
I have a power constrained environment where I do not have enough power to update an encryption key. For this reason, the symmetric key will be programmed before the devices are distributed, and this key is used to encrypt a payload. I have two different things that I could possibly change: one is a nonce, and the other is a modification to the base key. I don't have a way to generate a nonce locally; however, in the system, you have a "host" and a "client", and the host polls the client. The encrypted packet goes from the client to the host. For the sake of scope, let's assume AES-128. I have a very small, non-volatile memory of 128 bytes. Here is a list of things that I could possibly do within the current framework:

  • I could send a random number and XOR that with the key that is already stored in the "client". The problem there is that I have a 128-bit key but only the ability to send a 32-bit value to the device (currently, that is; I could possibly get 128 bits, but I need to look into the channel bandwidth).
  • The client generates a 16-bit pseudorandom number that is known by both the host and the client, and I could use that as a nonce in some way. This approach is easiest because it becomes a host-side software issue, because the key is not modified.

Above is basically a nuance to the problem, so the question is: Is there a standard method to deal with the problem of an immutable key structure in a system which uses a symmetric cipher?

b degnan
  • How long is the life of the key? What is the encryption algorithm and mode of operation? – kelalaka Apr 21 '21 at 15:32
  • Your problem statement is underspecified. What is the key used for: communication with the host, communication with other devices, local encryption? Do you have persistent storage that you trust for integrity but not for confidentiality? Is the code so constrained that a simple KDF (e.g. hash(key+nonce)) is a problem? – Gilles 'SO- stop being evil' Apr 21 '21 at 17:08
  • @Gilles'SO-stopbeingevil' and kelalaka I have updated the question to address your comments. And yes, integrity of the memory is good. You cannot get information out that's not encrypted, so I don't know if that qualifies as confidentiality in the cryptographic sense. I'm trying to retrieve the memory in an encrypted fashion. – b degnan Apr 21 '21 at 17:39
  • Can you prefer xChaCha20 with a single key? You can use that for a very long time. I guess your device has no AES-NI, so xChaCha20 is faster and it is secure against side-channel attacks by design. Is the memory for the key writeable by the system? – kelalaka Apr 21 '21 at 17:53
  • @kelalaka The key is "write once". The memory is write once, and it's done before the wafer is sliced. – b degnan Apr 21 '21 at 18:08
  • https://en.wikipedia.org/wiki/Double_Ratchet_Algorithm – kelalaka Apr 21 '21 at 20:21

1 Answer


I'm not sure if this is precisely what you are asking, but developing single-session keys from a long-term hard-wired key is something that mobile phones and SIM cards do. Hard-wired keys on the SIM and known to the service provider kick off a key derivation process augmented with a random nonce value from the service provider's base station. The 3GPP MILENAGE suite is such a method, is standardised via ETSI, and only uses symmetric primitives (block ciphers).

Daniel S
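The pattern the answer describes (a fixed, write-once key on the client; a fresh nonce supplied by the polling host; a per-poll session key derived from both, as in Gilles's `hash(key+nonce)` suggestion), as an added example that is not part of the original thread. It assumes the 32-bit host nonce from the question, a constructed placeholder base key, and uses HMAC-SHA256 from the Python standard library as the PRF in place of AES (both for the KDF and as a counter-mode keystream), because the standard library ships no block cipher; with AES available, the same structure works with AES-CMAC as the KDF and AES-CTR for encryption. Because the nonce is only 32 bits, a repeat (and hence a repeated session key) becomes likely after roughly 2^16 polls, so the host side keeps track of the nonces it has issued rather than trusting randomness alone.

```python
"""Per-poll session keys from a write-once base key.

Added example, not code from the thread. Assumptions: 32-bit host nonce,
constructed base key, HMAC-SHA256 standing in for the AES-based primitives.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed placeholder for the 128-bit key burned into the client at manufacture.
BASE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NONCE_LEN = 4   # the 32-bit value the host can push to the client on each poll
TAG_LEN = 16


def derive_session_keys(base_key, host_nonce):
    """Derive (enc_key, mac_key) for one poll from the fixed key and the host nonce.

    Only the nonce changes between polls; the base key itself is never rewritten.
    Distinct labels keep the encryption and MAC keys independent.
    """
    if len(host_nonce) != NONCE_LEN:
        raise ValueError("host nonce must be exactly 32 bits")
    enc_key = hmac.new(base_key, b"enc" + host_nonce, hashlib.sha256).digest()[:16]
    mac_key = hmac.new(base_key, b"mac" + host_nonce, hashlib.sha256).digest()[:16]
    return enc_key, mac_key


def keystream(enc_key, length):
    """Counter-mode keystream from a keyed PRF (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def client_encrypt(base_key, host_nonce, payload):
    """Client side: encrypt-then-MAC the payload under the per-poll keys."""
    enc_key, mac_key = derive_session_keys(base_key, host_nonce)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, len(payload))))
    tag = hmac.new(mac_key, host_nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def host_decrypt(base_key, host_nonce, packet):
    """Host side: re-derive the keys, check the tag, then decrypt."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short")
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = derive_session_keys(base_key, host_nonce)
    expected = hmac.new(mac_key, host_nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))


class Host:
    """Polling side: issues a fresh nonce per poll and refuses to reuse one."""

    def __init__(self, base_key):
        self.base_key = base_key
        self.issued = set()

    def new_nonce(self):
        while True:
            nonce = secrets.token_bytes(NONCE_LEN)
            if nonce not in self.issued:   # reused nonce would mean reused session keys
                self.issued.add(nonce)
                return nonce


def run_poll(host, payload):
    """One host poll: nonce out, encrypted packet back, payload recovered on the host."""
    nonce = host.new_nonce()
    packet = client_encrypt(host.base_key, nonce, payload)
    return nonce, packet, host_decrypt(host.base_key, nonce, packet)


if __name__ == "__main__":
    h = Host(BASE_KEY)
    for _ in range(3):
        nonce, packet, recovered = run_poll(h, b"sensor reading 42")
        print(nonce.hex(), packet.hex()[:32] + "...", recovered)
```

Each poll yields a different packet for the same plaintext because the session keys change with the nonce; the host never needs to write anything to the client, which is the point of the nonce-augmented derivation the answer refers to.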