arno
/
trezor-firmware
mirror of https://github.com/trezor/trezor-firmware.git
1
0
Fork 0
Code Issues Releases Wiki Activity

readme: remove future tense; and key derivation image; other small typos

Browse Source
pull/25/head
Tomas Susanka 5 years ago
parent f24c6e31f6
commit a73e147ceb
3 changed files with 454 additions and 34 deletions
Show Stats Download Patch File Download Diff File

77
README.md
Unescape View File

@ -10,12 +10,6 @@ The PIN is no longer stored in the flash storage. A new entry is added to the fl
## Storage format
The current format of the entries in the flash storage is:
| Data | KEY | APP | LEN | DATA |
|----------------|-----|-----|-----|------|
| Length (bytes) | 1 | 1 | 2 | LEN |
Entries fall into three categories:
| Category | Condition | Read | Write |
@ -24,33 +18,40 @@ Entries fall into three categories:
| Protected | 1 ≤ APP ≤ 127 | Only when unlocked | Only when unlocked |
| Public | 128 ≤ APP ≤ 255 | Always | Only when unlocked |
Private values are used to store storage-specific information and cannot be directly accessed through the storage interface. Currently the above conditions are enforced only in software, but not cryptographically. We propose that protected entries shall have the following new format:z
The format of public entries has remained unchanged, that is:
| Data | KEY | APP | LEN | DATA |
|----------------|-----|-----|-----|------|
| Length (bytes) | 1 | 1 | 2 | LEN |
Private values are used to store storage-specific information and cannot be directly accessed through the storage interface. Protected entries have the following new format:
| Data | KEY | APP | LEN | IV | ENCRDATA | TAG |
|----------------|-----|-----|-----|----|----------|-----|
| Length (bytes) | 1 | 1 | 2 | 12 | LEN - 28 | 16 |
The LEN value thus indicates the total length of IV, ENCRDATA and TAG. The format of public entries shall remain unchanged.
The LEN value thus indicates the total length of IV, ENCRDATA and TAG.
The random salt (32 bits), EDEK (256 bits), ESAK (128 bits) and PVC (64 bits) will be stored in a single entry under APP=0, KEY=2:
The random salt (32 bits), EDEK (256 bits), ESAK (128 bits) and PVC (64 bits) is stored in a single entry under APP=0, KEY=2:
| Data | KEY | APP | LEN | SALT | EDEK | ESAK | PVC |
|----------------|-----|-----|-------|------|------|------|-----|
| Length (bytes) | 1 | 1 | 2 | 4 | 32 | 16 | 8 |
| Value | 02 | 00 | 3C 00 | | | | |
The storage authentication tag (128 bits) will be stored in a single entry under APP=0, KEY=5:
The storage authentication tag (128 bits) is stored in a single entry under APP=0, KEY=5:
| Data | KEY | APP | LEN | TAG |
|----------------|-----|-----|-------|-----|
| Length (bytes) | 1 | 1 | 2 | 16 |
| Value | 05 | 00 | 20 00 | |
Furthermore, if any entry is overwritten, the old entry will be erased, i.e., overwritten with 0. We could then also use APP=0, KEY=0 as marker that the entry is erased (currently this is the marker for the PIN entry that we wouldn't need anymore).
Furthermore, if any entry is overwritten, the old entry is erased, i.e., overwritten with 0. We are also using APP=0, KEY=0 as marker that the entry is erased (this was formerly used for the PIN entry, which is not needed anymore).
## PIN verification and decryption of protected entries in flash storage
1. From the flash storage read the entry containing the random salt, EDEK and PVC.
2. Gather constant data from various system resources such as the ProcessorID (aka Unique device ID) and any hardware serial numbers that are available. The concatenation of this data with the random salt will be referred to as *salt*.
3. Prompt the user to enter the PIN. Prefix the entered PIN with a "1" digit in base 10 and convert the integer to 4 bytes in little endian byte order. Then compute:
@ -72,6 +73,8 @@ Furthermore, if any entry is overwritten, the old entry will be erased, i.e., ov
where the APP and KEY of the entry is used as two bytes of associated data. Compare the TAG read from the flash storage with the computed tag value. If there is a mismatch, then fail.
