Threat Model: move the block cipher section

The block cipher exception affects both remote and local timing attacks.
Move them to the Caveats section and reference it from both the local
and the remote attack section.

Signed-off-by: Janos Follath <janos.follath@arm.com>
diff --git a/SECURITY.md b/SECURITY.md
index 95e549f..677e685 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -35,6 +35,11 @@
 in question. (For example Mbed TLS alone won't guarantee that the messages will
 arrive without delay, as the TLS protocol doesn't guarantee that either.)
 
+**Warning!** Depending on network latency, the timing of messages might be
+enough to launch some timing attacks. Block ciphers do not yet achieve full
+protection against these. For details and workarounds see the [Block
+Ciphers](#block-ciphers) section.
+
 ### Local attacks
 
 The attacker is capable of running code on the same hardware as Mbed TLS, but
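Review bot: In the added warning, "Block ciphers do not yet achieve full protection against these" reads as covering every build, while the Block ciphers section added at the end of this patch limits the weakness to the pure software implementation that uses lookup tables. Suggest narrowing the sentence here, for example "The pure software implementations of block ciphers do not yet achieve full protection against these", so that someone who reads only the remote attacks section gets the same scope as the caveat. The link text is also split across two lines inside the brackets ("[Block" / "Ciphers]"); keeping it on one line makes it easier to search for.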
@@ -60,23 +65,7 @@
 documented** attacks, and this protection is not currently complete.
 
 **Warning!** Block ciphers do not yet achieve full protection. For
-details and workarounds see the section below.
-
-Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and DES.
-The pure software implementation in Mbed TLS implementation uses lookup tables,
-which are vulnerable to timing attacks.
-
-**Workarounds:**
-
-- Turn on hardware acceleration for AES. This is supported only on selected
-  architectures and currently only available for AES. See configuration options
-  `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
-- Add a secure alternative implementation (typically hardware acceleration) for
-  the vulnerable cipher. See the [Alternative Implementations
-Guide](docs/architecture/alternative-implementations.md) for more information.
-- Use cryptographic mechanisms that are not based on block ciphers. In
-  particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
-  block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
+details and workarounds see the [Block Ciphers](#block-ciphers) section.
 
 #### Local non-timing side channels
 
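Review bot: The local warning kept in this hunk ("Block ciphers do not yet achieve full protection.") and the remote warning added in the first hunk ("... full protection against these.") now point at the same section but are worded differently; suggest using one sentence in both places. The link text is "Block Ciphers" while the heading added in the last hunk is "Block ciphers"; the lowercase `#block-ciphers` anchor should still resolve, but the link text could match the heading.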
@@ -123,3 +112,24 @@
 protection against a class of attacks outside of the above described threat
 model. Neither does it mean that the failure of such a countermeasure is
 considered a vulnerability.
+
+#### Block ciphers
+
+Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
+DES. The pure software implementation in Mbed TLS implementation uses lookup
+tables, which are vulnerable to timing attacks.
+
+These timing attacks can be physical, local or depending on network latency
+even a remote. The attacks can result in key recovery.
+
+**Workarounds:**
+
+- Turn on hardware acceleration for AES. This is supported only on selected
+  architectures and currently only available for AES. See configuration options
+  `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
+- Add a secure alternative implementation (typically hardware acceleration) for
+  the vulnerable cipher. See the [Alternative Implementations
+Guide](docs/architecture/alternative-implementations.md) for more information.
+- Use cryptographic mechanisms that are not based on block ciphers. In
+  particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
+  block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
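Review bot: The new sentence "These timing attacks can be physical, local or depending on network latency even a remote." does not parse; suggest "These timing attacks can be physical, local or, depending on network latency, even remote." The first paragraph carries over a duplicated word from the removed text ("The pure software implementation in Mbed TLS implementation uses lookup tables"); since the text is being moved anyway, this is a good place to drop the second "implementation". The section now names physical attacks as well, but the patch adds references only from the remote and local sections, so either add a matching pointer in the physical attacks section or explain in the commit message why it is not needed. The heading is added at level four directly after the paragraph on countermeasures outside the threat model; please check that this level places it directly under Caveats, as the commit message intends, rather than nesting it under the preceding subsection. Finally, the continuation line "Guide](docs/architecture/alternative-implementations.md)" is not indented like the rest of its list item.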