Re: [TLS] Dumb thoughts for hardware backed keys for AEAD

Eric Rescorla <ekr@rtfm.com> Tue, 01 December 2015 03:07 UTC

In-Reply-To: <CAH9QtQG7738NcAaTHaiaS_zuGhyX3dONp2xkZaB3=JWtaUaz=A@mail.gmail.com>
References: <CAH9QtQG7738NcAaTHaiaS_zuGhyX3dONp2xkZaB3=JWtaUaz=A@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 30 Nov 2015 19:06:51 -0800
Message-ID: <CABcZeBOAaGvuF7+8y9M0P=Mh5+BWp-UdouEC2Tu1H+v7_kju4Q@mail.gmail.com>
To: Bill Cox <waywardgeek@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6rxGkFqJz0qAdHUtT6tUzajdg_E>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Dumb thoughts for hardware backed keys for AEAD

Hi Bill,

I am sorry, but I do not understand what you are proposing. Do you think
you could try restating the computation you have in mind, perhaps by
providing an equation that explains the construct?

Thanks,
-Ekr


On Mon, Nov 30, 2015 at 6:07 PM, Bill Cox <waywardgeek@google.com> wrote:

> I don't think even I agree with this idea, but I'll put it out there
> anyway.
>
> We're seeing some new secure computing modes in ARM and Intel processors.
> Arm has TEE, and Intel has SGX.  Both modes basically run at the same speed
> as the CPU... in theory.
>
> There are potential benefits to securing the read/write session keys in
> these modes.  For example, if malware is doing evil things over your
> connections, when you remove the malware or close your laptop, the
> encryption keys are out of reach, and the connections go dead.  Otherwise,
> malware might export the keys where they could be used to resume a session,
> for example, enabling an attacker to continue doing evil.  This is possible
> today over TLS 1.2, even when using Client Certificates.
>
> However, there are overhead costs for moving data in/out of these
> execution zones, and overhead when switching back and forth.  Execution
> speed is a little slower in these modes for various reasons.  For maximum
> speed, I might want a separate HMAC/HKDF key besides the read/write keys.
> That way, I keep just the HMAC/HKDF key in a secure execution zone, and
> only have to do one small operation with it per AEAD call per TLS record.
>
> This is just a dumb efficiency hack.  I hate leaving either speed or
> security on the table if I can have both :)  However, complexity harms
> security, so even I don't really think this is a good idea.  Is there
> anyone who feels even more strongly about speed than me?
>
> Bill
>
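One concrete reading of the construct sketched above, added here as an illustration and not code from either mail: only the HMAC/HKDF secret lives inside the secure zone, and each TLS record costs exactly one HMAC there to derive a per-record AEAD key that is handed to the untrusted side. The AEAD call itself runs outside with that key and is not shown; the HKDF-Expand-Label layout and the 16-byte key size are assumptions for the example.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label in the TLS 1.3 style (assumed label layout), capped so that
    HKDF-Expand needs only T(1) = HMAC(secret, info || 0x01): a single HMAC call."""
    if length > HASH_LEN:
        raise ValueError("one-HMAC derivation only covers up to HASH_LEN bytes")
    full_label = b"tls13 " + label
    info = (struct.pack(">H", length)
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hmac.new(secret, info + b"\x01", HASH).digest()[:length]


class SecureZone:
    """Stand-in for the TEE/SGX side of the sketch: only the HMAC/HKDF secret
    lives here; the per-record AEAD keys are derived on demand and exported."""

    def __init__(self, traffic_secret: bytes):
        self._secret = traffic_secret

    def record_key(self, seq: int) -> bytes:
        """Per record: one HMAC yielding a 16-byte AEAD key bound to the sequence number."""
        if self._secret is None:
            raise RuntimeError("secure zone closed; no secret to derive from")
        return hkdf_expand_label(self._secret, b"record key", struct.pack(">Q", seq), 16)

    def close(self) -> None:
        """Laptop closed or malware removed: the only long-lived secret is gone,
        so no further record keys can be produced for this connection."""
        self._secret = None


def untrusted_record_keys(zone: SecureZone, seqs) -> dict:
    """What code outside the zone ever holds: the per-record keys it was handed.
    Each is a PRF output, so none of them yields the secret or the next key."""
    return {seq: zone.record_key(seq) for seq in seqs}
```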