pigweed / third_party / github / zephyrproject-rtos / zephyr / 61aa0e06f5ab2ff0c322818853d11363a7ddd167 / . / doc / crypto / tinycrypt.rst

.. _tinycrypt: | |

TinyCrypt Cryptographic Library | |

############################### | |

Copyright (C) 2015 by Intel Corporation, All Rights Reserved. | |

Overview | |

******** | |

The TinyCrypt Library provides an implementation for targeting constrained devices | |

with a minimal set of standard cryptography primitives, as listed below. To better | |

serve applications targeting constrained devices, TinyCrypt implementations differ | |

from the standard specifications (see the Important Remarks section for some | |

important differences). Certain cryptographic primitives depend on other | |

primitives, as mentioned in the list below. | |

Aside from the Important Remarks section below, valuable information on the usage, | |

security and technicalities of each cryptographic primitive are found in the | |

corresponding header file. | |

* SHA-256: | |

* Type of primitive: Hash function. | |

* Standard Specification: NIST FIPS PUB 180-4. | |

* Requires: -- | |

* HMAC-SHA256: | |

* Type of primitive: Message authentication code. | |

* Standard Specification: RFC 2104. | |

* Requires: SHA-256 | |

* HMAC-PRNG: | |

* Type of primitive: Pseudo-random number generator. | |

* Standard Specification: NIST SP 800-90A. | |

* Requires: SHA-256 and HMAC-SHA256. | |

* AES-128: | |

* Type of primitive: Block cipher. | |

* Standard Specification: NIST FIPS PUB 197. | |

* Requires: -- | |

* AES-CBC mode: | |

* Type of primitive: Encryption mode of operation. | |

* Standard Specification: NIST SP 800-38A. | |

* Requires: AES-128. | |

* AES-CTR mode: | |

* Type of primitive: Encryption mode of operation. | |

* Standard Specification: NIST SP 800-38A. | |

* Requires: AES-128. | |

* AES-CMAC mode: | |

* Type of primitive: Message authentication code. | |

* Standard Specification: NIST SP 800-38B. | |

* Requires: AES-128. | |

* AES-CCM mode: | |

* Type of primitive: Authenticated encryption. | |

* Standard Specification: NIST SP 800-38C. | |

* Requires: AES-128. | |

* ECC-DH: | |

* Type of primitive: Key exchange. | |

* Standard Specification: RFC 6090. | |

* Requires: ECC auxiliary functions (ecc.h/c). | |

* ECC-DSA: | |

* Type of primitive: Digital signature. | |

* Standard Specification: RFC 6090. | |

* Requires: ECC auxiliary functions (ecc.h/c). | |

Design Goals | |

************ | |

* Minimize the code size of each cryptographic primitive. This means minimize | |

the size of a board-independent implementation, as presented in TinyCrypt. | |

Note that various applications may require further features, optimizations with | |

respect to other metrics and countermeasures for particular threats. These | |

peculiarities would increase the code size and thus are not considered here. | |

* Minimize the dependencies among the cryptographic primitives. This means | |

that it is unnecessary to build and allocate object code for more primitives | |

than the ones strictly required by the intended application. In other words, | |

one can select and compile only the primitives required by the application. | |

Important Remarks | |

***************** | |

The cryptographic implementations in TinyCrypt library have some limitations. | |

Some of these limitations are inherent to the cryptographic primitives | |

themselves, while others are specific to TinyCrypt. Some of these limitations | |

are discussed in-depth below. | |

General Remarks | |

*************** | |

* TinyCrypt does **not** intend to be fully side-channel resistant. Due to the | |

variety of side-channel attacks, many of them making certain boards | |

vulnerable. In this sense, instead of penalizing all library users with | |

side-channel countermeasures such as increasing the overall code size, | |

TinyCrypt only implements certain generic timing-attack countermeasures. | |

Specific Remarks | |

**************** | |

* SHA-256: | |

* The number of bits_hashed in the state is not checked for overflow. Note | |

however that this will only be a problem if you intend to hash more than | |

2^64 bits, which is an extremely large window. | |

* HMAC: | |

* The HMAC verification process is assumed to be performed by the application. | |

