Update SECURITY.md
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/SECURITY.md b/SECURITY.md
index 4682f7a..4e7bb14 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,10 +37,6 @@
messages will arrive without delay, as the TLS protocol doesn't guarantee that
either.)
-**Warning!** Block ciphers do not yet achieve full protection against attackers
-who can measure the timing of packets with sufficient precision. For details
-and workarounds see the [Block Ciphers](#block-ciphers) section.
-
### Local attacks
In this section, we consider an attacker who can run software on the same
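Review bot: the reason for dropping this warning is not recorded anywhere in the change (the commit message is only "Update SECURITY.md"), and for a security policy that matters: a reader of the history cannot tell whether the block cipher implementations now achieve full protection against attackers who can measure packet timing, or whether the caveat has simply moved elsewhere. Suggest stating in the commit message what changed (for example that the underlying implementation was fixed, or which section now carries the statement) so the removal of a security warning is justified on the record.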
@@ -69,9 +65,6 @@
in the [Remote attacks](remote-attacks) and [Physical
attacks](physical-attacks) sections respectively.
-**Warning!** Block ciphers do not yet achieve full protection. For
-details and workarounds see the [Block Ciphers](#block-ciphers) section.
-
#### Local non-timing side channels
The attacker code running on the platform has access to some sensor capable of
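Review bot: while this area is being edited, the two links in the unchanged context lines above the removed warning are missing the `#` fragment prefix: `[Remote attacks](remote-attacks)` and `[Physical attacks](physical-attacks)` render as relative links to non-existent files, whereas the removed line used the correct form `[Block Ciphers](#block-ciphers)`. Suggest changing them to `(#remote-attacks)` and `(#physical-attacks)` in this commit so the remaining cross-references in SECURITY.md resolve.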
@@ -115,36 +108,6 @@
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.
-#### Block ciphers
-
-Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
-DES. The pure software implementation in Mbed TLS implementation uses lookup
-tables, which are vulnerable to timing attacks.
-
-These timing attacks can be physical, local or depending on network latency
-even a remote. The attacks can result in key recovery.
-
-**Workarounds:**
-
-- Turn on hardware acceleration for AES. This is supported only on selected
- architectures and currently only available for AES. See configuration options
- `MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C` for details.
-- Add a secure alternative implementation (typically hardware acceleration) for
- the vulnerable cipher. See the [Alternative Implementations
-Guide](docs/architecture/alternative-implementations.md) for more information.
-- Use cryptographic mechanisms that are not based on block ciphers. In
- particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
- block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
-
-#### Everest
-
-The HACL* implementation of X25519 taken from the Everest project only protects
-against remote timing attacks. (See their [Security
-Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
-
-The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
-configuration option is defined. This option is off by default.
-
#### Formatting of X.509 certificates and certificate signing requests
When parsing X.509 certificates and certificate signing requests (CSRs),
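Review bot: the "Everest" subsection is removed together with the "Block ciphers" subsection, but nothing in the change replaces the caveat it documented, namely that the HACL* X25519 implementation only protects against remote timing attacks and is enabled by `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`. Deleting the block cipher text is consistent with removing the two warnings that pointed to it, but the Everest limitation is independent of that and still describes a real configuration option, so it should either stay as its own subsection or the commit message should say where that statement now lives. The same applies to the workaround list (`MBEDTLS_AESCE_C`, `MBEDTLS_AESNI_C`, the ChaCha20/Poly1305 and HMAC_DRBG alternatives): if this guidance is now obsolete, say so; if not, it belongs somewhere in the document.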