0

I am revising a Linux kernel module in Openwrt (mac80211 specifically). I need to use some encryption keys which are provided before the system is installed and run.

Specifically, each key is 32-bytes long. It serves as the key to generate HMAC(SHA256) for communication. The receiver then uses the same key to authenticate the message.

The first question is what is the correct way to load these keys?

  1. Store keys in files and read them? But here it says one should avoid reading files in kernel modules.
  2. Hardcode the keys in codes. Like u8 key={0xff, 0xaa, 0x33, 0x00};. This requires reflashing the system when I want to change the keys, which is acceptable but not desirable.

The second question is how should I use these keys in my code? Should I use keyring and key in Linux kernel? My keys will only be used in this sole module, so should I simply store them in u8 array?

Thanks for reading my questions and any related resources especially sample codes are appreciated.

Yi Zhao
  • 346
  • 2
  • 13
  • What kind of keys? Generally key management is the hard part of handling cryptography, but it very much depends on the use case and when the keys need to be available. "some encryption keys" is not specific enough. – Maarten Bodewes Jul 19 '20 at 13:11
  • @MaartenBodewes Thanks for your time. Specifically, each key is 32-bytes long. It serves as the key to generate HMAC(SHA256) for communication. The receiver then uses the same key to authenticate the message. I revise the question accordingly. – Yi Zhao Jul 19 '20 at 13:29
  • I want to use the keys in net/mac80211/mesh_hwmp.c to authenticate the message to send. @MaartenBodewes – Yi Zhao Jul 19 '20 at 13:31
  • 1
    OK, that does make it a bit more clear. However, generally we use device specific, ephemeral session keys for "communication". Those can for instance be generated using ephemeral DH or - more commonly nowadays - ECDH. You could also use authenticated / static ECDH, where you generate the key pairs in the device during provisioning and then store or sign the public key. – Maarten Bodewes Jul 19 '20 at 13:32
  • Sounds definitely that you need device specific keys for that; this requires quite a bit more than just "loading keys". – Maarten Bodewes Jul 19 '20 at 13:33
  • Thanks, I am new to this. I will look into ECDH and device specific keys. It would be really helpful if you can provide some startup links for me. @MaartenBodewes – Yi Zhao Jul 19 '20 at 13:36
  • 1
    Uh, that's trickier than you might expect, as I didn't follow any specific tutorial on the subject. Basically I started a job within a group of security specialists and went from there, mainly reading standards and white papers (which may not be the best way of proceeding for everyone). Both TLS and SSH use ephemeral DH nowadays, so you could have a look at those protocols. – Maarten Bodewes Jul 19 '20 at 13:38

0 Answers0