feat(crypto): update key derivation / tag computation to draft-03

With the newest draft now also the key id/auth tag length is used during the key derivation
to create distinct salts. Also for AES CTR mode ciphers the tag length is also taken into
account when computing the tag

BREAKING CHANGE:
The latest [changes in the draft](https://author-tools.ietf.org/diff?doc_1=draft-ietf-sframe-enc-01&doc_2=draft-ietf-sframe-enc-03) regarding the key derivation and tag computation, make theimplementation incompatible with previous versions

Author: Tobias Waurick

Cargo.toml

@@ -10,7 +10,7 @@ authors = [
   "Richard Haehne <[email protected]>",
 ]
 
-description = "pure rust implementation of SFrame draft-ietf-sframe-enc-01"
+description = "pure rust implementation of SFrame draft-ietf-sframe-enc-03"
 repository = "https://github.com/goto-opensource/sframe-rs"
 documentation = "https://docs.rs/sframe/"
 readme = "README.md"

src/crypto/aead.rs

@@ -60,7 +60,8 @@ mod test {
         thread_rng().fill(data.as_mut_slice());
         let header = Header::default();
         let cipher_suite = CipherSuite::from(CipherSuiteVariant::AesGcm256Sha512);
-        let secret = Secret::expand_from(&cipher_suite, KEY_MATERIAL.as_bytes()).unwrap();
+        let secret =
+            Secret::expand_from(&cipher_suite, KEY_MATERIAL.as_bytes(), KeyId::default()).unwrap();
 
         let _tag = cipher_suite
             .encrypt(
@@ -138,7 +139,7 @@ mod test {
     fn prepare_secret(cipher_suite: &CipherSuite, test_vec: &SframeTest) -> Secret {
         if cipher_suite.is_ctr_mode() {
             // the test vectors do not provide the auth key, so we have to expand here
-            Secret::expand_from(cipher_suite, &test_vec.key_material).unwrap()
+            Secret::expand_from(cipher_suite, &test_vec.key_material, test_vec.key_id).unwrap()
         } else {
             Secret {
                 key: test_vec.sframe_key.clone(),

src/crypto/cipher_suite.rs

@@ -3,7 +3,7 @@
 
 /// Depicts which AEAD algorithm is used for encryption
 /// and which hashing function is used for the key expansion,
-/// see [sframe draft 00 4.4](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-ciphersuites)
+/// see [sframe draft 03 4.4](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-cipher-suites)
 #[derive(Debug, PartialEq, Eq, Clone, Copy)]
 #[cfg_attr(test, derive(strum_macros::Display))]
 pub enum CipherSuiteVariant {

src/crypto/key_expansion.rs

@@ -5,22 +5,58 @@ use super::{cipher_suite::CipherSuite, secret::Secret};
 use crate::error::Result;
 
 pub trait KeyExpansion {
-    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    fn expand_from<M, K>(cipher_suite: &CipherSuite, key_material: M, key_id: K) -> Result<Secret>
     where
-        T: AsRef<[u8]>;
+        M: AsRef<[u8]>,
+        K: Into<u64>;
 }
 
-pub const SFRAME_HKDF_SALT: &[u8] = b"SFrame10";
-pub const SFRAME_HKDF_KEY_EXPAND_INFO: &[u8] = b"key";
-pub const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = b"salt";
+pub fn get_hkdf_key_expand_info(key_id: u64) -> Vec<u8> {
+    [
+        SFRAME_LABEL,
+        SFRAME_HKDF_KEY_EXPAND_INFO,
+        &key_id.to_be_bytes(),
+    ]
+    .concat()
+}
 
