
Static HKDF salt "RATLS" with no key versioning #552

Description

@pbeza

The disk encryption key derivation in dstack/kms/src/main_service.rs uses a hardcoded, static HKDF salt rather than a per-instance random salt or a versioned salt/info string. The salt therefore contributes none of the extraction strength RFC 5869 attributes to a random salt, and every derived key is a deterministic function of the input keying material alone.

Root Cause

The RA-TLS key derivation uses the hardcoded salt b"RATLS" for every HKDF operation, and nothing else (no version, no epoch) is mixed into the salt or info parameter. There is no key versioning mechanism and no support for key rotation. Because the salt is static and public, each derived key depends on nothing but the IKM and the purpose label: if the IKM is compromised at any point, every key ever derived from it is compromised as well, and there is no way to retire one generation of keys without re-deriving all of them from a new IKM.

// kdf.rs:28
const SALT: &[u8] = b"RATLS";

Attack Path

  1. Attacker compromises the HKDF input keying material (e.g., via a KMS vulnerability)
  2. Because the salt is static, hardcoded and public, and no per-epoch value enters the info parameter, the attacker can re-derive every key this KDF has ever produced from the IKM alone
  3. No key versioning means there is no way to tell keys from different epochs apart, so one epoch cannot be declared compromised while the others are kept
  4. Key rotation would require changing the IKM, but any key derived from an old IKM remains derivable from that IKM plus the static salt, so rotation alone does not help unless the old IKM is also destroyed

Impact

No forward secrecy in the key derivation hierarchy: compromise of the IKM at any point reveals all past and future derived keys, because there is no epoch boundary after which earlier keys stop being derivable. The static salt adds no entropy and no per-instance or per-version domain separation beyond what the IKM and purpose label already provide; it is a fixed, public string.

Suggested Fix

  1. Include a version number in the salt or info parameter, e.g. format!("RATLS-v{}", version), and record the version alongside whatever the key protects so the right epoch can be selected at decryption time
  2. Support key rotation by bumping the version periodically; with a public salt this separates key epochs but does not by itself protect earlier epochs once the IKM leaks, so a rotation should also replace the IKM and retire the old one
  3. Consider using a random salt persisted alongside the derived keys; RFC 5869 treats the salt as a non-secret value, so this strengthens extraction but does not stop an attacker who holds the IKM and the stored salt from re-deriving the key
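As an added example, not code from dstack, the following Python implements HKDF as specified in RFC 5869 over HMAC-SHA256, checks itself against the RFC's first test vector, and places the static-salt pattern from this report next to a versioned derivation and a hypothetical per-epoch IKM rotation model. The names derive_static, derive_versioned, KeyEpochs and attacker_rederives are assumptions made for illustration, as is the purpose label b"disk-encryption"; the IKM values used with it are constructed.

```python
"""HKDF (RFC 5869) over HMAC-SHA256, with the static-salt pattern from the issue
next to a versioned derivation and a hypothetical per-epoch IKM rotation model."""
import hashlib
import hmac
import os
from typing import Dict, Optional

HASH = hashlib.sha256
HASH_LEN = hashlib.sha256().digest_size  # 32


def hkdf_extract(salt: Optional[bytes], ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An absent salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i); OKM = T(1) || T(2) || ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested OKM length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: Optional[bytes], ikm: bytes, info: bytes, length: int = 32) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hkdf_selftest() -> bool:
    """Check the implementation against RFC 5869 test case 1 (Appendix A.1)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == expected


# The pattern the issue describes: one fixed, public salt for every derivation,
# so each key is a deterministic function of the IKM and the purpose label only.
STATIC_SALT = b"RATLS"


def derive_static(ikm: bytes, purpose: bytes) -> bytes:
    return hkdf(STATIC_SALT, ikm, purpose)


# Suggested fix 1: put the version into the salt, format!("RATLS-v{}", version) style.
def derive_versioned(ikm: bytes, purpose: bytes, version: int) -> bytes:
    return hkdf(b"RATLS-v%d" % version, ikm, purpose)


class KeyEpochs:
    """Hypothetical rotation model (not dstack's): every epoch has its own IKM, so
    leaking one epoch's IKM reveals that epoch's keys and no others, and destroying
    a retired IKM makes its keys underivable. The version is what lets a consumer
    pick the right epoch for data written under an older key."""

    def __init__(self) -> None:
        self._ikm_by_version: Dict[int, bytes] = {}
        self.current = 0

    def rotate(self, ikm: Optional[bytes] = None) -> int:
        self.current += 1
        self._ikm_by_version[self.current] = ikm if ikm is not None else os.urandom(32)
        return self.current

    def derive(self, purpose: bytes, version: Optional[int] = None) -> bytes:
        v = self.current if version is None else version
        return derive_versioned(self._ikm_by_version[v], purpose, v)

    def retire(self, version: int) -> None:
        del self._ikm_by_version[version]

    def has_epoch(self, version: int) -> bool:
        return version in self._ikm_by_version


def attacker_rederives(leaked_ikm: bytes, public_salt: bytes, purpose: bytes) -> bytes:
    """What an attacker holding the IKM can compute. The salt is not secret (RFC 5869),
    so a random salt stored beside the key does not change this; only an IKM the
    attacker never obtained keeps a key out of reach."""
    return hkdf(public_salt, leaked_ikm, purpose)
```

The point the model makes concrete: derive_versioned separates epochs, so a consumer can tell which generation a key belongs to, but attacker_rederives reproduces any key whose IKM it holds no matter what the salt is. Retiring an epoch with KeyEpochs.retire, i.e. destroying its IKM, is the step that actually removes old keys from an attacker's reach.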

Note: This issue was created automatically. The vulnerability report was generated by Claude and has not been verified by a human.


Labels

  security (Security-related issue, report, or hardening work)
  security: report (Public security report or already-public security finding)
  security: roadmap (Security-related roadmap or compatibility design work)
