diff --git a/SECURITY.md b/SECURITY.md index 4682f7aacc..4e7bb14316 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -37,10 +37,6 @@ being implemented. (For example Mbed TLS alone won't guarantee that the messages will arrive without delay, as the TLS protocol doesn't guarantee that either.) -**Warning!** Block ciphers do not yet achieve full protection against attackers -who can measure the timing of packets with sufficient precision. For details -and workarounds see the [Block Ciphers](#block-ciphers) section. - ### Local attacks In this section, we consider an attacker who can run software on the same @@ -69,9 +65,6 @@ physical side channels as well. Remote and physical timing attacks are covered in the [Remote attacks](remote-attacks) and [Physical attacks](physical-attacks) sections respectively. -**Warning!** Block ciphers do not yet achieve full protection. For -details and workarounds see the [Block Ciphers](#block-ciphers) section. - #### Local non-timing side channels The attacker code running on the platform has access to some sensor capable of 
@@ -115,36 +108,6 @@ protection against a class of attacks outside of the above described threat model. Neither does it mean that the failure of such a countermeasure is considered a vulnerability. -#### Block ciphers - -Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and -DES. The pure software implementation in Mbed TLS implementation uses lookup -tables, which are vulnerable to timing attacks. - -These timing attacks can be physical, local or depending on network latency -even a remote. The attacks can result in key recovery. - -**Workarounds:** - -- Turn on hardware acceleration for AES. This is supported only on selected - architectures and currently only available for AES. See configuration options - `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` for details. -- Add a secure alternative implementation (typically hardware acceleration) for - the vulnerable cipher. See the [Alternative Implementations -Guide](docs/architecture/alternative-implementations.md) for more information. -- Use cryptographic mechanisms that are not based on block ciphers. In - particular, for authenticated encryption, use ChaCha20/Poly1305 instead of - block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG. - -#### Everest - -The HACL* implementation of X25519 taken from the Everest project only protects -against remote timing attacks. (See their [Security -Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).) - -The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` -configuration option is defined. This option is off by default. - #### Formatting of X.509 certificates and certificate signing requests When parsing X.509 certificates and certificate signing requests (CSRs),
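Review bot: in the first hunk (`@@ -37,10`), the removed warning was the only sentence in the remote-attacks section telling readers that block ciphers fall short of the stated remote-timing guarantee, so deleting it changes the documented threat coverage, and nothing in the hunk says why: either the table-based implementations became constant-time, or the claim was simply dropped. A replacement sentence stating the reason (for example that the software block cipher implementations are now constant-time, if that is the case) would let a reader of the history tell a fixed limitation from a silently withdrawn one.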
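Review bot: in the second hunk (`@@ -69,9`), the unchanged context lines `[Remote attacks](remote-attacks)` and `[Physical attacks](physical-attacks)` lack the `#` prefix that the removed line `[Block Ciphers](#block-ciphers)` uses, so they render as broken relative links rather than in-page anchors; since this hunk already edits the neighbouring paragraph, changing them to `(#remote-attacks)` and `(#physical-attacks)` here would be a cheap fix.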
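Review bot: in the third hunk (`@@ -115,36`), deleting the whole "Block ciphers" and "Everest" subsections removes the only documented workarounds (`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C`, an alternative implementation, ChaCha20/Poly1305 in place of block cipher modes, HMAC_DRBG in place of CTR_DRBG) together with the statement that the HACL* X25519 code only protects against remote timing attacks. Unless `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED` has been removed or the upstream HACL* policy has changed, that Everest paragraph still describes a real limitation and should stay; and if the block-cipher text is going because the lookup-table implementations are now constant-time, a one-line statement to that effect would tell users on platforms without AES hardware that the acceleration options are now a performance choice rather than a side-channel requirement.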