yubihsm setup: use hkd32 crate to derive key hierarchy #302

`hkd32` is an implementation of the same hierarchical key derivation algorithm the KMS was previously using, which is an extracted subset of the symmetric parts of BIP32 derivation (to the point it could potentially be used to implement a full BIP32). The `hkd32` crate has the advantage of using a zeroize-on-drop type for all key material, as opposed to some of the manual zeroization this crate was previously using. In addition, it has some richer types for things like derivation paths, which may be potentially useful in the future. There is one case that deviated from the previous implementation, which is the behavior of calling derive with an empty derivation path. Before it would output the "chain code" derived after inputting the `DERIVATION_VERSION`, whereas when using `hkd32` it correctly outputs the other half of the derived key material, which is intended to be used as a secret key. Nothing presently calls the derivation function with an empty derivation path, except for a test I just added today in #299. While the output for this case differs, it has no practical impact, and if anything the function outputting the raw chain code for the first level of the hierarchy (which is the version number) is a sharp edge that could potentially leak what is the root key to the entire hierarchy if it were to be called with an empty derivation path. `hkd32` uses a fully uniform derivation algorithm which treats the `DERIVATION_VERSION` like any other part of the path, and therefore does not have this sharp edge. Test vectors for path lengths of 1, 2, and 3 all pass with the original vectors.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

yubihsm setup: use hkd32 crate to derive key hierarchy #302

yubihsm setup: use hkd32 crate to derive key hierarchy #302

Commits on Jul 24, 2019