Closed resilar closed 3 years ago
PBKDF2-HMAC-SHA256 will be replaced by Balloon hashing with BLAKE2s or BLAKE3 hash function.
Balloon hashing is a elegant memory-hard key derivation algorithm with the same or superior security properties as Argon2; for example, the memory-hardness of Balloon hashing has been proven while the memory-hardness of Argon2 remains unproven. (Argon2 sucks for multiple other reasons as well...)
EncryptV1(K, PageNumber, Data[0..n]):
|
| K_i, K_j = ChaCha20(K, PageNumber)
| Hash = Poly1305(K_i, Data)
| Nonce = Hash ^ randombytes(16)
| K_stream, K_mac = ChaCha20(K_j, Nonce)
| Data ^= ChaCha20(K_stream ^ K_i, 0)
| MAC = Poly1305(K_mac, Hash)
|
| Output: (Data[0..n-32], Nonce[0..16], MAC[0..16])
Notice that Hash = Poly1305(K_i, Data)
is dangerous because reusing a Poly1305 key for distinct messages leaks the Poly1305 key. With broken RNG, Nonce = Hash ^ randombytes(16) = Hash ^ 0
yields nonce Poly1305(K_i, Data)
. Therefore, an attacker can recover K_i
after observing 2 nonces for the same page assuming a known-plaintext attack.
Fortunately, leaked K_i
is not useful to the attacker because ChaCha20(K_stream ^ K_i, 0)
XORs K_i
with K_stream
before use. Leaking K_i
is still unacceptable though, because the attacker may be able to reveal K_stream
with another attack (e.g., power/EM side-channel attack to find K_j
and consequently K_stream
).
The problem can be addressed by computing Hash = H(Data)
with regular hash function like BLAKE2 or SHA-256. Alternatively, Hash = H(Poly1305(K_i, Data))
can be used as a optimization (Poly1305 is fast). Or simply fix the RNG...
Codec API deprecation and switching to VFS-level encryption makes deterministic counter-based (instead of hash-based) nonces feasible by allowing sqleet to maintain persistent state. I think the proposed v1 crypto should be revised to exploit this fact in order to simplify and improve the crypto, for example and most importantly, by avoiding random number generation.
Using counter-based nonces sounds good, and would allow to get rid of problematic RNG implementations.
BTW, I have now a first implementation of VFS-level encryption ready for testing (see SQLite3 Multiple Ciphers).
Closing this issue. A redesign is needed to fully exploit the new VFS-based architecture.
A draft of a new cryptosystem for the next major version of sqleet. The current sqleet v0 cryptosystem is strong and the goal here is improving secure enclave (TPM/SGX/TrustZone) support and reducing the security impact of nonce reuse attacks (if an attacker obtains a Poly1305 key of a single page somehow, the attacker can reuse the key and nonce to compromise the security of other database pages). See the description below for more details.
Warning: This is just a draft and subject to changes. I'm still in the process of getting the proposed cryptosystem verified by "professionals", so some changes are expected.
Any feedback is appreciated.