Yes, it doesn't increase the entropy of the key as such, but using a
fixed or session-specific "salt" per direction, and hashing it together
with the session key to generate a stream-specific key will prevent that
type of XOR attack.
Same for doubling the nonce for ChaCha / ChaCha64, so the nonce can be
split in two (one per stream direction).
However, both client and server need to be aware **and** agree that they
need to do this, otherwise older clients cannot connect to newer servers
nor can newer clients connect to older servers.
The current wire crypt exchange doesn't really allow for this: the
server can send additional info to the client, but the client cannot
send additional information to the server (i.e. to confirm it used the
new key-generation). So this requires either a new protocol version
(either to allow more info to be sent by client to server as part of
op_crypt, or the new key-generation is selected based on the protocol
version), or it requires introducing another wire crypt plugin name or
key type, where the newer key types are listed before the older key types.
Defining a new key type might be the simplest way forward. For example,
with `WireCryptPlugin = ChaCha64, ChaCha, Arc4` configured in
firebird.conf, the server sends Symmetric2 (ChaCha64, ChaCha, Arc4),
Symmetric (ChaCha64, ChaCha, Arc4), so new clients can select the new
Symmetric2 variant, while older clients can select the Symmetric variant.
The Symmetric2 variant will then define:
1) How to derive a stream specific key (e.g. use
SHA256(<stream-specific-part>,<session-key>); As far as I know, Arc4
will work with 256-bit keys, but otherwise we could use
SHA1(<stream-specific-part>,<session-key>) for Arc4 to keep the key 160
bits like now)
2) What <stream-specific-part> is, e.g. fixed data like the strings
"firebird-server-to-client", "firebird-client-to-server", or maybe
something session-specific sent in op_cond_accept or op_accept_data in
the server keys buffer (say TAG_SERVER_STREAM_ID for server-to-client,
TAG_CLIENT_STREAM_ID for client-to-server, both with, say, 128-bits of
random data).
3) For ChaCha and ChaCha64, it doubles the "plugin specific data" size,
so it can be split in two, so the nonce is different per direction, and
which part of the plugin specific data is for which direction.
However, I don't know if and how the existing wire crypt plugin API
allows for them to register with multiple key types, so I don't know if
this is a feasible approach in that regard.
Mark
--
Mark Rotteveel