Issue 1528021: Implement PBKDF2-based key derivation, random key generation,...

Issue 1528021: Implement PBKDF2-based key derivation, random key generation,... (Closed)

Created:
10 years, 8 months ago by wtc

Modified:
9 years, 7 months ago

Reviewers:
albertb, rsleevi-old

CC:
chromium-reviews, Paweł Hajdan Jr., brettw-cc_chromium.org

Base URL:
svn://chrome-svn/chrome/trunk/src/

Visibility:
Public.

Description

Implement PBKDF2-based key derivation, random key generation, and AES-CBC encryption/decryption using CryptoAPI. Contributed by Ryan Sleevi <ryan.sleevi@gmail.com>;. Original review URL: http://codereview.chromium.org/1558018 R=wtc,albertb BUG=none TEST=SymmetricKeyTest.* and EncryptorTest.* Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=44106

Patch Set 1 #

Patch Set 2 : Add encryptor_{mac,nss}.cc to CL. Still need to review scoped_capi_types.h and symetric_key_win.cc. #

Total comments: 9

Patch Set 3 : Check point: finished scoped_capi_types.h and most of symmetric_key_win.cc. #

Patch Set 4 : Add symmetric_key_{mac,nss}.cc to CL. Finished review. #

Patch Set 5 : Fix nits. #

Total comments: 8

Patch Set 6 : Make albertb's suggested changes. #

Created: 10 years, 8 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+866 lines, -92 lines)			Patch
M	base/crypto/encryptor.h	View	1	2 chunks	+12 lines, -2 lines	0 comments	Download
M	base/crypto/encryptor_mac.cc	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	base/crypto/encryptor_nss.cc	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	base/crypto/encryptor_unittest.cc	View	1 2 3 4 5	2 chunks	+82 lines, -9 lines	0 comments	Download
M	base/crypto/encryptor_win.cc	View	1 2 3 4 5	2 chunks	+85 lines, -4 lines	0 comments	Download
M	base/crypto/rsa_private_key.h	View	1	3 chunks	+6 lines, -5 lines	0 comments	Download
M	base/crypto/rsa_private_key_win.cc	View	1	3 chunks	+6 lines, -15 lines	0 comments	Download
A	base/crypto/scoped_capi_types.h	View	1 2 3 4 5	1 chunk	+124 lines, -0 lines	0 comments	Download
M	base/crypto/signature_creator.h	View	1	3 chunks	+5 lines, -4 lines	0 comments	Download
M	base/crypto/signature_creator_win.cc	View	1	2 chunks	+2 lines, -9 lines	0 comments	Download
M	base/crypto/signature_verifier.h	View		2 chunks	+7 lines, -6 lines	0 comments	Download
M	base/crypto/signature_verifier_win.cc	View	1	4 chunks	+6 lines, -20 lines	0 comments	Download
M	base/crypto/symmetric_key.h	View	1 2 3	5 chunks	+28 lines, -2 lines	0 comments	Download
M	base/crypto/symmetric_key_mac.cc	View	4	4 chunks	+6 lines, -4 lines	0 comments	Download
M	base/crypto/symmetric_key_nss.cc	View		1 chunk	+2 lines, -0 lines	0 comments	Download
M	base/crypto/symmetric_key_unittest.cc	View		2 chunks	+2 lines, -8 lines	0 comments	Download
M	base/crypto/symmetric_key_win.cc	View	1 2 3 4 5	2 chunks	+491 lines, -4 lines	0 comments	Download

Messages

Total messages: 5 (0 generated)

Expand Messages | Collapse Messages

wtc

The CL is now ready for review. Patch Set 1 is Ryan Sleevi's original CL. ...

10 years, 8 months ago (2010-04-09 00:11:22 UTC) #1

rsleevi-old

Just addressing comments, haven't reviewed in depth. In addition to the provided comments, I did ...

10 years, 8 months ago (2010-04-09 03:04:49 UTC) #2

Just addressing comments, haven't reviewed in depth. 

In addition to the provided comments, I did some double-checking and I am not
sure if it will (ever) be possible to include/use PBKDF2 as the derivation
method, as it's a non NIST/FIPS approved KDF. The list is at
http://csrc.nist.gov/groups/ST/toolkit/kdf.html , but even implementing one of
those may trigger "concerns" if it needs to be CMVP validated. I think it 
requires some further research, but an alternative solution would be to disable
/ not use the function if configured for FIPS mode (either as a Chromium config
option/command line flag or by reading the MSFT registry key). Both methods are
discussed at http://technet.microsoft.com/en-us/library/cc750357.aspx#c1 , under
Implementors and Developers sections.

The code as is still has a number of FIPS Approved use cases, so I think it's
still a good idea - just maybe not derivation.

http://codereview.chromium.org/1528021/diff/10002/14004
File base/crypto/symmetric_key_win.cc (right):

http://codereview.chromium.org/1528021/diff/10002/14004#newcode75
base/crypto/symmetric_key_win.cc:75: HCRYPTKEY unsafe_key = NULL;
Just that it doesn't automatically free (not a scoped handle), and keeping with
the naming scheme of scoped vars = safe_, but here it is not that critical as it
doesn't need to be freed unless everything suceeds, and if it does, it's placed
into a scoped handle right away.

http://codereview.chromium.org/1528021/diff/10002/14004#newcode117
base/crypto/symmetric_key_win.cc:117: PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
Less to do with the provider type, moreso the provider name/default for that
type. None of the types require 3DES as a MUST implement, IIRC. From a naive
MSFT standpoint, only the Strong and Enhanced providers expose 3DES. XP+'s
default should be Enhanced for PROV_RSA_FULL, so I'm not sure why it wouldn't be
exposed.

http://codereview.chromium.org/1528021/diff/10002/14004#newcode153
base/crypto/symmetric_key_win.cc:153: PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
Should be fine, PROV_RSA_AES is required to implement all of _FULL.

http://codereview.chromium.org/1528021/diff/10002/14004#newcode177
base/crypto/symmetric_key_win.cc:177: ok = CryptGenRandom(safe_provider,
key_size_in_bytes,
1) MSFT's security policy says HMAC keys of should be CryptImport'ed. 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf See
CryptCreateHash

2) Try it. Should get NTE_BAD_ALG if it is not an encryption (or pub/priv) alg

However, I admit it's a bit troubling since one can argue it's key generation
happening outside the boundary, even if the RNG is inside it. It may need
clarification from MSFT as to their Security Policy.

rsleevi-old

http://codereview.chromium.org/1528021/diff/10002/14004 File base/crypto/symmetric_key_win.cc (right): http://codereview.chromium.org/1528021/diff/10002/14004#newcode177 base/crypto/symmetric_key_win.cc:177: ok = CryptGenRandom(safe_provider, key_size_in_bytes, One more link I forgot, ...

10 years, 8 months ago (2010-04-09 03:16:35 UTC) #3

albertb

LGTM for headers and tests. http://codereview.chromium.org/1528021/diff/44002/2012 File base/crypto/encryptor_unittest.cc (right): http://codereview.chromium.org/1528021/diff/44002/2012#newcode42 base/crypto/encryptor_unittest.cc:42: #if defined(OS_WIN) Can this ...

10 years, 8 months ago (2010-04-09 16:41:07 UTC) #4

wtc

10 years, 8 months ago (2010-04-09 17:55:22 UTC) #5

albertb: thanks for the review!

I made all the changes you suggested in Patch Set 6.  I respond
to two of your comments below.

http://codereview.chromium.org/1528021/diff/44002/2005
File base/crypto/scoped_capi_types.h (right):

http://codereview.chromium.org/1528021/diff/44002/2005#newcode66
base/crypto/scoped_capi_types.h:66: CAPIHandle* receive() {
On 2010/04/09 16:41:07, albertb wrote:
> nit: Isn't this called get() in scoped_ptr?

No.  scoped_ptr doesn't have an equivalent method.  The
receive() method returns a pointer to |handle_| to the
caller to allow the caller to set |handle_| to a value
via the pointer.

scoped_comptr_win.h has this method.

http://codereview.chromium.org/1528021/diff/44002/2006
File base/crypto/symmetric_key_win.cc (right):

http://codereview.chromium.org/1528021/diff/44002/2006#newcode416
base/crypto/symmetric_key_win.cc:416: DCHECK_GT(l, 0);
On 2010/04/09 16:41:07, albertb wrote:
> nit: Maybe call this len instead? The DCHECK looks like 1 > 0 :)

I agree.  I changed it to capital L.

The variable names L, dkLen, and hLen violate the Style Guide.
I (or rather, Ryan) named them after the names used in the
spec.  This makes it easier to verify our code conforms to
the spec.

If we want to follow the Style Guide, these variables can
be renamed as follows:
  L: num_blocks
  dkLen: derived_key_len
  hLen: hash_len or hmac_len

Expand Messages | Collapse Messages