[Cryptech Tech] Key wrap in HW

Russ Housley housley at vigilsec.com
Mon Jun 25 19:48:55 UTC 2018


>>>> Is that specific to the NIST wrap mechanism or an issue with the HW in
>>>> general?  For PKCS #15 it's just AES-CBC with an HMAC around it, so presumably
>>>> a single operation, or at least one for AES over a block of memory and a
>>>> second for the HMAC over the same block.
>>> 
>>> 
>>> It is mainly specific to the keywrap mechanism in RFC 3394. See 2.2.1:
>>> 
>>> https://tools.ietf.org/html/rfc3394#section-2.2.1
>>> 
>>> Basically it divides a given message M into n 64-bit blocks. Each block is encrypted 6 times with AES (the 64-bit block is combined with an evolved 64-bit state A). With the architecture we have this means that each 64-bit block moves back and forth between the MCU and the FPGA 12 times. Just moving all of M to the FPGA and instead process it there before moving the resulting C back should make quite a difference.
>> 
>>   The key wrapping technique from RFC 5297 (section 4) is much more efficient, and unlike
>> RFC 3394, it has a security proof around it.
> 
> I think Rob, Russ etc need to respond regarding suggestions of changing wrapping methods than RFC 3394/RFC 5649 used today.
> I’m just trying to improve the performance of the method used today. Quite a lot.

I would like to see what the performance is once the whole key wrap function is put in the FPGA.

Russ



More information about the Tech mailing list