Re: [TLS] Dumb thoughts for hardware backed keys for AEAD
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 01 December 2015 18:11 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB2701B2E3A for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 10:11:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnYuNSjPlIwi for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 10:11:22 -0800 (PST)
Received: from filtteri2.pp.htv.fi (filtteri2.pp.htv.fi [213.243.153.185]) by ietfa.amsl.com (Postfix) with ESMTP id 451C41B2E5C for <TLS@ietf.org>; Tue, 1 Dec 2015 10:11:22 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri2.pp.htv.fi (Postfix) with ESMTP id C69CE19BE6E; Tue, 1 Dec 2015 20:11:20 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp5.welho.com ([213.243.153.39]) by localhost (filtteri2.pp.htv.fi [213.243.153.185]) (amavisd-new, port 10024) with ESMTP id nXt+cDb4VwFT; Tue, 1 Dec 2015 20:11:20 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp5.welho.com (Postfix) with ESMTPSA id 96C805BC007; Tue, 1 Dec 2015 20:11:20 +0200 (EET)
Date: Tue, 01 Dec 2015 20:11:18 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Bill Cox <waywardgeek@google.com>
Message-ID: <20151201181118.GA15222@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAH9QtQG7738NcAaTHaiaS_zuGhyX3dONp2xkZaB3=JWtaUaz=A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAH9QtQG7738NcAaTHaiaS_zuGhyX3dONp2xkZaB3=JWtaUaz=A@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eFQ4o0CnSCEeV-_Kmvm_i9t-Kus>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Dumb thoughts for hardware backed keys for AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 18:11:24 -0000
On Mon, Nov 30, 2015 at 06:07:19PM -0800, Bill Cox wrote: > I don't think even I agree with this idea, but I'll put it out there anyway. > > We're seeing some new secure computing modes in ARM and Intel processors. > Arm has TEE, and Intel has SGX. Both modes basically run at the same speed > as the CPU... in theory. > > There are potential benefits to securing the read/write session keys in > these modes. For example, if malware is doing evil things over your > connections, when you remove the malware or close your laptop, the > encryption keys are out of reach, and the connections go dead. Otherwise, > malware might export the keys where they could be used to resume a session, > for example, enabling an attacker to continue doing evil. This is possible > today over TLS 1.2, even when using Client Certificates. > > However, there are overhead costs for moving data in/out of these execution > zones, and overhead when switching back and forth. Execution speed is a > little slower in these modes for various reasons. For maximum speed, I > might want a separate HMAC/HKDF key besides the read/write keys. That way, > I keep just the HMAC/HKDF key in a secure execution zone, and only have to > do one small operation with it per AEAD call per TLS record. > > This is just a dumb efficiency hack. I hate leaving either speed or > security on the table if I can have both :) However, complexity harms > security, so even I don't really think this is a good idea. Is there > anyone who feels even more strongly about speed than me? If you want absolute maximum speed without handling encryption in the secure module, you would essentially need the secure module to MAC the data second time (one can repurpose any AEAD ciphers as a MAC). (Hmm... why does this remind me of "key escrow"?... :-) ) The reason for this is that even the fastest hash-based MAC that is even remotely secure (Blake2b native MAC) loses in speed to both main TLS 1.3 AEADs (doing full authenticated encryption). You can't shorten things either, because the MACs in main TLS 1.3 AEADs are not designed to offer any security against attacker knowing the keys. And as said, schemes that allow shortening are relatively slow. -Ilari
- [TLS] Dumb thoughts for hardware backed keys for … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Eric Rescorla
- Re: [TLS] Dumb thoughts for hardware backed keys … Tony Arcieri
- Re: [TLS] Dumb thoughts for hardware backed keys … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Eric Rescorla
- Re: [TLS] Dumb thoughts for hardware backed keys … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Ilari Liusvaara