cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

CTR_DRBG: improve the discussion of entropy length vs strength

Browse Source
This commit is contained in:
Gilles Peskine 2019-09-25 20:22:40 +02:00
parent 223deea86b
commit 6fdf0b3a47
1 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
include/mbedtls/ctr_drbg.h
View File

@ -24,10 +24,6 @@
* and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is * and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
* always the case unless it is explicitly set to a different value * always the case unless it is explicitly set to a different value
* in `config.h`). * in `config.h`).
*
* \warning Using 128-bit keys for CTR_DRBG or using SHA-256 as the entropy
* compression function limits the security of generated
* keys and operations that use random values generated to 128-bit security.
*/ */
/* /*
* Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved * Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
@ -278,11 +274,30 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
* #MBEDTLS_CTR_DRBG_ENTROPY_LEN. * #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
* *
* \note For compliance with NIST SP 800-90A, the entropy length * \note For compliance with NIST SP 800-90A, the entropy length
* must be at least 1.5 times security strength, since * (\p len bytes = \p len * 8 bits)
* the entropy source is used both as the entropy input * must be at least the security strength.
* and to provide the initial nonce: * Furthermore, if the entropy input is used to provide
* - 24 bytes if using AES-128; * the nonce, the entropy length must be 1.5 times
* - 48 bytes if using AES-256. * the security strength.
* Per NIST SP 800-57A table 2, the achievable security
* strength is 128 bits if using AES-128 and
* 256 bits if using AES-256.
* Therefore, to provide full security,
* the entropy input must be at least:
* - 24 bytes if using AES-128 and the \p custom
* argument to mbedtls_ctr_drbg_seed() may repeat
* (for example because it is empty, or more generally
* constant);
* - 48 bytes if using AES-256 and the \p custom
* argument to mbedtls_ctr_drbg_seed() may repeat
* (for example because it is empty, or more generally
* constant);
* - 16 bytes if using AES-128 and the \p custom
* argument to mbedtls_ctr_drbg_seed() includes
* a nonce;
* - 32 bytes if using AES-256 and the \p custom
* argument to mbedtls_ctr_drbg_seed() includes
* a nonce.
* *
* \param ctx The CTR_DRBG context. * \param ctx The CTR_DRBG context.
* \param len The amount of entropy to grab, in bytes. * \param len The amount of entropy to grab, in bytes.