yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 13:45:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

CTR_DRBG: improve the discussion of entropy length vs strength

Browse Source
This commit is contained in:
Gilles Peskine 2019-09-25 20:22:40 +02:00
parent 3354f75bc1
commit c85dcb31d9
1 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
include/mbedtls/ctr_drbg.h
View File

@ -277,11 +277,30 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
* #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
*
* \note For compliance with NIST SP 800-90A, the entropy length
* must be at least 1.5 times security strength, since
* the entropy source is used both as the entropy input
* and to provide the initial nonce:
* - 24 bytes if using AES-128;
* - 48 bytes if using AES-256.
* (\p len bytes = \p len * 8 bits)
* must be at least the security strength.
* Furthermore, if the entropy input is used to provide
* the nonce, the entropy length must be 1.5 times
* the security strength.
* Per NIST SP 800-57A table 2, the achievable security
* strength is 128 bits if using AES-128 and
* 256 bits if using AES-256.
* Therefore, to provide full security,
* the entropy input must be at least:
* - 24 bytes if using AES-128 and the \p custom
* argument to mbedtls_ctr_drbg_seed() may repeat
* (for example because it is empty, or more generally
* constant);
* - 48 bytes if using AES-256 and the \p custom
* argument to mbedtls_ctr_drbg_seed() may repeat
* (for example because it is empty, or more generally
* constant);
* - 16 bytes if using AES-128 and the \p custom
* argument to mbedtls_ctr_drbg_seed() includes
* a nonce;
* - 32 bytes if using AES-256 and the \p custom
* argument to mbedtls_ctr_drbg_seed() includes
* a nonce.
*
* \param ctx The CTR_DRBG context.
* \param len The amount of entropy to grab, in bytes.