Encrypted attributes should be hashed locally before applying HMAC #82
Comments
|
The process for computing encrypted attributes (aka blind attributes) should be better documented as well. This includes the details of first producing hashed attributes (separately SHA-256 hashing the attribute name and JCS-canonlized value) and then using those hashed attributes to produce both simple and compound hashed attributes. Compound hashed attributes separately join and SHA-256 hash the hashed attribute names and values of which they are composed to create a new hashed attribute name and value, respectively. Finally, each hashed attribute's name is HMAC's to produce the blind attribute name and the SHA-256 hash of the joined name and value is HMAC'd to produce the (salted) blind attribute value. The above process also allows for all HMAC'ing to occur at the end -- to enable computing all HMACs in parallel, which is important for efficiency when using remote key material (e.g., via WebKMS). |
In our EDV client implementation, we use SHA-256 to hash the encrypted attribute values that will be HMAC'd. We do this additional hashing prior to HMACing to improve privacy and performance; when the HMAC function is implemented via an external KMS system (e.g., WebKMS), the data to be HMAC'd must be sent to that system.
We should update the spec to require EDV clients to do this step before HMACing and provide the above rationale as security/privacy/performance considerations.
The text was updated successfully, but these errors were encountered: