Non-volatile storage with flash encryption enabled.

kyklas
Posts: 3
Joined: Thu Mar 15, 2018 5:07 pm

Re: Non-volatile storage with flash encryption enabled.

Postby kyklas » Tue Nov 13, 2018 1:22 am

I am curious about the NVS encryption key:
https://github.com/espressif/esp-idf/bl ... i.cpp#L585

The self-generation seems to be based on the Flash Encryption key. However, this makes a key made of twice the same 16-byte block.

Could a key similar to the flash encryption key be generated with the RNG?
Any reason to base the NVS key on the flash key?
Can the key be generated on a PC and then flashed to the flash?

Regards,
Stan

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Non-volatile storage with flash encryption enabled.

Postby ESP_Angus » Tue Nov 13, 2018 11:30 pm

Hi Stan,

The AES-XTS keys are generated by taking two different generated ciphertexts (all 0xff and all 0xee) which are written to flash as-is. These are then decrypted by the flash encryption hardware, which does use the same AES key to decrypt both (due to reading the same 32 byte block). However due to the different starting ciphertexts each of the two AES-XTS keys will be different and not interchangeable, and can only be derived by someone possessing the flash encryption key.

There's no reason why they couldn't be generated using the RNG. However, the AES-XTS keys will always need to be stored in the flash and protected using flash encryption. This means anyone with the flash encryption key will be able to read the AES-XTS keys, no matter what these keys are. So generating from the RNG doesn't add any additional protection, and it has the downside that if the keys are accidentally erased from flash they will be lost forever - whereas with the current scheme they can be recreated, provided the flash encryption key is not lost.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Non-volatile storage with flash encryption enabled.

Postby WiFive » Wed Nov 14, 2018 1:55 pm

I think he is saying that because the ciphertext is two identical 128-bit blocks then the key will also be. So key space has been reduced to 128-bit.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Non-volatile storage with flash encryption enabled.

Postby ESP_Angus » Wed Nov 14, 2018 10:44 pm

WiFive wrote:
Wed Nov 14, 2018 1:55 pm
I think he is saying that because the ciphertext is two identical 128-bit blocks then the key will also be. So key space has been reduced to 128-bit.
The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.

However, because the flash encryption algorithm only tweaks the key for each 256-bit pair of AES blocks then they will be decrypted with the same (256-bit) AES key (to produce two different plaintexts for use as keys, because of the two different ciphertexts).

The thing to note is that the strength of these keys will only be as strong as the (256-bit) efuse flash encryption key used to derive them. But if the ciphertext inputs were randomly generated (instead of all 0xff and all 0xee), this would still be true.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Non-volatile storage with flash encryption enabled.

Postby WiFive » Thu Nov 15, 2018 7:55 am

ESP_Angus wrote:
Wed Nov 14, 2018 10:44 pm
The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.
Each key has a different ciphertext, but each key is 256-bit, which is 2 128-bit blocks which are identical.

jas39_
Posts: 21
Joined: Mon Aug 29, 2016 8:26 pm

Re: Non-volatile storage with flash encryption enabled.

Postby jas39_ » Fri Nov 16, 2018 3:31 am

I'm trying to compile with code from the test suite as guided by WiFive and the latest from esp-idf but get the following errors:

    undefined reference to `nvs_flash_read_security_cfg'
    undefined reference to `nvs_flash_generate_keys'
    undefined reference to `nvs_flash_secure_init'

I do include the following files:

    #include "nvs.h"
    #include "nvs_flash.h"
    #include "esp_partition.h"
    #include "esp_flash_encrypt.h"

Anything I'm missing, or is it still not complete?

Rgds
/A

ESP_igrr
Posts: 2072
Joined: Tue Dec 01, 2015 8:37 am

Re: Non-volatile storage with flash encryption enabled.

Postby ESP_igrr » Fri Nov 16, 2018 4:20 am

The NVS encryption option only becomes available when the Flash encryption feature is enabled.

First, read Flash Encryption docs to know how to configure and use it: https://docs.espressif.com/projects/esp ... ption.html.

Then, go to menuconfig, Component config, NVS, and enable the "Enable NVS encryption" option.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Non-volatile storage with flash encryption enabled.

Postby WiFive » Sun Nov 18, 2018 12:50 pm

WiFive wrote:
Thu Nov 15, 2018 7:55 am
ESP_Angus wrote:
Wed Nov 14, 2018 10:44 pm
The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.
Each key has a different ciphertext, but each key is 256-bit, which is 2 128-bit blocks which are identical.
@ESP_Angus how about:

    for(uint8_t cnt = 0; cnt < NVS_KEY_SIZE; cnt++) {
        cfg->eky[cnt] = 0xff - cnt;
        cfg->tky[cnt] = 0xee - cnt;
    }

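The key-space point WiFive raises, and the derivation ESP_Angus describes, modelled in Python as an added example (this is not ESP-IDF code and not code from any poster). The ESP-IDF flash encryption docs state that the eFuse key is tweaked once per 32-byte unit of flash, so the two 16-byte blocks of a stored 256-bit key value are decrypted under the same tweaked key. A four-round Feistel network built on SHA-256 stands in for AES-256 here, an assumption chosen so the script runs with the standard library only; the argument needs just two properties of the block cipher, determinism and bijectivity, and any keyed permutation has both. The function names `toy_block_decrypt`, `flash_decrypt`, `derive_nvs_keys`, `stored_constant_pattern`, `stored_counter_pattern` and `distinct_halves`, the placement of eky and tky in consecutive 32-byte units, and the eFuse key value are all constructed for the example.

```python
import hashlib

BLOCK = 16           # one 128-bit cipher block
NVS_KEY_SIZE = 32    # each NVS key (eky, tky) is 256 bits, i.e. two cipher blocks
TWEAK_UNIT = 32      # flash encryption tweaks the key once per 32-byte unit (ESP-IDF docs)


def _round_fn(key: bytes, tweak: int, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the stand-in cipher; SHA-256 is used only because it
    is in the standard library, any keyed PRF would do."""
    msg = key + tweak.to_bytes(4, "little") + bytes([rnd]) + half
    return hashlib.sha256(msg).digest()[:8]


def toy_block_decrypt(key: bytes, tweak: int, block: bytes) -> bytes:
    """Stand-in for one AES-256 block operation under a tweaked key (assumption: a
    4-round Feistel network). Like AES it is deterministic and a bijection, so equal
    inputs give equal outputs and distinct inputs give distinct outputs under the
    same (key, tweak)."""
    assert len(block) == BLOCK and len(key) == 32
    left, right = block[:8], block[8:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round_fn(key, tweak, rnd, right)))
        left, right = right, mixed
    return left + right


def flash_decrypt(efuse_key: bytes, addr: int, data: bytes) -> bytes:
    """Model of the flash encryption read path: the eFuse key is tweaked by the flash
    address with the low 5 bits dropped, so both 16-byte blocks inside one 32-byte
    unit are processed under the same tweaked key (the behaviour ESP_Angus describes)."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        tweak = (addr + off) // TWEAK_UNIT
        out += toy_block_decrypt(efuse_key, tweak, data[off:off + BLOCK])
    return bytes(out)


def stored_constant_pattern():
    """What the thread describes: eky stored as all 0xff, tky stored as all 0xee."""
    return bytes([0xFF] * NVS_KEY_SIZE), bytes([0xEE] * NVS_KEY_SIZE)


def stored_counter_pattern():
    """WiFive's counter suggestion: eky[cnt] = 0xff - cnt, tky[cnt] = 0xee - cnt."""
    eky = bytes((0xFF - cnt) & 0xFF for cnt in range(NVS_KEY_SIZE))
    tky = bytes((0xEE - cnt) & 0xFF for cnt in range(NVS_KEY_SIZE))
    return eky, tky


def derive_nvs_keys(efuse_key: bytes, stored_eky: bytes, stored_tky: bytes, base_addr: int = 0):
    """The stored bytes are read back through flash decryption and the resulting
    plaintexts become the two AES-XTS keys. Assumption: eky and tky occupy
    consecutive 32-byte units starting at base_addr."""
    eky = flash_decrypt(efuse_key, base_addr, stored_eky)
    tky = flash_decrypt(efuse_key, base_addr + NVS_KEY_SIZE, stored_tky)
    return eky, tky


def distinct_halves(key: bytes) -> int:
    """Number of distinct 128-bit blocks in a 256-bit key. A result of 1 means the
    second half repeats the first and contributes no extra entropy."""
    return len({key[:BLOCK], key[BLOCK:]})


if __name__ == "__main__":
    # Constructed eFuse key for the demonstration, not a real device key.
    efuse_key = hashlib.sha256(b"constructed eFuse key for the example").digest()
    for name, pattern in (("constant", stored_constant_pattern()),
                          ("counter", stored_counter_pattern())):
        eky, tky = derive_nvs_keys(efuse_key, *pattern)
        print(f"{name:8s} eky distinct halves={distinct_halves(eky)} "
              f"tky distinct halves={distinct_halves(tky)} eky!=tky={eky != tky}")
```

Running it shows both sides of the thread at once: with the constant patterns the two derived keys differ from each other and are reproducible from the eFuse key alone, as ESP_Angus says, but each one consists of two identical 128-bit halves, as WiFive says, because the same tweaked key decrypts two identical ciphertext blocks. With the counter pattern the two stored blocks differ, so the halves of each derived key differ as well, while the derivation stays deterministic and recoverable from the eFuse key.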