From c85dcb31d9c3ae4d5a2f2457f5e4ff18e944494d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Sep 2019 20:22:40 +0200 Subject: [PATCH] CTR_DRBG: improve the discussion of entropy length vs strength --- include/mbedtls/ctr_drbg.h | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 03ce87f72..32d9adf33 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -277,11 +277,30 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, * #MBEDTLS_CTR_DRBG_ENTROPY_LEN. * * \note For compliance with NIST SP 800-90A, the entropy length - * must be at least 1.5 times security strength, since - * the entropy source is used both as the entropy input - * and to provide the initial nonce: - * - 24 bytes if using AES-128; - * - 48 bytes if using AES-256. + * (\p len bytes = \p len * 8 bits) + * must be at least the security strength. + * Furthermore, if the entropy input is used to provide + * the nonce, the entropy length must be 1.5 times + * the security strength. + * Per NIST SP 800-57A table 2, the achievable security + * strength is 128 bits if using AES-128 and + * 256 bits if using AES-256. + * Therefore, to provide full security, + * the entropy input must be at least: + * - 24 bytes if using AES-128 and the \p custom + * argument to mbedtls_ctr_drbg_seed() may repeat + * (for example because it is empty, or more generally + * constant); + * - 48 bytes if using AES-256 and the \p custom + * argument to mbedtls_ctr_drbg_seed() may repeat + * (for example because it is empty, or more generally + * constant); + * - 16 bytes if using AES-128 and the \p custom + * argument to mbedtls_ctr_drbg_seed() includes + * a nonce; + * - 32 bytes if using AES-256 and the \p custom + * argument to mbedtls_ctr_drbg_seed() includes + * a nonce. * * \param ctx The CTR_DRBG context. * \param len The amount of entropy to grab, in bytes.