Investigate OpenBSD SSH protections against side-channel attacks

[awnumar]

https://marc.info/?l=openbsd-cvs&m=156109087822676&w=2

Commit: openbsd/src@707316f

[awnumar]

Essentially what they do is store a 16 KiB "prekey" and use it to derive the actual key when it is needed. The rationale is that the prekey has to be recovered with high accuracy by the attacker and current generation side-channel attacks are slow and have error-rates that make this unlikely.

In order to implement something like this ourselves, I was thinking something along the lines of:

1. Have each partition of a Coffer object be a whole page size in length.
2. The data value that is derived when "unlocking" this object would be hashed to get the 32 byte key.

Some issues:

1. Iterating over a whole page every 8ms is a lot more computationally expensive than iterating over 32 bytes.
2. Hashing the data would require re-writing the hashing algorithm to use securely-allocated memory, as the output is used as a key.
3. I'm not confident that the scheme would provide substantial security gains over current Coffer objects.
4. The value would still be vulnerable to side channel attacks in its "unlocked" form.

The current scheme changes the value very rapidly and so exfiltrating both partitions fast enough to recover the key may be difficult. We also minimise the time the unlocked key spends existing.

I may revisit this in the future but for now our current scheme seems sufficient.