I have a question related to bitstream encryption using eFUSE option. If my FPGA has bitstream encryption key stored in the eFUSE, how Vivado will know the encryption key when generating new encrypted bitstream? Does Vivado has a method to readback the key from eFUSE and use it for encryption?
How can Vivado know the encryption key?
Vivado uses an NKY file that is generated when setting the encryption key. For instance when executing
set_property BITSTREAM.ENCRYPTION.KEY0 56’h12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA current_design]
An NKY file will be create, whose format is:
KEY 0 <hex string> (256 bit AES key)
For example: (top.nky)
Device xc7k325t;
Key 0 12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA12345678ABCDDCBA;
Key StartCBC 7115e9aa80085ea3ed65d26d3a8ab608;
Key HMAC d293d51c6058430262b05521f8f67279c9abce27d5fcafcf839bbe1af46713cc;
Can Vivado read back the key?
Quoting XAPP1239
The encryption key can only be loaded onto a device through the JTAG interface
After the key is programmed and the key-access mode is exited, the key cannot be read out of the device by any means, and it cannot be reprogrammed without clearing the entire device.
Related
I'm trying to understand the key exchange happening with CurveMQ described here.
http://curvezmq.org/page:read-the-docs
My understanding of public key cryptography is you use a public key to encrypt data that can then be decrypted by the corresponding private key. In the CurveMQ specification it describes encrypting data from a key to a key. See the excerpts below they reference 2 keys. What does this mean in layman's terms?
The signature box (80 octets). This SHALL contain 64 zero octets,
encrypted from the client's transient key C' to the server's permanent
key S.
and
A welcome box (144 octets) that encrypts the server public transient
key S' (32 octets) and the server cookie (96 octets), from the server
permanent key S to the client's transient key C'.
I have service that runs in background, manages cryptographic keys. I want to transfer those keys from one end to another.
This transfer includes RSA's Private Key also. During this transfer I encrypt actual Key value with some other public key. AES "key value" encryption working as expected. But RSA private key transfer it throws following error.
error=crypto/rsa: message too long for RSA public key size
I understand that only limited amount of bytes can be encrypted by particular length of key length.
For 3072 bit public key it shows, "Data must not be longer than 373
bytes"
For 4096 bit public key it shows, "Data must not be longer than 501
bytes"
Reference -> https://www.devglan.com/online-tools/rsa-encryption-decryption
But in my case, actual key length of private key is 1624(2048 key length). To encrypt this I need to create key pair with 15360 encrypt key with public key(15360)and it is working.
But I've key supported length up to 15360 in my service. So again to transfer this length of private key I need to create again 115200(i'm not sure about this length) of length keypair? Whether this approach is correct or there is any other way for this problem ?
Is there a way to convert a USB HID Usage ID to a Virtual Key code in Windows OS?
for example,
HID Usage ID 0x04 ---> Virtual Key is 0x41 (this is key A)
HID Usage ID 0x91 ---> Virtual Key is 0xE9 (this is a OEM specific key)
HID Usage ID 0x87 ---> Virtual Key is 0xC1 (this is a Reserved key code)
...
I just found a virtual keys code table,
but I can't find a translation table or a way to translate it efficiently.
There is no API to translate between HID Usage IDs and virtual key codes. The translation is performed by the device driver.
The Usage IDs for keyboards are published on http://usb.org in the HID Usage Tables specification (Chapter 10 "Keyboard/Keypad Page (0x07)").
Windows uses I8042 scan codes for keyboard input for historical reasons (API is scan code dependant). Scan codes are produced by Windows Keyboard HID client driver from
USB HID keyboard key usages internally with a call to HidP_TranslateUsagesToI8042ScanCodes (one-way hid usage -> scan code table is baked inside Hidparse.lib that is usually not used by user code. You can find this table as PDF here).
Then Windows user subsystem converts scancode to VK code by means of active keyboard layout table (that is embedded in keyboard layout dll file - for example US English is kbdus.dll). And this VK code you're receive in WM_KEYDOWN etc message.
You can do this scan code <-> VK code conversion manually with a call to MapVirtualKeyEx.
There is also hidusage.h that comes with Windows SDK. It contains a bunch of HID usages pages/ids as defines that you can use in your code as constants if you need.
As for efficient translation between I8042 scan code and HID usage - you can use for this dom_code_data.inc table from Chromium authors. Here is my example code that is doing that.
I need to generate a keypair and give the public key to someone. They say it needs to be:
AES-256 CBC 128-bit block size.
random Initialization Victor IV of 16b fixed length.
PKCS7Padding
I don't even know if these are the defaults or not or even if I'm asking in the right place. How can I make a key like this?
Your requirements cannot be correct. AES is a symmetric algorithm, which means both parties should have the same secret key. Key pairs are generated for asymmetric encryption such as RSA.
Most of the time AES and RSA are used together for encryption. This is called hybrid encryption: a random AES key is generated and used to encrypt the plaintext. Then the AES key is encrypted with the RSA public key (using OAEP padding, for instance). Then the resulting ciphertext and the encrypted key are send to the other party, which can decrypt the AES key using the private key, and then the ciphertext with the AES key.
If you just need to give a secret key you must use secure transport. An AES key can be 256 bits secure random key, which can easily be extracted from /dev/urandom, e.g.:
dd bs=1 count=32 if=/dev/urandom of=aes-256-key.bin
for RSA, use the openssl command line, for instance.
I am using AES block cipher in CBC mode to encrypt by data. I am confused of using the appropriate error correcting code that can used with CBC block cipher for data retrievability? Can anyone help me?
You should use AES CMAC (different from AES MAC) to provide integrity protection and authentication of the message. To do this, you should use a different key. The AES-CMAC should be calculated over the encrypted message.