-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aloha!
Peter Stuge wrote: > Rob Austein wrote: >> Where do we place the decrypted private key components? > > If the FPGA is going to use them then it must be able to access them > and store them internally. > >> At one point I was hearing muttering about private keys never >> leaving the FPGA, > > Yes - that sounds familiar to me too! My impression is that there has been a back and forth about this. The current solution (to mu mind) is that the keys are stored in external Flash controlled by the ARM. When to be used they are unwrapped using AES KEYWRAP by the CPU, but using the AES-core and the master key, which is only accessible from the FPGA. The whole keywrap mechanism could be implemented in the FPGA which would mean that keys are only used in the FPGA and not exposed in cleartext. But, at least for RSA keys, the CPU needs to be involved in order to generate them. For EC at least the private key could be generated totally inside the FPGA (it is after all just a random number). The public EC keys could probably also be generated inside the FPGA. >> implying that we'll have some magic storage core implemented in the >> FPGA and that keys will (somehow) be transformed from their >> encrypted form into the forms (sometimes a bit odd) needed by the >> various crypto cores. > > Maybe the MKM can take care of all odd transformations? No, the MKM is just that, a memory. It is not capable of doing any transformations by itself. The FPGA however would be able to do so given the correct core. We will need to have a MKM core anyway that initially provides an interface to the memory (an i2c interface). But later also generates a master key inside the FPGA, provides key bit rotation and key movement to protect against remanence effects. Having key wrap here would be possible too. >> At the moment, what I have is software and conventional memory, >> and unless somebody tells me otherwise, I assume that's what we're >> to be using for the bridge board implementation. Are we expecting >> to do better than this on the Alpha board? In time, yes. The Alpha board provides the infrastructure in terms of components and space inside the FPGA to do key wrapping inside the FPGA. - -- Med vänlig hälsning, Yours Joachim Strömbergson - Alltid i harmonisk svängning. ======================================================================== Joachim Strömbergson Secworks AB [email protected] ======================================================================== -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCAAGBQJWb8kCAAoJEF3cfFQkIuyNOEMP/1+/Ro7Fad7FSSAvnQiVCgmN PEo1uH28USi4aMFFuDgY2Y0KcoFIoMabNyERHlrFhN7zTa+BGVTzWfubojX3SJW+ MhYBAzpsXi9+OTLn7JHrTclQ0M2KOQSI25IAv8teN7R9J6MQmR0lsV/VDOYfBs+b gl99qhrVhLdnc8uZJweos1Lj8K0JdPHLvkCKvC5/wQNX/YuPXFIs7saZaxQYH5cq csbUk2johrM3ma3vCwusp2iEgRzK6TwUyFWrP1pHgBLtLpZes7S/nhMKH0EvqrmL 7pL3BqNu8+vDMhxKKJbMW+1Zuw9DIUtU3+syEiVMaCW7Vk1FTtf+wX/mOw1W2+Z+ fAYPhMVg1E50Gxhrk0KatC3j9aJ2RCz5QJO8Co/oi1rH3HTmIRl/7fAp3csM1AJo 3MxClNyQzZBFs80sXe8uj2/p/Aeufz4ITJFMTgwJ6w9CKQAvWdGjAwSbiUyO3giP 5dtEIC2BE2rDNxm+vajp/P6ZZ5kR4ORusMlEu0F4zNM574FrWUXLU14KcTzhUehs mDQJC6uUxpIyQx6h3v7uLqMCunrF3RhF56e8Yu35sLGM32/8zuJAe5b5s7HqbpbH oOuYNij8dXqWgYMcZyJJUUZ76VBGB9jtgiUQhAnEyH97Bko/I8YZzY/87zhPRJ99 iSH2TrDVqKvHLJ7i/ack =5Ynw -----END PGP SIGNATURE----- _______________________________________________ Tech mailing list [email protected] https://lists.cryptech.is/listinfo/tech
