Threat Model: Miscellaneous clarifications

Signed-off-by: Janos Follath <janos.follath@arm.com>
Janos Follath 2023-03-03 14:56:38 +00:00
parent 24792d0a33
commit 144dd7d2fa


@ -24,8 +24,8 @@ Users are urged to always use the latest version of a maintained branch.
We use the following classification of attacks: We use the following classification of attacks:
- **Remote Attacks:** The attacker can observe and modify data sent over the - **Remote Attacks:** The attacker can observe and modify data sent over the
network. This includes observing timing of individual packets and potentially network. This includes observing the content and timing of individual packets,
delaying legitimate messages. as well as suppressing or delaying legitimate messages, and injecting messages.
- **Timing Attacks:** The attacker can gain information about the time taken - **Timing Attacks:** The attacker can gain information about the time taken
by certain sets of instructions in Mbed TLS operations. by certain sets of instructions in Mbed TLS operations.
- **Physical Attacks:** The attacker has access to physical information about - **Physical Attacks:** The attacker has access to physical information about
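Review bot: The expanded "Remote Attacks" bullet now reads as an exhaustive capability list (observe content and timing, suppress, delay, inject) but does not mention replaying or reordering messages, which a full network attacker can also do and which matter for protocol-level guarantees such as anti-replay. Either add "replaying or reordering" alongside "injecting messages", or state up front that the attacker has full control of the network so the list is clearly illustrative rather than complete.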
@ -34,20 +34,19 @@ We use the following classification of attacks:
### Remote attacks ### Remote attacks
Mbed TLS aims to fully protect against remote attacks. Mbed Crypto aims to Mbed TLS aims to fully protect against remote attacks and to enable the user
enable the user application in providing full protection against remote application in providing full protection against remote attacks. Said
attacks. Said protection is limited to providing security guarantees offered by protection is limited to providing security guarantees offered by the protocol
the protocol in question. (For example Mbed TLS alone won't guarantee that the in question. (For example Mbed TLS alone won't guarantee that the messages will
messages will arrive without delay, as the TLS protocol doesn't guarantee that arrive without delay, as the TLS protocol doesn't guarantee that either.)
either.)
### Timing attacks ### Timing attacks
Mbed TLS and Mbed Crypto provide limited protection against timing attacks. The Mbed TLS provides limited protection against timing attacks. The cost of
cost of protecting against timing attacks widely varies depending on the protecting against timing attacks widely varies depending on the granularity of
granularity of the measurements and the noise present. Therefore the protection the measurements and the noise present. Therefore the protection in Mbed TLS is
in Mbed TLS and Mbed Crypto is limited. We are only aiming to provide protection limited. We are only aiming to provide protection against publicly documented
against publicly documented attacks, and this protection is not currently complete. attacks, and this protection is not currently complete.
**Warning!** Block ciphers do not yet achieve full protection. For **Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the section below. details and workarounds see the section below.
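Review bot: The merged first sentence of "Remote attacks" is grammatically off after folding the Mbed Crypto clause in: "to enable the user application in providing full protection" should be "to enable the user application to provide full protection against remote attacks". The rest of the merge is consistent, and removing the separate Mbed Crypto wording in the "Timing attacks" paragraph reads correctly; note that the paragraph still says protection "is not currently complete" while only pointing the reader at the block-cipher section, so if block ciphers are the only known gap it would help to say so explicitly.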
@ -55,26 +54,26 @@ details and workarounds see the section below.
#### Block Ciphers #### Block Ciphers
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES. Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES.
The Mbed TLS implementation uses lookup tables, which are vulnerable to timing The pure software implementation in Mbed TLS implementation uses lookup tables,
attacks. which are vulnerable to timing attacks.
**Workarounds:** **Workarounds:**
- Turn on hardware acceleration for AES. This is supported only on selected - Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options architectures and currently only available for AES. See configuration options
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details. `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically a bitsliced implementation or - Add a secure alternative implementation (typically hardware acceleration) for
hardware acceleration) for the vulnerable cipher. See the [Alternative the vulnerable cipher. See the [Alternative Implementations
Implementations Guide](docs/architecture/alternative-implementations.md) for Guide](docs/architecture/alternative-implementations.md) for more information.
more information. - Use cryptographic mechanisms that are not based on block ciphers. In
- Instead of a block cipher, use ChaCha20/Poly1305 for encryption and data particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
origin authentication. block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
### Physical attacks ### Physical attacks
Physical attacks are out of scope. Any attack using information about or Physical attacks are out of scope (eg. power analysis or radio emissions). Any
influencing the physical state of the hardware is considered physical, attack using information about or influencing the physical state of the
independently of the attack vector. (For example Row Hammer and Screaming hardware is considered physical, independently of the attack vector. (For
Channels are considered physical attacks.) If physical attacks are present in a example Row Hammer and Screaming Channels are considered physical attacks.) If
use case or a user application's threat model, it needs to be mitigated by physical attacks are present in a use case or a user application's threat
physical countermeasures. model, it needs to be mitigated by physical countermeasures.
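Review bot: The new first sentence of "Block Ciphers" duplicates a word: "The pure software implementation in Mbed TLS implementation uses lookup tables" should be "The pure software implementation in Mbed TLS uses lookup tables". On the first workaround, the text says acceleration is "supported only on selected architectures" but does not say what happens when the option is enabled and the CPU lacks the feature; if the build silently falls back to the table-based code, that defeats the workaround, so state whether a fallback occurs and that users must confirm the hardware path is actually in use. Dropping "bitsliced implementation" from the second bullet narrows the advice to hardware acceleration only, which is probably not intended since a constant-time software alternative remains a valid option. In "Physical attacks", "eg." should be "e.g." for consistency with the rest of the document.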