<!-- HTML header for doxygen 1.8.10-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.14"/>
<title>Intel&reg; Enhanced Privacy ID SDK: Managing Groups with iKGF</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtreedata.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
  $(document).ready(initResizable);
/* @license-end */</script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
<link href="epidstyle.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname"><a 
                            onclick="storeLink('index.html')"
                            id="projectlink" 
                            class="index.html" 
                            href="index.html">Intel&reg; Enhanced Privacy ID SDK</a>
&#160;<span id="projectnumber">6.0.1</span>
</div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.14 -->
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
  <div id="nav-tree">
    <div id="nav-tree-contents">
      <div id="nav-sync" class="sync"></div>
    </div>
  </div>
  <div id="splitbar" style="-moz-user-select:none;" 
       class="ui-resizable-handle">
  </div>
</div>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(document).ready(function(){initNavTree('_usingi_k_g_f.html','');});
/* @license-end */
</script>
<div id="doc-content">
<div class="header">
  <div class="headertitle">
<div class="title">Managing Groups with iKGF </div>  </div>
</div><!--header-->
<div class="contents">
<div class="toc"><h3>Table of Contents</h3>
<ul><li class="level1"><a href="#ContactingiKGF">Contacting iKGF</a></li>
<li class="level1"><a href="#RevocationTools">Tools for Creating Revocation Requests</a><ul><li class="level2"><a href="#RevocationTools_revokegrp">Requesting Group Revocation</a></li>
<li class="level2"><a href="#RevocationTools_revokekey">Requesting Private Key Revocation</a></li>
<li class="level2"><a href="#RevocationTools_revokesig">Requesting Signature Revocation</a></li>
</ul>
</li>
<li class="level1"><a href="#ExtractionTools">Tools for Extracting Keys from iKGF Files</a><ul><li class="level2"><a href="#ExtractionTools_extractgrps">Extracting Group Public Keys</a></li>
<li class="level2"><a href="#ExtractionTools_extractkeys">Extracting Member Private Keys</a></li>
</ul>
</li>
</ul>
</div>
<div class="textblock"><p>The issuer handles group membership and revocation. To provision devices with Intel&reg; EPID keys, you need to process data provided by the issuer. Also, in order to revoke a member, you have to generate a revocation request and send it to the issuer.</p>
<p>This section assumes you are using iKGF as your issuer, and describes how to do the following:</p>
<ul>
<li>Create a group revocation request for iKGF</li>
<li>Create a member private key revocation request for iKGF</li>
<li>Create a signature revocation request for iKGF</li>
<li>Extract group public keys from iKGF files</li>
<li>Extract member private keys from iKGF files</li>
</ul>
<p>After you send revocation requests to the issuer, the issuer updates the revocation lists as needed.</p>
<p>The Intel&reg; EPID SDK provides tools designed to make it easier to generate revocation requests and extract keys from iKGF files.</p>
<h1><a class="anchor" id="ContactingiKGF"></a>
Contacting iKGF</h1>
<p>If you want to use the Intel Key Generation Facility (iKGF) as the issuer, contact <a href="#" onclick="location.href='mai'+'lto:'+'inf'+'o@'+'dig'+'it'+'al-'+'cp'+'.co'+'m'; return false;">info@<span style="display: none;">.nosp@m.</span>digi<span style="display: none;">.nosp@m.</span>tal-c<span style="display: none;">.nosp@m.</span>p.co<span style="display: none;">.nosp@m.</span>m</a> to get started.</p>
<h1><a class="anchor" id="RevocationTools"></a>
Tools for Creating Revocation Requests</h1>
<p>The Intel&reg; EPID SDK includes tools to help you request that iKGF add a revoked group, member private key, or signature to a revocation list.</p>
<p>These tools are designed to create a revocation request in the specific format required by iKGF. After one of these tools generates a revocation request, the request must be submitted to the issuer in order for the revocation to take effect.</p>
<p>To access the tools, go to <code>_install/epid-sdk/tools</code> in the SDK directory.</p>
<p>You need to build the SDK before you can use these tools. For more information, refer to <a class="el" href="_building_sdk.html">Building from Source</a>.</p>
<p>The following tools are available:</p>
<table class="markdownTable">
<tr class="markdownTableHead">
<th class="markdownTableHeadNone">Tool  </th><th class="markdownTableHeadNone">Purpose   </th></tr>
<tr class="markdownTableBody" class="markdownTableRowOdd">
<td class="markdownTableBodyNone"><code>revokegrp</code>  </td><td class="markdownTableBodyNone">Create group revocation request   </td></tr>
<tr class="markdownTableBody" class="markdownTableRowEven">
<td class="markdownTableBodyNone"><code>revokekey</code>  </td><td class="markdownTableBodyNone">Create member private key revocation request   </td></tr>
<tr class="markdownTableBody" class="markdownTableRowOdd">
<td class="markdownTableBodyNone"><code>revokesig</code>  </td><td class="markdownTableBodyNone">Create signature revocation request   </td></tr>
</table>
<p><br />
</p>
<h2><a class="anchor" id="RevocationTools_revokegrp"></a>
Requesting Group Revocation</h2>
<p>The <code>revokegrp</code> tool adds a group to the revocation request file. </p><pre class="fragment">Usage: revokegrp [OPTION]...
Revoke Intel(R) EPID group

Options:
  --gpubkey=FILE
      load group public key from FILE (default: pubkey.bin)

  --capubkey=FILE
      load IoT Issuing CA public key from FILE

  --reason=NUM
      revocation reason (default: 0)

  --req=FILE
      append group revocation request to FILE (default: grprlreq.dat)

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout
</pre><p><br />
</p>
<h2><a class="anchor" id="RevocationTools_revokekey"></a>
Requesting Private Key Revocation</h2>
<p>The <code>revokekey</code> tool adds a member private key to the revocation request file. </p><pre class="fragment">Usage: revokekey [OPTION]
Revoke Intel(R) EPID private key

Options:
    --mprivkey=FILE
        load private key to revoke from FILE (default: mprivkey.dat)

    --req=FILE
        append private key revocation request to FILE (default: privreq.dat)

    -h, --help
        display this help and exit

    -v,--verbose
        print status messages to stdout

The following options are only needed for compressed keys:

    --gpubkey=FILE
        load group public key from FILE (default: pubkey.bin)

    --capubkey=FILE
        load IoT Issuing CA public key from FILE
</pre><p><br />
</p>
<h2><a class="anchor" id="RevocationTools_revokesig"></a>
Requesting Signature Revocation</h2>
<p>The <code>revokesig</code> tool creates a request to add a signature to the revocation request file.</p>
<p><code>revokesig</code> only accepts valid signatures for addition to the revocation request. </p><pre class="fragment">Usage: revokesig [OPTION]...
Revoke Intel(R) EPID signature

Options:
  --sig=FILE
      load signature to revoke from FILE (default: sig.dat)

  --msg=MESSAGE
      MESSAGE used to generate signature to revoke

  --msgfile=FILE
      FILE containing message used to generate signature to revoke

  --gpubkey=FILE
      load group public key from FILE (default: pubkey.bin)

  --capubkey=FILE
      load IoT Issuing CA public key from FILE

  --req=FILE
      append signature revocation request to FILE (default: sigrlreq.dat)

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout
</pre><h1><a class="anchor" id="ExtractionTools"></a>
Tools for Extracting Keys from iKGF Files</h1>
<p>The Intel&reg; EPID SDK includes tools to help you extract individual keys from files provided by the Intel Key Generation Facility (iKGF).</p>
<p>To access the tools, go to <code>_install/epid-sdk/tools</code> in the SDK directory.</p>
<p>You need to build the SDK before you can use these tools. For more information, refer to <a class="el" href="_building_sdk.html">Building from Source</a>.</p>
<p>The following tools are available:</p>
<table class="markdownTable">
<tr class="markdownTableHead">
<th class="markdownTableHeadNone">Tool  </th><th class="markdownTableHeadNone">Purpose   </th></tr>
<tr class="markdownTableBody" class="markdownTableRowOdd">
<td class="markdownTableBodyNone"><code>extractgrps</code>  </td><td class="markdownTableBodyNone">Extracts group public keys   </td></tr>
<tr class="markdownTableBody" class="markdownTableRowEven">
<td class="markdownTableBodyNone"><code>extractkeys</code>  </td><td class="markdownTableBodyNone">Extracts member private keys   </td></tr>
</table>
<p><br />
</p>
<h2><a class="anchor" id="ExtractionTools_extractgrps"></a>
Extracting Group Public Keys</h2>
<p>The <code>extractgrps</code> tool extracts group public keys from the input file to the current directory. </p><pre class="fragment">Usage: extractgrps [OPTION]... [FILE] [NUM]
Extract the first NUM group certs from FILE to current directory

Options:
  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout
</pre><p><br />
</p>
<h2><a class="anchor" id="ExtractionTools_extractkeys"></a>
Extracting Member Private Keys</h2>
<p>The <code>extractkeys</code> tool extracts member private keys from the input file to the current directory. </p><pre class="fragment">Usage: extractkeys [OPTION]... [FILE] [NUM]
Extract the first NUM private keys from FILE to current directory.

Options:
  -c, --compressed
      extract compressed keys

  -h, --help
      display this help and exit

  -v, --verbose
      print status messages to stdout</pre> </div></div><!-- contents -->
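<p>Because <code>extractkeys</code> writes member private keys to the current directory, the permissions of that directory and the process umask decide who can read the extracted keys. The wrapper below is an added example, not part of the SDK: the function name <code>extract_member_keys</code>, its return codes, and the assumption that the tool exits non-zero on failure are illustrative, and the tool and input file paths are supplied by the caller.</p>

```shell
# Added example (not SDK code): run extractkeys in a fresh owner-only directory.
# Usage: extract_member_keys TOOL KEYFILE NUM OUTDIR [--compressed]
# Returns 0 on success, 2 bad arguments, 3 directory setup failed,
# 4 tool failed, 5 an extracted file is accessible beyond its owner.
extract_member_keys() {
    tool=$1; keyfile=$2; num=$3; outdir=$4; opt=${5:-}

    [ -x "$tool" ] || { echo "not executable: $tool" >&2; return 2; }
    [ -r "$keyfile" ] || { echo "cannot read: $keyfile" >&2; return 2; }
    case $num in
        ''|0|*[!0-9]*) echo "NUM must be a positive integer" >&2; return 2 ;;
    esac
    case $opt in
        ''|--compressed) ;;
        *) echo "unsupported option: $opt" >&2; return 2 ;;
    esac

    # The tool runs from inside OUTDIR, so make both paths absolute first.
    case $tool in /*) ;; *) tool=$PWD/$tool ;; esac
    case $keyfile in /*) ;; *) keyfile=$PWD/$keyfile ;; esac

    (   # subshell: umask and cd do not leak into the caller
        umask 077
        # Plain mkdir fails if OUTDIR exists, so keys never land in a
        # directory that someone else prepared.
        mkdir -m 700 "$outdir" && cd "$outdir" || exit 3

        # Assumption: the tool exits non-zero when extraction fails.
        "$tool" ${opt:+"$opt"} "$keyfile" "$num" || exit 4

        # Belt and braces: reject any file with a group or other bit set.
        loose=$(find . -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) | head -n 1)
        [ -z "$loose" ] || { echo "too permissive: $outdir/$loose" >&2; exit 5; }
    )
}
```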
</div><!-- doc-content -->
<!-- HTML footer for doxygen 1.8.10-->
<!-- start footer part -->
<div id="nav-path" class="navpath"><!-- id is needed for treeview function! -->
  <ul>
    <li class="footer">
      &copy; 2016-2017 Intel Corporation
    </li>
  </ul>
</div>
</body>
</html>