This compares the computed tag with some given tag. | |

Note that conventional memory-comparison methods (such as memcmp function) | |

might be vulnerable to timing attacks; thus be sure to use a constant-time | |

memory comparison function (such as compare_constant_time | |

function provided in lib/utils.c). | |

* HMAC-PRNG: | |

* Before using HMAC-PRNG, you *must* find an entropy source to produce a seed. | |

PRNGs only stretch the seed into a seemingly random output of arbitrary | |

length. The security of the output is exactly equal to the | |

unpredictability of the seed. | |

* NIST SP 800-90A requires three items as seed material in the initialization | |

step: entropy seed, personalization and a nonce (which is not implemented). | |

TinyCrypt requires the personalization byte array and automatically creates | |

the entropy seed using a mandatory call to the re-seed function. | |

* AES-128: | |

* The current implementation does not support other key-lengths (such as 256 | |

bits). Note that if you need AES-256, it doesn't sound as though your | |

application is running in a constrained environment. AES-256 requires keys | |

twice the size as for AES-128, and the key schedule is 40% larger. | |

* CTR mode: | |

* The AES-CTR mode limits the size of a data message they encrypt to 2^32 | |

blocks. If you need to encrypt larger data sets, your application would | |

need to replace the key after 2^32 block encryptions. | |

* CBC mode: | |

* TinyCrypt CBC decryption assumes that the iv and the ciphertext are | |

contiguous (as produced by TinyCrypt CBC encryption). This allows for a | |

very efficient decryption algorithm that would not otherwise be possible. | |

* CMAC mode: | |

* AES128-CMAC mode of operation offers 64 bits of security against collision | |

attacks. Note however that an external attacker cannot generate the tags | |

him/herself without knowing the MAC key. In this sense, to attack the | |

collision property of AES128-CMAC, an external attacker would need the | |

cooperation of the legal user to produce an exponentially high number of | |

tags (e.g. 2^64) to finally be able to look for collisions and benefit | |

from them. As an extra precaution, the current implementation allows to at | |

most 2^48 calls to tc_cmac_update function before re-calling tc_cmac_setup | |

(allowing a new key to be set), as suggested in Appendix B of SP 800-38B. | |

* CCM mode: | |

* There are a few tradeoffs for the selection of the parameters of CCM mode. | |

In special, there is a tradeoff between the maximum number of invocations | |

of CCM under a given key and the maximum payload length for those | |

invocations. Both things are related to the parameter 'q' of CCM mode. The | |

maximum number of invocations of CCM under a given key is determined by | |

the nonce size, which is: 15-q bytes. The maximum payload length for those | |

invocations is defined as 2^(8q) bytes. | |

To achieve minimal code size, TinyCrypt CCM implementation fixes q = 2, | |

which is a quite reasonable choice for constrained applications. The | |

implications of this choice are: | |

The nonce size is: 13 bytes. | |

The maximum payload length is: 2^16 bytes = 65 KB. | |

The mac size parameter is an important parameter to estimate the security | |

against collision attacks (that aim at finding different messages that | |

produce the same authentication tag). TinyCrypt CCM implementation | |

accepts any even integer between 4 and 16, as suggested in SP 800-38C. | |

* TinyCrypt CCM implementation accepts associated data of any length between | |

0 and (2^16 - 2^8) = 65280 bytes. | |

* TinyCrypt CCM implementation accepts: | |

* Both non-empty payload and associated data (it encrypts and | |

authenticates the payload and only authenticates the associated data); | |

* Non-empty payload and empty associated data (it encrypts and | |

authenticates the payload); | |

* Non-empty associated data and empty payload (it degenerates to an | |

authentication-only mode on the associated data). | |

