correlation. Note that local subjects that are longer than the configured length will appear as proportionally longer pairwise identifiers.

Pad local subjects that are shorter than 50 characters in length:

 new SIVAESBasedPairwiseSubjectCodec(secretKey, 50);
 

Related specifications:

  • Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES) (RFC 5297).
  • OpenID Connect Core 1.0, section 8.1.
  • Constructor Details

    • SIVAESBasedPairwiseSubjectCodec

      Creates a new SIV AES - based codec for pairwise subject identifiers. Local subjects are not padded up to a certain length.
      Parameters:
      secretKey - A 256, 384, or 512-bit secret key. Must not be null.
    • SIVAESBasedPairwiseSubjectCodec

      public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int padSubjectToLength)
      Creates a new SIV AES - based codec for pairwise subject identifiers.
      Parameters:
      secretKey - A 256, 384, or 512-bit secret key. Must not be null.
      padSubjectToLength - Pads the local subject to the specified length, -1 (negative integer) for no padding.
  • Method Details