[Cryptech Core] auto-zeroise and complex use cases

Joachim Strömbergson joachim at assured.se
Thu Dec 13 15:40:00 UTC 2018


Aloha!

On 2018-12-13 15:43, Rob Austein wrote:
> Um, what I think I said was that I'm sure we want auto-zeroing when
> using the keywrap core, but that I'm not sure we've thought through
> other uses of the AES core well enough to really know yet whether this
> a good idea in the general case.  I also explicitly stated that this
> was an initial gut reaction rather than a considered opinion.
> 
> We haven't yet done anything with even the simple non-ECB modes, much
> less complex ones like GCM or CCM.  Auto-zeroing is *probably*
> harmless in such modes, but once we start talking about doing these
> modes in Verilog I suspect things might get complex, at which point we
> might wish that the AES core itself was just the simplest possible
> building block.

Since I have implemented both GCM and CCM in hardware in other projects
I'm fairly certain that this type of functionality would not affect
those modes. Especially GCM, where AES is simply used in CTR mode. CCM is
imho less complex than keywrap.


> At some level it feels like auto-zeroing is something that belongs on
> the user-interface edge of a core, not deep in the guts of a core used
> as one component of more complex cores.  That's really more your field
> of expertise than mine, so I'll defer if you're sure this will always
> be harmless, but I would like folks to at least think about it a bit
> before rushing to a decision that doesn't need to be made in haste.

I can agree on the not rushing to a decision. That is why I initiated
this discussion, not simply started pushing the functionality into AES.

I can understand that one might want to see this as API-level
functionality. And to a large extent it really is. The control/state
part is just a few registers that SW can manipulate. Then you do need to
get into the guts to really zeroise the registers that store key material.

-- 
Best regards, Yours

Joachim Strömbergson
========================================================================
                               Assured AB
========================================================================
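To make the control/key split discussed above concrete, here is a hypothetical key register bank (added illustration, not code from the Cryptech AES core or from this thread): the auto-zeroise bit sits in the API-facing control register, but the clear itself has to reach the flip-flops that hold the key. Port and signal names are assumptions.

```verilog
// Hypothetical key register bank (not the Cryptech AES core) with an
// auto-zeroise bit in the API-facing control register.
module key_store #(parameter KEY_WIDTH = 256)
(
  input  wire                 clk,
  input  wire                 reset_n,
  // API side: software writes the key and the control register.
  input  wire                 key_we,           // key register write enable
  input  wire [KEY_WIDTH-1:0] key_in,
  input  wire                 ctrl_we,          // control register write enable
  input  wire                 auto_zeroise_in,  // value written to the control bit
  input  wire                 zeroise_now,      // explicit one-shot zeroise from SW
  // Core side: the cipher engine reports when an operation has finished.
  input  wire                 core_done,
  output wire [KEY_WIDTH-1:0] key_out,
  output wire                 auto_zeroise
);

  reg [KEY_WIDTH-1:0] key_reg;
  reg                 auto_zeroise_reg;

  // Key material is cleared on reset, on explicit request, or when the
  // core finishes an operation while auto-zeroise is enabled.  This is
  // the part that has to reach into the registers holding the key.
  wire clear_key = zeroise_now | (core_done & auto_zeroise_reg);

  always @(posedge clk or negedge reset_n)
    begin
      if (!reset_n)
        begin
          key_reg          <= {KEY_WIDTH{1'b0}};
          auto_zeroise_reg <= 1'b0;
        end
      else
        begin
          if (ctrl_we)
            auto_zeroise_reg <= auto_zeroise_in;
          // Clearing takes priority over a simultaneous key write.
          if (clear_key)
            key_reg <= {KEY_WIDTH{1'b0}};
          else if (key_we)
            key_reg <= key_in;
        end
    end

  assign key_out      = key_reg;
  assign auto_zeroise = auto_zeroise_reg;

endmodule
```

In a real AES core the expanded round keys also hold key material, so the same clear would need to reach the key expansion registers, not only the input key register shown here.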