* RFC-3610, which also specifies CCM, presents a few relevant security | |

suggestions, such as: it is recommended for most applications to use a | |

mac size greater than 8. Besides, it is emphasized that the usage of the | |

same nonce for two different messages which are encrypted with the same | |

key obviously destroys the security properties of CCM mode. | |

* ECC-DH and ECC-DSA: | |

* TinyCrypt ECC implementation is based on nano-ecc (see | |

https://github.com/iSECPartners/nano-ecc) which in turn is based on | |

micro-ecc (see https://github.com/kmackay/micro-ecc). In the original | |

nano and micro-ecc documentation, there is an important remark about the | |

way integers are represented: | |

"Integer representation: To reduce code size, all large integers are | |

represented using little-endian words - so the least significant word is | |

first. You can use the 'ecc_bytes2native()' and 'ecc_native2bytes()' | |

functions to convert between the native integer representation and the | |

standardized octet representation." | |

Examples of Applications | |

************************ | |

It is possible to do useful cryptography with only the given small set of | |

primitives. With this list of primitives it becomes feasible to support a range | |

of cryptography usages: | |

* Measurement of code, data structures, and other digital artifacts (SHA256); | |

* Generate commitments (SHA256); | |

* Construct keys (HMAC-SHA256); | |

* Extract entropy from strings containing some randomness (HMAC-SHA256); | |

* Construct random mappings (HMAC-SHA256); | |

* Construct nonces and challenges (HMAC-PRNG); | |

* Authenticate using a shared secret (HMAC-SHA256); | |

* Create an authenticated, replay-protected session (HMAC-SHA256 + HMAC-PRNG); | |

* Authenticated encryption (AES-128 + AES-CCM); | |

* Key-exchange (EC-DH); | |

* Digital signature (EC-DSA); | |

Test Vectors | |

************ | |

The library provides a test program for each cryptographic primitive (see 'test' | |

folder). Besides illustrating how to use the primitives, these tests evaluate | |

the correctness of the implementations by checking the results against | |

well-known publicly validated test vectors. | |

For the case of the HMAC-PRNG, due to the necessity of performing an extensive | |

battery test to produce meaningful conclusions, we suggest the user to evaluate | |

the unpredictability of the implementation by using the NIST Statistical Test | |

Suite (see References). | |

For the case of the EC-DH and EC-DSA implementations, most of the test vectors | |

were obtained from the site of the NIST Cryptographic Algorithm Validation | |

Program (CAVP), see References. | |

References | |

********** | |

* `NIST FIPS PUB 180-4 (SHA-256)`_ | |

.. _NIST FIPS PUB 180-4 (SHA-256): | |

http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf | |

* `NIST FIPS PUB 197 (AES-128)`_ | |

.. _NIST FIPS PUB 197 (AES-128): | |

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf | |

* `NIST SP800-90A (HMAC-PRNG)`_ | |

.. _NIST SP800-90A (HMAC-PRNG): | |

http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf | |

* `NIST SP 800-38A (AES-CBC and AES-CTR)`_ | |

.. _NIST SP 800-38A (AES-CBC and AES-CTR): | |

http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf | |

* `NIST SP 800-38B (AES-CMAC)`_ | |

.. _NIST SP 800-38B (AES-CMAC): | |

http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf | |

* `NIST SP 800-38C (AES-CCM)`_ | |

.. _NIST SP 800-38C (AES-CCM): | |

http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf | |

* `NIST Statistical Test Suite`_ | |

.. _NIST Statistical Test Suite: | |

http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html | |

* `NIST Cryptographic Algorithm Validation Program (CAVP) site`_ | |

.. _NIST Cryptographic Algorithm Validation Program (CAVP) site: | |

http://csrc.nist.gov/groups/STM/cavp/ | |

* `RFC 2104 (HMAC-SHA256)`_ | |

.. _RFC 2104 (HMAC-SHA256): | |

https://www.ietf.org/rfc/rfc2104.txt | |

* `RFC 6090 (ECC-DH and ECC-DSA)`_ | |

.. _RFC 6090 (ECC-DH and ECC-DSA): | |

https://www.ietf.org/rfc/rfc6090.txt |