Reformat text

rnapier · rnapier · commit e042dc3105d1 · 2014-06-12T17:47:46.000-04:00
diff --git a/draft-RNCryptor-Spec-v4.0.md b/draft-RNCryptor-Spec-v4.0.md
@@ -18,19 +18,26 @@
 
 All data is in network order (big-endian).
 
-Note that the version of the RNCryptor ObjC library is not directly related to the version of the RNCryptor file format. For example, v2.2 of the RNCryptor ObjC library writes v3 of the file format. The versioning of an implementation is related to its API, not the file formats it supports.
+Note that the version of the RNCryptor ObjC library is not directly related to
+the version of the RNCryptor file format. For example, v2.2 of the RNCryptor
+ObjC library writes v3 of the file format. The versioning of an implementation
+is related to its API, not the file formats it supports.
 
 ## Key Generation
 
-RNCryptor uses either a 256-bit random key or a password. It extracts a 512-bit pseudorandom key (PRK) from this using HKDF-Extract or PBKDF2. It then uses HKDF-Expand to expand this key material into the IV, a validation token, the encryption key, and the HMAC key.
+RNCryptor uses either a 256-bit random key or a password. It extracts a 512-bit
+pseudorandom key (PRK) from this using HKDF-Extract or PBKDF2. It then uses
+HKDF-Expand to expand this key material into the IV, a validation token, the
+encryption key, and the HMAC key.
 
 ## Key Validation
 
 Using the validation token, the encryption key can be tested without validating HMAC.
 
 ## Implementation Procedure
 
-Unless otherwise noted, all example implementations are given in an abtract, idealized language. It includes the following constructs:
+Unless otherwise noted, all example implementations are given in an abtract,
+idealized language. It includes the following constructs:
 
 * `||` - Operator that concatenates two octet strings.
 * `RandomDataOfLength(n)` - Returns `n` random octets generated by a [CSPRNG](https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator).
@@ -46,76 +53,91 @@ Unless otherwise noted, all example implementations are given in an abtract, ide
 * `SHA512` - Token indicating SHA-2 hash function with 512-bit length.
 * `CBCMode` - Token indicating [cipher block chaining (CBC)](https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29) block cipher mode. This implicitly includes PKCS#7 padding.
 
+## Key HKDF-expansion
+
+Expand PRK to 96 bytes for required material using HMAC-SHA-512 + HMAC-SHA-512-256.
+
+```
+def Expand(prk[64]) =
+    info = "rncryptor"
+    T1 = HMAC(SHA512, prk,       info || 0x01, 512 bits)
+    T2 = HMAC(SHA512, prk, T1 || info || 0x02, 256 bits)
+    return T1 || T2
+```
+
 ## General encryption function
 
-Takes a 512-bit pseudorandom key (prk). Expands it into the validator, IV, encryption key, and HMAC key. 
+Takes a 512-bit pseudorandom key (prk). Expands it into the encryption key,HMAC
+key, IV, and validator. Validator is last so attacker cannot short-cut
+Expand().
 
 ```
 def Encrypt(prk[64], options[1], salt[16], plaintext) =
-    // HKDF-Expand
-    (validator[16], iv[16]) = HMAC(SHA512, prk, "rncryptor.validator+iv" || 0x01, 256 bits)
-    (encryptionKey[32], hmacKey[32]) = HMAC(SHA512, prk, "rncryptor.keys" || 0x01, 512 bits)
+    (encryptionKey[32], hmacKey[32], iv[16], validator[16]) = Expand(prk)
 
     version = 0x04
-    header = version[1] || options[1] || salt[16] || validator[16]
-    headerBitLength = 272LL
+    header = version || options || salt || validator
     ciphertext = AESEncrypt(256 bits, CBCMode, encryptionKey, iv, plaintext)
-    hmac = HMAC(SHA512, hmacKey, header || ciphertext || headerBitLength, 256 bits)
+    hmac = HMAC(SHA512, hmacKey, header || ciphertext, 256 bits)
     return header || ciphertext || hmac
 ```
 
-1. Expand PRK into validator and IV
-2. Expand PRK into encryption key and HMAC key
-3. Construct header from version, options, salt, and validator
-4. Note length of header in bits
-5. Encrypt ciphertext with AES-256
-6. Compute HMAC with SHA-512, truncated to 256 bits
-7. Return message with header, ciphertext, and HMAC
+1. Expand PRK into validator, IV, and keys
+2. Construct header from version, options, salt, and validator
+3. Encrypt ciphertext with AES-256
+4. Compute HMAC with SHA-512-256
+5. Return message with header, ciphertext, and HMAC
 
 ## General decryption function
 
 ```
 def Decrypt(prk[64], options[1], salt[16], validator[16], ciphertext, hmac[32]) =
-    // HKDF-Expand
-    (expectedValidator[16], iv[16]) =  HMAC(SHA512, prk, "rncryptor.validator+iv" || 0x01, 256 bits)
+    (encryptionKey[32], hmacKey[32], iv[16], validator[16]) = Expand(prk)
     if (! ConsistentTimeEqual(expectedValidator, validator) return KEY_MISMATCH
 
-    (encryptionKey, hmacKey) = HMAC(SHA512, prk, "rncryptor.keys" || 0x01, 512 bits)
-
     version = 0x04
     header = version || options || salt || validator
-    headerBitLength = 272LL
-    expectedHmac = HMAC(SHA512, hmacKey, header || ciphertext || headerBitLength, 256 bits)
+    expectedHmac = HMAC(SHA512, hmacKey, header || ciphertext, 256 bits)
 
     if ! ConsistentTimeEqual(expectedHmac, hmac) return CORRUPT
     else return AESDecrypt(2556 bits, CBCMode, encryptionKey, iv, ciphertext)
 ```
 
-1. Expand PRK into an expected validator and IV.
+1. Expand PRK into validator, IV, and keys
 2. Verify (in constant time) that validators match. If not, the password was incorrect.
-3. Expand PRK into encryption key and HMAC key.
-4. Construct header from version, options, salt, and validator.
-5. Note length of header in bits.
-6. Compute expected HMAC with SHA-512, truncated to 256 bit.
-7. Verify (in constant time) that HMACs match. If not, the ciphertext is corrupt.
-8. Return decrypted data.
+3. Construct header from version, options, salt, and validator.
+4. Compute expected HMAC with SHA-512-256
+5. Verify (in constant time) that HMACs match. If not, the ciphertext is corrupt.
+6. Return decrypted data.
 
