6

I noticed AWS KMS generates encryption keys based off of a master key, using a key derivation function (HKDF).

What's the practical advantage of deriving keys based on a master key? Isn't it simpler and typically more secure to just generate random keys with a CSPRNG?

Fewer keys to store?

Edit: to add context to AWS KMS, it uses a hardware security module, which would seem to add a storage constraint. However, given KMS basically just generates new data encryption keys (DEKs) and wraps (envelope encrypts) them with the master key for the user to store elsewhere, it doesn't seem to change storage requirements. So it begs the question, why derive the DEKs from the master key?

Shruggie
  • 237
  • 2
  • 8
  • 1
    In a sense HKDF _is_ a CSPRNG. – Squeamish Ossifrage Mar 08 '19 at 06:41
  • Right, but is there a practical advantage to HKDF when you can generate uniformly random numbers in the first place? – Shruggie Mar 08 '19 at 07:34
  • 3
    Test vectors, reproducible computation, storage reduction as you mentioned, no reliance on an entropy source later on which might be busted… – Squeamish Ossifrage Mar 08 '19 at 07:36
  • Very interesting. I'm also considering whether they have a reason to verify the derived keys against the master key... but given they use AES-GCM to envelope encrypt the key, they should already have authentication on the key. Also, what kind of reproducible computations do you mean? – Shruggie Mar 08 '19 at 07:48
  • 2
    To @Squeamish Ossifrage's excellent comment/answer, add that with key derivation from a serial number or other form of ID, no backup of the generated keys is necessary; and that distribution of the derived keys is automagic with distribution of the master key. That's also called (key) diversification. – fgrieu Mar 08 '19 at 08:58
  • The technical details of the protocol are missing. Could you describe it or link to them so we can check how the keys are actually used? One big security related advantage of key derivation is that you can use the derived keys, possibly exposing them e.g. because of an algorithm or implementation issue, while the master key is kept secure. – Maarten Bodewes Mar 08 '19 at 11:50
  • 1
    @MaartenBodewes here are two links that discuss AWS KMS's use of KDF https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3009.pdf https://rwc.iacr.org/2018/Slides/Gueron.pdf And the documentation https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html – Shruggie Mar 08 '19 at 23:35

1 Answers1

3

Here are various advantages. Maybe they don't all apply in this case—I don't know, but there are cases in the real world in which they do apply.

  • Test vectors. You can write known-answer tests for your entire cryptosystem, end-to-end. You can verify these test vectors in a power-on self-test to cheaply detect catastrophic failure. You can easily use these test vectors to debug an interoperable alternative implementation during development.
  • Reproducible subcomputations. If you need to add a branch to a tree of subcomputations with an independent key, you can simply use a distinct label for the HKDF info parameter, and all the other computations will remain unchanged. That way, e.g., you don't have to update your test vectors, whereas you would have to if you drew keys out of a sequential PRNG.
  • Reduced storage. You only need to store as many keys as there are independent privilege domains in your system. You can simply rederive any subkeys for different purposes within a privilege domain instead of having to store them separately.
  • Reduced reliance on entropy sources. You can flash a key onto an embedded microcontroller, and use it to derive subkeys for various purposes, and even rotate keys and erase old ones, without having to rely on an entropy source on the microcontroller itself.
Squeamish Ossifrage
  • 46,897
  • 3
  • 110
  • 214