![summary](docs/key-derivation.svg)
## Initializing the EDEK
1. When the storage is initialized, generate the 32 bit random salt and 256 bit DEK using a cryptographically secure random number generator.
@ -104,31 +107,33 @@ Whenever the value of an entry needs to be updated, a fresh IV is generated usin
The storage authentication key (SAK) will be used to generate a storage authentication tag (SAT) for the list of all (APP, KEY) values of protected entries (1 ≤ APP ≤ 127) that have been set in the storage. The SAT will be checked during every get operation. When a new protected entry is added to the storage or when a protected entry is deleted from the storage, the value of the SAT will be updated. The value of the SAT is defined as the first 16 bytes of
`HMAC-SHA-256(SAK, ⨁i HMAC-SHA-256(SAK, KEYi || APPi))`
`HMAC-SHA-256(SAK, ⨁i HMAC-SHA-256(SAK, KEY_i || APP_i))`
where `⨁` denotes the n-ary bitwise XOR operation and KEYi || APPi is a two-byte encoding of the value of the i-th (APP, KEY) such that 1 ≤ APP ≤ 127.
where `⨁` denotes the n-ary bitwise XOR operation and KEY_i || APP_i is a two-byte encoding of the value of the *i*-th (APP, KEY) such that 1 ≤ APP ≤ 127.
## Design rationale
- The purpose of the PBKDF2 function is to thwart brute-force attacks in case the attacker is able to circumvent the PIN entry counter mechanism but does not have full access to the contents of the flash storage of the device, e.g. fault injection attacks. For an attacker that would be able to read the flash storage and obtain the salt, the PBKDF2 with 20000 iterations and a 4- to 9-digit PIN would not pose an obstacle.
- The reason why we propose to use a separate data encryption key rather than using the output of PBKDF2 directly to encrypt the sensitive entries is so that when the user decides to change their PIN, only the EDEK needs to be reencrypted, but the remaining entries do not need to be updated.
- The reason why we use a separate data encryption key rather than using the output of PBKDF2 directly to encrypt the sensitive entries is so that when the user decides to change their PIN, only the EDEK needs to be reencrypted, but the remaining entries do not need to be updated.
- We propose to use ChaCha20 for encryption, because as a stream cipher it has no padding overhead and its implementation is readily available in trezor-crypto. A possible alternative to using ChaCha20Poly1305 for DEK encryption is to use AES-CTR with HMAC in an encrypt-then-MAC scheme. A possible alternative to using ChaCha20 for encryption of other data entries is to use AES-XTS (XEX-based tweaked-codebook mode with ciphertext stealing), which was designed specifically for disk-encryption. The APP || KEY value would be used as the tweak.
- We se ChaCha20 for encryption, because as a stream cipher it has no padding overhead and its implementation is readily available in trezor-crypto. A possible alternative to using ChaCha20Poly1305 for DEK encryption is to use AES-CTR with HMAC in an encrypt-then-MAC scheme. A possible alternative to using ChaCha20 for encryption of other data entries is to use AES-XTS (XEX-based tweaked-codebook mode with ciphertext stealing), which was designed specifically for disk-encryption. The APP || KEY value would be used as the tweak.
- Advantages of AES-XTS:
- Does not require an initialization vector.
- Ensures better diffusion than a stream cipher, which eliminates the above concerns about malleability and fault injection attacks.
- Disadvantages of AES-XTS:
- Not implemented in trezor-crypto.
- Requires two keys of length at least 128 bits.
- A 32-bit PVC would be sufficient to verify the PIN value, since there would be less than a 1 in 4 chance that there exists a false PIN, which has the same PVC as the correct PIN. Nevertheless, we decided to go with a 64-bit PVC to achieve a larger security margin. The chance that there exists a false PIN, which has the same PVC as the correct PIN, then drops below 1 in 10^10. The existence of a false PIN does not appear to pose a security weakness, since the false PIN cannot be used to decrypt the protected entries.
- Instead of using separate IVs for each entry we considered using a single IV for the entire sector. Upon sector compaction a new IV would have to be generated and the encrypted data would have to be reencrypted under the new IV. A possible issue with this approach is that compaction cannot happen without the DEK, i.e. generally data could not be written to the flash storage without knowing the PIN. This property might not always be desirable.
