Skip to content

Commit 52a47c8

Browse files
gilles-peskine-armgilles-peskine-arm
committed
mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
The documentation of CTR_DRBG erroneously claimed that mbedtls_ctr_drbg_set_entropy_len() had an impact on the initial seeding. This is in fact not the case: mbedtls_ctr_drbg_seed() forces the initial seeding to grab MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy. Fix the documentation and rewrite the discussion of the entropy length and the security strength accordingly.
1 parent 7e27936 commit 52a47c8

File tree

1 file changed

+57
-51
lines changed

1 file changed

+57
-51
lines changed

include/mbedtls/ctr_drbg.h

Lines changed: 57 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -10,9 +10,13 @@
1010
* Bit Generators</em>.
1111
*
1212
* The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
13-
* as the underlying block cipher, with a derivation function. The security
14-
* strength is:
1513
* (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
14+
* as the underlying block cipher, with a derivation function.
15+
* The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
16+
* See the documentation of mbedtls_ctr_drbg_seed() for more details.
17+
*
18+
* Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
19+
* here are the security strengths achieved in typical configuration:
1620
* - 256 bits under the default configuration of the library, with AES-256
1721
* and with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
1822
* - 256 bits if AES-256 is used, #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
@@ -102,29 +106,31 @@
102106
* \{
103107
*/
104108

109+
/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
110+
*
111+
* \brief The amount of entropy used per seed by default, in bytes.
112+
*/
105113
#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
106114
#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
107-
/** The amount of entropy used per seed by default.
108-
*
109-
* This is 48 bytes because the entropy module uses SHA-512
115+
/** This is 48 bytes because the entropy module uses SHA-512
110116
* (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
111-
*
112-
* \note See mbedtls_ctr_drbg_set_entropy_len() regarding what values are
113-
* acceptable.
114117
*/
115118
#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48
116-
#else
117-
/** The amount of entropy used per seed by default.
118-
*
119-
* This is 32 bytes because the entropy module uses SHA-256
120-
* (the SHA512 module is disabled or #MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
121-
*
122-
* \note See mbedtls_ctr_drbg_set_entropy_len() regarding what values are
123-
* acceptable.
119+
120+
#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
121+
122+
/** This is 32 bytes because the entropy module uses SHA-256
123+
* (the SHA512 module is disabled or
124+
* \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
125+
*/
126+
#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
127+
/** \warning To achieve a 256-bit security strength, you must pass a nonce
128+
* to mbedtls_ctr_drbg_seed().
124129
*/
130+
#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
125131
#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32
126-
#endif
127-
#endif
132+
#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
133+
#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
128134

129135
#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
130136
#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000
@@ -209,7 +215,10 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
209215
* entropy sources).
210216
*
211217
* \p f_entropy is always called with a buffer size equal to the entropy
212-
* length described in the documentation of mbedtls_ctr_drbg_set_entropy_len().
218+
* length. The entropy length is initially #MBEDTLS_CTR_DRBG_ENTROPY_LEN
219+
* and this value is always used for the initial seeding. You can change
220+
* the entropy length for subsequent seeding by calling
221+
* mbedtls_ctr_drbg_set_entropy_len().
213222
*
214223
* You can provide a personalization string in addition to the
215224
* entropy source, to make this instantiation as unique as possible.
@@ -221,9 +230,6 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
221230
* calling \p f_entropy and the \p custom string.
222231
* The origin of the nonce depends on the value of
223232
* the entropy length relative to the security strength.
224-
* See the documentation of
225-
* mbedtls_ctr_drbg_set_entropy_len() for information
226-
* about the entropy length.
227233
* - If the entropy length is at least 1.5 times the
228234
* security strength then the nonce is taken from the
229235
* string obtained with \p f_entropy.
@@ -233,7 +239,18 @@ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
233239
* you must pass a unique value of \p custom at
234240
* each invocation. See SP 800-90A §8.6.7 for more
235241
* details.
236-
*
242+
*/
243+
#if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
244+
/** \warning When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
245+
* #MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2, to achieve the
246+
* maximum security strength permitted by CTR_DRBG,
247+
* you must pass a value of \p custom that is a nonce:
248+
* this value must never be repeated in subsequent
249+
* runs of the same application or on a different
250+
* device.
251+
*/
252+
#endif
253+
/**
237254
* \param ctx The CTR_DRBG context to seed.
238255
* \param f_entropy The entropy callback, taking as arguments the
239256
* \p p_entropy context, the buffer to fill, and the
@@ -281,37 +298,26 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
281298

282299
/**
283300
* \brief This function sets the amount of entropy grabbed on each
284-
* seed or reseed.
301+
* subsequent reseed.
285302
*
286303
* The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
287304
*
288-
* \note For compliance with NIST SP 800-90A, the entropy length
289-
* (\p len bytes = \p len * 8 bits)
290-
* must be at least the security strength.
291-
* Furthermore, if the entropy input is used to provide
292-
* the nonce, the entropy length must be 1.5 times
293-
* the security strength.
294-
* Per NIST SP 800-57A table 2, the achievable security
295-
* strength is 128 bits if using AES-128 and
296-
* 256 bits if using AES-256.
297-
*
298-
* To achieve 256-bit security,
299-
* you must use AES-256 and
300-
* the entropy input must be at least:
301-
* - 48 bytes if the \p custom argument to
302-
* mbedtls_ctr_drbg_seed() may repeat (for example
303-
* because it is empty, or more generally constant);
304-
* - 32 bytes if the \p custom argument to
305-
* mbedtls_ctr_drbg_seed() includes a nonce.
306-
*
307-
* To achieve 128-bit security,
308-
* whether AES-128 or AES-256 is used,
309-
* the entropy input must be at least:
310-
* - 24 bytes if the \p custom argument to
311-
* mbedtls_ctr_drbg_seed() may repeat (for example
312-
* because it is empty, or more generally constant);
313-
* - 16 bytes if the \p custom argument to
314-
* mbedtls_ctr_drbg_seed() includes a nonce.
305+
* \note The security strength of CTR_DRBG is bounded by the
306+
* entropy length. Thus:
307+
* - When using AES-256
308+
* (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
309+
* which is the default),
310+
* \p len must be at least 32 (in bytes)
311+
* to achieve a 256-bit strength.
312+
* - When using AES-128
313+
* (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
314+
* \p len must be at least 16 (in bytes)
315+
* to achieve a 128-bit strength.
316+
*
317+
* \note The initial seeding of the CTR_DRBG instance always
318+
* grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes. See
319+
* the documentation of mbedtls_ctr_drbg_seed()
320+
* for more information.
315321
*
316322
* \param ctx The CTR_DRBG context.
317323
* \param len The amount of entropy to grab, in bytes.

0 commit comments

Comments
 (0)