This chapter covers:
- The issues that cryptography faces in highly adversarial environments.
- The solutions that hardware offers to increase the attacker’s cost in such environments.
- How software mitigations can help against side-channel attacks.

Cryptographic primitives and protocols are often described as isolated building blocks, as if they were running in a black box far from any adversary. In practice, this is an unrealistic assumption that has often proven wrong. In the real world, cryptography runs in all kinds of environments and is subject to all sorts of threats. In this chapter I’ll look at the more extreme scenarios, the highly adversarial environments, and what you can do to protect your keys and your data in these situations. Spoiler alert: it involves using specialized hardware.

> Present-day computer and network security starts with the assumption that there is a domain that we can trust. For example: if we encrypt data for transport over the Internet, we generally assume the computer that’s doing the encrypting is not compromised and that there’s some other "endpoint" at which it can be safely decrypted.
>
> -- Joanna Rutkowska, Intel x86 considered harmful (2015)