Thanks Janos for the clarification.
IIUC, ECB mode in MbedTLS refers to data and not the message, so it is still secure and can be used as the underlying API for CMAC/CTR/CBC modes?
This is why ECB is in the API as well and how users should use it (to
implement a secure standard operation mode that is not supplied by Mbed TLS): https://arm-software.github.io/psa-api/crypto/1.2/api/ops/ciphers.html#c.PSA...
From the link
It is recommended that applications only use ECB if they need to construct an operating mode that the implementation does not provide
I understand that this is the reason (to support unsupported implementations) for the ECB API to be publicly available, but based on that wording, for internal implementations that exist e.g., CBC/CMAC, we shouldn't be using ECB, is my understanding correct?
Cheers, Chaitanya.
On Thu, Aug 15, 2024 at 3:45 PM Janos Follath Janos.Follath@arm.com wrote:
Hi,
ECB mode means that the block cipher is applied block by block to the message directly. This is indeed insecure. However, all modes, CBC/CMAC/CTR etc apply the block cipher to blocks that might be related to individual message blocks but are constructed in a way that the result is safe.
When Mbed TLS uses ECB mode internally, it means that the block cipher is applied to a block of data (not to the message directly) in order to implement a secure operation mode. This is why ECB is in the API as well and how users should use it (to implement a secure standard operation mode that is not supplied by Mbed TLS):
https://arm-software.github.io/psa-api/crypto/1.2/api/ops/ciphers.html#c.PSA...
When we say PSA_ALG_ECB_NO_PADDING, we mean a single application of the block cipher to a single block of data and not the actual ECB mode (which means slicing up the message to blocks and applying the block cipher to each block directly).
This is why the code you linked is as expected, why using “ECB” to implement CMAC correct and why we can’t remove “ECB” mode.
Cheers,
Janos
*From: *Chaitanya Tata via mbed-tls mbed-tls@lists.trustedfirmware.org *Date: *Thursday, 15 August 2024 at 09:55 *To: *mbed-tls@lists.trustedfirmware.org < mbed-tls@lists.trustedfirmware.org> *Subject: *[mbed-tls] Usage of ECB in AES mode
Hi,
ECB is unsecure, see
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_code...) and shouldn't be used in production.
So, I have switched to one of CBC/CMAC/CTR modes, but in `mbedtls_cipher_cmac_starts` I see that it only accepts ECB variants, and also doesn't seem to be using the `type`.
From https://github.com/Mbed-TLS/mbedtls/issues/8617 I see that ECB for AES was intentional, even for the CMAC API.
Is this expected?
- Is using ECB for CMAC API correct?
2.Shouldn't we remove the ECB altogether?
Appreciate any clarifications.
Cheers, Chaitanya. -- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org