13 Hardware cryptography

This chapter covers

  • Cryptography issues in highly adversarial environments
  • Hardware solutions to increase the attacker’s cost
  • Side-channel attacks and software mitigations

Cryptographic primitives and protocols are often described as isolated building blocks as if they were running in a galaxy far, far away from any adversary. In practice, this is an unrealistic assumption that has often proven wrong. In the real world, cryptography runs in all kinds of environments and is subject to all sorts of threats. In this chapter, we’ll look at the more extreme scenarios—the highly adversarial environments—and what you can do to protect your keys and your data in these situations. (Spoiler alert: it involves using specialized hardware.)

13.1 Modern cryptography attacker model

Present-day computer and network security starts with the assumption that there is a domain that we can trust. For example: if we encrypt data for transport over the Internet, we generally assume the computer that’s doing the encrypting is not compromised and that there’s some other “endpoint” at which it can be safely decrypted.

—Joanna Rutkowska (“Intel x86 considered harmful,” 2015)

13.2 Untrusted environments: Hardware to the rescue

13.2.1 White box cryptography, a bad idea

13.2.2 They’re in your wallet: Smart cards and secure elements

13.2.3 Banks love them: Hardware security modules (HSMs)

13.2.4 Trusted Platform Modules (TPMs): A useful standardization of secure elements

13.2.5 Confidential computing with a trusted execution environment (TEE)

13.3 What solution is good for me?

13.4 Leakage-resilient cryptography or how to mitigate side-channel attacks in software

13.4.1 Constant-time programming

13.4.2 Don’t use the secret! Masking and blinding

13.4.3 What about fault attacks?

Summary