Skip to content

[stream] Harden KDF for ChaCha20Poly1305 cipher #1021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
May 30, 2025
Merged

[stream] Harden KDF for ChaCha20Poly1305 cipher #1021

merged 11 commits into from
May 30, 2025

Conversation

BrendanChou
Copy link
Collaborator

@BrendanChou BrendanChou commented May 29, 2025
edited
Loading

Thanks to @dnkolegov-ar for finding these issues

Fixes #1013
Fixes #1014
Fixes #1016

Updates the ChaCha20Poly1305 cipher derivation for the commonware-stream::public_key module:

  • Uses hkdf and sha2::Sha256 to derive the cipher from the Diffie-Hellman shared secret (rather than the shared secret directly)
  • Includes a "commonware" constant, the application namespace, and the handshake transcript into the cipher derivation to tie the construction to the exact usecase
  • Creates separate ciphers for each direction, allowing for simplification of the cipher nonce code

patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
BrendanChou
BrendanChou commented May 29, 2025
View reviewed changes
patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
BrendanChou
BrendanChou commented May 29, 2025
View reviewed changes
patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
BrendanChou
BrendanChou commented May 29, 2025
View reviewed changes
patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
dnkolegov-ar
dnkolegov-ar reviewed May 29, 2025
View reviewed changes
@BrendanChou BrendanChou marked this pull request as ready for review May 29, 2025 22:57
@BrendanChou BrendanChou changed the title [stream] Update ChaCha KDF [stream] Harden KDF for ChaCha20Poly1305 cipher May 29, 2025
patrick-ogrady
patrick-ogrady reviewed May 29, 2025
View reviewed changes
dnkolegov-ar
dnkolegov-ar reviewed May 30, 2025
View reviewed changes
dnkolegov-ar
dnkolegov-ar reviewed May 30, 2025
View reviewed changes
dnkolegov-ar
dnkolegov-ar reviewed May 30, 2025
View reviewed changes
stream/src/public_key/cipher.rs Outdated
let salt = hasher.finalize();

// HKDF-Extract: creates a pseudorandom key (PRK)
let prk = Hkdf::<ISha256>::new(Some(salt.as_ref()), ikm);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think prk is not zeroized

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe prk does its own internal zeroization when its dropped but I'll have to double-check on that

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please. hkdf does not have zeroization, hmac has it, but it is a separate feature.

Copy link
Collaborator Author

@BrendanChou BrendanChou May 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hkdf::Hkdf:

pub struct Hkdf<H: OutputSizeUser, I: HmacImpl<H> = Hmac<H>> {
    hmac: I::Core,
    _pd: PhantomData<H>,
}

Since we use sha2::Sha256 as H and don't specify I, it defaults to hmac::Hmac<sha2::Sha256>. This means that Hkdf itself doesn't have to implement zeroize on drop, only hmac does (PhantomData is inconsequential). Therefore, hmac::Hmac<sha2::Sha256>::Core must ultimately implement zeroize on drop

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm having a difficult time tracing the code that deep but my strong suspicion is that the library ultimately takes care of the zeroize on drop since hkdf and hmac are in the RustCrypto github

@dnkolegov-ar
Copy link
Collaborator

I also opened one minor issue - #1031 - if you think it is valid, it would be great to fix it in this PR.

@BrendanChou
Copy link
Collaborator Author

BrendanChou commented May 30, 2025
edited
Loading

#1031 I will do in a separate PR as I think it's unrelated enough that it doesn't need to be associated with this PR

patrick-ogrady
patrick-ogrady reviewed May 30, 2025
View reviewed changes
stream/src/public_key/cipher.rs
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose it may make sense to put ciphers in cryptography eventually...

@patrick-ogrady patrick-ogrady merged commit e95b043 into main May 30, 2025
13 checks passed
@patrick-ogrady patrick-ogrady deleted the bc/stream branch May 30, 2025 21:07
@codecov Codecov
Copy link

codecov bot commented May 30, 2025

Codecov Report

Attention: Patch coverage is 94.37086% with 17 lines in your changes missing coverage. Please review.

Project coverage is 90.97%. Comparing base (f932db2) to head (19060b5).
Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
stream/src/public_key/cipher.rs 92.97% 17 Missing ⚠️ 
@@            Coverage Diff             @@
##             main    #1021      +/-   ##
==========================================
+ Coverage   90.96%   90.97%   +0.01%     
==========================================
  Files         191      192       +1     
  Lines       53587    54092     +505     
==========================================
+ Hits        48743    49210     +467     
- Misses       4844     4882      +38
Files with missing lines Coverage Δ
cryptography/src/lib.rs 100.00% <ø> (ø)
cryptography/src/sha256/mod.rs 95.60% <100.00%> (+0.14%) ⬆️
stream/src/public_key/connection.rs 99.64% <100.00%> (+<0.01%) ⬆️
stream/src/public_key/nonce.rs 100.00% <100.00%> (ø)
stream/src/public_key/cipher.rs 92.97% <92.97%> (ø)

... and 7 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f932db2...19060b5. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrick-ogrady patrick-ogrady patrick-ogrady approved these changes

@dnkolegov-ar dnkolegov-ar dnkolegov-ar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

The protocol uses a non-standard nonce separation [construction](https://github.com/commonwarexyz/monorepo/blob/5da31892d3b445964cdcef0b1b3e7559cb4b1dd8/stream/src/public_key/mod.rs#L56-L60). The standard technique is to use different keys for each direction. The transcript hash is not used. The transport keys are derived from the DH shared secret, which does not adhere to best practices and may lead to attacks such as the Unknown Key Share attack. The protocol uses x25519 output directly as an encryption key. The raw output of a Diffie-Hellman key exchange should never be used directly as an encryption key (e.g., non-uniform distribution, information leaking). It is [recommended](https://www.rfc-editor.org/rfc/rfc7748.html) to use a key-derivation function to derive encryption keys.

3 participants

@BrendanChou @dnkolegov-ar @patrick-ogrady