[Cryptech Tech] Key wrap in HW

Joachim Strömbergson joachim.strombergson at assured.se
Mon Jun 25 17:55:27 UTC 2018


Aloha!

On 25 Jun 2018, at 17:45, Daniel Harkins wrote:

>   Ola,
>
> On 6/25/18 7:40 AM, Joachim Strömbergson wrote:
>> Aloha!
>>
>> On 25 Jun 2018, at 14:26, Peter Gutmann wrote:
>>> Is that specific to the NIST wrap mechanism or an issue with the HW in
>>> general?  For PKCS #15 it's just AES-CBC with an HMAC around it, so
>>> presumably a single operation, or at least one for AES over a block of
>>> memory and a second for the HMAC over the same block.
>>
>>
>> It is mainly specific to the keywrap mechanism in RFC 3394. See 2.2.1:
>>
>> https://tools.ietf.org/html/rfc3394#section-2.2.1
>>
>> Basically it divides a given message M into n 64-bit blocks. Each
>> block is encrypted 6 times with AES (the 64-bit block is combined
>> with an evolved 64-bit state A). With the architecture we have this
>> means that each 64-bit block moves back and forth between the MCU and
>> the FPGA 12 times. Just moving all of M to the FPGA and instead
>> process it there before moving the resulting C back should make quite
>> a difference.
>
>   The key wrapping technique from RFC 5297 (section 4) is much more
> efficient, and unlike RFC 3394, it has a security proof around it.

I think Rob, Russ etc. need to respond regarding suggestions of changing
to wrapping methods other than the RFC 3394/RFC 5649 used today.
I'm just trying to improve the performance of the method used today.
Quite a lot.

Regards,
JoachimS
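
The RFC 3394 section 2.2.1 loop discussed in this thread, as an added example that is not part of the original message and not Cryptech code: it wraps and unwraps through a caller-supplied block function and counts the calls, each of which corresponds to one round trip when the cipher lives on the other side of a bus. The names `kw_wrap`, `kw_unwrap`, `block_fn`, `cipher_calls` and `demo_block` are hypothetical, and `demo_block` is a constructed stand-in permutation, not AES, present only so the data flow can run stand-alone.

```c
#include <stdint.h>
#include <string.h>

typedef void (*block_fn)(uint8_t *block, const uint8_t *key, int decrypt);
unsigned long cipher_calls;   /* block operations = MCU <-> FPGA round trips */
static void xor_t(uint8_t *a, uint64_t t)   /* A ^= t, t as 64-bit big-endian */
{
    for (int k = 7; k >= 0; k--, t >>= 8) a[k] ^= (uint8_t)t;
}

/* RFC 3394 section 2.2.1: wrap n 64-bit blocks p into n + 1 blocks c. */
void kw_wrap(block_fn f, const uint8_t *key, const uint8_t *p, size_t n, uint8_t *c)
{
    uint8_t b[16];                          /* b[0..7] holds A throughout */
    memset(b, 0xA6, 8);                     /* A = default IV */
    memcpy(c + 8, p, 8 * n);                /* R[1..n] = P[1..n] */
    for (size_t t = 1; t <= 6 * n; t++) {   /* t = n*j + i */
        uint8_t *r = c + 8 + 8 * ((t - 1) % n);
        memcpy(b + 8, r, 8);                /* B = E(K, A | R[i]) */
        f(b, key, 0); cipher_calls++;
        xor_t(b, t);                        /* A = MSB(64, B) ^ t */
        memcpy(r, b + 8, 8);                /* R[i] = LSB(64, B) */
    }
    memcpy(c, b, 8);                        /* C[0] = A */
}

/* Inverse of kw_wrap; returns 0 only if the recovered A equals the IV. */
int kw_unwrap(block_fn f, const uint8_t *key, const uint8_t *c, size_t n, uint8_t *p)
{
    uint8_t b[16], bad = 0;
    memcpy(b, c, 8);
    memcpy(p, c + 8, 8 * n);
    for (size_t t = 6 * n; t >= 1; t--) {
        uint8_t *r = p + 8 * ((t - 1) % n);
        xor_t(b, t);                        /* B = D(K, (A ^ t) | R[i]) */
        memcpy(b + 8, r, 8);
        f(b, key, 1); cipher_calls++;
        memcpy(r, b + 8, 8);
    }
    for (int k = 0; k < 8; k++) bad |= b[k] ^ 0xA6;
    return bad ? -1 : 0;
}

/* Constructed stand-in, NOT AES: byte reversal plus key XOR, invertible. */
void demo_block(uint8_t *b, const uint8_t *key, int decrypt)
{
    uint8_t t[16];
    for (int k = 0; k < 16; k++) t[k] = b[15 - k] ^ key[decrypt ? 15 - k : k];
    memcpy(b, t, 16);
}
```

For a 128-bit key (n = 2) the wrap performs 12 block operations, so a split where every operation crosses the bus pays 12 round trips for 16 bytes of key material.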