-#[cfg(feature = "openssl")]
-pub const SFRAME_HKDF_SUB_SALT: &[u8] = b"SFrame10 AES CTR AEAD";
-#[cfg(feature = "openssl")]
-pub const SFRAME_HKDF_SUB_ENC_EXPAND_INFO: &[u8] = b"enc";
-#[cfg(feature = "openssl")]
-pub const SFRAME_HDKF_SUB_AUTH_EXPAND_INFO: &[u8] = b"auth";
+pub fn get_hkdf_salt_expand_info(key_id: u64) -> Vec<u8> {
+    [
+        SFRAME_LABEL,
+        SFRAME_HDKF_SALT_EXPAND_INFO,
+        &key_id.to_be_bytes(),
+    ]
+    .concat()
+}
+
+const SFRAME_LABEL: &[u8] = b"SFrame 1.0 ";
+
+// For the current test vectors different labels than specified were used
+// see https://github.com/sframe-wg/sframe/issues/137
+cfg_if::cfg_if! {
+    if #[cfg(test)] {
+        const SFRAME_HKDF_KEY_EXPAND_INFO: &[u8] = b"key ";
+        const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = b"salt ";
+    } else {
+        const SFRAME_HKDF_KEY_EXPAND_INFO: &[u8] = b"Secret key ";
+        const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = b"Secret salt ";
+    }
+}
+
+cfg_if::cfg_if! {
+    if #[cfg(feature = "openssl")] {
+        pub fn get_hkdf_aead_label(tag_len: usize) -> Vec<u8> {
+            // for current platforms there is no issue casting from usize to u64
+            return [SFRAME_HDKF_SUB_AEAD_LABEL, &(tag_len).to_be_bytes()].concat()
+        }
 
+        pub const SFRAME_HDKF_SUB_AEAD_LABEL: &[u8] = b"SFrame 1.0 AES CTR AEAD ";
+        pub const SFRAME_HKDF_SUB_ENC_EXPAND_INFO: &[u8] = b"enc";
+        pub const SFRAME_HDKF_SUB_AUTH_EXPAND_INFO: &[u8] = b"auth";
+    }
+}
+
+#[cfg(feature = "openssl")]
 #[cfg(test)]
 mod test {
     use super::KeyExpansion;
@@ -30,16 +66,26 @@ mod test {
     use crate::{crypto::cipher_suite::CipherSuiteVariant, util::test::assert_bytes_eq};
 
     mod aes_gcm {
+        use crate::crypto::key_expansion::SFRAME_LABEL;
+
         use super::*;
 
         use test_case::test_case;
 
         #[test_case(CipherSuiteVariant::AesGcm128Sha256; "AesGcm128Sha256")]
         #[test_case(CipherSuiteVariant::AesGcm256Sha512; "AesGcm256Sha512")]
+
         fn derive_correct_base_keys(variant: CipherSuiteVariant) {
             let test_vec = get_sframe_test_vector(&variant.to_string());
-            let secret =
-                Secret::expand_from(&CipherSuite::from(variant), &test_vec.key_material).unwrap();
+
+            assert_bytes_eq(SFRAME_LABEL, &test_vec.sframe_label);
+
+            let secret = Secret::expand_from(
+                &CipherSuite::from(variant),
+                &test_vec.key_material,
+                test_vec.key_id,
+            )
+            .unwrap();
 
             assert_bytes_eq(&secret.key, &test_vec.sframe_key);
             assert_bytes_eq(&secret.salt, &test_vec.sframe_salt);
@@ -49,37 +95,23 @@ mod test {
     #[cfg(feature = "openssl")]
     mod aes_ctr {
         use super::*;
-        use crate::test_vectors::get_aes_ctr_test_vector;
-
         use test_case::test_case;
 
         #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_80; "AesCtr128HmacSha256_80")]
         #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_64; "AesCtr128HmacSha256_64")]
         #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_32; "AesCtr128HmacSha256_32")]
         fn derive_correct_sub_keys(variant: CipherSuiteVariant) {
-            let test_vec = get_aes_ctr_test_vector(&variant.to_string());
+            let test_vec = get_sframe_test_vector(&variant.to_string());
             let cipher_suite = CipherSuite::from(variant);
-            let secret = Secret::expand_from(&cipher_suite, &test_vec.key_material).unwrap();
 
