diff options
author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-01-04 17:22:54 +0100 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-01-05 15:23:38 +0100 |
commit | b9292918b2ec3c26492ae2424756080059a089b4 (patch) | |
tree | 18cb7dfd715759f0d64d0d67c574af3981e7cf21 /security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java | |
parent | bb6638634f5bec608f62d710c97b0b97f79fc07f (diff) |
Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based crypto
This is to get around the limitation where AES GCM can only produce
a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before
its security properties break down. ChaCha20-Poly1305 does not have any
practical limitations here.
ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits.
A HKDF is used to internally expand the key material to 256 bits.
To let token based decryption be fully backwards compatible, introduce
a token version 2. V1 tokens will be decrypted with AES-GCM 128, while
V2 tokens use ChaCha20-Poly1305.
As a bonus, cryptographic operations will generally be _faster_ after
this cipher change, as we use BouncyCastle ciphers and these do not use
any native AES instructions. ChaCha20-Poly1305 is usually considerably
faster when running without specialized hardware support. An ad-hoc
experiment with a large ciphertext showed a near 70% performance increase
over AES-GCM 128.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java | 57 |
1 files changed, 48 insertions, 9 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java index b59e7cff6b4..22503292413 100644 --- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java +++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java @@ -7,6 +7,7 @@ import com.yahoo.security.hpke.Hpke; import com.yahoo.security.hpke.Kdf; import com.yahoo.security.hpke.Kem; import org.bouncycastle.crypto.engines.AESEngine; +import org.bouncycastle.crypto.modes.ChaCha20Poly1305; import org.bouncycastle.crypto.modes.GCMBlockCipher; import org.bouncycastle.crypto.params.AEADParameters; import org.bouncycastle.crypto.params.KeyParameter; @@ -21,6 +22,8 @@ import java.security.SecureRandom; import java.security.interfaces.XECPrivateKey; import java.security.interfaces.XECPublicKey; +import static com.yahoo.security.ArrayUtils.toUtf8Bytes; + /** * Implements both the sender and receiver sides of a secure, anonymous one-way * key generation and exchange protocol implemented using HPKE; a hybrid crypto @@ -40,9 +43,13 @@ import java.security.interfaces.XECPublicKey; */ public class SharedKeyGenerator { - private static final int AES_GCM_KEY_BITS = 128; - private static final int AES_GCM_AUTH_TAG_BITS = 128; - private static final String AES_GCM_ALGO_SPEC = "AES/GCM/NoPadding"; + private static final int AES_GCM_KEY_BITS = 128; + private static final int AES_GCM_AUTH_TAG_BITS = 128; + + private static final int CHACHA20_POLY1305_KEY_BITS = 256; + private static final int CHACHA20_POLY1305_AUTH_TAG_BITS = 128; + private static final byte[] CHACHA20_POLY1305_KDF_CONTEXT = toUtf8Bytes("ChaCha20Poly1305 key expansion"); + private static final byte[] EMPTY_BYTES = new byte[0]; private static final SecureRandom SHARED_CSPRNG = new SecureRandom(); // Since the HPKE ciphersuite is not provided in the token, we must be very explicit about what it always is @@ -61,7 +68,7 @@ public class SharedKeyGenerator { public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, KeyId keyId) { var secretKey = generateRandomSecretAesKey(); - return internalSealSecretKeyForReceiver(secretKey, receiverPublicKey, keyId); + return internalSealSecretKeyForReceiver(SealedSharedKey.CURRENT_TOKEN_VERSION, secretKey, receiverPublicKey, keyId); } public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) { @@ -71,13 +78,15 @@ public class SharedKeyGenerator { } public static SecretSharedKey reseal(SecretSharedKey secret, PublicKey receiverPublicKey, KeyId keyId) { - return internalSealSecretKeyForReceiver(secret.secretKey(), receiverPublicKey, keyId); + // The resealed token must inherit the token version of the original token, or the receiver will + // end up trying to decrypt with the wrong parameters and/or cipher. + return internalSealSecretKeyForReceiver(secret.sealedSharedKey().tokenVersion(), secret.secretKey(), receiverPublicKey, keyId); } - private static SecretSharedKey internalSealSecretKeyForReceiver(SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) { + private static SecretSharedKey internalSealSecretKeyForReceiver(int tokenVersion, SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) { // We protect the integrity of the key ID by passing it as AAD. var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded()); - var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext()); + var sealedSharedKey = new SealedSharedKey(tokenVersion, keyId, sealed.enc(), sealed.ciphertext()); return new SecretSharedKey(secretKey, sealedSharedKey); } @@ -88,6 +97,7 @@ public class SharedKeyGenerator { // token recipient (which would be the case if the IV were deterministically derived // from the recipient key and ephemeral ECDH public key), as that would preclude // support for delegated key forwarding. + // Both AES GCM and ChaCha20Poly1305 use a 96-bit user-supplied IV. private static final byte[] FIXED_96BIT_IV_FOR_SINGLE_USE_KEY = new byte[] { 'h','e','r','e','B','d','r','a','g','o','n','s' // Nothing up my sleeve! }; @@ -100,12 +110,24 @@ public class SharedKeyGenerator { return AeadCipher.of(cipher); } + private static AeadCipher makeChaCha20Poly1305Cipher(SecretSharedKey secretSharedKey, boolean forEncryption) { + // ChaCha20Poly1305 uses 256-bit keys, but our shared secret keys are 128 bit. + // Deterministically derive a longer key from the existing key using a KDF. + var expandedKey = HKDF.unsaltedExtractedFrom(secretSharedKey.secretKey().getEncoded()) + .expand(CHACHA20_POLY1305_KEY_BITS / 8, CHACHA20_POLY1305_KDF_CONTEXT); + var aeadParams = new AEADParameters(new KeyParameter(expandedKey), CHACHA20_POLY1305_AUTH_TAG_BITS, + FIXED_96BIT_IV_FOR_SINGLE_USE_KEY); + var cipher = new ChaCha20Poly1305(); + cipher.init(forEncryption, aeadParams); + return AeadCipher.of(new ChaCha20Poly1305AeadBlockCipherAdapter(cipher)); + } + /** * Creates an AES-GCM cipher that can be used to encrypt arbitrary plaintext. * * The given secret key MUST NOT be used to encrypt more than one plaintext. */ - public static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) { + static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) { return makeAesGcmCipher(secretSharedKey, true); } @@ -113,8 +135,25 @@ public class SharedKeyGenerator { * Creates an AES-GCM cipher that can be used to decrypt ciphertext that was previously * encrypted with the given secret key. */ - public static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) { + static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) { return makeAesGcmCipher(secretSharedKey, false); } + /** + * Creates a ChaCha20-Poly1305 cipher that can be used to encrypt arbitrary plaintext. + * + * The given secret key MUST NOT be used to encrypt more than one plaintext. + */ + static AeadCipher makeChaCha20Poly1305EncryptionCipher(SecretSharedKey secretSharedKey) { + return makeChaCha20Poly1305Cipher(secretSharedKey, true); + } + + /** + * Creates a ChaCha20-Poly1305 cipher that can be used to decrypt ciphertext that was previously + * encrypted with the given secret key. + */ + static AeadCipher makeChaCha20Poly1305DecryptionCipher(SecretSharedKey secretSharedKey) { + return makeChaCha20Poly1305Cipher(secretSharedKey, false); + } + } |