CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
Title |
CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG |
|---|---|
CVE |
CVE-2024-45157 |
Date |
30 August 2024 |
Affects |
All versions of Mbed TLS since 2.26.0 |
Severity |
Low |
Vulnerability
Mbed TLS 2.26.0 introduced the configuration option MBEDTLS_PSA_HMAC_DRBG_MD_TYPE and documented that enabling it explicitly would cause the PSA cryptography subsystem to use HMAC_DRBG as its pseudorandom generator component. However, this feature was accidentally documented but not implemented. In fact, all versions of Mbed TLS and Mbed Crypto have used CTR_DRBG in the PSA subsystem if MBEDTLS_CTR_DRBG_C is enabled, regardless of whether MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is set.
Impact
Both HMAC_DRBG (using a hash such as SHA-256 or SHA-512) and CTR_DRBG (using AES) are generally acceptable choices as pseudorandom generators, and both are secure in terms of the quality of their output. However, they have different security postures with respect to side channels. In particular, when AES is implemented in software, it is more prone to timing and power side channels than hashes, so CTR_DRBG is weaker against side channel attacks than HMAC_DRBG. Hence some users may prefer to use HMAC_DRBG.
Resolution
Starting with Mbed TLS 3.6.1 and 2.28.9, the documentation accurately represents the behavior. The behavior does not change: MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is ignored when PSA uses CTR_DRBG.
Work-around
To use HMAC_DRBG as the pseudorandom generator in the PSA subsystem, make sure that the compile-time option MBEDTLS_CTR_DRBG_C is disabled.