## New measures for PIN entry counter protection
Our current implementation of the PIN entry counter is vulnerable to fault injection attacks.
The former implementation of the PIN entry counter was vulnerable to fault injection attacks.
Under the current implementation the PIN counter storage entry consists of 32 words initialized to 0xFFFFFFFF. The first non-zero word in this area is the current PIN failure counter. Before verifying the PIN the lowest bit with value 1 is set to 0, i.e. a value of FFFFFFFC indicates two PIN entries. Upon successful PIN entry, the word is set to 0x00000000, indicating that the next word is the PIN failure counter. Allegedly, by manipulating the voltage on the USB input an attacker can convince the device to read the PIN entry counter as 0xFFFFFFFF even if some of the bits have been set to 0.
Under the former implementation the PIN counter storage entry consisted of 32 words initialized to 0xFFFFFFFF. The first non-zero word in this area was the current PIN failure counter. Before verifying the PIN the lowest bit with value 1 was set to 0, i.e. a value of FFFFFFFC indicated two PIN entries. Upon successful PIN entry, the word was set to 0x00000000, indicating that the next word was the PIN failure counter. Allegedly, by manipulating the voltage on the USB input an attacker could convince the device to read the PIN entry counter as 0xFFFFFFFF even if some of the bits had been set to 0.
### Design goals
@ -140,31 +145,34 @@ Under the current implementation the PIN counter storage entry consists of 32 wo
### Proposal summary
Under the current implementation, for every unsuccessful PIN entry we discard one bit from the counter, while for every successful PIN entry we discard an entire word. In the new implementation we would like to optimize the counter operations for successful PIN entry.
Under the former implementation, for every unsuccessful PIN entry we discarded one bit from the counter, while for every successful PIN entry we discard an entire word. In the new implementation we optimize the counter operations for successful PIN entry.
The basic idea is that there will be two binary logs stored in the flash storage, e.g.:
The basic idea is that there are two binary logs stored in the flash storage, e.g.:
```
...0001111111111111... pin_success_log
...0000001111111111... pin_entry_log
```
Before every PIN verification the highest 1-bit in the pin_entry_log will be set to 0. If the verification succeeds, then the corresponding bit in the pin_success_log will also be set to 0. The example above shows the status of the logs when the last three PIN entries were not successful.
Before every PIN verification the highest 1-bit in the pin_entry_log is set to 0. If the verification succeeds, then the corresponding bit in the pin_success_log is also set to 0. The example above shows the status of the logs when the last three PIN entries were not successful.
In actual fact the logs will not be written to the flash storage exactly as shown above, but they will be stored in a form that should protect them against fault injection attacks. Only half of the stored bits will carry information, the other half will act as "guard bits". So a stored value ...001110... could look like ...0g0gg1g11g0g..., where g denotes a guard bit. The positions and the values of the guard bits will be determined by a guard key. The guard_key will be a randomly generated uint32 value stored as an entry in the flash memory in cleartext. The assumption behind this is that an attacker attempting to reset or decrement the PIN counter by a fault injection is not able to read the flash storage. However, the value of guard_key also needs to be protected against fault injection, so the set of valid guard_key values should be limited by some condition which is easy to verify, such as guard_key mod M == C, where M and C a suitably chosen constants. The constants should be chosen so that the binary representation of any valid guard_key value has Hamming weight between 8 and 24.
In actual fact the logs are not written to the flash storage exactly as shown above, but they are stored in a form that should protect them against fault injection attacks. Only half of the stored bits carry information, the other half acts as "guard bits". So a stored value `...001110...` could look like `...0g0gg1g11g0g...`, where g denotes a guard bit. The positions and the values of the guard bits are determined by a guard key. The guard_key is a randomly generated uint32 value stored as an entry in the flash memory in cleartext. The assumption behind this is that an attacker attempting to reset or decrement the PIN counter by a fault injection is not able to read the flash storage. However, the value of guard_key also needs to be protected against fault injection, so the set of valid guard_key values should be limited by some condition which is easy to verify, such as guard_key mod M == C, where M and C a suitably chosen constants. The constants should be chosen so that the binary representation of any valid guard_key value has Hamming weight between 8 and 24. These conditions are discussed below.
