Comments (7)
rweather
commented on July 28, 2024
1
XTS is very heavy - it needs two AES128 objects internally. That will use up to 400 bytes of RAM, which is nearly a quarter of all RAM on a Uno.
The random number generator RNG also consumes about 150 bytes even if you don't use it. So if you don't need that you could remove it from the library or comment it out.
I assume that you are using XTS to encrypt sectors on the SD card? It may be possible to rearrange the code to use only 1 BlockCipher object but keeping the key passed to XTSCommon::setKey() around and then setting each half of the key on the cipher during setTweak(), encryptSector(), and decryptSector(). But it would be slower to set up keys at the start of each sector encrypt/decrypt operation.
You may have to switch to an Arduino with more memory, sorry.
from arduinolibs.
rweather
commented on July 28, 2024
1
Another thing you could try is to use the AESSmall128 version of AES instead of AES128. It is slower, but it uses a lot less RAM for the key schedule.
from arduinolibs.
RicardoPires19
commented on July 28, 2024
Ok, I'll try to start by removing the RNG function, I think 150 bytes will be enough. But is the random() Arduino built-in function not secure?
from arduinolibs.
rweather
commented on July 28, 2024
If you need a source of random numbers for your application, then random() is not secure enough and you'll need RNG. But if you are encrypting/decrypting the SD card contents with a fixed XTS key then you may not need RNG.
from arduinolibs.
RicardoPires19
commented on July 28, 2024
Why isn't is secure? Because of the lack of randomness? Isn't the randomSeed() function good enough to compensate?
from arduinolibs.
rweather
commented on July 28, 2024
System random number generators like random() in Arduino and rand() in C are never safe to use for cryptographic purposes.
The randomSeed() function takes an unsigned long, which is only 32 bits of entropy, even assuming that you have a good source to get entropy from. And the random() function uses a predictable algorithm for converting one seed value into the next.
Such random number generators are fine for controlling the random firing from a monster in a video game. But not for cryptography.
Here is some more information on system random number generators: https://crypto.stackexchange.com/questions/15662/how-vulnerable-is-the-c-rand-in-public-cryptography-protocols
from arduinolibs.
profdc9
commented on July 28, 2024
A source of entropy based of avalanche noise of a transistor is easy to
build and a schematic is included with the library. I can answer questions
about it if desired. You can get several bits of entropy per sample by
connecting it to the ADC of the Arduino. I made a device called the
ParanoiaBox which uses a pair of such transistors. You can see the
schematic and software on the github
https://github.com/profdc9/ParanoiaBox/
Incidentally, the Bluepill (STM32F103CBT6) can also be used with Arduino
and has much more flash, RAM, and is usually even cheaper than the Arduino
Uno, being $2 to $3. You will have no problems fitting in cryptography in
there and they will run much faster.
…On Mon, Jun 1, 2020 at 11:25 PM rweather ***@***.***> wrote:
System random number generators like random() in Arduino and rand() in C
are never safe to use for cryptographic purposes.
The randomSeed() function takes an unsigned long, which is only 32 bits of
entropy, even assuming that you have a good source to get entropy from. And
the random() function uses a predictable algorithm for converting one seed
value into the next.
Such random number generators are fine for controlling the random firing
from a monster in a video game. But not for cryptography.
Here is some more information on system random number generators:
https://crypto.stackexchange.com/questions/15662/how-vulnerable-is-the-c-rand-in-public-cryptography-protocols
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKFIJZGAQX3GDOFNSQTHDL3RURWJ7ANCNFSM4NP5LNGA>
.
from arduinolibs.
Related Issues (20)
- Encrypt String longer than blockSize() HOT 5
- Asymmetric encryption/decryption? HOT 3
- Error compiling for new Arduino core for the ESP32 HOT 4
- Support for XChaCha20 Poly1305 HOT 2
- Need help with ChaCha and Strings HOT 1
- TestSpeck.ino fails on samd21 M0 after changing the plaintext HOT 1
- Asymmetric encryption HOT 1
- Including libraries does not work in platformio HOT 1
- default key? HOT 4
- Bug of Ascon128.c++ in Arduino Cryptography Library HOT 3
- TestSpeck.ino - Decryption fails for SpeckTiny with all key sizes HOT 1
- Crypto doesn't support next generation AVRs HOT 18
- ’SHA256‘ was not declared in this scope ESP32S3 HOT 6
- Crypto library "Hash.h" conflicting with ESP866 Arduino package "Hash.h" HOT 5
- Ascon128::decrypt doesn't seem to allow for inplace decryption, despite documentation saying so
- Support for SHA-512/256?
- crypto_feed_watchdog was not declared in this scope [ESP8266 & ESP32] HOT 3
- RNG.cpp include of <Arduino.h> makes native builds for unit testing and debugging fail
- Error Compiling for ESP8266 or ESP32 clean() not declared in scope AES CFB example
- calculated shared secret doesn't match (Diffie-Hellman, Curve25519)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from arduinolibs.