diff options
author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-01-04 17:22:54 +0100 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-01-05 15:23:38 +0100 |
commit | b9292918b2ec3c26492ae2424756080059a089b4 (patch) | |
tree | 18cb7dfd715759f0d64d0d67c574af3981e7cf21 /security-utils | |
parent | bb6638634f5bec608f62d710c97b0b97f79fc07f (diff) |
Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based crypto
This is to get around the limitation where AES GCM can only produce
a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before
its security properties break down. ChaCha20-Poly1305 does not have any
practical limitations here.
ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits.
A HKDF is used to internally expand the key material to 256 bits.
To let token based decryption be fully backwards compatible, introduce
a token version 2. V1 tokens will be decrypted with AES-GCM 128, while
V2 tokens use ChaCha20-Poly1305.
As a bonus, cryptographic operations will generally be _faster_ after
this cipher change, as we use BouncyCastle ciphers and these do not use
any native AES instructions. ChaCha20-Poly1305 is usually considerably
faster when running without specialized hardware support. An ad-hoc
experiment with a large ciphertext showed a near 70% performance increase
over AES-GCM 128.
Diffstat (limited to 'security-utils')
5 files changed, 228 insertions, 24 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java b/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java new file mode 100644 index 00000000000..5166e44e20c --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/ChaCha20Poly1305AeadBlockCipherAdapter.java @@ -0,0 +1,84 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security; + +import org.bouncycastle.crypto.BlockCipher; +import org.bouncycastle.crypto.CipherParameters; +import org.bouncycastle.crypto.DataLengthException; +import org.bouncycastle.crypto.InvalidCipherTextException; +import org.bouncycastle.crypto.modes.AEADBlockCipher; +import org.bouncycastle.crypto.modes.ChaCha20Poly1305; + +/** + * Minimal adapter to make ChaCha20Poly1305 usable as an AEADBlockCipher (it's technically + * an AEAD stream cipher, but this is not exposed in the BouncyCastle type system). + * + * @author vekterli + */ +class ChaCha20Poly1305AeadBlockCipherAdapter implements AEADBlockCipher { + + private final ChaCha20Poly1305 cipher; + + ChaCha20Poly1305AeadBlockCipherAdapter(ChaCha20Poly1305 cipher) { + this.cipher = cipher; + } + + @Override + public BlockCipher getUnderlyingCipher() { + return null; + } + + @Override + public void init(boolean forEncryption, CipherParameters params) throws IllegalArgumentException { + cipher.init(forEncryption, params); + } + + @Override + public String getAlgorithmName() { + return cipher.getAlgorithmName(); + } + + @Override + public void processAADByte(byte in) { + cipher.processAADByte(in); + } + + @Override + public void processAADBytes(byte[] in, int inOff, int len) { + cipher.processAADBytes(in, inOff, len); + } + + @Override + public int processByte(byte in, byte[] out, int outOff) throws DataLengthException { + return cipher.processByte(in, out, outOff); + } + + @Override + public int processBytes(byte[] in, int inOff, int len, byte[] out, int outOff) throws DataLengthException { + return cipher.processBytes(in, inOff, len, out, outOff); + } + + @Override + public int doFinal(byte[] out, int outOff) throws IllegalStateException, InvalidCipherTextException { + return cipher.doFinal(out, outOff); + } + + @Override + public byte[] getMac() { + return cipher.getMac(); + } + + @Override + public int getUpdateOutputSize(int len) { + return cipher.getUpdateOutputSize(len); + } + + @Override + public int getOutputSize(int len) { + return cipher.getOutputSize(len); + } + + @Override + public void reset() { + cipher.reset(); + } +} diff --git a/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java b/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java index 65f149579f4..d570cd799cc 100644 --- a/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java +++ b/security-utils/src/main/java/com/yahoo/security/SealedSharedKey.java @@ -14,11 +14,11 @@ import