Non-volatile storage with flash encryption enabled.

[kyklas]

I am curious about the NVS encryption key :
https://github.com/espressif/esp-idf/bl ... i.cpp#L585

The self generation seems to be based on the Flash Encryption key. However this makes a key made of twice the same 16-byte block.

Could a key similar to the flash encryption be generated with the RNG ?
Any reason to base the NVS key on the flash key ?
Can the Key be generated on a PC and then flashed to the flash ?

Regards,
Stan

[ESP_Angus]

Hi Stan,

The AES-XTS keys are generated by taking two different generated ciphertexts (all 0xff and all 0xee) which are written to flash as-is. These are then decrypted by the flash encryption hardware, which does use the same AES key to decrypt both (due to reading the same 32 byte block). However due to the different starting ciphertexts each of the two AES-XTS keys will be different and not interchangeable, and can only be derived by someone possessing the flash encryption key.

There's no reason why they couldn't be generated using the RNG. However, the AES-XTS keys will always need to be stored in the flash and protected using flash encryption. This means anyone with the flash encryption key will be able to read the AES-XTS keys, no matter what these keys are. So generating from the RNG doesn't add any additional protection, and it has the downside that if the keys are accidentally erased from flash they will be lost forever - whereas with the current scheme they can be recreated, provided the flash encryption key is not lost.

[WiFive]

I think he is saying that because the ciphertext is two identical 128-bit blocks then the key will also be. So key space has been reduced to 128-bit.

[ESP_Angus]

I think he is saying that because the ciphertext is two identical 128-bit blocks then the key will also be. So key space has been reduced to 128-bit.

The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.

However, because the flash encryption algorithm only tweaks the key for each 256-bit pair of AES blocks then they will be decrypted with the same (256-bit) AES key (to produce two different plaintexts for use as keys, because of the two different ciphertexts).

The thing to note is that the strength of these keys will only be as strong as the (256-bit) efuse flash encryption key used to derive them. But if the ciphertext inputs were randomly generated (instead of all 0xff and all 0xee), this would still be true.

[WiFive]

The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.

Each key has a different ciphertext but each key is 256bit which is 2 128bit blocks which are identical.

[jas39_]

Im trying to compile with code from the test suite as guided by WiFive and the latest from esp-idf but get the following errors:

Code: Select all

undefined reference to `nvs_flash_read_security_cfg'

undefined reference to `nvs_flash_generate_keys'

undefined reference to `nvs_flash_secure_init'

i do include the following files:

Code: Select all

#include "nvs.h"

#include "nvs_flash.h"

#include "esp_partition.h"

#include "esp_flash_encrypt.h"

Anything I'm missing or is it still not complete?

Rgds
/A

[ESP_igrr]

NVS encryption option only becomes available when Flash encryption feature is open.

First, read Flash Encryption docs to know how to configure and use it: https://docs.espressif.com/projects/esp ... ption.html.

Then, go to menuconfig, Component config, NVS, and open "Enable NVS encryption" option.

[WiFive]

The ciphertext is not two identical 128-bit blocks. The first block is all 0xff and the second block is all 0xee.

Each key has a different ciphertext but each key is 256bit which is 2 128bit blocks which are identical.

@ESP_Angus how about:

Code: [Select all] [Expand/Collapse]

1. for(uint8_t cnt = 0; cnt < NVS_KEY_SIZE; cnt++) {
2.         cfg->eky[cnt] = 0xff - cnt;
3.         cfg->tky[cnt] = 0xee - cnt;
4.     }

GeSHi © Codebox Plus Extension