-            assert_bytes_eq(&secret.auth.unwrap(), &test_vec.auth_key);
-            assert_bytes_eq(&secret.key, &test_vec.enc_key);
-        }
-
-        #[test]
-        fn derive_correct_keys_aes_ctr_128_hmac_sha256_64() {
-            derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_64);
-        }
-
-        #[test]
-        fn derive_correct_keys_aes_ctr_128_hmac_sha256_32() {
-            derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_32);
-        }
+            let secret =
+                Secret::expand_from(&cipher_suite, &test_vec.key_material, test_vec.key_id)
+                    .unwrap();
 
-        #[test]
-        // AesCtr128HmacSha256_80 is not available in the test vectors
-        #[ignore]
-        fn derive_correct_keys_aes_ctr_128_hmac_sha256_80() {
-            derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_80);
+            assert_bytes_eq(&secret.salt, &test_vec.sframe_salt);
+            // the subkeys stored in secret.key and secret.auth are not included in the test vectors
+            assert_eq!(secret.auth.unwrap().len(), cipher_suite.hash_len);
+            assert_eq!(secret.key.len(), cipher_suite.key_len);
         }
     }
 }

src/crypto/openssl/aead.rs

@@ -190,11 +190,14 @@ impl CipherSuite {
         let mut signer = openssl::sign::Signer::new(openssl::hash::MessageDigest::sha256(), &key)?;
 
         // for current platforms there is no issue casting from usize to u64
-        let aad_len = (aad.len() as u64).to_be_bytes();
-        let ct_len = (encrypted.len() as u64).to_be_bytes();
-        for buf in [&aad_len, &ct_len, nonce, aad, encrypted] {
+        let aad_len = &(aad.len() as u64).to_be_bytes();
+        let ct_len = &(encrypted.len() as u64).to_be_bytes();
+        let tag_len = &(self.auth_tag_len as u64).to_be_bytes();
+
+        for buf in [aad_len, ct_len, tag_len, nonce, aad, encrypted] {
             signer.update(buf)?;
         }
+
         let mut tag = signer.sign_to_vec()?;
         tag.resize(self.auth_tag_len, 0);
 

src/crypto/openssl/key_expansion.rs

@@ -5,22 +5,23 @@ use crate::{
     crypto::{
         cipher_suite::{CipherSuite, CipherSuiteVariant},
         key_expansion::{
-            KeyExpansion, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HDKF_SUB_AUTH_EXPAND_INFO,
-            SFRAME_HKDF_KEY_EXPAND_INFO, SFRAME_HKDF_SALT, SFRAME_HKDF_SUB_ENC_EXPAND_INFO,
-            SFRAME_HKDF_SUB_SALT,
+            get_hkdf_aead_label, get_hkdf_key_expand_info, get_hkdf_salt_expand_info, KeyExpansion,
+            SFRAME_HDKF_SUB_AUTH_EXPAND_INFO, SFRAME_HKDF_SUB_ENC_EXPAND_INFO,
         },
         secret::Secret,
     },
     error::{Result, SframeError},
 };
 
 impl KeyExpansion for Secret {
-    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    fn expand_from<M, K>(cipher_suite: &CipherSuite, key_material: M, key_id: K) -> Result<Secret>
     where
-        T: AsRef<[u8]>,
+        M: AsRef<[u8]>,
+        K: Into<u64>,
     {
         let try_expand = || {
-            let (base_key, salt) = expand_secret(cipher_suite, key_material.as_ref())?;
+            let (base_key, salt) =
+                expand_secret(cipher_suite, key_material.as_ref(), key_id.into())?;
             let (key, auth) = if cipher_suite.is_ctr_mode() {
                 let (key, auth) = expand_subsecret(cipher_suite, &base_key)?;
                 (key, Some(auth))
@@ -38,18 +39,20 @@ impl KeyExpansion for Secret {
 fn expand_secret(
     cipher_suite: &CipherSuite,
     key_material: &[u8],
+    key_id: u64,
 ) -> std::result::Result<(Vec<u8>, Vec<u8>), openssl::error::ErrorStack> {
-    let prk = extract_prk(cipher_suite, key_material, SFRAME_HKDF_SALT)?;
+    // No salt used for the extraction: https://www.ietf.org/archive/id/draft-ietf-sframe-enc-03.html#name-key-derivation
+    let prk = extract_pseudo_random_key(cipher_suite, key_material, b"")?;
     let key = expand_key(
         cipher_suite,
         &prk,
-        SFRAME_HKDF_KEY_EXPAND_INFO,
+        &get_hkdf_key_expand_info(key_id),
         cipher_suite.key_len,
     )?;
     let salt = expand_key(
         cipher_suite,
         &prk,
-        SFRAME_HDKF_SALT_EXPAND_INFO,
+        &get_hkdf_salt_expand_info(key_id),
         cipher_suite.nonce_len,
     )?;
 
