Re: [PATCH 0/4] crypto: Key Derivation Function (SP800-108)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 27, 2016 at 08:33:00AM +0100, Stephan Mueller wrote:
>
> With the current development of EXT4 encryption we currently have the 
> logic that the files are either open (read/writable) or closed (not 
> accessible).
> 
> There is a scenario for a third option: a file is writable in a "device-
> locked" state, but not readable. The logic that would implement such mechanism 
> is nicely described in [1] section D.3.3, especially figure 4. To use such a 
> mechanism, the generated shared secret should definitely go through a KDF to 
> ensure that the key has the right size for the underlying symmetric cipher.
> 
> This approach would allow locking your device, but yet the system could still 
> write confidential data (like getting emails, generating logs, etc.) but the 
> data is not accessible unless you unlock the device.
> 
> So, my idea was to provide a building block for such encryption scenarios 
> which I would think will come.
> 
> Besides, if crypto network protocols are contemplated to be included into the 
> kernel (like TLS), I would think that the KDF should be handled by the kernel 
> crypto API as a central place for such logic. Thus, my patch would provide the 
> framework by providing the RNG template handling to have that KDF here.

While this is all very nice until such a user is ready for submission
into the kernel I'd rather not add this.

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux