[Cryptech Tech] Key generation and storage
Joachim Strömbergson
joachim at secworks.se
Fri Jan 30 08:48:19 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Aloha!
Rob Austein wrote:
> So, again: what's the problem we're trying to solve by moving key
> generation onto the FPGA?
The discussion Jakob and I had (and why we added this as as a question
in the mail Jakob posted), is if it would be possible to never ever have
secret keys in cleartext outside of the FPGA and thus out of the SW
domain. If there would be a benefit to do so in terms? And if that
benefit would outweigh the added complexity in HW?
Moving the at-rest storage handling from the FPGA to the ARM makes it
easier to increase the size of the storage, handle FLASH wear leveling
etc [1]. As long as the FPGA has the Master Key and handles key wrapping
we should be able to have a clear separation where keys are used and
thus unwrapped, and where they can be efficiently stored. It probably
makes for a simpler and more flexible solution.
Moving the key generation into the FPGA might strengthen the separation,
but would make the FPGA more complex. The question is how bad it would be?
I have done some searches, but not found any good papers describing
complete RSA key generation in FPGAs. Peter, do you know about any
published research into this?
[1] When Jakob and I discussed this our conclusion was that wear
leveling quite probably would not be needed for FLASH memory based key
storage. They are basically never rewritten. But the metadata records
for the keys might be written a bit more often. What makes having the
CPU handling the FLASH storage better is to handle FLASH page access
issues.
- --
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Joachim Strömbergson Secworks AB joachim at secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJUy0VSAAoJEF3cfFQkIuyNIpsP/1wdg86AHqmK79A4BCv1ZXYV
BffHn+k3lm6IlYILsTYxDh5USKBBUy20YT1Y9NNqjymQzYW2VsUTMLXy5YxwuVnA
A7DYdj2T/U0tKHmWv0dLV0497U0xW4fF00dOll+zBMVPA/DK+D0sXt0fitY42YN8
OP4sBNlE0LegZYYKfAzzQtQhCeBvogdVaEUiCBcUgfOY1zXaqiFMysdv8plr3Vze
m697GA03iztIUHN7MgkvGsTdNh8rzm25JmIYsP/tZkNj7+uUXakSKwIbRrhqcyMZ
uPN+VA5fJT6iMXKAts9xkClcCYqc9Ps4TeSfWiGkMltgEMcPRHgKqgH0Z/INtI55
cN3JenzsQTQ/nvgaTxPqQIm+c1hCJ7S0NGo1gciTFxECsv8E9CrszhZWMY7SOjqQ
bfpeoedgKAvPzbknVKwrXA8hpwqfoLTyKj/mbZv5qZVPvDCtwfL3HM2D0yqGMXT9
WoqeHPeMsuD8AnmNxPaot8f2+drUjBn2/qiDT8IF9nQVPoYrvikBCj0zAnFv9hZr
n0qswjwJ7IhgZoN+Kv8Tq7Kb6abEFgcbeCjfwSxSL3PU1DUJmk58Qft534FkML2N
rfTGVomQHbNPFF+qbiK7s8QF3wOtRoEWOT0WIWoUU+k3B0/qLxQ/40fXGeSQgOSG
UAQYqSHFcdOGPkdOUKzt
=yndO
-----END PGP SIGNATURE-----
More information about the Tech
mailing list