mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2026-05-09 03:04:24 +02:00
Ronald Cron
37
SECURITY.md
37
SECURITY.md
@@ -37,10 +37,6 @@ being implemented. (For example Mbed TLS alone won't guarantee that the
|
||||
messages will arrive without delay, as the TLS protocol doesn't guarantee that
|
||||
either.)
|
||||
|
||||
**Warning!** Block ciphers do not yet achieve full protection against attackers
|
||||
who can measure the timing of packets with sufficient precision. For details
|
||||
and workarounds see the [Block Ciphers](#block-ciphers) section.
|
||||
|
||||
### Local attacks
|
||||
|
||||
In this section, we consider an attacker who can run software on the same
|
||||
@@ -69,9 +65,6 @@ physical side channels as well. Remote and physical timing attacks are covered
|
||||
in the [Remote attacks](remote-attacks) and [Physical
|
||||
attacks](physical-attacks) sections respectively.
|
||||
|
||||
**Warning!** Block ciphers do not yet achieve full protection. For
|
||||
details and workarounds see the [Block Ciphers](#block-ciphers) section.
|
||||
|
||||
#### Local non-timing side channels
|
||||
|
||||
The attacker code running on the platform has access to some sensor capable of
|
||||
@@ -115,36 +108,6 @@ protection against a class of attacks outside of the above described threat
|
||||
model. Neither does it mean that the failure of such a countermeasure is
|
||||
considered a vulnerability.
|
||||
|
||||
#### Block ciphers
|
||||
|
||||
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
|
||||
DES. The pure software implementation in Mbed TLS implementation uses lookup
|
||||
tables, which are vulnerable to timing attacks.
|
||||
|
||||
These timing attacks can be physical, local or depending on network latency
|
||||
even a remote. The attacks can result in key recovery.
|
||||
|
||||
**Workarounds:**
|
||||
|
||||
- Turn on hardware acceleration for AES. This is supported only on selected
|
||||
architectures and currently only available for AES. See configuration options
|
||||
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` for details.
|
||||
- Add a secure alternative implementation (typically hardware acceleration) for
|
||||
the vulnerable cipher. See the [Alternative Implementations
|
||||
Guide](docs/architecture/alternative-implementations.md) for more information.
|
||||
- Use cryptographic mechanisms that are not based on block ciphers. In
|
||||
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
|
||||
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
|
||||
|
||||
#### Everest
|
||||
|
||||
The HACL* implementation of X25519 taken from the Everest project only protects
|
||||
against remote timing attacks. (See their [Security
|
||||
Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
|
||||
|
||||
The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
|
||||
configuration option is defined. This option is off by default.
|
||||
|
||||
#### Formatting of X.509 certificates and certificate signing requests
|
||||
|
||||
When parsing X.509 certificates and certificate signing requests (CSRs),
|
||||
|
||||
Reference in New Issue
Block a user