feat(config): support modern ECDH/AES-GCM encryption #27416
Conversation
which keys? the gpg keys? no. the key derive is only possible with two ecdh keys. |
Co-authored-by: HonkingGoose <[email protected]>
Co-authored-by: HonkingGoose <[email protected]>
| * EC JSON Web Key (private key) | ||
| * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#json_web_key | ||
| */ | ||
| export const EcJwkPriv = EcJwkPub.extend({ |
There was a problem hiding this comment.
| export const EcJwkPriv = EcJwkPub.extend({ | |
| const EcJwkPriv = EcJwkPub.extend({ |
| ); | ||
|
|
||
| // derive shared secret from our private key and Renovate's public key | ||
| const pw = await crypto.subtle.deriveKey( |
There was a problem hiding this comment.
This looks cryptographically problematic to me.
The shared secret derived by an ECDH key agreement is not uniformly random. deriveKey doesn't perform any key stretching or hashing on the shared secret. It is basically the same as calling deriveBits to get a byte array and then passing it to importKey to use as a symmetric key with AES. P-384 generates more output bits than needed, some part will simply be dropped to fit the 256 bits needed for AES.
To derive a cryptographically strong key for AES-GCM, the shared secret needs to be processed via HKDF. An example how to do this can be found here: https://stackoverflow.com/a/67942717/589259
Note that this example uses an empty salt. I'd say it makes sense to use a salt though, as it ensures that reusing the same shared secret for two operations will still yield different encryption keys. I'd suggest prepending it to the ciphertext.
Also see:
- Problems with ECDH deriveBits/deriveKey operations w3c/webcrypto#193
- https://security.stackexchange.com/questions/201284/ecdh-and-static-key-encryption
- https://crypto.stackexchange.com/questions/30367/ecdh-security-when-no-kdf-is-used
- https://crypto.stackexchange.com/questions/97975/applications-in-which-you-should-shouldnt-use-a-salt-with-hkdf
There was a problem hiding this comment.
🤔 didn't know that. do we need a separate value for salt, or can we reuse the aes-gcm iv?
We should try to make the encypted object as small as possible but of cause as secure as possible.
There was a problem hiding this comment.
Salt and IV are similar in some ways but also need to fulfill different requirements depending on what you want to achieve. I'd suggest to not simply reuse the same values. What you could do in this particular case:
Call deriveBits({ name: "HKDF", ... (as shown in the stackoverflow example above) and produce bits for both the key and the VI. You can use the iv (as it is currently named in your code) as a salt value for the HKDF. When calling deriveBits, increase the length param by the 96 bits you need for the IV, so 256 + 96 bits overall, then use the trailing 96 bits for the IV.
This way you don't need to prepend it to the ciphertext and the HKDF ensures it's uniformly random for use with a symmetric cipher like AES. If you change the salt, the encryption key and IV will change as well. This is generally desirable because it ensures that if you encrypt multiple texts (with different salt values in the HKDF call), a unique encryption key and IV will be used as well.
|
closing for now, as we've an alternate pgp implementation |
Changes
Context
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via: