Threat Model: move the block cipher section

The block cipher exception affects both remote and local timing attacks.
Move them to the Caveats section and reference it from both the local
and the remote attack section.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Janos Follath 2023-03-08 16:53:50 +00:00
parent ecaa293d32
commit 3d377605f3


@ -35,6 +35,11 @@ protection is limited to providing security guarantees offered by the protocol
in question. (For example Mbed TLS alone won't guarantee that the messages will
arrive without delay, as the TLS protocol doesn't guarantee that either.)
**Warning!** Depending on network latency, the timing of messages might be
enough to launch some timing attacks. Block ciphers do not yet achieve full
protection against these. For details and workarounds see the [Block
Ciphers](#block-ciphers) section.
### Local attacks
The attacker is capable of running code on the same hardware as Mbed TLS, but
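Review bot: The link text in the added warning reads "Block Ciphers" while the heading added at the end of the file is "Block ciphers"; the `#block-ciphers` anchor resolves in lowercase-slug renderers either way, but matching the heading's capitalisation in both cross-references avoids a visible mismatch. The added sentence could also name the consequence the Caveats section states ("The attacks can result in key recovery"), so a reader of the remote-attack section sees the impact without following the link.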
@ -60,23 +65,7 @@ limited. We are only aiming to provide protection against **publicly
documented** attacks, and this protection is not currently complete.
**Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the section below.
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES.
The pure software implementation in Mbed TLS implementation uses lookup tables,
which are vulnerable to timing attacks.
**Workarounds:**
- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
details and workarounds see the [Block Ciphers](#block-ciphers) section.
#### Local non-timing side channels
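Review bot: The remaining warning "Block ciphers do not yet achieve full protection" now sits directly under the context line "this protection is not currently complete", which is repetitive; consider folding the two into one sentence that points to the Block ciphers section. The removed bullets are otherwise moved verbatim into the Caveats section, so nothing is lost in the move.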
@ -123,3 +112,24 @@ The presence of such countermeasures don't mean that Mbed TLS provides
protection against a class of attacks outside of the above described threat
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.
#### Block ciphers
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
DES. The pure software implementation in Mbed TLS implementation uses lookup
tables, which are vulnerable to timing attacks.
These timing attacks can be physical, local or depending on network latency
even a remote. The attacks can result in key recovery.
**Workarounds:**
- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
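Review bot: Two wording issues in the added Caveats text: "The pure software implementation in Mbed TLS implementation uses lookup tables" has a duplicated "implementation" (suggest "The pure software implementation in Mbed TLS uses lookup tables"), and "depending on network latency even a remote" should read "even remote" (or "even a remote one"). The first bullet also says both "hardware acceleration for AES" and "currently only available for AES", so one of the two qualifiers can be dropped. The `#### Block ciphers` heading sits under the Caveats section as the commit message describes, and its slug matches the `#block-ciphers` anchor used by both cross-references.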