### Storage format
The PIN log will replace the current PIN_FAIL_KEY entry (APP = 0, KEY = 1). The DATA part of the entry will consist of 33 words (132 bytes, assuming 32-bit words):
guard_key (1 word), pin_success_log (16 words), pin_entry_log (16 words)
The PIN log has APP = 0 and KEY = 1. The DATA part of the entry consists of 33 words (132 bytes, assuming 32-bit words):
Each log will be stored in big-endian word order. The byte order of each word is platform dependent.
- guard_key (1 word)
- pin_success_log (16 words)
- pin_entry_log (16 words)
Each log is stored in big-endian word order. The byte order of each word is platform dependent.
### Guard key validation
The guard_key is said to be valid if the following three conditions hold true:
1. Each byte of the binary representation of the guard_key has a balanced number of zeros and ones at the positions corresponding to the guard values (that is those bits in the mask 0xAAAAAAAA)
1. Each byte of the binary representation of the guard_key has a balanced number of zeros and ones at the positions corresponding to the guard values (that is those bits in the mask 0xAAAAAAAA).
2. The guard_key binary representation does not contain a run of 5 (or more) zeros or ones.
3. The guard_key integer representation is congruent to 15 modulo 6311.
@ -193,9 +201,9 @@ int key_validity(uint32_t guard_key)
The guard_key may be generated in the following way:
1. Generate a random integer r in such that 0 ≤ r ≤ 680552 with uniform probability.
2. Set r = r * 6311 + 15.
3. If key_validity(r) is not true go back to the step 1.
1. Generate a random integer *r* in such that 0 ≤ *r* ≤ 680552 with uniform probability.
2. Set *r* = *r* * 6311 + 15.
3. If *key_validity(r)* is not true go back to the step 1.
Note that on average steps 1 to 3 are repeated about one hundred times.
@ -223,23 +231,24 @@ and the `y` bits to its corresponding complement:
`(~guard_key) & LOW_MASK`
That ensures that only one 1 bit is present in each pair xy. The guard value is equal to the bits labelled "v" in the guard_key but only at the positions indicated by the guard_mask. The guard value is therefore equal to:
That ensures that only one 1 bit is present in each pair `xy`. The guard value is equal to the bits labelled `v` in the guard_key but only at the positions indicated by the guard_mask. The guard value is therefore equal to:
```
--------- x bits mask -------- & -- guard_key --
-------- x bits mask --------- & -- guard_key --
guard = (((guard_key & LOW_MASK) << 1) & guard_key) |
----- y bits mask ---- & - guard_key shifted to v bits
(((~guard_key) & LOW_MASK) & (guard_key >> 1))
```
### Log initialization
Each log will be stored as 16 consecutive words each initialized to:
Each log is stored as 16 consecutive words each initialized to:
`guard | ~guard_mask`
### Removing and adding guard bits
After reading a word from the flash storage we will verify the format by checking the condition
After reading a word from the flash storage we verify the format by checking the condition:
`(word & guard_mask) == guard`
@ -251,7 +260,7 @@ word = ((word >> 1) | word ) & LOW_MASK
word = word | (word << 1)
```
This operation replaces each guard bit with the value of its neighbouring bit, e.g. ...0g0gg1g11g0g… is converted to ...000011111100… Thus each non-guard bit is duplicated.
This operation replaces each guard bit with the value of its neighbouring bit, e.g. `…0g0gg1g11g0g…` is converted to `…000011111100…` Thus each non-guard bit is duplicated.
The guard bits can be added back as follows:
@ -259,7 +268,7 @@ The guard bits can be added back as follows:
### Determining the number of PIN failures
Remove the guard bits from the words of the pin_entry_log using the operations described above and verify that the result has form 0*1* by checking the condition:
Remove the guard bits from the words of the pin_entry_log using the operations described above and verify that the result has form 0\*1\* by checking the condition:
`word & (word + 1) == 0`

BIN
docs/key-derivation.odg
View File

Binary file not shown.

