
Integrity Information Object

The integrityInformation object, nested within encryptionInformation, provides mechanisms to verify the integrity of the encrypted payload, essential for streaming and detecting tampering.

Example

"integrityInformation": {
  "rootSignature": {
    "alg": "HS256",
    "sig": "M2E2MTI5YmMxMW...WNlMWVjYjlmODUzNmNiZQ==" // Base64 encoded signature
  },
  "segmentHashAlg": "GMAC",
  "segments": [ { /* See Segment Object */ } ],
  "segmentSizeDefault": 1000000,
  "encryptedSegmentSizeDefault": 1000028
}

Fields

| Parameter | Type | Description | Required? |
| --- | --- | --- | --- |
| rootSignature | Object | Contains a cryptographic signature or HMAC over the combined integrity hashes of all segments, providing overall payload integrity. | Yes |
| rootSignature.alg | String | Algorithm used for the rootSignature.sig. HS256 (HMAC-SHA256 using the payload key) is commonly used. | Yes |
| rootSignature.sig | String | The Base64 encoded signature or HMAC value. Calculated over the concatenation of all segment hashes/tags in order. E.g., Base64(HMAC-SHA256(PayloadKey, Concat(SegmentHash1, SegmentHash2, ...))). | Yes |
| segmentHashAlg | String | The algorithm used to generate the hash for each segment in the segments array. GMAC (using the AES-GCM payload key) is commonly used when method.algorithm is AES-256-GCM. | Yes |
| segments | Array | An array of Segment Objects, one for each chunk of the payload if method.isStreamable is true. Order MUST match payload order. | Yes |
| segmentSizeDefault | Number | The default size (in bytes) of the plaintext payload segments. Allows omitting segmentSize in individual segment objects if they match this default. | Yes |
| encryptedSegmentSizeDefault | Number | The default size (in bytes) of the encrypted payload segments (including any authentication tag overhead, like from AES-GCM). Allows omitting encryptedSegmentSize in segments. | |

encryptionInformation.integrityInformation.segment

Object containing integrity information about a segment of the payload, including its hash.

{
  "hash": "NzhlZDg5OWMwZWVhZDBjMWEzZTQyYmFlODA0NjNlMDM=",
  "segmentSize": 14056,
  "encryptedSegmentSize": 14084
}

| Parameter | Type | Description |
| --- | --- | --- |
| hash | String | A hash generated using the specified segmentHashAlg. Base64.encode(HMAC(segment, payloadKey)) |
| segmentSize | Number | The size of the segment. This field is optional. The size of the segment is inferred from 'segmentSizeDefault' defined above, but in the event that a segment were modified and re-encrypted, the segment size would change. |
| encryptedSegmentSize | Number | The size of the segment (in bytes) after the payload segment has been encrypted. |
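
The following is an added example, not code from the specification or any implementation of it. It shows how a reader of the payload can check rootSignature and the per-segment hashes described above, and why both are needed. Assumptions: HS256 is used for both segmentHashAlg and rootSignature.alg, each hash is the Base64 of the raw HMAC over the encrypted segment bytes, and the names build_integrity and verify_integrity are hypothetical.

```python
import base64, hashlib, hmac

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def build_integrity(key: bytes, enc_segments: list, default_size: int) -> dict:
    """Build integrityInformation for already-encrypted segments (assumed layout)."""
    tags = [mac(key, s) for s in enc_segments]
    entries = []
    for tag, seg in zip(tags, enc_segments):
        entry = {"hash": base64.b64encode(tag).decode()}
        if len(seg) != default_size:  # per-segment size only when it differs
            entry["encryptedSegmentSize"] = len(seg)
        entries.append(entry)
    root = base64.b64encode(mac(key, b"".join(tags))).decode()
    return {"rootSignature": {"alg": "HS256", "sig": root},
            "segmentHashAlg": "HS256", "segments": entries,
            "encryptedSegmentSizeDefault": default_size}

def verify_integrity(info: dict, key: bytes, payload: bytes):
    """Return (ok, reason). Root signature first, then each segment in order."""
    if info["rootSignature"]["alg"] != "HS256" or info["segmentHashAlg"] != "HS256":
        return False, "unsupported algorithm"
    tags = [base64.b64decode(s["hash"]) for s in info["segments"]]
    sig = base64.b64decode(info["rootSignature"]["sig"])
    # Authenticates the segment list itself: dropped or reordered entries fail here.
    if not hmac.compare_digest(mac(key, b"".join(tags)), sig):
        return False, "root signature mismatch"
    offset = 0
    for i, (seg, tag) in enumerate(zip(info["segments"], tags)):
        size = seg.get("encryptedSegmentSize", info["encryptedSegmentSizeDefault"])
        chunk = payload[offset:offset + size]
        if len(chunk) != size:
            return False, f"segment {i}: payload truncated"
        if not hmac.compare_digest(mac(key, chunk), tag):
            return False, f"segment {i}: hash mismatch"
        offset += size
    if offset != len(payload):
        return False, "trailing bytes after last segment"
    return True, "ok"

# Constructed sample: stand-in "ciphertext" segments and a fixed demo key.
KEY = bytes(range(32))
SEGMENTS = [b"A" * 16, b"B" * 16, b"C" * 8]
INFO = build_integrity(KEY, SEGMENTS, default_size=16)
PAYLOAD = b"".join(SEGMENTS)

if __name__ == "__main__":
    print(verify_integrity(INFO, KEY, PAYLOAD))
```

Checking the root signature before any segment means a manifest whose last segment entry was removed together with the matching payload bytes is rejected, even though every remaining per-segment hash still verifies.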