@@ -60,7 +63,8 @@ fn expand_subsecret(
     cipher_suite: &CipherSuite,
     key: &[u8],
 ) -> std::result::Result<(Vec<u8>, Vec<u8>), openssl::error::ErrorStack> {
-    let prk = extract_prk(cipher_suite, key, SFRAME_HKDF_SUB_SALT)?;
+    let salt = get_hkdf_aead_label(cipher_suite.auth_tag_len);
+    let prk = extract_pseudo_random_key(cipher_suite, key, &salt)?;
     let key = expand_key(
         cipher_suite,
         &prk,
@@ -77,7 +81,7 @@ fn expand_subsecret(
     Ok((key, auth))
 }
 
-fn extract_prk(
+fn extract_pseudo_random_key(
     cipher_suite: &CipherSuite,
     key_material: &[u8],
     salt: &[u8],
@@ -135,3 +139,29 @@ impl From<CipherSuiteVariant> for &'static openssl::md::MdRef {
         }
     }
 }
+#[cfg(test)]
+mod test {
+
+    use super::*;
+    use crate::{test_vectors::get_aes_ctr_test_vector, util::test::assert_bytes_eq};
+
+    use test_case::test_case;
+
+    #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_80; "AesCtr128HmacSha256_80")]
+    #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_64; "AesCtr128HmacSha256_64")]
+    #[test_case(CipherSuiteVariant::AesCtr128HmacSha256_32; "AesCtr128HmacSha256_32")]
+    fn derive_correct_sub_keys(variant: CipherSuiteVariant) {
+        let test_vec = get_aes_ctr_test_vector(&variant.to_string());
+        let cipher_suite = CipherSuite::from(variant);
+
+        let aead_salt = get_hkdf_aead_label(cipher_suite.auth_tag_len);
+        assert_bytes_eq(&aead_salt, &test_vec.aead_label);
+
+        let prk = extract_pseudo_random_key(&cipher_suite, &test_vec.base_key, &aead_salt).unwrap();
+        assert_bytes_eq(&prk, &test_vec.aead_secret);
+
+        let (key, auth) = expand_subsecret(&cipher_suite, &test_vec.base_key).unwrap();
+        assert_bytes_eq(&key, &test_vec.enc_key);
+        assert_bytes_eq(&auth, &test_vec.auth_key);
+    }
+}

src/crypto/ring/key_expansion.rs

@@ -4,25 +4,34 @@
 use crate::{
     crypto::{
         cipher_suite::{CipherSuite, CipherSuiteVariant},
-        key_expansion::{
-            KeyExpansion, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HKDF_KEY_EXPAND_INFO,
-            SFRAME_HKDF_SALT,
-        },
+        key_expansion::{get_hkdf_key_expand_info, get_hkdf_salt_expand_info, KeyExpansion},
         secret::Secret,
     },
     error::{Result, SframeError},
 };
 
 impl KeyExpansion for Secret {
-    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    fn expand_from<M, K>(cipher_suite: &CipherSuite, key_material: M, key_id: K) -> Result<Secret>
     where
-        T: AsRef<[u8]>,
+        M: AsRef<[u8]>,
+        K: Into<u64>,
     {
+        let key_id = key_id.into();
         let algorithm = cipher_suite.variant.into();
-        let prk = ring::hkdf::Salt::new(algorithm, SFRAME_HKDF_SALT).extract(key_material.as_ref());
+        // No salt used for the extraction: https://www.ietf.org/archive/id/draft-ietf-sframe-enc-03.html#name-key-derivation
+        let pseudo_random_key =
+            ring::hkdf::Salt::new(algorithm, b"").extract(key_material.as_ref());
 
