Reported by @lynn-stephenson

OC\Security\Crypto::calculateHMAC computes the MAC key like so:

This is vulnerable to related key attacks. The relationship between the encryption key and the MAC key is not well isolated. Note that if the MAC key is obtained, it is not feasible to obtain the encryption key from the MAC key due to the one-way function.

Solution

Use PHP's built-in hash_hkdf to split a single key into multiple keys. I highly recommend you use SHA512 with this function. Obtain the first 256 bits and use that as the encryption key, and use the last 256 bits for the MAC key. This complicates the relationship between the encryption and MAC keys, providing both different keys and preventing them from being easily related to each other.

Impact

Should an adversary obtain the encryption key (which is not entirely impractical these days) by any means, it is trivial to also compute the MAC key, resulting in loss of not only confidentiality, but also integrity and authenticity.

For further clarification, when I'm referring to a single key, I'm talking about OwnCloud's $this->config->getSystemValue('secret').
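The following is an added example, not code from the issue above or from the ownCloud/Nextcloud code base. It contrasts an illustrative key derivation of the kind the report criticises (the MAC key computed as a public one-way function of the encryption key; this is a stand-in, not the project's actual calculateHMAC() body) with the reporter's proposed fix: one hash_hkdf() call with SHA-512 whose 64-byte output is split into a 256-bit encryption key and a 256-bit MAC key. The function names, the info string 'owncloud-crypto-keys-v1' and the use of AES-256-CBC with HMAC-SHA256 in encrypt-then-MAC are assumptions made for the example; hash_hkdf() needs PHP 7.1.2 or later.

```php
<?php
declare(strict_types=1);

// Added example; not the project's code. Models the report's attacker:
// the encryption key has leaked, the MAC key has not.

// Illustrative "before" (hypothetical stand-in for the original derivation):
// the MAC key is a deterministic, public function of the encryption key,
// so whoever holds the encryption key can recompute it.
function weakKeys(string $secret): array
{
    $encKey = hash('sha512', $secret, true);        // key material used for encryption
    $macKey = hash('sha512', $encKey . 'a', true);  // MAC key = H(encKey || 'a')
    return [$encKey, $macKey];
}

// "After": one HKDF-SHA512 expansion of the single configured secret,
// 64 bytes of output, split into two independent 256-bit keys.
// The info string (assumed label) domain-separates this use of the secret.
function hkdfKeys(string $secret, string $salt = ''): array
{
    $okm = hash_hkdf('sha512', $secret, 64, 'owncloud-crypto-keys-v1', $salt);
    return [substr($okm, 0, 32), substr($okm, 32, 32)];
}

// Encrypt-then-MAC: AES-256-CBC, then HMAC-SHA256 over IV || ciphertext.
function encryptThenMac(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', substr($encKey, 0, 32), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;
}

// Verifies the tag in constant time before touching the ciphertext;
// returns null on any failure.
function decryptAndVerify(string $blob, string $encKey, string $macKey): ?string
{
    if (strlen($blob) < 16 + 32) {
        return null;
    }
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $tag)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', substr($encKey, 0, 32), OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// The attacker knows only $encKey and the (public) derivation rule of the
// weak scheme. Returns true when the forged blob passes verification.
function forgeryAccepted(callable $deriveKeys, string $secret): bool
{
    [$encKey, $macKey] = $deriveKeys($secret);
    $guessedMacKey = hash('sha512', $encKey . 'a', true);
    $forged = encryptThenMac('attacker-controlled', $encKey, $guessedMacKey);
    return decryptAndVerify($forged, $encKey, $macKey) !== null;
}

$secret = random_bytes(32);  // stand-in for the configured 'secret' value
var_dump(forgeryAccepted('weakKeys', $secret));
var_dump(forgeryAccepted('hkdfKeys', $secret));
```

With weakKeys() the recomputed MAC key equals the real one and the forgery is accepted, which is the integrity and authenticity loss the report describes; with hkdfKeys() the two halves of the HKDF output are independent, so holding the encryption key gives no usable MAC key and the forged blob is rejected. The salt parameter of hash_hkdf() may be empty, as here; if one is used it must be stored alongside the ciphertext or derived from fixed configuration, since both sides need the same value to regenerate the keys.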