Enhanced HKDF-based key derivation with improved security features

- Implemented proper RFC 5869 compliant HKDF key derivation process
- Added Perfect Forward Secrecy (PFS) key for enhanced session security
- Improved key separation using unique info parameters for each derived key
- Enhanced salt size from 32 to 64 bytes for increased entropy
- Added comprehensive key validation and error handling
- Implemented proper ECDH + HKDF integration following Web Crypto API best practices
- Added metadata encryption key for enhanced data protection
- Improved compatibility with modern cryptographic standards (RFC 7748, NIST SP 800-56A)
- Enhanced logging and debugging capabilities for cryptographic operations
- Maintained backward compatibility while upgrading security infrastructure
Security improvements:
- Cryptographic isolation between different key purposes
- Enhanced protection against cross-key attacks
- Improved resistance to future key compromise scenarios
- Better compliance with OWASP cryptographic storage guidelines
Technical details:
- Refactored deriveSharedKeys() method for proper HKDF implementation
- Updated WebRTC manager to use new messageKey API
- Added comprehensive error handling and validation
- Improved browser compatibility with standardized cryptographic operations
- This update strengthens the existing security foundation with modern cryptographic practices while maintaining full system compatibility.
lockbitchat
2025-10-27 15:18:15 -04:00
parent 3c2bac588c
commit c7b16157fc
13 changed files with 565 additions and 435 deletions
+29 -4
@@ -101,7 +101,7 @@ class EnhancedSecureWebRTCManager {
};
// Static debug flag instead of this._debugMode
static DEBUG_MODE = false; // Set to true during development, false in production
static DEBUG_MODE = true; // Set to true during development, false in production
constructor(onMessage, onStatusChange, onKeyExchange, onVerificationRequired, onAnswerError = null, onVerificationStateChange = null, config = {}) {
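Review bot: `static DEBUG_MODE` is committed as `true` although its own trailing comment says it must be false in production, so every build made from this commit ships with the debug flag on. What the flag gates is not visible in this hunk, but the same file section adds `debug`-level logs around key derivation (key types, algorithm names, salt length), which raises the cost of leaving it enabled. Restore `static DEBUG_MODE = false; // Set to true during development, false in production`, or derive the value from build configuration instead of a source edit. The class body continues outside the hunk.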
@@ -9766,22 +9766,47 @@ async processMessage(data) {
let derivedKeys;
try {
this._secureLog('debug', 'About to call deriveSharedKeys', {
operationId: operationId,
privateKeyType: typeof this.ecdhKeyPair.privateKey,
publicKeyType: typeof peerECDHPublicKey,
saltLength: this.sessionSalt?.length,
privateKeyAlgorithm: this.ecdhKeyPair.privateKey?.algorithm?.name,
publicKeyAlgorithm: peerECDHPublicKey?.algorithm?.name
});
derivedKeys = await window.EnhancedSecureCryptoUtils.deriveSharedKeys(
this.ecdhKeyPair.privateKey,
peerECDHPublicKey,
this.sessionSalt
);
this._secureLog('debug', 'deriveSharedKeys completed successfully', {
operationId: operationId,
hasMessageKey: !!derivedKeys.messageKey,
hasMacKey: !!derivedKeys.macKey,
hasPfsKey: !!derivedKeys.pfsKey,
hasMetadataKey: !!derivedKeys.metadataKey,
hasFingerprint: !!derivedKeys.fingerprint
});
} catch (error) {
this._secureLog('error', 'Failed to derive shared keys', {
operationId: operationId,
errorType: error.constructor.name
errorType: error.constructor.name,
errorMessage: error.message,
errorStack: error.stack,
privateKeyType: typeof this.ecdhKeyPair.privateKey,
publicKeyType: typeof peerECDHPublicKey,
saltLength: this.sessionSalt?.length,
privateKeyAlgorithm: this.ecdhKeyPair.privateKey?.algorithm?.name,
publicKeyAlgorithm: peerECDHPublicKey?.algorithm?.name
});
this._throwSecureError(error, 'key_derivation');
}
// Securely set keys via helper
await this._setEncryptionKeys(
derivedKeys.encryptionKey,
derivedKeys.messageKey,
derivedKeys.macKey,
derivedKeys.metadataKey,
derivedKeys.fingerprint
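Review bot: The fields added to the `catch` block read `this.ecdhKeyPair.privateKey` without guarding `this.ecdhKeyPair`, so when the key pair is missing the logging call itself throws and `_throwSecureError(error, 'key_derivation')` is never reached; the caller then gets a raw TypeError rather than whatever that helper would raise. Use `typeof this.ecdhKeyPair?.privateKey` and `this.ecdhKeyPair?.privateKey?.algorithm?.name` in both the pre-call debug log and the catch block. Separately, `errorMessage: error.message` and `errorStack: error.stack` widen what a key-derivation failure writes to the log; unless `_secureLog` redacts them (not visible here), keeping only `errorType` as before is the safer default. The enclosing function starts and ends outside the hunk.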
@@ -10524,7 +10549,7 @@ async processMessage(data) {
this.sessionSalt
);
this.encryptionKey = derivedKeys.encryptionKey;
this.encryptionKey = derivedKeys.messageKey;
this.macKey = derivedKeys.macKey;
this.metadataKey = derivedKeys.metadataKey;
this.keyFingerprint = derivedKeys.fingerprint;
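Review bot: `this.encryptionKey = derivedKeys.messageKey;` assigns the renamed field with no check that it is present, so a `deriveSharedKeys` result that lacks `messageKey` leaves `this.encryptionKey` undefined and the failure only surfaces at the first encrypt or decrypt. A guard ahead of the assignments, for example `if (!derivedKeys?.messageKey) this._throwSecureError(new Error('messageKey missing'), 'key_derivation');`, fails closed at the point of derivation. This path also sets the key fields directly, whereas the other call site in this file section goes through `_setEncryptionKeys`; whether that helper validates its arguments is not visible here. The enclosing function starts and ends outside the hunk.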