Details

    • Sub-task
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • encryption, security
    • None

    Description

      When we are locally managing master key material and users have supplied their own data key material, derive the actual data keys using HKDF (https://tools.ietf.org/html/rfc5869):

      DK' = HKDF(S, DK, MK)

      where

      S = salt
      DK = user-supplied data key
      MK = master key

      DK' = derived data key for the HFile

      User-supplied key material may be weak, or an attacker may have some partial knowledge of it.

      Where we generate random data keys we can still use HKDF as a way to mix more entropy into the secure random generator.

      DK' = HKDF(R, MK)

      where

      R = random key material drawn from the system's secure random generator
      MK = master key

      (Salting isn't useful here because salt S and R would be drawn from the same pool, so will not have statistical independence.)

          People

            Unassigned
            apurtell Andrew Kyle Purtell