Lines Matching +full:90 +full:-

19 * SHA-256:
22 * Standard Specification: NIST FIPS PUB 180-4.
23 * Requires: --
25 * HMAC-SHA256:
29 * Requires: SHA-256
31 * HMAC-PRNG:
33 * Type of primitive: Pseudo-random number generator.
34 * Standard Specification: NIST SP 800-90A.
35 * Requires: SHA-256 and HMAC-SHA256.
37 * AES-128:
41 * Requires: --
43 * AES-CBC mode:
46 * Standard Specification: NIST SP 800-38A.
47 * Requires: AES-128.
49 * AES-CTR mode:
52 * Standard Specification: NIST SP 800-38A.
53 * Requires: AES-128.
55 * AES-CMAC mode:
58 * Standard Specification: NIST SP 800-38B.
59 * Requires: AES-128.
61 * AES-CCM mode:
64 * Standard Specification: NIST SP 800-38C.
65 * Requires: AES-128.
67 * ECC-DH:
73 * ECC-DSA:
83 the size of a board-independent implementation, as presented in TinyCrypt.
100 are discussed in-depth below.
105 * TinyCrypt does **not** intend to be fully side-channel resistant. Due to the
106 variety of side-channel attacks, many of them making certain boards
108 side-channel countermeasures such as increasing the overall code size,
109 TinyCrypt only implements certain generic timing-attack countermeasures.
114 * SHA-256:
124 Note that conventional memory-comparison methods (such as the memcmp function)
125 might be vulnerable to timing attacks; thus be sure to use a constant-time
129 * HMAC-PRNG:
131 * Before using HMAC-PRNG, you *must* find an entropy source to produce a seed.
136 * NIST SP 800-90A requires three items as seed material in the initialization
139 the entropy seed using a mandatory call to the re-seed function.
141 * AES-128:
143 * The current implementation does not support other key-lengths (such as 256
144 bits). Note that if you need AES-256, it doesn't sound as though your
145 application is running in a constrained environment. AES-256 requires keys
146 twice the size of those for AES-128, and the key schedule is 40% larger.
150 * The AES-CTR mode limits the size of a data message it encrypts to 2^32
162 * AES128-CMAC mode of operation offers 64 bits of security against collision
165 collision property of AES128-CMAC, an external attacker would need the
169 most 2^48 calls to the tc_cmac_update function before re-calling tc_cmac_setup
170 (allowing a new key to be set), as suggested in Appendix B of SP 800-38B.
179 the nonce size, which is: 15-q bytes. The maximum payload length for those
193 accepts any even integer between 4 and 16, as suggested in SP 800-38C.
196 0 and (2^16 - 2^8) = 65280 bytes.
200 * Both non-empty payload and associated data (it encrypts and
203 * Non-empty payload and empty associated data (it encrypts and
206 * Non-empty associated data and empty payload (it degenerates to an
207 authentication-only mode on the associated data).
209 * RFC-3610, which also specifies CCM, presents a few relevant security
215 * ECC-DH and ECC-DSA:
217 * TinyCrypt ECC implementation is based on nano-ecc (see
218 https://github.com/iSECPartners/nano-ecc) which in turn is based on
219 micro-ecc (see https://github.com/kmackay/micro-ecc). In the original
220 nano and micro-ecc documentation, there is an important remark about the
224 represented using little-endian words - so the least significant word is
239 * Construct keys (HMAC-SHA256);
241 * Extract entropy from strings containing some randomness (HMAC-SHA256);
243 * Construct random mappings (HMAC-SHA256);
245 * Construct nonces and challenges (HMAC-PRNG);
247 * Authenticate using a shared secret (HMAC-SHA256);
249 * Create an authenticated, replay-protected session (HMAC-SHA256 + HMAC-PRNG);
251 * Authenticated encryption (AES-128 + AES-CCM);
253 * Key-exchange (EC-DH);
255 * Digital signature (EC-DSA);
263 well-known publicly validated test vectors.
265 For the case of the HMAC-PRNG, due to the necessity of performing an extensive
270 For the case of the EC-DH and EC-DSA implementations, most of the test vectors
277 * `NIST FIPS PUB 180-4 (SHA-256)`_
279 .. _NIST FIPS PUB 180-4 (SHA-256):
280 http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
282 * `NIST FIPS PUB 197 (AES-128)`_
284 .. _NIST FIPS PUB 197 (AES-128):
285 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
287 * `NIST SP800-90A (HMAC-PRNG)`_
289 .. _NIST SP800-90A (HMAC-PRNG):
290 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
292 * `NIST SP 800-38A (AES-CBC and AES-CTR)`_
294 .. _NIST SP 800-38A (AES-CBC and AES-CTR):
295 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
297 * `NIST SP 800-38B (AES-CMAC)`_
299 .. _NIST SP 800-38B (AES-CMAC):
300 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
302 * `NIST SP 800-38C (AES-CCM)`_
304 .. _NIST SP 800-38C (AES-CCM):
305 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
317 * `RFC 2104 (HMAC-SHA256)`_
319 .. _RFC 2104 (HMAC-SHA256):
322 * `RFC 6090 (ECC-DH and ECC-DSA)`_
324 .. _RFC 6090 (ECC-DH and ECC-DSA):