-        let key = expand_key(&prk, SFRAME_HKDF_KEY_EXPAND_INFO, cipher_suite.key_len)?;
-        let salt = expand_key(&prk, SFRAME_HDKF_SALT_EXPAND_INFO, cipher_suite.nonce_len)?;
+        let key = expand_key(
+            &pseudo_random_key,
+            &get_hkdf_key_expand_info(key_id),
+            cipher_suite.key_len,
+        )?;
+        let salt = expand_key(
+            &pseudo_random_key,
+            &get_hkdf_salt_expand_info(key_id),
+            cipher_suite.nonce_len,
+        )?;
 
         Ok(Secret {
             key,

src/header/basic_header.rs

@@ -11,7 +11,7 @@ use super::{
 };
 
 bitfield! {
-    /// Modeled after [sframe draft 00 4.2](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-sframe-header)
+    /// Modeled after [sframe draft 03 4.3](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-sframe-header)
     /// ```txt
     ///  0 1 2 3 4 5 6 7
     /// +-+-+-+-+-+-+-+-+---------------------------------+

src/header/extended_header.rs

@@ -13,7 +13,7 @@ use super::{
 };
 
 bitfield! {
-    /// Modeled after [sframe draft 00 4.2](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-sframe-header)
+    /// Modeled after [sframe draft 03 4.3](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-sframe-header)
     /// ```txt
     ///  0 1 2 3 4 5 6 7
     /// +-+-+-+-+-+-+-+-+---------------------------+---------------------------+

src/header/mod.rs

@@ -44,7 +44,7 @@ pub trait HeaderFields {
 }
 
 /// Sframe header with a KID with a length of up to 3bits
-/// modeled after [sframe draft 00 4.2](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-sframe-header)
+/// modeled after [sframe draft 03 4.3](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-sframe-header)
 /// ```txt
 ///  0 1 2 3 4 5 6 7
 /// +-+-+-+-+-+-+-+-+---------------------------------+
@@ -73,7 +73,7 @@ impl BasicHeader {
     }
 }
 /// Extended sframe header with a KID with a length of up to 8 bytes
-/// modeled after [sframe draft 00 4.2](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-sframe-header)
+/// modeled after [sframe draft 03 4.3](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-sframe-header)
 /// ```txt
 ///  0 1 2 3 4 5 6 7
 /// +-+-+-+-+-+-+-+-+---------------------------+---------------------------+
@@ -102,7 +102,7 @@ impl ExtendedHeader {
 }
 
 #[derive(Copy, Clone, Debug)]
-/// Represents an Sframe header modeled after [sframe draft 00 4.2](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-01#name-sframe-header)
+/// Represents an Sframe header modeled after [sframe draft 03 4.3](https://datatracker.ietf.org/doc/html/draft-ietf-sframe-enc-03#name-sframe-header)
 /// containing the key id of the sender (KID) and the current frame count (CTR).
 /// There are two variants, either with a KID represented by 3 bits (Basic) and an extended version with a KID of up to 8 bytes (Extended).
 /// The CTR field has a variable length of up to 8 bytes where the size is represented with LEN. Here LEN=0 represents a length of 1.
@@ -218,7 +218,6 @@ mod test {
     use super::{frame_count::FrameCount, keyid::KeyId, Header};
     use crate::header::{Deserialization, HeaderFields};
     use crate::util::test::assert_bytes_eq;
-    use crate::CipherSuiteVariant::{AesGcm128Sha256, AesGcm256Sha512};
 
     use pretty_assertions::assert_eq;