jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
120 Commits
4 Branches
18 MiB
Tree: 550ee42cfb
lora-irrigation/strobe/README.txt

README.txt 4.0 KiB
Raw Normal View History

Squashed 'strobe/' content from commit 66b501f git-subtree-dir: strobe git-subtree-split: 66b501fdde0e25ba77ad0f732aa88cced2e71024
3 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 
  1. STROBE protocol framework

  2. 

  3. This is a development release of the STROBE framework.  Although the

  4. specification of the framework is at release level (1.0.0), the code is

  5. development-quality and not yet ready for production use.

  6. 

  7. STROBE's framework spec versioning (not software versioning) is a little

  8. bit funny.  Every protocol hashes the spec version into the cryptographic

  9. state, so any change to the spec version string breaks interoperability.

  10. However, minor and patch revisions shouldn't break application

  11. compatibility, so protocol specifications that make sense with 1.0.0

  12. should also work with 1.0.1 and 1.1.0.

  13. 

  14. TODO: Update this README to include worthwhile documentation and use cases

  15. for STROBE.

  16. 

  17. #############

  18. Side channels

  19. #############

  20. 

  21. The STROBE code is designed to resist timing side-channels that would

  22. recover secret keys and messages.  Obviously, timing is affected by other

  23. variables such as message lengths.

  24. 

  25. The compact X25519 code is designed to resist timing side-channels, including

  26. attacks on timing, caching, and branch prediction.  However, the code

  27. is incomplete in that regard, and should be tested on your particular CPU

  28. and compiler.  This warning is mainly in regard to embedded or old processors

  29. such as the Cortex-M0, Cortex-M3, 80386, 80486, Via Nano 2000, PowerPC G3,

  30. PowerPC G4, and RISC-V Rocket.  These processors have a multiplication

  31. instruction which takes a variable amount of time depending on its operands.

  32. Since X25519 uses multiplication on sensitive data, some of that data will

  33. leak to an attacker who can observe timing information. There are per-CPU

  34. workarounds for this problem, but none of them are yet included in STROBE's

  35. X25519 implementation.

  36. 

  37. Newer CPUs such as the Cortex-M4 and higher, and modern X86 processors, should

  38. be safe.  However, the test suite does not currently test resistance to timing

  39. attacks (TODO).

  40. 

  41. On vulnerable processors, I expect that ephemeral Curve25519 is safe, and that

  42. signature verification leaks information that's public in most threat models

  43. (eg, the signer, signature and hashed message).  Signing and long-term X25519

  44. are probably vulnerable to key compromise.

  45. 

  46. I would like to eventually place a warning on the X25519 code for this, but

  47. there are so many CPUs affected that it would be difficult to test the warning

  48. code.

  49. 

  50. None of this code is designed to resist physically invasive attacks such as

  51. power side channels, electromagnetic side channels, or fault attacks.

  52. 

  53. Remember of course that this is alpha-quality software, and probably contains

  54. bugs which are more serious than timing attacks.

  55. 

  56. #############

  57. Mailing lists

  58. #############

  59. 

  60. If you use STROBE, please subscribe to at least the strobe-security mailing

  61. list:

  62.      strobe-security@lists.sourceforge.net

  63.      https://lists.sourceforge.net/lists/listinfo/strobe-security

  64. 

  65. This mailing list is moderated and low-volume.  It will be used only to

  66. announce security issues in STROBE, should they arise.

  67.     

  68. You may also be interested in the strobe-announce and strobe-discuss

  69. mailing lists.

  70. 

  71.      strobe-discuss@lists.sourceforge.net

  72.      https://lists.sourceforge.net/lists/listinfo/strobe-discuss

  73. 

  74.      strobe-announce@lists.sourceforge.net

  75.      https://lists.sourceforge.net/lists/listinfo/strobe-announce

  76. 

  77. ###########################

  78. Export control notification

  79. ###########################

  80. 

  81. Downloading of this software may constitute an export or re-export of

  82. cryptographic software from the United States of America. The U.S.

  83. government prohibits export of encryption source code to certain countries

  84. and individuals, including, but not limited to, the countries of Cuba, Iran,

  85. North Korea, Sudan, Syria, and residents and nationals of those countries.

  86. Other countries may also have restrictions on the import, possession, use,

  87. and/or re-export to another country, of encryption software. BEFORE using

  88. any encryption software, please check your country's laws, regulations and

  89. policies concerning the import, possession, or use, and re-export of

  90. encryption software, to see if this is permitted.