[Cryptech Tech] AES SIV mode for key wrapping?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Mar 18 07:36:27 UTC 2015


Randy Bush <randy at psg.com> writes:

>first, the key wrapping does not need to be compatible with anyone else as
>one does not port keys between hsm vendors.  so the state of deployment of X
>is not of critical import.

But if the goal is to back up the contents of an HSM then you're going to need
a lot more than an encryption mode, you need a standardised (or even
proprietary-spec, but at least something) data format to encapsulate
everything.  Using the PKCS #15 spec as a guideline (I'm pretty familiar with
it, which is why I used it as a yardstick), the encryption mode used makes up
a fraction of a percent of the spec, all the rest is data formatting
requirements to make sure you can get everything you want into the exported
blob, and back out again afterwards.

>pkcs#15 has running code in C, but we would need to implement in verilog, as
>we would like critical keys to stay in the fpga.

EUNDERSPECIFIEDREQUIREMENTS :-).  When you said "back up the HSM" I assumed
you meant the equivalent of the old Safekeyper clone-HSM functionality where
you can clone the complete state of an existing HSM into a new one.  For that
you need a complex, structured-data format that goes beyond just wrapping up a
key.  It looks like you'd need to break this down into "what happens in the
FPGA" and "what happens in the HSM as a whole".

(Also, if you're encapsulating the whole thing in a tamper-responsive mesh as
per the recent ATtiny discussion, why do you then need to isolate things in
the FPGA?  I'm still trying to understand the exact requirements here).

Peter.