411
docs/key-derivation.svg
Unescape View File

@ -0,0 +1,411 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 888 456"
height="456"
width="888"
xml:space="preserve"
id="svg2"
version="1.1"><metadata
id="metadata8"><rdf:RDF><cc:Work
rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" /></cc:Work></rdf:RDF></metadata><defs
id="defs6"><clipPath
id="clipPath18"
clipPathUnits="userSpaceOnUse"><path
id="path16"
d="M 0,0 H 792 V 612 H 0 Z" /></clipPath><clipPath
id="clipPath22"
clipPathUnits="userSpaceOnUse"><path
style="clip-rule:evenodd"
id="path20"
d="M 0,0.028 H 791.971 V 611.999 H 0 Z" /></clipPath></defs><g
transform="matrix(1.3333333,0,0,-1.3333333,0,456)"
id="g10"><g
transform="translate(-62,-234)"
id="g12"><g
id="g14" /><g
id="g316"><g
id="g314"
clip-path="url(#clipPath18)"><g
id="g312"><g
id="g310"
clip-path="url(#clipPath22)"><path
id="path24"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="M 0,612 H 791.972 V 0.028 L 0,0.028 Z" /><path
id="path26"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 409.011,513.836 h -23.102 v 21.458 h 46.204 v -21.458 z" /><g
id="g30"><path
id="path28"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 409.011,513.836 h -23.102 v 21.458 h 46.204 v -21.458 z" /></g><g
id="g36"><text
id="text34"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,393.307,519.987)"><tspan
id="tspan32"
y="0"
x="0 8.6913481 17.30463 23.510878">SALT</tspan></text>
</g><path
id="path38"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 652.28,513.836 h -29.083 v 21.458 h 58.167 v -21.458 z" /><g
id="g42"><path
id="path40"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 652.28,513.836 h -29.083 v 21.458 h 58.167 v -21.458 z" /></g><g
id="g48"><text
id="text46"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,639.014,519.987)"><tspan
id="tspan44"
y="0"
x="0 8.6132822 17.226564">PVC</tspan></text>
</g><path
id="path50"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 486.397,513.836 h -54.595 v 21.458 h 109.162 v -21.458 z" /><g
id="g54"><path
id="path52"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 486.397,513.836 h -54.595 v 21.458 h 109.162 v -21.458 z" /></g><g
id="g60"><text
id="text58"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,468.709,519.987)"><tspan
id="tspan56"
y="0"
x="0 8.6913481 17.994213 26.68556">EDEK</tspan></text>
</g><g
id="g66"><text
id="text64"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,404.504,537.506)"><tspan
id="tspan62"
y="0"
x="0 5.5933542 11.096654">32b</tspan></text>
</g><g
id="g72"><text
id="text70"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,475.398,537.392)"><tspan
id="tspan68"
y="0"
x="0 5.5933542 11.096654 16.599955">256b</tspan></text>
</g><g
id="g78"><text
id="text76"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,643.209,537.392)"><tspan
id="tspan74"
y="0"
x="0 5.5033002 11.0066">64b</tspan></text>
</g><path
id="path80"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 191.197,410.627 h -57.6 v 35.546 h 115.2 v -35.546 z" /><g
id="g84"><path
id="path82"
style="fill:none;stroke:#729fcf;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 191.197,410.627 h -57.6 v 35.546 h 115.2 v -35.546 z" /></g><g
id="g90"><text
id="text88"
style="font-variant:normal;font-weight:normal;font-size:14.99499989px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,162.113,423.213)"><tspan
id="tspan86"
y="0"
x="0 9.9866695 19.883369 29.870041 40.666439 49.768406">PBKDF2</tspan></text>
</g><path
id="path92"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 97.2,427.323 h 23.811" /><path
id="path94"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 133.2,427.323 -12.756,4.252 v -8.504 z" /><g
id="g100"><text
id="text98"
style="font-variant:normal;font-weight:normal;font-size:14.99499989px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#ce181e;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,66.813,421.597)"><tspan
id="tspan96"
y="0"
x="0 9.8966999 14.080305">PIN</tspan></text>
</g><path
id="path102"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 409.011,513.808 V 479.991 H 191.197 v -25.682" /><path
id="path104"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 191.197,446.173 2.834,8.504 h -5.669 z" /><g
id="g110"><text
id="text108"
style="font-variant:normal;font-weight:normal;font-size:10.99800014px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,275.613,482.995)"><tspan
