[Cryptech Tech] AES SIV mode for key wrapping?

[Peter Gutmann]

Randy Bush <randy at psg.com> writes:

>first, the key wrapping does not need to be compatible with anyone else as
>one does not port keys between hsm vendors.  so the state of deployment of X
>is not of critical import.

But if the goal is to back up the contents of an HSM then you're going to need
a lot more than an encryption mode, you need a standardised (or even
proprietary-spec, but at least something) data format to encapsulate
everything.  Using the PKCS #15 spec as a guideline (I'm pretty familiar with
it, which is why I used it as a yardstick), the encryption mode used makes up
a fraction of a percent of the spec, all the rest is data formatting
requirements to make sure you can get everything you want into the exported
blob, and back out again afterwards.

>pkcs#15 has running code in C, but we would need to implement in verilog, as
>we would like critical keys to stay in the fpga.

EUNDERSPECIFIEDREQUIREMENTS :-).  When you said "back up the HSM" I assumed
you meant the equivalent of the old Safekeyper clone-HSM functionality where
you can clone the complete state of an exiting HSM into a new one.  For that
you need a complex, structured-data format that goes beyond just wrapping up a
key.  It looks like you'd need to break this down into "what happens in the
FPGA" and "what happens in the HSM as a whole".

(Also, if you're encapsulating the whole thing in a tamper-responsive mesh as
per the recent ATtiny discussion, why do you then need to isolate things in
the FPGA?  I'm still trying to understand the exact requirements here).

Peter.