Hi,
ECB mode means that the block cipher is applied block by block to the message directly. This is indeed insecure. However, all modes, CBC/CMAC/CTR etc apply the block cipher to blocks that might be related to individual message blocks but are constructed in a way that the result is safe.
When Mbed TLS uses ECB mode internally, it means that the block cipher is applied to a block of data (not to the message directly) in order to implement a secure operation mode. This is why ECB is in the API as well and how users should use it (to implement a secure standard operation mode that is not supplied by Mbed TLS): https://arm-software.github.io/psa-api/crypto/1.2/api/ops/ciphers.html#c.PSA...
When we say PSA_ALG_ECB_NO_PADDING, we mean a single application of the block cipher to a single block of data and not the actual ECB mode (which means slicing up the message to blocks and applying the block cipher to each block directly).
This is why the code you linked is as expected, why using “ECB” to implement CMAC correct and why we can’t remove “ECB” mode.
Cheers, Janos
From: Chaitanya Tata via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Thursday, 15 August 2024 at 09:55 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] Usage of ECB in AES mode Hi,
ECB is unsecure, see https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_code...) and shouldn't be used in production.
So, I have switched to one of CBC/CMAC/CTR modes, but in `mbedtls_cipher_cmac_starts` I see that it only accepts ECB variants, and also doesn't seem to be using the `type`.
From https://github.com/Mbed-TLS/mbedtls/issues/8617 I see that ECB for AES was intentional, even for the CMAC API.
Is this expected?
1. Is using ECB for CMAC API correct? 2.Shouldn't we remove the ECB altogether?
Appreciate any clarifications.
Cheers, Chaitanya. -- mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org