[Cryptech Core] auto-zeroise and complex use cases

Joachim Strömbergson joachim at assured.se
Thu Dec 13 10:07:18 UTC 2018


Aloha!

Background:
I've recently implemented an auto-zeroise functionality in the keywrap
core. The functionality basically sets a timer when a wrapping key has
been loaded. Loading implies that the given wrapping key has been used
to initialize the AES core within the keywrap core with the given key.

If no keywrap operations are performed before the timer expires, the key
material in all registers within keywrap itself and in AES are zeroised.
Currently the default timeout is something like 10 seconds, given a
clock frequency of 90 MHz.

If any wrap/operation is started, the timer will stop until the
operation has completed. The timer is also set to the timeout value.

SW can adjust the timeout as it sees fit. SW can also force the timer to
restart at the timeout value. Finally SW can trigger zeroisation if needed.

Given this functionality, the keywrap can perform long, complex keywrap
operations that last thousands of cycles.


After implementing the auto-zeroise functionality in keywrap, I started
thinking that it would be better to move the functionality into the AES
core itself. keywrap would be simpler, and other AES use cases would
benefit automatically.

However Rob stated that he saw problems with this, that there might be
complex use cases for which the auto-zeroise could be a problem. I've
tried to come up with use cases where this would be a problem. Things
like use cases where new AES operations are done rarely over long spans
of time (many seconds to minutes, hours). But since the timeout can be
set by SW and since SW can keep the loaded key alive indefinitely by
periodically checking status, this type of use case should be possible
to support also.

So, Rob, can you explain what problems you saw and for which use cases?


One possibility is to allow SW to enable/disable the auto-zeroise
functionality. But it sounds like a good way to bypass security
functionality. Or would this be ok?

-- 
Med vänlig hälsning, Yours

Joachim Strömbergson
========================================================================
                               Assured AB
========================================================================
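
A small behavioural model of the timer rules described in the message above, added here as an illustration; it is not code from the post or from the Cryptech cores, and the class, method and parameter names are hypothetical. It assumes the timer counts clock cycles and is reloaded when an operation starts, and it runs the idle-expiry, long-operation and SW keep-alive cases through one scenario function.

```python
class AutoZeroiseModel:
    """Cycle-level model of the timer described above (hypothetical names)."""
    def __init__(self, timeout_cycles):
        self.timeout = self.timer = timeout_cycles  # SW-adjustable, in cycles
        self.busy = False           # True while a wrap/unwrap operation runs
        self.key = bytearray(32)    # stands in for keywrap and AES key registers
        self.loaded = False

    def load_key(self, key):
        self.key[:] = key
        self.loaded = True
        self.timer = self.timeout   # loading a key arms the timer

    def restart_timer(self):        # SW forces the timer back to the timeout
        self.timer = self.timeout

    def zeroise(self):              # on timer expiry, or on SW request
        self.key[:] = bytes(len(self.key))
        self.loaded = False

    def operation(self, cycles):
        self.busy = True            # timer stops while the operation runs
        self.timer = self.timeout   # and is set to the timeout value
        self.tick(cycles)           # no countdown while busy
        self.busy = False

    def tick(self, cycles=1):
        if not self.loaded or self.busy:
            return
        self.timer = max(0, self.timer - cycles)
        if self.timer == 0:
            self.zeroise()


def key_survives(timeout, idle_gaps, keepalive_every=None, op_cycles=5000):
    """True if the key is still loaded after idling each gap, then running an op."""
    core = AutoZeroiseModel(timeout)
    core.load_key(bytes(range(32)))             # constructed sample key
    for gap in idle_gaps:
        while gap > 0 and core.loaded:
            step = min(gap, keepalive_every or gap)
            core.tick(step)
            if keepalive_every:
                core.restart_timer()            # SW keep-alive
            gap -= step
        if not core.loaded:
            return False
        core.operation(op_cycles)
    return core.loaded
```

With a 1000-cycle timeout, an operation of 5000 cycles does not trip the timer, an idle gap of 1500 cycles does, and a keep-alive every 400 cycles holds the key across an idle gap of any length.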
