[Cryptech Tech] Key wrap in HW

Joachim Strömbergson joachim.strombergson at assured.se
Mon Jun 18 14:46:05 UTC 2018


I’ve spent a couple of hours reading RFC 3394 specifying AES Key Wrap, and RFC 5649 specifying a version of RFC 3394 with padding to handle data/plaintext that is not a multiple of 64 bits.

The core of the Key Wrap algorithm as described in RFC 3394, section 2.2.1 on page 5 is this:

     For j = 0 to 5
           For i=1 to n
               B = AES(K, A | R[i])
               A = MSB(64, B) ^ t where t = (n*j)+i
               R[i] = LSB(64, B)

Where R[i] contains the plaintext divided into 64-bit blocks and A is a 64-bit authenticator state register. Basically we loop over all blocks six times, updating the blocks as well as the authenticator state each time.

Building this in HW is not hard. What it would require is a data buffer able to handle the size of the plaintext, info about the size of the plaintext and the wrapping key. The resulting wrapped text (the ciphertext) will be available in the buffer after processing.

For larger plaintexts, a 4096-bit RSA key for example, having the wrapping functionality in HW instead of in SW should cut down the number of times a given 64-bit data block is sent over the FMC bus to and from the AES core quite a lot. And the HW would be able to use the AES core much faster than SW that waits for the AES core to signal via the FMC that it is ready. So I think there is a good opportunity to speed up key wrap/unwrap.

The key issue I see is how key wrapping is used in the Alpha. Are we wrapping/unwrapping single keys? Or is wrapping/unwrapping performed on a bunch of keys that belong to the same plaintext? If we do wrap/unwrap on a per-key basis, the size of the processing buffer will not be that big, and we can implement this with the block memories in the FPGA without any problems. 8192 bits, for example, should be no problem.

Rob, what are your thoughts?

Kind regards,

Joachim Strömbergson - Assured AB
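As an added example (not code from the mail, from RFC 3394 itself, or from the Cryptech project), the loop quoted above carried through in Go with the standard library's AES, together with the matching unwrap and its integrity check. It reproduces the RFC 3394 section 4.1 test vector, and Wrap also returns the number of AES block operations, which is the quantity behind the FMC argument: in software every one of those operations moves 128 bits to the core and 128 bits back. For a 4096-bit payload n = 64, so the wrap costs 6*64 = 384 AES operations, all of which a HW wrapper would keep on-chip. The 512-byte payload is a constructed stand-in for an RSA key, and the names Wrap, Unwrap and mustHex are my own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the initial value for A from RFC 3394 section 2.2.3.1.
var defaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements RFC 3394 section 2.2.1 (the loop quoted in the mail).
// It returns the (n+1)*8-byte wrapped key and the number of AES block
// operations performed (6*n), each of which a SW implementation must push
// over the bus to the AES core and read back.
func Wrap(kek, plaintext []byte) (wrapped []byte, aesCalls int, err error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, 0, errors.New("plaintext must be >= 2 blocks and a multiple of 64 bits (RFC 5649 covers padding)")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, 0, err
	}
	n := len(plaintext) / 8
	a := defaultIV
	r := make([][8]byte, n+1) // r[1..n] as in the RFC; index 0 unused
	for i := 1; i <= n; i++ {
		copy(r[i][:], plaintext[(i-1)*8:i*8])
	}
	var in, out [16]byte
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			copy(in[:8], a[:])   // B = AES(K, A | R[i])
			copy(in[8:], r[i][:])
			block.Encrypt(out[:], in[:])
			aesCalls++
			t := uint64(n*j + i) // A = MSB(64, B) ^ t, t as a big-endian integer
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(out[:8])^t)
			copy(r[i][:], out[8:]) // R[i] = LSB(64, B)
		}
	}
	wrapped = append(wrapped, a[:]...)
	for i := 1; i <= n; i++ {
		wrapped = append(wrapped, r[i][:]...)
	}
	return wrapped, aesCalls, nil
}

// Unwrap implements RFC 3394 section 2.2.2 and rejects the result unless the
// recovered A equals the IV: a wrong KEK or a modified blob fails here.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be >= 3 blocks and a multiple of 64 bits")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([][8]byte, n+1)
	for i := 1; i <= n; i++ {
		copy(r[i][:], wrapped[i*8:(i+1)*8])
	}
	var in, out [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i) // B = AES-1(K, (A ^ t) | R[i])
			binary.BigEndian.PutUint64(in[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(in[8:], r[i][:])
			block.Decrypt(out[:], in[:])
			copy(a[:], out[:8])
			copy(r[i][:], out[8:])
		}
	}
	if a != defaultIV {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	var plaintext []byte
	for i := 1; i <= n; i++ {
		plaintext = append(plaintext, r[i][:]...)
	}
	return plaintext, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.1: 128-bit key data under a 128-bit KEK.
	kek := mustHex("000102030405060708090A0B0C0D0E0F")
	w, calls, err := Wrap(kek, mustHex("00112233445566778899AABBCCDDEEFF"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped: %X (%d AES calls)\n", w, calls)
	// Constructed 4096-bit payload standing in for an RSA key: n = 64 blocks.
	big := make([]byte, 512)
	for i := range big {
		big[i] = byte(i)
	}
	_, calls, _ = Wrap(kek, big)
	fmt.Printf("4096-bit payload: %d AES block operations\n", calls)
}
```

Note that n*j+i is XORed into A as a 64-bit big-endian integer; a HW implementation needs the same byte order on the A register or the RFC vectors will not match.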