id="tspan106"
y="0"
x="0 6.4888201 9.6782398 15.78213 21.886021 25.570351 31.67424 39.570805 45.762676 49.447006 55.5509 58.641335 64.140335 70.332207 72.630791">+ hardware salt</tspan></text>
</g><path
id="path112"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="M 447.165,417.458 H 410.57 v 21.459 h 73.162 v -21.459 z" /><g
id="g116"><path
id="path114"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 447.165,417.458 H 410.57 v 21.459 h 73.162 v -21.459 z" /></g><g
id="g122"><text
id="text120"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,432.397,423.694)"><tspan
id="tspan118"
y="0"
x="0 8.6132822 17.30463 20.908676">KEIV</tspan></text>
</g><path
id="path124"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 356.003,417.458 h -54.595 v 21.459 H 410.57 v -21.459 z" /><g
id="g128"><path
id="path126"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 356.003,417.458 h -54.595 v 21.459 H 410.57 v -21.459 z" /></g><g
id="g134"><text
id="text132"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,342.992,423.694)"><tspan
id="tspan130"
y="0"
x="0 8.6913481 17.30463">KEK</tspan></text>
</g><g
id="g140"><text
id="text138"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,345.005,441.099)"><tspan
id="tspan136"
y="0"
x="0 5.5933542 11.096654 16.599955">256b</tspan></text>
</g><g
id="g146"><text
id="text144"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,439.087,440.986)"><tspan
id="tspan142"
y="0"
x="0 5.5033002 11.0066">96b</tspan></text>
</g><path
id="path148"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 248.4,428.4 h 41.811" /><path
id="path150"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 302.4,428.4 -12.756,4.252 v -8.504 z" /><path
id="path152"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 621.609,342.595 h -91.19 v 35.547 h 182.353 v -35.547 z" /><g
id="g156"><path
id="path154"
style="fill:none;stroke:#729fcf;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 621.609,342.595 h -91.19 v 35.547 h 182.353 v -35.547 z" /></g><g
id="g162"><text
id="text160"
style="font-variant:normal;font-weight:normal;font-size:14.99499989px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,554.202,355.209)"><tspan
id="tspan158"
y="0"
x="0 10.7964 19.178604 27.56081 38.357208 46.739414 55.12162 63.503826 71.886032 81.78273 90.164932 93.553802 101.14127 109.43351 117.92068 126.30289">ChaCha20Poly1305</tspan></text>
</g><path
id="path164"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 356.003,417.43 V 354.954 H 522.369" /><path
id="path166"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="M 530.504,354.954 522,357.789 v -5.669 z" /><path
id="path168"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 447.165,417.43 v -51.137 h 75.204" /><path
id="path170"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="M 530.504,366.293 522,369.128 v -5.67 z" /><path
id="path172"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 486.397,513.808 V 464.4 h 135.212 v -78.123" /><path
id="path174"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 621.609,378.142 2.835,8.504 h -5.669 z" /><g
id="g180"><text
id="text178"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,506.211,368.986)"><tspan
id="tspan176"
y="0"
x="0 2.1012599">iv</tspan></text>
</g><g
id="g186"><text
id="text184"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,588.189,394.809)"><tspan
id="tspan182"
y="0"
x="0 5.0930538 7.194314 12.697614 18.200914 23.794268">cipher</tspan></text>
</g><g
id="g192"><text
id="text190"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,593.688,383.613)"><tspan
id="tspan188"
y="0"
x="0 2.7916739 8.2949743 13.388028">text</tspan></text>
</g><path
id="path194"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 675.978,250.186 h -27.326 v 21.458 h 54.624 v -21.458 z" /><g
id="g198"><path
id="path196"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 675.978,250.186 h -27.326 v 21.458 h 54.624 v -21.458 z" /></g><g
id="g204"><text
id="text202"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,661.209,256.394)"><tspan
id="tspan200"
y="0"
x="0 8.6913481 17.30463 26.698572">PVC</tspan></text>
</g><path
id="path206"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 606.926,250.186 h -41.754 v 21.458 h 83.48 v -21.458 z" /><g
id="g210"><path
id="path208"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 606.926,250.186 h -41.754 v 21.458 h 83.48 v -21.458 z" /></g><g
