Moving to a more formal authentication secret

Author: martinthomson

nodejs/ece.js

@@ -9,6 +9,7 @@ var AES_GCM = 'id-aes128-GCM';
 var TAG_LENGTH = 16;
 var KEY_LENGTH = 16;
 var NONCE_LENGTH = 12;
+var SHA_256_LENGTH = 32;
 var MODE_ENCRYPT = 'encrypt';
 var MODE_DECRYPT = 'decrypt';
 
@@ -38,6 +39,10 @@ function HKDF_expand(prk, info, l) {
   return output.slice(0, l);
 }
 
+function HKDF(salt, ikm, info, l) {
+  return HKDF_expand(HKDF_extract(salt, ikm), info, l);
+}
+
 function info(base, context) {
   return Buffer.concat([
     new Buffer('Content-Encoding: ' + base + '\0', 'ascii'),
@@ -110,11 +115,9 @@ function extractSecretAndContext(params, mode) {
   if (!secret) {
     throw new Error('Unable to determine key');
   }
-  if (params.expandedContext) {
-    context = Buffer.concat([
-      context,
-      base64.decode(params.expandedContext)
-    ]);
+  if (params.authSecret) {
+    secret = HKDF(base64.decode(params.authSecret), secret,
+                  info('auth', new Buffer(0)), SHA_256_LENGTH);
   }
   return { secret: secret, context: context };
 }

nodejs/test.js

@@ -48,16 +48,16 @@ function useExplicitKey() {
   encryptDecrypt(length.readUInt16BE(2), params);
 }
 
-function expandedContext() {
+function authenticationSecret() {
   var length = crypto.randomBytes(4);
   var params = {
     key: base64.encode(crypto.randomBytes(16)),
     salt: base64.encode(crypto.randomBytes(16)),
     rs: length.readUInt16BE(0) + 1,
-    expandedContext: base64.encode(crypto.randomBytes(16))
+    authSecret: base64.encode(crypto.randomBytes(16))
   };
   log('Key: ' + base64.encode(params.key));
-  log('Context: ' + base64.encode(params.expandedContext));
+  log('Context: ' + base64.encode(params.authSecret));
   encryptDecrypt(length.readUInt16BE(2), params);
 }
 
@@ -149,7 +149,7 @@ function useDH() {
 var i;
 for (i = 0; i < count; ++i) {
   useExplicitKey();
-  expandedContext();
+  authenticationSecret();
   exactlyOneRecord();
   detectTruncation();
   useKeyId();

python/http_ece/__init__.py

@@ -10,9 +10,9 @@
 keys = {}
 labels = {}
 
-def deriveKey(mode, salt, key=None, dh=None, keyid=None, expandedContext=b""):
+def deriveKey(mode, salt, key=None, dh=None, keyid=None, authSecret=b""):
     def buildInfo(base, context):
-        return b"Content-Encoding: " + base + b"\0" + context + expandedContext
+        return b"Content-Encoding: " + base + b"\0" + context
 
     def deriveDH(mode, keyid, dh):
         def lengthPrefix(key):
@@ -53,6 +53,16 @@ def lengthPrefix(key):
     if secret is None:
         raise Exception(u"unable to determine the secret")
 
+    if authSecret is not None:
+        hkdf_auth = HKDF(
+            algorithm=hashes.SHA256(),
+            length=32,
+            salt=authSecret,
+            info=buildInfo(b"auth", b""),
+            backend=default_backend()
+        )
+        secret = hkdf_auth.derive(secret)
+
     hkdf_key = HKDF(
         algorithm=hashes.SHA256(),
         length=16,
@@ -75,7 +85,7 @@ def iv(base, counter):
     (mask,) = struct.unpack("!Q", base[4:])
     return base[:4] + struct.pack("!Q", counter ^ mask)
 
-def decrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, expandedContext=b""):
+def decrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=b""):
     def decryptRecord(key, nonce, counter, buffer):
         decryptor = Cipher(
             algorithms.AES(key),
@@ -91,7 +101,7 @@ def decryptRecord(key, nonce, counter, buffer):
 
     (key_, nonce_) = deriveKey(mode="decrypt", salt=salt,
                                key=key, keyid=keyid, dh=dh,
-                               expandedContext=expandedContext)
+                               authSecret=authSecret)
     if rs < 2:
         raise Exception(u"Record size too small")
     rs += 16 # account for tags
@@ -105,7 +115,7 @@ def decryptRecord(key, nonce, counter, buffer):
         counter += 1
     return result
 
-def encrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, expandedContext=b""):
+def encrypt(buffer, salt, key=None, keyid=None, dh=None, rs=4096, authSecret=b""):
     def encryptRecord(key, nonce, counter, buffer):
         encryptor = Cipher(
             algorithms.AES(key),
@@ -118,7 +128,7 @@ def encryptRecord(key, nonce, counter, buffer):
 
     (key_, nonce_) = deriveKey(mode="encrypt", salt=salt,
                                key=key, keyid=keyid, dh=dh,
-                               expandedContext=expandedContext)
+                               authSecret=authSecret)
     if rs < 2:
         raise Exception(u"Record size too small")
     rs -= 1 # account for padding

python/test.py

@@ -34,14 +34,14 @@ def encryptDecrypt(length, encryptParams, decryptParams=None):
                             keyid=encryptParams.get("keyid"),
                             dh=encryptParams.get("dh"),
                             rs=encryptParams.get("rs"),
-                            expandedContext=encryptParams.get("expandedContext", b""))
+                            authSecret=encryptParams.get("authSecret", b""))
     log("Encrypted: " + b64e(encrypted))
     decrypted = ece.decrypt(encrypted, salt=decryptParams.get("salt"),
                             key=decryptParams.get("key"),
                             keyid=decryptParams.get("keyid"),
                             dh=decryptParams.get("dh"),
                             rs=decryptParams.get("rs"),
-                            expandedContext=decryptParams.get("expandedContext", b""))
+                            authSecret=decryptParams.get("authSecret", b""))
     log("Decrypted: " + b64e(decrypted))
     assert input == decrypted
     log("----- OK");
@@ -56,15 +56,15 @@ def useExplicitKey():
     encryptDecrypt(rlen() + 1, params)
 
 
-def expandedContext():
+def authSecret():
     params = {
         "key": os.urandom(16),
         "salt": os.urandom(16),
         "rs": rlen() + 1,
-        "expandedContext": os.urandom(10)
+        "authSecret": os.urandom(10)
     }
     log("Key: " + b64e(params["key"]))
-    log("Context: " + b64e(params["expandedContext"]))
+    log("Context: " + b64e(params["authSecret"]))
     encryptDecrypt(rlen() + 1, params)
 
 
@@ -150,7 +150,7 @@ def isUncompressed(k):
 if __name__ == "__main__":
     for i in list(range(0,count)):
         useExplicitKey()
-        expandedContext()
+        authSecret()
         exactlyOneRecord()
         detectTruncation()
         useKeyId()