CTR_DRBG: improve the discussion of entropy length vs strength

2019-09-25 20:22:40 +02:00 · 2019-09-25 20:22:40 +02:00 · 6fdf0b3a47
commit 6fdf0b3a47
parent 223deea86b
1 changed files with 24 additions and 9 deletions
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@ -24,10 +24,6 @@
 *   and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
 *   always the case unless it is explicitly set to a different value
 *   in `config.h`).
- *
- *  \warning Using 128-bit keys for CTR_DRBG or using SHA-256 as the entropy
- *  compression function limits the security of generated
- *  keys and operations that use random values generated to 128-bit security.
 */
 /*
 *  Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
@ -278,11 +274,30 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
 *                      #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
 *
 * \note                For compliance with NIST SP 800-90A, the entropy length
- *                      must be at least 1.5 times security strength, since
- *                      the entropy source is used both as the entropy input
- *                      and to provide the initial nonce:
- *                      - 24 bytes if using AES-128;
- *                      - 48 bytes if using AES-256.
+ *                      (\p len bytes = \p len * 8 bits)
+ *                      must be at least the security strength.
+ *                      Furthermore, if the entropy input is used to provide
+ *                      the nonce, the entropy length must be 1.5 times
+ *                      the security strength.
+ *                      Per NIST SP 800-57A table 2, the achievable security
+ *                      strength is 128 bits if using AES-128 and
+ *                      256 bits if using AES-256.
+ *                      Therefore, to provide full security,
+ *                      the entropy input must be at least:
+ *                      - 24 bytes if using AES-128 and the \p custom
+ *                        argument to mbedtls_ctr_drbg_seed() may repeat
+ *                        (for example because it is empty, or more generally
+ *                        constant);
+ *                      - 48 bytes if using AES-256 and the \p custom
+ *                        argument to mbedtls_ctr_drbg_seed() may repeat
+ *                        (for example because it is empty, or more generally
+ *                        constant);
+ *                      - 16 bytes if using AES-128 and the \p custom
+ *                        argument to mbedtls_ctr_drbg_seed() includes
+ *                        a nonce;
+ *                      - 32 bytes if using AES-256 and the \p custom
+ *                        argument to mbedtls_ctr_drbg_seed() includes
+ *                        a nonce.
 *
 * \param ctx           The CTR_DRBG context.
 * \param len           The amount of entropy to grab, in bytes.