[TLS] Dumb thoughts for hardware backed keys for AEAD
Bill Cox <waywardgeek@google.com> Tue, 01 December 2015 02:07 UTC
Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3A181B36BD for <tls@ietfa.amsl.com>; Mon, 30 Nov 2015 18:07:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.312
X-Spam-Level: *
X-Spam-Status: No, score=1.312 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcLRx-lNWJaJ for <tls@ietfa.amsl.com>; Mon, 30 Nov 2015 18:07:20 -0800 (PST)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BB731B36BA for <TLS@ietf.org>; Mon, 30 Nov 2015 18:07:20 -0800 (PST)
Received: by iofh3 with SMTP id h3so196149240iof.3 for <TLS@ietf.org>; Mon, 30 Nov 2015 18:07:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=JiiWtts7Ixkk/WB4NH7yAaWAWV5hFNKB+ZDc/hsFE+0=; b=hWqgjmpVqkB7w6Xar8SW2jSsmPkHS+YZIhrqnKO98C420O6ZZisPzk6mCF7DKLu5yB 8eCGysJgEFxdvyWP+DeKMXsg0AZX++TTVNqGeYfVM5jwh7kLvdVGn2rNMXgOmjYz6rXH CXcMJEhz9/z2W3Ej11hDhcF9e6UF9syZKfdFARll6pihMDLirxdhCy3zgTYG2vFY7jrn KKu2WHAcumjwLd1KriDUCX0WfyEnNAzFx0FaVt5BGODL3C/WcI8kAK4nP2NOrj0h9AIE qwE1QveXsVsInLIuY/XM15WCxIpf6jj9MIxiAEWyndTge55HrJXmebKMtoh3ZJUC02lD tE1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=JiiWtts7Ixkk/WB4NH7yAaWAWV5hFNKB+ZDc/hsFE+0=; b=C+RrhlbFTyYaA0iK9hwIyE8Wp4XcPLL39BUPMNzO12rvJpZkR5Y10z3rBLNTmwsZX9 k0rqjzi9JFGKSepVWmAepSjLbSuB6pvvcEtNObikalwNc+SuP6Kkcu/PFswZvkm7ieSH uiDAHMPKHUJVYBmFX1AeJd6/Na9JzZxWdi4l1JBDJfo0eoQ3fDAhaPTJggGFiua4n+kV PqSMRqMEoiUP1wVXul+27mEuQmgaq0HnIcvTFPMpgVwPMeZxYtMxMHBnaneUrUCYzIda kX6kiHnHweE3xOt0PTCfbZk9SsgITwVgMcII4FVlLJzUMKsmzmuh2TrRpj7JjKt2gDQj jnVw==
X-Gm-Message-State: ALoCoQl3WC6aZjobUJuPxHCmpJ9jOD7qihyKS72T3r+S638Z/OJaagyZEwjVe4DlEQP/DTqOUKrH
MIME-Version: 1.0
X-Received: by 10.107.152.133 with SMTP id a127mr63394122ioe.60.1448935639746; Mon, 30 Nov 2015 18:07:19 -0800 (PST)
Received: by 10.107.173.15 with HTTP; Mon, 30 Nov 2015 18:07:19 -0800 (PST)
Date: Mon, 30 Nov 2015 18:07:19 -0800
Message-ID: <CAH9QtQG7738NcAaTHaiaS_zuGhyX3dONp2xkZaB3=JWtaUaz=A@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: "tls@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140e69e1c52970525cc9e98"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iaSb9KpN8zM5nW2gtspjJ70uYcc>
Subject: [TLS] Dumb thoughts for hardware backed keys for AEAD
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 02:07:22 -0000
I don't think even I agree with this idea, but I'll put it out there anyway. We're seeing some new secure computing modes in ARM and Intel processors. Arm has TEE, and Intel has SGX. Both modes basically run at the same speed as the CPU... in theory. There are potential benefits to securing the read/write session keys in these modes. For example, if malware is doing evil things over your connections, when you remove the malware or close your laptop, the encryption keys are out of reach, and the connections go dead. Otherwise, malware might export the keys where they could be used to resume a session, for example, enabling an attacker to continue doing evil. This is possible today over TLS 1.2, even when using Client Certificates. However, there are overhead costs for moving data in/out of these execution zones, and overhead when switching back and forth. Execution speed is a little slower in these modes for various reasons. For maximum speed, I might want a separate HMAC/HKDF key besides the read/write keys. That way, I keep just the HMAC/HKDF key in a secure execution zone, and only have to do one small operation with it per AEAD call per TLS record. This is just a dumb efficiency hack. I hate leaving either speed or security on the table if I can have both :) However, complexity harms security, so even I don't really think this is a good idea. Is there anyone who feels even more strongly about speed than me? Bill
- [TLS] Dumb thoughts for hardware backed keys for … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Eric Rescorla
- Re: [TLS] Dumb thoughts for hardware backed keys … Tony Arcieri
- Re: [TLS] Dumb thoughts for hardware backed keys … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Eric Rescorla
- Re: [TLS] Dumb thoughts for hardware backed keys … Bill Cox
- Re: [TLS] Dumb thoughts for hardware backed keys … Ilari Liusvaara