mirror of https://github.com/minio/minio.git
999bbd3a14
This commit changes how MinIO generates the object encryption key (OEK) when encrypting an object using server-side encryption. This change is fully backwards compatible. Now, MinIO generates the OEK as following: ``` Nonce = RANDOM(32) // generate 256 bit random value OEK = HMAC-SHA256(EK, Context || Nonce) ``` Before, the OEK was computed as following: ``` Nonce = RANDOM(32) // generate 256 bit random value OEK = SHA256(EK || Nonce) ``` The new scheme does not technically fix a security issue but uses a more familiar scheme. The only requirement for the OEK generation function is that it produces a (pseudo)random value for every pair (`EK`,`Nonce`) as long as no `EK`-`Nonce` combination is repeated. This prevents a faulty PRNG from repeating or generating a "bad" key. The previous scheme guarantees that the `OEK` is a (pseudo)random value given that no pair (`EK`,`Nonce`) repeats under the assumption that SHA256 is indistinguable from a random oracle. The new scheme guarantees that the `OEK` is a (pseudo)random value given that no pair (`EK`, `Nonce`) repeats under the assumption that SHA256's underlying compression function is a PRF/PRP. While the later is a weaker assumption, and therefore, less likely to be false, both are considered true. SHA256 is believed to be indistinguable from a random oracle AND its compression function is assumed to be a PRF/PRP. As far as the OEK generating is concerned, the OS random number generator is not required to be pseudo-random but just non-repeating. Apart from being more compatible to standard definitions and descriptions for how to generate crypto. keys, this change does not have any impact of the actual security of the OEK key generation. Signed-off-by: Andreas Auernhammer <github@aead.dev> |
||
|---|---|---|
| .. | ||
| amztime | ||
| arn | ||
| auth | ||
| bpool | ||
| bucket | ||
| cachevalue | ||
| color | ||
| config | ||
| crypto | ||
| deadlineconn | ||
| disk | ||
| dsync | ||
| etag | ||
| event | ||
| fips | ||
| grid | ||
| handlers | ||
| hash | ||
| http | ||
| init | ||
| ioutil | ||
| jwt | ||
| kms | ||
| lock | ||
| logger | ||
| lsync | ||
| mcontext | ||
| mountinfo | ||
| net | ||
| once | ||
| pubsub | ||
| rest | ||
| s3select | ||
| store | ||