Don't use random IVs for AES-GCM for SSE-C #848
Labels
No labels
action
check-aws
action
discussion-needed
action
for-external-contributors
action
for-newcomers
action
more-info-needed
action
need-funding
action
triage-required
kind
correctness
kind
ideas
kind
improvement
kind
performance
kind
testing
kind
usability
kind
wrong-behavior
prio
critical
prio
low
scope
admin-api
scope
background-healing
scope
build
scope
documentation
scope
k8s
scope
layout
scope
metadata
scope
ops
scope
rpc
scope
s3-api
scope
security
scope
telemetry
No milestone
No project
No assignees
2 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: Deuxfleurs/garage#848
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
From this comment : https://news.ycombinator.com/item?id=41173644
To start the discussion:
What about deriving an object encryption key from the provided SSE-C key?
Because the SSE-C key is already a PRK (assumed it was properly generated), HKDF-Expand should be enough:
The OEK could then be used to encrypt the resulting blocks of the object using AES256-GCM and randomly generated 12byte IVs.
This looks like a good idea, we just need to find a way to ensure backwards-compatibility with data that is already encrypted in current Garage clusters. Maybe we just need to try decryption with the OEK and if that fails try the original SSE-C key instead?
Also, could you explain what the acronym PRK means?
PRK means "pseudorandom key". If the SSE-C Key is generated by using a cryptographically strong Random Number Generator (e,g., using /dev/random), the resulting key can be considered as a PRK.
I am thinking about introducing a kind of plaintext header to encrypted data so that the used encryption scheme can be extracted from the encrypted data itself. This is useful if we need to make again changes in future in the way we encrypt/decrypt objects (e.g. using a different algorithm). Maybe for the beginning, a kind of Garage Object Encryption Scheme version information (uint16) header is already sufficient? Having the Garage Object Encryption Scheme version, additional headers could be easily added in future if needed.
The only open question is, how we could differentiate between encrypted objects with and without such a header prepended. Maybe this can be extracted from the size information of an object? We know that the current encryption scheme will generate 12byte IV and 16byte Authentication Tag of additional bytes to the ciphertext size compared to the plaintext size of the object. If the object is at least 2 bytes bigger in overhead, we would know that there is a header in place. Do we know the ciphertext size and plaintext size of an object in advance to calculate the encryption overhead?
If there is no better way differentiating encrypted objects with and without a header, i think the only way would be as you proposed: Try to parse the header and decrypt according to the included Garage Object Encryption Scheme version information, if this fails, try the old scheme.