mirror of
https://github.com/minio/minio.git
synced 2024-12-25 22:55:54 -05:00
b181a693fb
This commit fixes a weakness of the key-encryption-key derivation for SSE-C encrypted objects. Before this change the key-encryption-key was not bound to / didn't depend on the object path. This allows an attacker to repalce objects - encrypted with the same client-key - with each other. This change fixes this issue by updating the key-encryption-key derivation to include: - the domain (in this case SSE-C) - a canonical object path representation - the encryption & key derivation algorithm Changing the object path now causes the KDF to derive a different key-encryption-key such that the object-key unsealing fails. Including the domain (SSE-C) and encryption & key derivation algorithm is not directly neccessary for this fix. However, both will be included for the SSE-S3 KDF. So they are included here to avoid updating the KDF again when we add SSE-S3. The leagcy KDF 'DARE-SHA256' is only used for existing objects and never for new objects / key rotation.
117 lines
5.0 KiB
Go
117 lines
5.0 KiB
Go
// Minio Cloud Storage, (C) 2015, 2016, 2017, 2018 Minio, Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
// Package crypto implements AWS S3 related cryptographic building blocks
|
|
// for implementing Server-Side-Encryption (SSE-S3) and Server-Side-Encryption
|
|
// with customer provided keys (SSE-C).
|
|
//
|
|
// All objects are encrypted with an unique and randomly generated 'ObjectKey'.
|
|
// The ObjectKey itself is never stored in plaintext. Instead it is only stored
|
|
// in a sealed from. The sealed 'ObjectKey' is created by encrypting the 'ObjectKey'
|
|
// with an unique key-encryption-key. Given the correct key-encryption-key the
|
|
// sealed 'ObjectKey' can be unsealed and the object can be decrypted.
|
|
//
|
|
//
|
|
// ## SSE-C
|
|
//
|
|
// SSE-C computes the key-encryption-key from the client-provided key, an
|
|
// initialization vector (IV) and the bucket/object path.
|
|
//
|
|
// 1. Encrypt:
|
|
// Input: ClientKey, bucket, object, metadata, object_data
|
|
// - IV := Random({0,1}²⁵⁶)
|
|
// - ObjectKey := SHA256(ClientKey || Random({0,1}²⁵⁶))
|
|
// - KeyEncKey := HMAC-SHA256(ClientKey, IV || 'SSE-C' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - SealedKey := DAREv2_Enc(KeyEncKey, ObjectKey)
|
|
// - enc_object_data := DAREv2_Enc(ObjectKey, object_data)
|
|
// - metadata <- IV
|
|
// - metadata <- SealedKey
|
|
// Output: enc_object_data, metadata
|
|
//
|
|
// 2. Decrypt:
|
|
// Input: ClientKey, bucket, object, metadata, enc_object_data
|
|
// - IV <- metadata
|
|
// - SealedKey <- metadata
|
|
// - KeyEncKey := HMAC-SHA256(ClientKey, IV || 'SSE-C' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - ObjectKey := DAREv2_Dec(KeyEncKey, SealedKey)
|
|
// - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
|
|
// Output: object_data
|
|
//
|
|
//
|
|
// ## SSE-S3
|
|
//
|
|
// SSE-S3 can use either a master key or a KMS as root-of-trust.
|
|
// The en/decryption slightly depens upon which root-of-trust is used.
|
|
//
|
|
// ### SSE-S3 and single master key
|
|
//
|
|
// The master key is used to derive unique object- and key-encryption-keys.
|
|
// SSE-S3 with a single master key works as SSE-C where the master key is
|
|
// used as the client-provided key.
|
|
//
|
|
// 1. Encrypt:
|
|
// Input: MasterKey, bucket, object, metadata, object_data
|
|
// - IV := Random({0,1}²⁵⁶)
|
|
// - ObjectKey := SHA256(MasterKey || Random({0,1}²⁵⁶))
|
|
// - KeyEncKey := HMAC-SHA256(MasterKey, IV || 'SSE-S3' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - SealedKey := DAREv2_Enc(KeyEncKey, ObjectKey)
|
|
// - enc_object_data := DAREv2_Enc(ObjectKey, object_data)
|
|
// - metadata <- IV
|
|
// - metadata <- SealedKey
|
|
// Output: enc_object_data, metadata
|
|
//
|
|
// 2. Decrypt:
|
|
// Input: MasterKey, bucket, object, metadata, enc_object_data
|
|
// - IV <- metadata
|
|
// - SealedKey <- metadata
|
|
// - KeyEncKey := HMAC-SHA256(MasterKey, IV || 'SSE-S3' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - ObjectKey := DAREv2_Dec(KeyEncKey, SealedKey)
|
|
// - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
|
|
// Output: object_data
|
|
//
|
|
//
|
|
// ### SSE-S3 and KMS
|
|
//
|
|
// SSE-S3 requires that the KMS provides two functions:
|
|
// 1. Generate(KeyID) -> (Key, EncKey)
|
|
// 2. Unseal(KeyID, EncKey) -> Key
|
|
//
|
|
// 1. Encrypt:
|
|
// Input: KeyID, bucket, object, metadata, object_data
|
|
// - Key, EncKey := Generate(KeyID)
|
|
// - IV := Random({0,1}²⁵⁶)
|
|
// - ObjectKey := SHA256(Key, Random({0,1}²⁵⁶))
|
|
// - KeyEncKey := HMAC-SHA256(Key, IV || 'SSE-S3' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - SealedKey := DAREv2_Enc(KeyEncKey, ObjectKey)
|
|
// - enc_object_data := DAREv2_Enc(ObjectKey, object_data)
|
|
// - metadata <- IV
|
|
// - metadata <- KeyID
|
|
// - metadata <- EncKey
|
|
// - metadata <- SealedKey
|
|
// Output: enc_object_data, metadata
|
|
//
|
|
// 2. Decrypt:
|
|
// Input: bucket, object, metadata, enc_object_data
|
|
// - KeyID <- metadata
|
|
// - EncKey <- metadata
|
|
// - IV <- metadata
|
|
// - SealedKey <- metadata
|
|
// - Key := Unseal(KeyID, EncKey)
|
|
// - KeyEncKey := HMAC-SHA256(Key, IV || 'SSE-S3' || 'DAREv2-HMAC-SHA256' || bucket || '/' || object)
|
|
// - ObjectKey := DAREv2_Dec(KeyEncKey, SealedKey)
|
|
// - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
|
|
// Output: object_data
|
|
//
|
|
package crypto
|