
Add encryption using libsodium keyed-hash nonce recommendation #159

Closed
tasket opened this issue Apr 29, 2023 · 11 comments
Labels
enhancement New feature or request

Comments

@tasket
Owner

tasket commented Apr 29, 2023

Per libsodium documentation, XChaCha20 nonces generated from keyed hashes are recommended to mitigate the possibility of nonce reuse. This has security advantages for a multi-session format like Wyng.

The recommended form is Hk( rnd || m ) where Hk is a keyed hash function like BLAKE2 or HMAC. The latter, HMAC, presents the possibility to use a faster hashing engine such as KangarooTwelve which is available in newer versions of PyCryptodome (the crypto library used by Wyng).

Question: There appears to be little/no guidance on the 'rnd' size. My inclination is to make it the same size as the nonce (i.e. 24 bytes), but maybe there are better choices?

Related issues:
#157
#158
#161

@tasket
Owner Author

tasket commented Apr 30, 2023

@DemiMarie @marmarek Added the keyed-hash encryption mode. It can be accessed via the test name 'xchacha20-t1' when creating a new archive, like so:

sudo wyng arch-init --dest=file:/mnt/drive1/test.backup --local=vg1/pool1 --encrypt=xchacha20-t1

tasket added a commit that referenced this issue May 4, 2023
Call digest() only once

Fix nonce comment

Issues #160 #159
@tasket tasket added this to the v0.4 milestone May 4, 2023
@tasket tasket added the enhancement New feature or request label May 4, 2023
@tasket
Owner Author

tasket commented May 12, 2023

Testing notes:

Hashing the plaintext does have a noticeable impact on performance when sending to a very fast storage medium.

Backup times for a volume holding 12GB data:

| Runtime (sec) | Wyng Encryption Mode | Nonce Method |
|---|---|---|
| 68.7 | xchacha20 | XChaCha20 concat counter |
| 83.8 | xchacha20-t1 | XChaCha20 BLAKE2b Hk(rnd\|\|m) |
| 68.0 | xchacha20-t2 | XChaCha20 rnd nonce |
| 76.3 | xchacha20-t3 | XChaCha20 HMAC-SHA256 Hk(rnd\|\|m)* |
| 68.5 | n/a | XChaCha20 BLAKE2b Hk(rnd\|\|pthash) |

The -t3 mode may not be usable as-is since I merely truncated the HMAC digest to fit in the 192-bit nonce (which appears to be OK in practice, see HMAC note below). It's still interesting to see the performance difference vs. BLAKE2b (-t1).

The last entry, improvised, doesn't have a mode. It's a simple re-use of the Wyng manifest hash of the plaintext, prefixed with rnd and fed into a keyed hash function.

The first 3 in the table are all libsodium recommendations, and I'm currently inclined to keep them as some type of option. The last 3 haven't yet been pushed to github.

@tasket
Owner Author

tasket commented May 12, 2023

KangarooTwelve: This doesn't appear to be a near-term option since the @Legrandin Cryptodome version is running slower than BLAKE2b in my comparison tests. It would have been great to be able to pair it as HMAC-K12 to obtain a more performant keyed hash with a select-able output size.

@DemiMarie

What about using the keyed hash as the key, as well as the nonce, for plain ChaCha20 (instead of XChaCha20)?

@tasket
Owner Author

tasket commented May 12, 2023

That is intriguing, being both fast and deterministic... I think it's the same as the issue #157 you posted, right?

TBH, it stretches my head somewhat beyond my comfort zone on this topic. And it has one additional complexity hurdle that I don't think was expressed in that issue: The manifest hashes are themselves encrypted, albeit under a separate key from the data; that could mean having to encrypt the metadata in a special way. We can continue discussion in 157.

@tasket
Owner Author

tasket commented May 12, 2023

HMAC Truncate:

In the HMAC RFC 2104 truncating to 192 bits is OK...

  1. Truncated output

Applications of HMAC can choose to truncate the output of HMAC by outputting the t leftmost bits of the HMAC computation for some parameter t (namely, the computation is carried in the normal way as defined in section 2 above but the end result is truncated to t bits). We recommend that the output length t be not less than half the length of the hash output (to match the birthday attack bound) and not less than 80 bits [...]

So that means the -t3 method also falls into the libsodium recommended category, assuming they do not themselves place additional restrictions on the use of HMAC output.
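
Worked example, added here and not Wyng's own code, of the two Hk(rnd || m) nonce derivations discussed in this thread: keyed BLAKE2b sized directly to the 24-byte XChaCha20 nonce (the -t1 style from the opening post) and HMAC-SHA256 truncated to its 192 leftmost bits as RFC 2104 permits (the -t3 style). It uses Python's standard library instead of PyCryptodome; the 24-byte rnd size, the nonce subkey and the plaintext chunks are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

NONCE_LEN = 24   # XChaCha20 nonce: 192 bits
RND_LEN = 24     # rnd sized like the nonce, the choice floated in the issue (assumption)


def nonce_blake2b(key: bytes, rnd: bytes, m: bytes) -> bytes:
    """Hk(rnd || m) with keyed BLAKE2b, digest sized directly to the nonce (-t1 style)."""
    h = hashlib.blake2b(key=key, digest_size=NONCE_LEN)
    h.update(rnd)
    h.update(m)
    return h.digest()


def truncation_within_rfc2104(t_bits: int, hash_bits: int) -> bool:
    """RFC 2104 sect. 5: truncated length t must be >= half the hash output and >= 80 bits."""
    return t_bits >= hash_bits // 2 and t_bits >= 80


def nonce_hmac_sha256(key: bytes, rnd: bytes, m: bytes) -> bytes:
    """Hk(rnd || m) with HMAC-SHA256 truncated to the 192 leftmost bits (-t3 style)."""
    if not truncation_within_rfc2104(NONCE_LEN * 8, 256):   # 192 >= 128 and 192 >= 80
        raise ValueError("truncation outside the RFC 2104 recommendation")
    return hmac.new(key, rnd + m, hashlib.sha256).digest()[:NONCE_LEN]


def nonces_collide(key: bytes, a: tuple, b: tuple, fn=nonce_blake2b) -> bool:
    """True when two (rnd, m) inputs map to the same nonce under the same nonce subkey."""
    return hmac.compare_digest(fn(key, *a), fn(key, *b))


if __name__ == "__main__":
    key = os.urandom(32)                 # constructed nonce-generator subkey
    m1, m2 = b"chunk one", b"chunk two"  # constructed plaintext chunks
    stuck_rnd = b"\x00" * RND_LEN        # models an RNG that repeats its output
    # Even with a repeated rnd, different plaintexts still get different nonces,
    # which is the nonce-reuse mitigation libsodium's recommendation buys.
    print(nonces_collide(key, (stuck_rnd, m1), (stuck_rnd, m2)))   # False
    # Identical rnd AND identical plaintext reproduce the nonce (equal chunks
    # become equal ciphertexts); a fresh rnd per session is what prevents that.
    print(nonces_collide(key, (stuck_rnd, m1), (stuck_rnd, m1)))   # True
    fresh_a, fresh_b = os.urandom(RND_LEN), os.urandom(RND_LEN)
    print(nonces_collide(key, (fresh_a, m1), (fresh_b, m1), nonce_hmac_sha256))   # False
```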

tasket added a commit that referenced this issue May 15, 2023
Save/send ini at checkpoints only if cadence is lt 101 as this is useful only for stateful crypto counter

get_config: Resolve ts difference if only counters differ

send: benchmark fixes

Issues #158 #159
@tasket
Owner Author

tasket commented May 15, 2023

The xchacha20-t3 mode is now available for testing.

Differences from its sibling -t1:

  • Faster, due to hardware accelerated HMAC-SHA256 instead of BLAKE2
  • Uses a subkey for the HMAC nonce generator

As usual, these modes can be used by creating a new archive with wyng arch-init --encrypt=modename


FYI: These -tN testing modes may or may not make it into the beta version, but if they do they will be re-named to something more relatable.

Also, there will likely be an xchacha20-t4 mode as well that uses the manifest hashes in some way.

@tasket
Owner Author

tasket commented May 16, 2023

If there are no objections, within a couple weeks' time I'd be ready to make the xchacha20-t3 mode the default setting for Wyng going forward.

We know it has good security, being a recommended method, and performance isn't bad on systems with SHA-256 acceleration.


It's likely I'll drop the xchacha20-t1 and aes-256-siv modes as they are slow and there is no advantage to keeping them.

tasket added a commit that referenced this issue May 25, 2023
Use HMAC-256 for faster manifest hashes #159

Handle data hashing separately from metadata hashing

Make xchacha20-t3 the default mode

Change subkey derivation from scrypt to HKDF-SHA256

get_configs: check entire .ini structure

Cleanup tmp manifests when closing them

Fix debug tmp retention: use atexit for better cleanup()

Fix benchmark mode cleanup
@tasket
Owner Author

tasket commented May 25, 2023

The data hashing algorithm for xchacha20-t3 (and -t2) has been changed to the much faster HMAC-SHA256. As a result, if you created older -t2 or -t3 archives their data will no longer be recognized as valid!

You are urged to create new -t2 and -t3 archives in that case.

(If you created archives under the old default xchacha20, they will still be handled the same way and data recognized as valid. A counter mode is still select-able as xchacha20-tc which now uses HMAC for faster data hashing.)

tasket added a commit that referenced this issue May 25, 2023
tasket added a commit that referenced this issue May 29, 2023
Use salts for subkeys, use 512 bits for each, and separate context for each subkey

Note this may invalidate test archives!

Issues #159, #161
@tasket
Owner Author

tasket commented May 29, 2023

An extra precaution was added to make the subkeys more robust. Their size has been increased to 512 bits and they now have independent 512 bit salts (slots 2 and 3) and separate contexts and separate iterations within those contexts. The subkey hash algorithm has also been changed to SHA-512. Primary keys (slots 0 and 1) now use 512 bit salts as well. This is being done to ensure ample key differentiation and strength.

This change also means if you were using any of the -tX encryption modes, those archives won't work with Wyng version 20230528 onward ...again. (Sorry about that!)

@tasket tasket mentioned this issue Jun 2, 2023
tasket added a commit that referenced this issue Jun 14, 2023
Limit messages for authentication, issue #165

Check header ci mode against authenticated cipher mode
@tasket
Owner Author

tasket commented Jun 14, 2023

The encryption mode selection names have been decided. Here is a quick rundown of the changes:

Deprecated:

xchacha20 — This is the original counter mode, which is replaced by slightly better counter mode below. This mode will continue to function for existing archives.

Removed:

xchacha20-t1 and xchacha20-t2 — No longer present in code.

Accepted:

xchacha20-t3, xchacha20-t4 and xchacha20-tc — These modes have been renamed xchacha20-msr, xchacha20-dgr and xchacha20-ct, respectively. The last option is the name going forward for the protected counter mode.

Also, the default encryption setting will be xchacha20-dgr from #161, which uses the 'Hk || rnd' amalgam for generating nonces under the data key and the simpler-to-implement but slower 'm || rnd' for metadata.

@tasket tasket closed this as completed Jun 14, 2023