Lines Matching +full:- +full:a
9 with a minimal set of standard cryptography primitives, as listed below. To better
19 * SHA-256:
22 * Standard Specification: NIST FIPS PUB 180-4.
23 * Requires: --
25 * HMAC-SHA256:
29 * Requires: SHA-256
31 * HMAC-PRNG:
33 * Type of primitive: Pseudo-random number generator (256-bit strength).
34 * Standard Specification: NIST SP 800-90A.
35 * Requires: SHA-256 and HMAC-SHA256.
37 * AES-128:
41 * Requires: --
43 * AES-CBC mode:
46 * Standard Specification: NIST SP 800-38A.
47 * Requires: AES-128.
49 * AES-CTR mode:
52 * Standard Specification: NIST SP 800-38A.
53 * Requires: AES-128.
55 * AES-CMAC mode:
58 * Standard Specification: NIST SP 800-38B.
59 * Requires: AES-128.
61 * AES-CCM mode:
64 * Standard Specification: NIST SP 800-38C.
65 * Requires: AES-128.
67 * CTR-PRNG:
69 * Type of primitive: Pseudo-random number generator (128-bit strength).
70 * Standard Specification: NIST SP 800-90A.
71 * Requires: AES-128.
73 * ECC-DH:
75 * Type of primitive: Key exchange based on curve NIST p-256.
79 * ECC-DSA:
81 * Type of primitive: Digital signature based on curve NIST p-256.
89 the size of a platform-independent implementation, as presented in TinyCrypt.
108 limitations are discussed in-depth below.
113 * TinyCrypt does **not** intend to be fully side-channel resistant. Due to the
114 variety of side-channel attacks, many of them only relevant to certain
116 side-channel countermeasures such as increasing the overall code size,
117 TinyCrypt only implements certain generic timing-attack countermeasures.
122 * SHA-256:
125 however that this will only be a problem if you intend to hash more than
132 Note that conventional memory-comparison methods (such as the memcmp function)
133 might be vulnerable to timing attacks; thus be sure to use a constant-time
141 currently relying on this good-practice/feature of TinyCrypt.
143 * HMAC-PRNG:
145 * Before using HMAC-PRNG, you *must* find an entropy source to produce a seed.
146 PRNGs only stretch the seed into a seemingly random output of arbitrary
150 * NIST SP 800-90A requires three items as seed material in the initialization
151 step: entropy seed, personalization and a nonce (which is not implemented).
153 the entropy seed using a mandatory call to the re-seed function.
155 * AES-128:
157 * The current implementation does not support other key lengths (such as 256
158 bits). Note that if you need AES-256, it doesn't sound as though your
159 application is running in a constrained environment. AES-256 requires keys
160 twice the size of those for AES-128, and the key schedule is 40% larger.
164 * The AES-CTR mode limits the size of a data message it encrypts to 2^32
168 * CTR-PRNG:
170 * Before using CTR-PRNG, you *must* find an entropy source to produce a seed.
171 PRNGs only stretch the seed into a seemingly random output of arbitrary
178 contiguous (as produced by TinyCrypt CBC encryption). This allows for a
183 * AES128-CMAC mode of operation offers 64 bits of security against collision
186 collision property of AES128-CMAC, an external attacker would need the
190 most 2^48 calls to tc_cmac_update function before re-calling tc_cmac_setup
191 (allowing a new key to be set), as suggested in Appendix B of SP 800-38B.
195 * There are a few tradeoffs for the selection of the parameters of CCM mode.
196 In particular, there is a tradeoff between the maximum number of invocations
197 of CCM under a given key and the maximum payload length for those
199 maximum number of invocations of CCM under a given key is determined by
200 the nonce size, which is: 15-q bytes. The maximum payload length for those
204 which is a quite reasonable choice for constrained applications. The
214 accepts any even integer between 4 and 16, as suggested in SP 800-38C.
217 0 and (2^16 - 2^8) = 65280 bytes.
221 * Both non-empty payload and associated data (it encrypts and
224 * Non-empty payload and empty associated data (it encrypts and
227 * Non-empty associated data and empty payload (it degenerates to an
228 authentication-only mode on the associated data).
230 * RFC-3610, which also specifies CCM, presents a few relevant security
231 suggestions, such as: it is recommended for most applications to use a
236 * ECC-DH and ECC-DSA:
238 * TinyCrypt ECC implementation is based on micro-ecc (see
239 https://github.com/kmackay/micro-ecc). In the original micro-ecc
244 represented using little-endian words, so the least significant word is
250 {95, 94, ..., 64}, {127, 126, ..., 96} for a very-long-integer (vli)
253 * A cryptographically-secure PRNG function must be set (using uECC_set_rng())
259 primitives. With this list of primitives it becomes feasible to support a range
266 * Construct keys (HMAC-SHA256);
268 * Extract entropy from strings containing some randomness (HMAC-SHA256);
270 * Construct random mappings (HMAC-SHA256);
272 * Construct nonces and challenges (HMAC-PRNG, CTR-PRNG);
274 * Authenticate using a shared secret (HMAC-SHA256);
276 * Create an authenticated, replay-protected session (HMAC-SHA256 + HMAC-PRNG);
278 * Authenticated encryption (AES-128 + AES-CCM);
280 * Key-exchange (EC-DH);
282 * Digital signature (EC-DSA);
287 The library provides a test program for each cryptographic primitive (see 'test'
290 well-known publicly validated test vectors.
292 For the case of the HMAC-PRNG, due to the necessity of performing an extensive
297 For the case of the EC-DH and EC-DSA implementations, most of the test vectors
304 * `NIST FIPS PUB 180-4 (SHA-256)`_
306 .. _NIST FIPS PUB 180-4 (SHA-256):
307 http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
309 * `NIST FIPS PUB 197 (AES-128)`_
311 .. _NIST FIPS PUB 197 (AES-128):
312 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
314 * `NIST SP800-90A (HMAC-PRNG)`_
316 .. _NIST SP800-90A (HMAC-PRNG):
317 http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
319 * `NIST SP 800-38A (AES-CBC and AES-CTR)`_
321 .. _NIST SP 800-38A (AES-CBC and AES-CTR):
322 http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
324 * `NIST SP 800-38B (AES-CMAC)`_
326 .. _NIST SP 800-38B (AES-CMAC):
327 http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
329 * `NIST SP 800-38C (AES-CCM)`_
331 .. _NIST SP 800-38C (AES-CCM):
332 http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
334 * `NIST Statistical Test Suite (useful for testing HMAC-PRNG)`_
336 .. _NIST Statistical Test Suite (useful for testing HMAC-PRNG):
344 * `RFC 2104 (HMAC-SHA256)`_
346 .. _RFC 2104 (HMAC-SHA256):
349 * `RFC 6090 (ECC-DH and ECC-DSA)`_
351 .. _RFC 6090 (ECC-DH and ECC-DSA):