
Mbed Crypto 0.1.0b2

@Patater Patater released this 17 Dec 13:56
59fd5ae

Introduction

Mbed Crypto 0.1.0b2 has now been released.

The Mbed cryptography library is a reference implementation of the cryptography interface of the Arm Platform Security Architecture (PSA). This is a preview release of Mbed Crypto, provided for evaluation purposes only. As this is a beta and evaluation release, APIs are under development and subject to change based on feedback.

New features

This release of Mbed Crypto adds support for the following features:

  • The interface now includes key agreement. The implementation supports ECDH.
  • The key derivation interface supports two new function families: the TLS 1.2 PRF (pseudorandom function) and the transformation from TLS 1.2 PSK (pre-shared key) to master secret.
  • Truncated MAC algorithms and AEAD with shorter tags are defined in the interface, and they are implemented for all algorithms for which the base algorithm is implemented.
  • The implementation now supports persistent keys. Keys can be saved either to stdio files or to PSA ITS (Internal Trusted Storage) objects, based on a compilation option. To declare a key as persistent, call psa_set_key_lifetime() before creating or using the key. Note that this implementation is considered experimental and future releases are unlikely to maintain backward compatibility with the current storage format or to provide an upgrade path.
  • We provide a mechanism for injecting initial entropy into a device that has trusted storage but may lack a hardware random number generator. Note that this implementation is considered experimental and future releases are unlikely to maintain backward compatibility with the current storage format or to provide a generic upgrade path. We will provide an upgrade path for the integration of this feature in Mbed OS 5.11.
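As an added illustration (not code from Mbed Crypto itself), the two TLS 1.2 constructions that the key derivation interface now exposes, written out from RFC 5246 section 5 (the PRF) and RFC 4279 section 2 (the PSK premaster secret), so that the bytes the interface derives can be checked against an independent implementation; the PSK and random values below are constructed sample inputs.

```python
import hmac

def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_<hash> data expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ..."""
    a = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length, hash_name)

def psk_premaster_secret(psk: bytes) -> bytes:
    """Plain PSK key exchange (RFC 4279 section 2): for an N-octet PSK the
    premaster secret is uint16(N) || N zero octets || uint16(N) || PSK.
    The zero block stands in for the "other secret" that DHE/RSA-PSK would carry."""
    n = len(psk).to_bytes(2, "big")
    return n + b"\x00" * len(psk) + n + psk

def psk_to_master_secret(psk: bytes, client_random: bytes, server_random: bytes,
                         hash_name: str = "sha256") -> bytes:
    """TLS 1.2 master secret derivation from a PSK: 48 bytes of
    PRF(premaster, "master secret", ClientHello.random + ServerHello.random)."""
    premaster = psk_premaster_secret(psk)
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48, hash_name)

if __name__ == "__main__":
    # Constructed sample values; real handshakes use 32 random bytes per side.
    psk = b"example-psk-value"
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    master = psk_to_master_secret(psk, client_random, server_random)
    print("premaster:", psk_premaster_secret(psk).hex())
    print("master   :", master.hex(), len(master), "bytes")
```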

Driver model

This release includes a specification of the interface that drivers for cryptography accelerators, entropy sources and secure elements must implement. This specification is a work in progress, provided for review purposes only. The implementation does not support drivers yet. The specification is provided in the distribution as docs/PSACryptoDriverModelSpec.pdf.

Other changes

The following changes may affect existing application code:

  • Many macros to compose and decompose key types and algorithms have been added or modified to offer a more consistent interface.
  • The import/export format of elliptic curve key pairs has changed from the RFC 5915 private key to the raw secret value.

In addition, the interface and the implementation include many tweaks and bug fixes that should not require changes in application source code.

Intended future changes

APIs are under development and subject to change based on feedback. The following is a list of major changes that we intend to make in the near future. This list may be revised without notice at any time.

  • Instead of using key slots transparently, applications will access slots via handles. To obtain a handle to a volatile key slot, the application will allocate a slot. To obtain a handle to a persistent key slot, the application will open the key from storage.
  • Simplify the format of public keys to remove the SubjectPublicKeyInfo encoding layer.
  • Enrich the policy language to support concrete use cases which require a different trade-off between safety and flexibility. In particular, X.509 makes it impractical to commit a signature key to a specific hash mechanism.