 ## Key-based encryption
 
+Input is 256 random bits of source keying material (called `key`). To maintain
+consistency with PBKDF2, and to improve poorly generated keys (key reuse or
+non-random key selection), the actual pseudorandom key (PRK) is extracted with
+HKDF and a 128-bit random salt.
+
+Note that SHA-1 is used (rather than SHA-2) to maintain better platform
+support. .NET's Rfc2898DeriveBytes only supports SHA1HMAC. There is no security
+concern in using SHA-1 here. PBKDF2 only requires a PRF to maintain itssecurity
+proof, and SHA-1, even with its known attacks, continues to be a PRF. Hopefully
+.NET will eventually support SHA-2 PBKDF2 and we'll be able to drop SHA-1 as a
+matter of housekeeping (minimizing the number of algorithms required).
+
 ```
 def KeyBasedEncrypt(key[32], plaintext) =
     salt = RandomDataOfLength(16 bytes)
 
     // HKDF-Extract
-    prk = HMAC(SHA512, salt, key, 512 bits)
+    prk = HMAC(SHA1, salt, key, 512 bits)
 
     options = 0
 
     return Encrypt(prk, options, salt, plaintext)
 ```
 
 1. Generate random salt.
-2. Extract 512-bit PRK from 32-bit key via HKDF.
+2. Extract 512-bit PRK from 256-bit key + 128-bit salt via HKDF.
 3. Perform generic encryption.
 
 ## Key-based Decryption
@@ -193,9 +215,16 @@ def PasswordBasedDecrypt(password, message) =
 
 ## Consistent-time equality checking
 
-When comparing the computed HMAC with the expected HMAC, it is important that your comparison be made in consistent time. Your comparison function should compare all of the bytes of the ExpectedHMAC, even if it finds a mismatch. Otherwise, your comparison can be subject to a timing attack, where the attacker sends you different HMACs and times how long it takes you to return that they are not equal. Using this, the attacker can progressively determine each byte of the HMAC.
+When comparing the computed HMAC with the expected HMAC, it is important that
+your comparison be made in consistent time. Your comparison function should
+compare all of the bytes of the ExpectedHMAC, even if it finds a mismatch.
+Otherwise, your comparison can be subject to a timing attack, where the
+attacker sends you different HMACs and times how long it takes you to return
+that they are not equal. Using this, the attacker can progressively determine
+each byte of the HMAC.
 
 Here is an example consistent-time equality function in ObjC:
+
 ``` objc
 - (BOOL)rnc_isEqualInConsistentTime:(NSData *)otherData {
   // The point of this routine is XOR the bytes of each data and accumulate the results with OR.
@@ -219,18 +248,26 @@ Here is an example consistent-time equality function in ObjC:
 
 ## Approach and Notes
 
-RNCryptor is very similar to [draft-mcgrew-aead-aes-cbc-hmac-sha2](https://tools.ietf.org/id/draft-mcgrew-aead-aes-cbc-hmac-sha2-02.html) AEAD_AES_256_CBC_HMAC_SHA_512 in how it produces authenticated encryption from AES-CBC and HMAC-SHA. It differs slightly in how it generates the keys (via HKDF rather than splitting the PRK), and it computes the IV via HKDF rather than passing a random IV.
+RNCryptor is similar to
+[draft-mcgrew-aead-aes-cbc-hmac-sha2](https://tools.ietf.org/id/draft-mcgrew-aead-aes-cbc-hmac-sha2-02.html)
+AEAD_AES_256_CBC_HMAC_SHA_512 in how it produces authenticated encryption from
+AES-CBC and HMAC-SHA. It differs slightly in how it generates the keys (via
+HKDF rather than splitting the PRK), and it computes the IV via HKDF rather
+than passing a random IV.
 
-RNCryptor relies on HKDF ([RFC 5869](https://tools.ietf.org/html/rfc5869)) to generate random octet strings from a master 512-bit PRK.
+RNCryptor relies on HKDF ([RFC 5869](https://tools.ietf.org/html/rfc5869)) to
+generate random octet strings from a master 512-bit PRK.
 
-RNCryptor makes an effort to minimize the number of cryptographic primitives required. In particular, SHA-512 is used in some places that SHA-256 could be sufficient.
+The HMAC is are truncated according to [RFC 2104 Section
+5](https://tools.ietf.org/html/rfc2104). Private HMACs are not truncated.
 
-The HMAC is truncated to 256 bits in accordance with AEAD_AES_256_CBC_HMAC_SHA_512.
+SHA-512 is used throughout to favor CPU rather than GPU performance.
 
-## Changes since version 3.1
+## Changes since version 3.0
 
 * Employs draft-mcgrew-aead-aes-cbc-hmac-sha2 and HKDF.
 * Computes IV and keys from salt and master key.
 * Adds validator for fast password checking
 * Replaces SHA-1 and SHA-256 with SHA-512.
-* Unifies key- and password-based formats.
+* Unifies key- and password-based formats.
+
