[Cryptech Tech] Incremental digest outputs
Bernd Paysan
bernd at net2o.de
Mon Nov 17 22:46:59 UTC 2014
On Tuesday, 18 November 2014, 00:44:33, Basil Dolmatov wrote:
> On 17 Nov 2014, at 23:49, Rob Austein <sra at hactrn.net> wrote:
> > At Mon, 17 Nov 2014 09:52:56 +0100, Joachim Strömbergson wrote:
> >> Bernd Paysan wrote:
> >>> So yes, I'd like to have a push/pop the current state of a hash
> >>> algorithm. That's doable when the entire state is memory mapped.
> >>
> >> And fairly easy to add. And then update the security model to state that
> >> this assumes that observing the state or manipulating the state by an
> >> evildoer is blocked by mechanisms outside of the core.
> >
> > So that is one of the real questions: do we need this functionality
> > badly enough that we should weaken what protection blue currently has
> > against attacks by green?
> >
> > I don't think our overall design model ever really expected blue to be
> > strongly defended against attacks by green, but one can make both
> > Principle of Least Privilege and defense in depth arguments against
> > granting green any access it does not really need to do its job.
> >
> > Related question: is it green that needs this access, or only other
> > parts of blue (i.e., other cores)?
>
> I really cannot imagine any _real_ need for that kind of access,
A simple push/pop state (with a stack depth of 1), or a save/restore (to and
from saved states) is sufficient to implement this Dan-Bernstein-style
deterministic elliptic curve signature. It also can be done by first
extracting the digest, and then feeding it in again, not using the full state
of the hash (this is only important for hashes where the full state actually
*is* more than the thing you get out); this just changes the outcome of the
calculation; and I don't like it, because it needlessly reduces the security
promise of this signature-internal operation.
For an HSM, you might have the first part (the hashing of a big multi-gigabyte
file) outside the HSM, and the second part (the signature) in the HSM; in this
case, it's sufficient when you can write the state of the hash.
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
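The two alternatives Bernd contrasts (restoring the full hash state versus finalizing and feeding the digest back in) and the HSM split he describes, as an added example that is not part of the original thread or of any Cryptech code. It is a software model: Python's `hashlib` `copy()` stands in for reading and writing a memory-mapped core state, `HashStateStack` with depth 1 is a constructed stand-in for the push/pop primitive, and the secret suffix passed to `inside_hsm` is a placeholder for whatever the signature scheme would append, not the actual signature construction.

```python
import hashlib


class HashStateStack:
    """Hash core with a single-slot push/pop of its internal state.

    Constructed model, not Cryptech code: push() snapshots the full
    internal state and pop() restores it. Depth is 1, which the thread
    says is sufficient. Whoever can call pop() can read/replay the state,
    so in hardware this must be guarded outside the core (the security
    model update Joachim mentions).
    """

    def __init__(self, algo="sha512"):
        self._h = hashlib.new(algo)
        self._saved = None

    def update(self, data: bytes) -> None:
        self._h.update(data)

    def push(self) -> None:
        # hashlib's copy() stands in for reading the memory-mapped state
        self._saved = self._h.copy()

    def pop(self) -> None:
        if self._saved is None:
            raise RuntimeError("no saved state")
        # copy again so the saved slot survives repeated pops
        self._h = self._saved.copy()

    def digest(self) -> bytes:
        return self._h.digest()


def fork_digests(message: bytes, suffixes, algo="sha512"):
    """Hash `message` once, then derive H(message || s) for every suffix s
    by restoring the saved state, without re-reading the message."""
    core = HashStateStack(algo)
    core.update(message)
    core.push()
    out = []
    for s in suffixes:
        core.pop()
        core.update(s)
        out.append(core.digest())
    return out


def refeed_digest(message: bytes, suffix: bytes, algo="sha512"):
    """The variant Bernd dislikes: finalize, then feed the digest back in.
    This yields H(H(message) || suffix), which is not H(message || suffix),
    so the construction changes and the hash's full internal state is
    replaced by a single digest-sized value."""
    inner = hashlib.new(algo, message).digest()
    return hashlib.new(algo, inner + suffix).digest()


def outside_hsm(big_message: bytes, algo="sha512") -> HashStateStack:
    """Untrusted side: absorb the large file and save the resulting state.
    Assumption: the core can export that state across the HSM boundary."""
    core = HashStateStack(algo)
    core.update(big_message)
    core.push()
    return core


def inside_hsm(core: HashStateStack, secret_suffix: bytes) -> bytes:
    """HSM side: write the imported state back into the core and finish
    with secret-dependent data that never leaves the HSM. `secret_suffix`
    is a placeholder for what a real scheme would append."""
    core.pop()
    core.update(secret_suffix)
    return core.digest()


if __name__ == "__main__":
    # constructed sample: a large message and two domain-separation tags
    msg = b"A" * 100_000
    d_x, d_y = fork_digests(msg, [b"x", b"y"])
    print(d_x == hashlib.sha512(msg + b"x").digest())   # state restore matches one-shot hash
    print(refeed_digest(msg, b"x") == d_x)              # refeeding the digest does not
    print(inside_hsm(outside_hsm(msg), b"SECRET-PLACEHOLDER") == hashlib.sha512(msg + b"SECRET-PLACEHOLDER").digest())
```

The `fork_digests` check is the whole point of a restorable state: every derived value equals the plain one-shot hash of `message || suffix`, so the signature scheme's definition is unchanged, whereas `refeed_digest` silently defines a different function.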