Symmetric Key Derivation
ICE never stores or transmits encryption keys directly. Instead, keys are algorithmically derived using the NIST-approved PBKDF2 algorithm. Here's how the process works:
Baseline Key Material (BKM): The passphrase entered by the user, referred to as the Baseline Key Material (BKM), serves as the foundation for key derivation.
Salt and Iterations: The BKM is combined with a 128-bit salt, and PBKDF2 runs 15,000 iterations to produce the derived key. (NIST recommends a minimum of 10,000 iterations.)
Derived Key: The result is a 256-bit encryption key used to encrypt data.
Note: To simplify the user interface, ICE Desktop and ICE Mobile label the BKM as the 'encryption key.' While not technically accurate, this label helps users understand its purpose as the input from which the encryption key is derived.
When sharing channel configurations—either tactically via QR codes and files or through the ICE Server in enterprise mode—only the BKM is transmitted between clients. The derived encryption key and the salt used to generate it are never shared.
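The derivation described above, written out as an added example (not ICE's own code) using Python's standard library with the page's parameters: a 128-bit salt, 15,000 iterations and a 256-bit output. The page does not name PBKDF2's underlying PRF, so HMAC-SHA-256 is assumed here; the minimum-iteration check reflects the NIST figure quoted above.

```python
import hashlib
import os

# Parameters as stated on the page: 128-bit salt, 15,000 iterations, 256-bit key.
SALT_BYTES = 16
ITERATIONS = 15_000
DERIVED_KEY_BYTES = 32
NIST_MIN_ITERATIONS = 10_000

# Assumption: the page does not state the PRF used inside PBKDF2; HMAC-SHA-256 is assumed.
PRF = "sha256"


def new_salt() -> bytes:
    """Return a fresh random 128-bit salt from the OS CSPRNG."""
    return os.urandom(SALT_BYTES)


def derive_key(bkm: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit encryption key from the Baseline Key Material (the user passphrase).

    The BKM is the only value that is ever shared between clients; the salt and the
    derived key stay local. PBKDF2 is deterministic, so two clients obtain the same
    key only if they feed in the same BKM, the same salt and the same iteration count.
    """
    if len(salt) != SALT_BYTES:
        raise ValueError(f"salt must be {SALT_BYTES * 8} bits, got {len(salt) * 8}")
    if iterations < NIST_MIN_ITERATIONS:
        raise ValueError(f"iterations must be at least {NIST_MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac(PRF, bkm.encode("utf-8"), salt, iterations, DERIVED_KEY_BYTES)


if __name__ == "__main__":
    # Constructed sample input: a user-entered passphrase and a locally generated salt.
    bkm = "correct horse battery staple"
    salt = new_salt()
    key = derive_key(bkm, salt)
    print(f"salt ({len(salt) * 8} bits): {salt.hex()}")
    print(f"derived key ({len(key) * 8} bits): {key.hex()}")
    # Changing either the salt or the BKM yields an unrelated key.
    print("different salt, same BKM:", derive_key(bkm, new_salt()).hex())
```

Because the salt is an input to the derivation, a client that receives only the BKM must already hold the matching salt to arrive at the same key; the length and iteration checks reject configurations weaker than the ones the page specifies.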