[Cryptography] Minimal secure boot
sebastien riou
matic at nimp.co.uk
Sun Jun 9 16:57:25 EDT 2019
I am looking for a minimal secure boot scheme, with 128 bit security level.
The target device has a 16bit CPU, RAM in the KBytes range and the code
size is critical (this is supposed to go in ROM and it's already full...).
What I am considering so far:
- Generate an RSA2048 key pair
  - d: private exponent
  - n: modulus
  - e: public exponent
- store n and e in the ROM
- at build time:
  - digest = sha256 over the code
  - sig = mod_exp(digest,d,n)
  - append sig to code
- at boot:
  - get code and sig
  - digest = sha256 over code
  - expected = mod_exp(sig,e,n)
  - launch code only if digest == expected
Any issue with that?
Now I am wondering if I need:
- e larger than 3? If yes, what is the sensible minimum? I am inclined
  to set e=11 to get (digest power e) > n but I do not really have a clear
  argument for that.
- padding the digest before the mod_exp
I will be the only one knowing the private key and I won't sign any third
party code, so chosen plaintext attacks are not a worry.
I am not concerned by attacks where the same thing is signed by multiple
keys either.
Sebastien
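
The build-time and boot-time steps listed in the message above, as a runnable sketch added here (not code from the original post), with a switch between the bare-digest variant and the padded variant the post asks about. Assumptions: the padding shown is the PKCS#1 v1.5 signature encoding, picked here as one fixed-padding option; `keygen`, `encode`, `sign` and `verify` are hypothetical names; the Miller-Rabin key generation is for the demo only.

```python
import hashlib, math, secrets

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signature encoding, RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def is_probable_prime(n, rounds=40):
    """Miller-Rabin on large candidates; enough for a demo key, not a vetted generator."""
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(e=3, bits=2048):
    """Return (n, e, d). Primes are chosen so that gcd(e, p-1) == 1."""
    primes = []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if math.gcd(e, p - 1) == 1 and is_probable_prime(p):
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def encode(code, n, padded):
    """Integer fed to mod_exp: bare digest (the post's scheme) or full-width padded block."""
    digest = hashlib.sha256(code).digest()
    if not padded:
        return int.from_bytes(digest, "big")
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(code, d, n, padded=True):          # build time
    return pow(encode(code, n, padded), d, n)

def verify(code, sig, e, n, padded=True):   # boot time
    # Rebuild the expected block and compare all of it; nothing is parsed from sig.
    return 0 <= sig < n and pow(sig, e, n) == encode(code, n, padded)
```

On the device only `verify` is needed: one SHA-256, one mod_exp with the small public exponent, and a comparison against a block that is constant apart from its last 32 bytes.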