[Security] Weak KDF and static salt in KMS implementation #6138

@RinZ27

Description

Weak cryptographic practices in the KMS key derivation logic currently affect the security of encrypted backends. The implementation in lib/kms/common.js relies on SHA1 with a single iteration and a static salt ("ItsTasty") for both key and IV derivation. This approach is highly susceptible to brute-force attacks and, more critically, leads to predictable IVs in AES-256-CTR mode. If a dataKey is reused, which I observed as a possibility in the current architecture, the resulting keystream will be identical, allowing for plaintext recovery through simple XOR operations.

Steps to reproduce the issue

  1. Inspect the _deriveKey method in cloudserver/lib/kms/common.js.
  2. Observe the static salt and single-iteration PBKDF2-SHA1 call.
  3. Note how createCipher and createDecipher both call _deriveKey with the same parameters for a given dataKey.

Actual result

Cryptographic schemes 0 and 1 use sub-optimal derivation parameters that do not meet modern security standards for data at rest.

Expected result

Key derivation should utilize a strong hash like SHA-256 with a significantly higher iteration count. Each encryption operation should ideally use a unique, randomized IV to prevent keystream reuse in CTR mode.

Additional information

  • Affected file: lib/kms/common.js
  • Severity: Critical (Architectural)
