Fixed
- Usage of a broken PRF for deriving keys to encrypt generated data encryption keys in case of AES-GCM
This fixes a potential security issue. See: 3300fb6
From now (v0.6.1) on the KES server uses HMAC-SHA-256 has KDF which has been proven to be a PRF
under the assumption that SHA-256 is a collision-resistant hash function.
Before, the KES server used a key derivation function (KDF) based on RFC 8452. More precisely, the KDF described in RFC 8452 has been slightly tweaked to use 128 bit nonce / IV values instead of 96 bit values. During an internal analysis we detected that this tweaked KDF version is not a pseudo-random function PRF. This violates the assumptions of the cryptographic key derivation model KES is relying on.
However, we are not aware of any attack vector that an adversary could use to exploit this issue within the KES
server threat model.