This article has multiple issues. Please help improve it or discuss these issues on the talk page . (Learn how and when to remove these template messages) |
Developer(s) | Collaborative project managed by TrustedFirmware (formerly by Arm) |
---|---|
Initial release | January 15, 2009 |
Stable release | 3.5.1 [1] (8 November 2023 ) [±] |
Repository | |
Written in | C |
Operating system | Multi-platform |
Type | Security library |
License | Dual Apache-2.0 or GPL-2.0-or-later |
Website | www |
Mbed TLS (previously PolarSSL) is an implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required. It is distributed under the Apache License version 2.0. Stated on the website is that Mbed TLS aims to be "easy to understand, use, integrate and expand".
The PolarSSL SSL library is the official continuation fork of the XySSL SSL library. XySSL was created by the French "white hat hacker" Christophe Devine and was first released on November 1, 2006, under GNU GPL v2 and BSD licenses. In 2008, Christophe Devine was no longer able to support XySSL and allowed Paul Bakker to create the official fork, named PolarSSL. [2] In November 2014, PolarSSL was acquired by ARM Holdings. [3]
In 2011, the Dutch government approved an integration between OpenVPN and PolarSSL, which is named OpenVPN-NL. This version of OpenVPN has been approved for use in protecting government communications up to the level of Restricted. [4]
As of the release of version 1.3.10, PolarSSL has been rebranded to Mbed TLS to better show its fit inside the Mbed ecosystem. [5] Starting from version 2.1.0, the library was made available under both the GPL v2 and Apache License v2.0. [6]
In 2020, Mbed TLS joined the TrustedFirmware project. [7]
The core SSL library is written in the C programming language and implements the SSL module, the basic cryptographic functions and provides various utility functions. Unlike OpenSSL and other implementations of TLS, Mbed TLS is like wolfSSL in that it is designed to fit on small embedded devices, with the minimum complete TLS stack requiring under 60KB of program space and under 64 KB of RAM. It is also highly modular: each component, such as a cryptographic function, can be used independently from the rest of the framework. Versions are also available for Microsoft Windows and Linux. Because Mbed TLS is written in the C programming language, without external dependencies, it works on most operating systems and architectures.
Since version 1.3.0, it has abstraction layers for memory allocation and threading to the core "to support better integration with existing embedded operating systems". [8]
The Mbed TLS library expresses a focus on readability of the code, documentation, automated regression tests, a loosely coupled design and portable code. [9]
The following documentation is available for developers:
The automated testing of Mbed TLS includes:
Mbed TLS is used as the SSL component in large open source projects:
Mbed TLS is currently available for most Operating Systems including Linux, Microsoft Windows, OS X, OpenWrt, Android, iOS, RISC OS [15] and FreeRTOS. Chipsets supported at least include ARM, x86, PowerPC, MIPS.
Mbed TLS supports a number of different cryptographic algorithms:
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.
OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.
GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.
Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses UDP or SCTP, the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem", when being used to create a VPN tunnel.
strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates on smartcards through a PKCS#11 interface and on TPM 2.0.
Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.
cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, a free software license compatible with the GNU General Public License. Alternatively, cryptlib is available under a proprietary license for those preferring to use it under proprietary terms.
In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.
wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.
The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.
Nettle is a cryptographic library designed to fit easily in a wide range of toolkits and applications. It began as a collection of low-level cryptography functions from lsh in 2001. Since June 2009 Nettle is a GNU package.
Mbed is a development platform and real-time operating system (RTOS) designed for internet-connected devices that utilize 32-bit ARM Cortex-M microcontrollers. These internet-enabled devices are often categorized under the Internet of Things (IoT) umbrella. The Mbed project is a collaborative effort led by Arm Holdings, in partnership with various technology companies and contributors.
OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.
MatrixSSL is an open-source TLS/SSL implementation designed for custom applications in embedded hardware environments.
LibreSSL is an open-source implementation of the Transport Layer Security (TLS) protocol. The implementation is named after Secure Sockets Layer (SSL), the deprecated predecessor of TLS, for which support was removed in release 2.3.0. The OpenBSD project forked LibreSSL from OpenSSL 1.0.1g in April 2014 as a response to the Heartbleed security vulnerability, with the goals of modernizing the codebase, improving security, and applying development best practices.
The tables below compare cryptography libraries that deal with cryptography algorithms and have API function calls to each of the supported features.
Probabilistic Signature Scheme (PSS) is a cryptographic signature scheme designed by Mihir Bellare and Phillip Rogaway.