id="g216"><text
id="text214"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,594,256.394)"><tspan
id="tspan212"
y="0"
x="0 8.6132822 17.30463">SAK</tspan></text>
</g><g
id="g222"><text
id="text220"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,597.288,239.811)"><tspan
id="tspan218"
y="0"
x="0 5.5033002 11.0066 16.509899">128b</tspan></text>
</g><g
id="g228"><text
id="text226"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,668.608,239.698)"><tspan
id="tspan224"
y="0"
x="0 5.5933542 11.096654">64b</tspan></text>
</g><path
id="path230"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 621.609,342.595 V 307.106 H 511.88 v -27.355" /><path
id="path232"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 511.88,271.616 2.835,8.504 h -5.669 z" /><path
id="path234"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 621.609,342.595 v -35.489 h 54.369 v -27.355" /><path
id="path236"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 675.978,271.616 2.835,8.504 h -5.67 z" /><g
id="g242"><text
id="text240"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,628.299,309.402)"><tspan
id="tspan238"
y="0"
x="0 2.7016201 4.9029398 8.2049198 13.297974 15.999594 18.791267 24.294567 29.797869 35.39122 38.092842 43.686195 46.387817 49.179489 57.48447 64.088432">first 64b of MAC</tspan></text>
</g><g
id="g248"><text
id="text246"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,574.413,309.288)"><tspan
id="tspan244"
y="0"
x="0 5.5933542 7.6946139 13.287968 15.389228 20.892529 23.684202 26.385822 31.979176 36.982178">plain text</tspan></text>
</g><g
id="g252"><path
id="path250"
style="fill:none;stroke:#808080;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="M 541.417,490.904 H 360 v 79.2 h 362.835 v -79.2 z" /></g><g
id="g258"><text
id="text256"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#808080;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,687.997,558.198)"><tspan
id="tspan254"
y="0"
x="0 7.9106879 10.79913 18.007223 24.512724">Flash</tspan></text>
</g><g
id="g264"><text
id="text262"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,501.109,342.51)"><tspan
id="tspan260"
y="0"
x="0 5.0029998 10.596354">key</tspan></text>
</g><path
id="path266"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 581.471,513.808 h -41.754 v 21.458 h 83.508 v -21.458 z" /><g
id="g270"><path
id="path268"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 581.471,513.808 h -41.754 v 21.458 h 83.508 v -21.458 z" /></g><g
id="g276"><text
id="text274"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,564.208,519.987)"><tspan
id="tspan272"
y="0"
x="0 8.6913481 17.30463 25.917912">ESAK</tspan></text>
</g><g
id="g282"><text
id="text280"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,572.287,537.392)"><tspan
id="tspan278"
y="0"
x="0 5.5033002 11.0066 16.509899">128b</tspan></text>
</g><path
id="path284"
style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 511.88,250.186 h -54.595 v 21.458 h 109.162 v -21.458 z" /><g
id="g288"><path
id="path286"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 511.88,250.186 h -54.595 v 21.458 h 109.162 v -21.458 z" /></g><g
id="g294"><text
id="text292"
style="font-variant:normal;font-weight:normal;font-size:13.01099968px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,498.614,256.394)"><tspan
id="tspan290"
y="0"
x="0 9.302865 17.994213">DEK</tspan></text>
</g><g
id="g300"><text
id="text298"
style="font-variant:normal;font-weight:normal;font-size:10.00599957px;font-family:'Liberation Sans';-inkscape-font-specification:LiberationSans;writing-mode:lr-tb;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none"
transform="matrix(1,0,0,-1,500.91,239.811)"><tspan
id="tspan296"
y="0"
x="0 5.5033002 11.0066 16.599955">256b</tspan></text>
</g><path
id="path302"
style="fill:none;stroke:#000000;stroke-width:0.1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 603.071,307.106 v -10.63 h 3.855 v -16.725" /><path
id="path304"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none"
d="m 606.926,271.616 2.835,8.504 h -5.67 z" /><g
id="g308"><path
id="path306"
style="fill:none;stroke:#000000;stroke-width:0.75;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:10;stroke-dasharray:none;stroke-opacity:1"
d="m 581.471,513.78 v -31.777 h 40.138 V 464.4" /></g></g></g></g></g></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

Write Preview
Loading…
Cancel
Save