java.nio.ByteBuffer; * This token representation is expected to be used as a convenient serialization * form when communicating shared keys. */ -public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) { +public record SealedSharedKey(int version, KeyId keyId, byte[] enc, byte[] ciphertext) { /** Current encoding version of opaque sealed key tokens. Must be less than 256. */ - public static final int CURRENT_TOKEN_VERSION = 1; - /** Encryption context for v1 tokens is always a 32-byte X25519 public key */ + public static final int CURRENT_TOKEN_VERSION = 2; + /** Encryption context for v{1,2} tokens is always a 32-byte X25519 public key */ public static final int MAX_ENC_CONTEXT_LENGTH = 255; public SealedSharedKey { @@ -36,7 +36,7 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) { byte[] keyIdBytes = keyId.asBytes(); // u8 token version || u8 length(key id) || key id || u8 length(enc) || enc || ciphertext ByteBuffer encoded = ByteBuffer.allocate(1 + 1 + keyIdBytes.length + 1 + enc.length + ciphertext.length); - encoded.put((byte)CURRENT_TOKEN_VERSION); + encoded.put((byte)version); encoded.put((byte)keyIdBytes.length); encoded.put(keyIdBytes); encoded.put((byte)enc.length); @@ -62,8 +62,8 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) { ByteBuffer decoded = ByteBuffer.wrap(rawTokenBytes); // u8 token version || u8 length(key id) || key id || u8 length(enc) || enc || ciphertext int version = Byte.toUnsignedInt(decoded.get()); - if (version != CURRENT_TOKEN_VERSION) { - throw new IllegalArgumentException("Token had unexpected version. Expected %d, was %d" + if (version < 1 || version > CURRENT_TOKEN_VERSION) { + throw new IllegalArgumentException("Token had unexpected version. Expected value in [1, %d], was %d" .formatted(CURRENT_TOKEN_VERSION, version)); } int keyIdLen = Byte.toUnsignedInt(decoded.get()); @@ -75,10 +75,10 @@ public record SealedSharedKey(KeyId keyId, byte[] enc, byte[] ciphertext) { byte[] ciphertext = new byte[decoded.remaining()]; decoded.get(ciphertext); - return new SealedSharedKey(KeyId.ofBytes(keyIdBytes), enc, ciphertext); + return new SealedSharedKey(version, KeyId.ofBytes(keyIdBytes), enc, ciphertext); } - public int tokenVersion() { return CURRENT_TOKEN_VERSION; } + public int tokenVersion() { return version; } private static void verifyInputTokenStringNotTooLarge(String tokenString) { // Expected max decoded size for v1 is 3 + 255 + 32 + 32 = 322. For simplicity, round this diff --git a/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java b/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java index 3e90711d57f..da582eae92c 100644 --- a/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java +++ b/security-utils/src/main/java/com/yahoo/security/SecretSharedKey.java @@ -21,4 +21,31 @@ public record SecretSharedKey(SecretKey secretKey, SealedSharedKey sealedSharedK return "SharedSecretKey(sealed: %s)".formatted(sealedSharedKey.toTokenString()); } + /** + * @return an encryption cipher that matches the version of the SealedSharedKey bound to + * the secret shared key + */ + public AeadCipher makeEncryptionCipher() { + var version = sealedSharedKey.tokenVersion(); + return switch (version) { + case 1 -> SharedKeyGenerator.makeAesGcmEncryptionCipher(this); + case 2 -> SharedKeyGenerator.makeChaCha20Poly1305EncryptionCipher(this); + default -> throw new IllegalStateException("Unsupported token version: " + version); + }; + } + + /** + * @return a decryption cipher that matches the version of the SealedSharedKey bound to + * the secret shared key. In other words, the cipher shall match the cipher algorithm + * used to perform the encryption this key was used for. + */ + public AeadCipher makeDecryptionCipher() { + var version = sealedSharedKey.tokenVersion(); + return switch (version) { + case 1 -> SharedKeyGenerator.makeAesGcmDecryptionCipher(this); + case 2 -> SharedKeyGenerator.makeChaCha20Poly1305DecryptionCipher(this); + default -> throw new IllegalStateException("Unsupported token version: " + version); + }; + } + } diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java index b59e7cff6b4..22503292413 100644 --- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java +++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java @@ -7,6 +7,7 @@ import com.yahoo.security.hpke.Hpke; import com.yahoo.security.hpke.Kdf; import com.yahoo.security.hpke.Kem; import org.bouncycastle.crypto.engines.AESEngine; +import org.bouncycastle.crypto.modes.ChaCha20Poly1305; import org.bouncycastle.crypto.modes.GCMBlockCipher; import org.bouncycastle.crypto.params.AEADParameters; import org.bouncycastle.crypto.params.KeyParameter; @@ -21,6 +22,8 @@ import java.security.SecureRandom; import java.security.interfaces.XECPrivateKey; import java.security.interfaces.XECPublicKey; +import static com.yahoo.security.ArrayUtils.toUtf8Bytes; + /** * Implements both the sender and receiver sides of a secure, anonymous one-way * key generation and exchange protocol implemented using HPKE; a hybrid crypto @@ -40,9 +43,13 @@ import java.security.interfaces.XECPublicKey; */ public class SharedKeyGenerator { - private static final int AES_GCM_KEY_BITS = 128; - private static final int AES_GCM_AUTH_TAG_BITS = 128; - private static final String AES_GCM_ALGO_SPEC = "AES/GCM/NoPadding"; + private static final int AES_GCM_KEY_BITS = 128; + private static final int AES_GCM_AUTH_TAG_BITS = 128; + + private static final int CHACHA20_POLY1305_KEY_BITS = 256; + private static final int CHACHA20_POLY1305_AUTH_TAG_BITS = 128; + private static final byte[] CHACHA20_POLY1305_KDF_CONTEXT = toUtf8Bytes("ChaCha20Poly1305 key expansion"); + private static final byte[] EMPTY_BYTES = new byte[0]; private static final SecureRandom SHARED_CSPRNG = new SecureRandom(); // Since the HPKE ciphersuite is not provided in the token, we must be very explicit about what it always is @@ -61,7 +68,7 @@ public class SharedKeyGenerator { public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, KeyId keyId) { var secretKey = generateRandomSecretAesKey(); - return internalSealSecretKeyForReceiver(secretKey, receiverPublicKey, keyId); + return internalSealSecretKeyForReceiver(SealedSharedKey.CURRENT_TOKEN_VERSION, secretKey, receiverPublicKey, keyId); } public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) { @@ -71,13 +78,15 @@ public class SharedKeyGenerator { } public static SecretSharedKey reseal(SecretSharedKey secret, PublicKey receiverPublicKey, KeyId keyId) { - return internalSealSecretKeyForReceiver(secret.secretKey(), receiverPublicKey, keyId); + // The resealed token must inherit the token version of the original token, or the receiver will + // end up trying to decrypt with the wrong parameters and/or cipher. + return internalSealSecretKeyForReceiver(secret.sealedSharedKey().tokenVersion(), secret.secretKey(), receiverPublicKey, keyId); } - private static SecretSharedKey internalSealSecretKeyForReceiver(SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) { + private static SecretSharedKey internalSealSecretKeyForReceiver(int tokenVersion, SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) { // We protect the integrity of the key ID by passing it as AAD. var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded()); - var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext()); + var sealedSharedKey = new SealedSharedKey(tokenVersion, keyId, sealed.enc(), sealed.ciphertext()); return new SecretSharedKey(secretKey, sealedSharedKey); } @@ -88,6 +97,7 @@ public class SharedKeyGenerator { // token recipient (which would be the case if the IV were deterministically derived // from the recipient key and ephemeral ECDH public key), as that would preclude // support for delegated key forwarding. + // Both AES GCM and ChaCha20Poly1305 use a 96-bit user-supplied IV. private static final byte[] FIXED_96BIT_IV_FOR_SINGLE_USE_KEY = new byte[] { 'h','e','r','e','B','d','r','a','g','o','n','s' // Nothing up my sleeve! }; @@ -100,12 +110,24 @@ public class SharedKeyGenerator { return AeadCipher.of(cipher); } + private static AeadCipher makeChaCha20Poly1305Cipher(SecretSharedKey secretSharedKey, boolean forEncryption) { + // ChaCha20Poly1305 uses 256-bit keys, but our shared secret keys are 128 bit. + // Deterministically derive a longer key from the existing key using a KDF. + var expandedKey = HKDF.unsaltedExtractedFrom(secretSharedKey.secretKey().getEncoded()) + .expand(CHACHA20_POLY1305_KEY_BITS / 8, CHACHA20_POLY1305_KDF_CONTEXT); + var aeadParams = new AEADParameters(new KeyParameter(expandedKey), CHACHA20_POLY1305_AUTH_TAG_BITS, + FIXED_96BIT_IV_FOR_SINGLE_USE_KEY); + var cipher = new ChaCha20Poly1305(); + cipher.init(forEncryption, aeadParams); + return AeadCipher.of(new ChaCha20Poly1305AeadBlockCipherAdapter(cipher)); + } + /** * Creates an AES-GCM cipher that can be used to encrypt arbitrary plaintext. * * The given secret key MUST NOT be used to encrypt more than one plaintext. */ - public static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) { + static AeadCipher makeAesGcmEncryptionCipher(SecretSharedKey secretSharedKey) { return makeAesGcmCipher(secretSharedKey, true); } @@ -113,8 +135,25 @@ public class SharedKeyGenerator { * Creates an AES-GCM cipher that can be used to decrypt ciphertext that was previously * encrypted with the given secret key. */ - public static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) { + static AeadCipher makeAesGcmDecryptionCipher(SecretSharedKey secretSharedKey) { return makeAesGcmCipher(secretSharedKey, false); } + /** + * Creates a ChaCha20-Poly1305 cipher that can be used to encrypt arbitrary plaintext. + * + * The given secret key MUST NOT be used to encrypt more than one plaintext. + */ + static AeadCipher makeChaCha20Poly1305EncryptionCipher(SecretSharedKey secretSharedKey) { + return makeChaCha20Poly1305Cipher(secretSharedKey, true); + } + + /** + * Creates a ChaCha20-Poly1305 cipher that can be used to decrypt ciphertext that was previously + * encrypted with the given secret key. + */ + static AeadCipher makeChaCha20Poly1305DecryptionCipher(SecretSharedKey secretSharedKey) { + return makeChaCha20Poly1305Cipher(secretSharedKey, false); + } + } diff --git a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java index 25324ad7317..35b52d13b1d 100644 --- a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java +++ b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java @@ -59,20 +59,74 @@ public class SharedKeyTest { } @Test - void token_v1_representation_is_stable() { + void resealed_token_preserves_token_version_of_source_token() { + var originalPrivate = KeyUtils.fromBase58EncodedX25519PrivateKey("GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L"); + var v1Token = "OntP9gRVAjXeZIr4zkYqRJFcnA993v7ZEE7VbcNs1NcR3HdE7Mpwlwi3r3anF1kVa5fn7O1CyeHQpBWpdayUTKkrtyFepG6WJrZdE"; + + var originalSealed = SealedSharedKey.fromTokenString(v1Token); + var originalSecret = SharedKeyGenerator.fromSealedKey(originalSealed, originalPrivate); + + var secondaryReceiverKp = KeyUtils.generateX25519KeyPair(); + var resealedShared = SharedKeyGenerator.reseal(originalSecret, secondaryReceiverKp.getPublic(), KEY_ID_2); + + var theirSealed = SealedSharedKey.fromTokenString(resealedShared.sealedSharedKey().toTokenString()); + assertEquals(1, theirSealed.tokenVersion()); + } + + @Test + void token_v1_representation_is_stable() throws IOException { var receiverPrivate = KeyUtils.fromBase58EncodedX25519PrivateKey("GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L"); var receiverPublic = KeyUtils.fromBase58EncodedX25519PublicKey( "5drrkakYLjYSBpr5Haknh13EiCYL36ndMzK4gTJo6pwh"); var keyId = KeyId.ofString("my key ID"); - // Token generated for the above receiver public key, with the below expected shared secret (in hex) + // V1 token generated for the above receiver public key, with the below expected shared secret (in hex) var publicToken = "OntP9gRVAjXeZIr4zkYqRJFcnA993v7ZEE7VbcNs1NcR3HdE7Mpwlwi3r3anF1kVa5fn7O1CyeHQpBWpdayUTKkrtyFepG6WJrZdE"; var expectedSharedSecret = "1b33b4dcd6a94e5a4a1ee6d208197d01"; var theirSealed = SealedSharedKey.fromTokenString(publicToken); var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverPrivate); + assertEquals(1, theirSealed.tokenVersion()); + assertEquals(keyId, theirSealed.keyId()); + assertEquals(expectedSharedSecret, hex(theirShared.secretKey().getEncoded())); + + // Encryption with v1 tokens must use AES-GCM 128 + var plaintext = "it's Bocchi time"; + var expectedCiphertext = "a2ba842b2e0769a4a2948c4236d4ae921f1dd05c2e094dcde9699eeefcc3d7ae"; + byte[] ct = streamEncryptString(plaintext, theirShared); + assertEquals(expectedCiphertext, hex(ct)); + + // Decryption with v1 tokens must use AES-GCM 128 + var decrypted = streamDecryptString(ct, theirShared); + assertEquals(plaintext, decrypted); + } + + @Test + void token_v2_representation_is_stable() throws IOException { + var receiverPrivate = KeyUtils.fromBase58EncodedX25519PrivateKey("GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L"); + var receiverPublic = KeyUtils.fromBase58EncodedX25519PublicKey( "5drrkakYLjYSBpr5Haknh13EiCYL36ndMzK4gTJo6pwh"); + var keyId = KeyId.ofString("my key ID"); + + // V2 token generated for the above receiver public key, with the below expected shared secret (in hex) + var publicToken = "mjA83HYuulZW5SWV8FKz4m3b3m9zU8mTrX9n6iY4wZaA6ZNr8WnBZwOU4KQqhPCORPlzSYk4svlonzPZIb3Bjbqr2ePYKLOpdGhCO"; + var expectedSharedSecret = "205af82154690fd7b6d56a977563822c"; + + var theirSealed = SealedSharedKey.fromTokenString(publicToken); + var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverPrivate); + + assertEquals(2, theirSealed.tokenVersion()); assertEquals(keyId, theirSealed.keyId()); assertEquals(expectedSharedSecret, hex(theirShared.secretKey().getEncoded())); + + // Encryption with v2 tokens must use ChaCha20-Poly1305 + var plaintext = "it's Bocchi time"; + var expectedCiphertext = "ea19dd0ac3ea6d76dc4e96430b0d5902a21cb3a27fa99490f4dcc391eaf5cec4"; + byte[] ct = streamEncryptString(plaintext, theirShared); + assertEquals(expectedCiphertext, hex(ct)); + + // Decryption with v2 tokens must use ChaCha20-Poly1305 + var decrypted = streamDecryptString(ct, theirShared); + assertEquals(plaintext, decrypted); } @Test @@ -102,7 +156,7 @@ public class SharedKeyTest { var mySealed = myShared.sealedSharedKey(); var badId = KeyId.ofString("my key 2"); - var tamperedShared = new SealedSharedKey(badId, mySealed.enc(), mySealed.ciphertext()); + var tamperedShared = new SealedSharedKey(SealedSharedKey.CURRENT_TOKEN_VERSION, badId, mySealed.enc(), mySealed.ciphertext()); // Should not be able to unseal the token since the AAD auth tag won't be correct assertThrows(RuntimeException.class, // TODO consider distinct exception class () -> SharedKeyGenerator.fromSealedKey(tamperedShared, keyPair.getPrivate())); @@ -130,7 +184,7 @@ public class SharedKeyTest { var myShared = SharedKeyGenerator.generateForReceiverPublicKey(keyPair.getPublic(), goodId); // token header is u8 version || u8 key id length || key id bytes ... - // Since the key ID is only 1 bytes long, patch it with a bad UTF-8 value + // Since the key ID is only 1 byte long, patch it with a bad UTF-8 value byte[] tokenBytes = Base62.codec().decode(myShared.sealedSharedKey().toTokenString()); tokenBytes[2] = (byte)0xC0; // First part of a 2-byte continuation without trailing byte var patchedTokenStr = Base62.codec().encode(tokenBytes); @@ -138,7 +192,7 @@ public class SharedKeyTest { } static byte[] streamEncryptString(String data, SecretSharedKey secretSharedKey) throws IOException { - var cipher = SharedKeyGenerator.makeAesGcmEncryptionCipher(secretSharedKey); + var cipher = secretSharedKey.makeEncryptionCipher(); var outStream = new ByteArrayOutputStream(); try (var cipherStream = cipher.wrapOutputStream(outStream)) { cipherStream.write(data.getBytes(StandardCharsets.UTF_8)); @@ -148,7 +202,7 @@ public class SharedKeyTest { } static String streamDecryptString(byte[] encrypted, SecretSharedKey secretSharedKey) throws IOException { - var cipher = SharedKeyGenerator.makeAesGcmDecryptionCipher(secretSharedKey); + var cipher = secretSharedKey.makeDecryptionCipher(); var inStream = new ByteArrayInputStream(encrypted); var total = ByteBuffer.allocate(encrypted.length); // Assume decrypted form can't be _longer_ byte[] tmp = new byte[8]; // short buf to test chunking @@ -198,7 +252,7 @@ public class SharedKeyTest { } private static void doOutputStreamCipherDecrypt(SecretSharedKey myShared, byte[] encrypted) throws Exception { - var cipher = SharedKeyGenerator.makeAesGcmDecryptionCipher(myShared); + var cipher = myShared.makeDecryptionCipher(); var outStream = new ByteArrayOutputStream(); try (var cipherStream = cipher.wrapOutputStream(outStream)) { cipherStream.write(encrypted); |