Threat Model: move the block cipher section
The block cipher exception affects both remote and local timing attacks. Move them to the Caveats section and reference it from both the local and the remote attack section.

Signed-off-by: Janos Follath <janos.follath@arm.com>
parent ecaa293d32
commit 3d377605f3

1 changed file with 27 additions and 17 deletions

SECURITY.md: 44 changed lines (27 additions, 17 deletions)
@ -35,6 +35,11 @@ protection is limited to providing security guarantees offered by the protocol
in question. (For example Mbed TLS alone won't guarantee that the messages will
arrive without delay, as the TLS protocol doesn't guarantee that either.)
**Warning!** Depending on network latency, the timing of messages might be
enough to launch some timing attacks. Block ciphers do not yet achieve full
protection against these. For details and workarounds see the [Block
Ciphers](#block-ciphers) section.
### Local attacks
The attacker is capable of running code on the same hardware as Mbed TLS, but
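Review bot: the new warning at the end of the remote attacks paragraph says message timing "might be enough to launch some timing attacks" but not what is at stake; the Block ciphers section it links to states that these attacks "can result in key recovery", and a reader of the remote section who does not follow the link will underestimate the impact. Suggest carrying the consequence into the warning, e.g. "Block ciphers do not yet achieve full protection against these, and a successful attack can result in key recovery." It would also help to say here that the gap is in the pure software (lookup-table) implementations, since the linked section lists hardware acceleration (`MBEDTLS_AESNI_C`, `MBEDTLS_AESCE_C`, `MBEDTLS_PADLOCK_C`) as the first workaround for AES; readers already on such builds then know without a detour that the warning is about the software path.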
@ -60,23 +65,7 @@ limited. We are only aiming to provide protection against **publicly
documented** attacks, and this protection is not currently complete.
**Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the section below.
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES.
The pure software implementation in Mbed TLS implementation uses lookup tables,
which are vulnerable to timing attacks.
**Workarounds:**
- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
details and workarounds see the [Block Ciphers](#block-ciphers) section.
#### Local non-timing side channels
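Review bot: the unchanged context line "**Warning!** Block ciphers do not yet achieve full protection. For" and the added line "details and workarounds see the [Block Ciphers](#block-ciphers) section." now form one sentence, and the local section thereby points at the same `#block-ciphers` anchor as the remote section; that anchor is derived from the heading text of `#### Block ciphers` added later in this patch, so a future retitling of that heading would silently break both cross-references at once. Suggest checking the rendered anchors once before merging, or phrasing the reference as "the Block ciphers subsection of Caveats below" so it stays findable even if the anchor changes. The deletion itself is a clean move: the three workaround bullets removed here reappear verbatim in the new section, and the two-sentence description of the four block ciphers reappears only rewrapped.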
@ -123,3 +112,24 @@ The presence of such countermeasures don't mean that Mbed TLS provides
protection against a class of attacks outside of the above described threat
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.
#### Block ciphers
Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
DES. The pure software implementation in Mbed TLS implementation uses lookup
tables, which are vulnerable to timing attacks.
These timing attacks can be physical, local or depending on network latency
even a remote. The attacks can result in key recovery.
**Workarounds:**
- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
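Review bot: the new `#### Block ciphers` subsection lands directly after the sentence "Neither does it mean that the failure of such a countermeasure is considered a vulnerability", so a reader can take the lookup-table timing leak for an out-of-scope countermeasure failure rather than the known but unfinished gap the threat model sections describe ("this protection is not currently complete"). Suggest one opening sentence that says explicitly how this case is classified, e.g. that the leak is a known limitation of the pure software implementations and that the workarounds listed below are the supported mitigation, so the placement under Caveats does not read as a scope exclusion. Two wording fixes in the same block: "The pure software implementation in Mbed TLS implementation uses lookup tables" repeats "implementation" (drop one: "The pure software implementation in Mbed TLS uses lookup tables"), and "local or depending on network latency even a remote" should read "local or, depending on network latency, even remote". Finally, since the hardware-acceleration bullet states it is "currently only available for AES", it is worth saying that CAMELLIA, ARIA and DES are left with the alternative-implementation and non-block-cipher workarounds only, so the reader does not assume a configuration option exists for them.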