13 Hardware cryptography

At some point, writing cryptographic applications, you end up realizing that you have a number of short-term and long-term keys, and you have to make sure nobody can steal them. It means you’re standing in the world of key management. Makes sense right? You’ve seen some of that in previous chapters, but in this chapter we’ll do things a bit differently: we’ll look at how key management and cryptography can be done in highly-adversarial environments. Environments where the attacker is much more powerful than the typical scenarios we’ve looked at so far.

Let’s first introduce this concept in the next section. The rest of this chapter will then survey the different techniques that allow us to continue to do interesting things in spite of these constraints. Spoiler alert: it involves using specialized hardware. Finally, we’ll see how cryptographic primitives have adapted to these highly-adversarial environments.

13.1  Modern cryptography attacker model

13.2  Untrusted environments: hardware to the rescue

13.2.1  Whitebox cryptography, a bad idea

13.2.2  You probably have one in your wallet: smart cards

13.2.3  Secure elements: a generalization of smart cards

13.2.4  Enforcing user intent with hardware security tokens

13.2.5  Trusted Platform Modules (TPMs): a useful standardization of secure elements

13.2.6  Banks love them: hardware security modules (HSMs)

13.2.7  Modern integrated solutions: Trusted Execution Environment (TEE)

13.3  What solution is good for me?

13.4  Leakage-resilient cryptography - or how to mitigate side-channel attacks in software

13.4.1  Constant-Time Programming

13.4.2  Don’t use the secret! Masking and blinding

13.4.3  What about fault attacks?

13.5  Summary