Mbed TLS

Last updated
Mbed TLS
Developer(s) Collaborative project managed by TrustedFirmware (formerly by Arm)
Initial releaseJanuary 15, 2009 (2009-01-15)
Stable release 3.5.1 [1] OOjs UI icon edit-ltr-progressive.svg (8 November 2023;2 months ago (8 November 2023)) [±]
Repository
Written in C
Operating system Multi-platform
Type Security library
License Dual Apache-2.0 or GPL-2.0-or-later
Website www.trustedfirmware.org/projects/mbed-tls/

Mbed TLS (previously PolarSSL) is an implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required. It is distributed under the Apache License version 2.0. Stated on the website is that Mbed TLS aims to be "easy to understand, use, integrate and expand".

Contents

History

The PolarSSL SSL library is the official continuation fork of the XySSL SSL library. XySSL was created by the French "white hat hacker" Christophe Devine and was first released on November 1, 2006, under GNU GPL v2 and BSD licenses. In 2008, Christophe Devine was no longer able to support XySSL and allowed Paul Bakker to create the official fork, named PolarSSL. [2] In November 2014, PolarSSL was acquired by ARM Holdings. [3]

In 2011, the Dutch government approved an integration between OpenVPN and PolarSSL, which is named OpenVPN-NL. This version of OpenVPN has been approved for use in protecting government communications up to the level of Restricted. [4]

As of the release of version 1.3.10, PolarSSL has been rebranded to Mbed TLS to better show its fit inside the Mbed ecosystem. [5] Starting from version 2.1.0, the library was made available under both the GPL v2 and Apache License v2.0. [6]

In 2020, Mbed TLS joined the TrustedFirmware project. [7]

Library

The core SSL library is written in the C programming language and implements the SSL module, the basic cryptographic functions and provides various utility functions. Unlike OpenSSL and other implementations of TLS, Mbed TLS is like wolfSSL in that it is designed to fit on small embedded devices, with the minimum complete TLS stack requiring under 60KB of program space and under 64 KB of RAM. It is also highly modular: each component, such as a cryptographic function, can be used independently from the rest of the framework. Versions are also available for Microsoft Windows and Linux. Because Mbed TLS is written in the C programming language, without external dependencies, it works on most operating systems and architectures.

Since version 1.3.0, it has abstraction layers for memory allocation and threading to the core "to support better integration with existing embedded operating systems". [8]

Design priorities

The Mbed TLS library expresses a focus on readability of the code, documentation, automated regression tests, a loosely coupled design and portable code. [9]

Development documentation

The following documentation is available for developers:

Automated testing

The automated testing of Mbed TLS includes:

Use

Mbed TLS is used as the SSL component in large open source projects:

Platforms

Mbed TLS is currently available for most Operating Systems including Linux, Microsoft Windows, OS X, OpenWrt, Android, iOS, RISC OS [15] and FreeRTOS. Chipsets supported at least include ARM, x86, PowerPC, MIPS.

Algorithms

Mbed TLS supports a number of different cryptographic algorithms:

Cryptographic hash functions
MD2, MD4, MD5, RIPEMD160, SHA-1, SHA-2, SHA-3
MAC modes
CMAC, HMAC
Ciphers
AES, ARIA, Blowfish, Camellia, ChaCha, DES, RC4, Triple DES, XTEA
Cipher modes
ECB, CBC, CFB, CTR, OFB, XTS
Authenticated encryption modes
CCM, GCM, NIST Key Wrap,
ChaCha20-Poly1305
Key derivation
HKDF
Key stretching
PBKDF2, PKCS #5 PBE2, PKCS #12 key derivation
Public-key cryptography
RSA, Diffie–Hellman key exchange,
Elliptic curve cryptography (ECC), Elliptic curve Diffie–Hellman (ECDH), Elliptic Curve DSA (ECDSA), Elliptic curve J-PAKE

See also

Related Research Articles

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

<span class="mw-page-title-main">GnuTLS</span> Free software library implementing TLS

GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses UDP or SCTP, the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids the "TCP meltdown problem", when being used to create a VPN tunnel.

strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates on smartcards through a PKCS#11 interface and on TPM 2.0.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

cryptlib is an open-source cross-platform software security toolkit library. It is distributed under the Sleepycat License, a free software license compatible with the GNU General Public License. Alternatively, cryptlib is available under a proprietary license for those preferring to use it under proprietary terms.

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

Nettle is a cryptographic library designed to fit easily in a wide range of toolkits and applications. It began as a collection of low-level cryptography functions from lsh in 2001. Since June 2009 Nettle is a GNU package.

Mbed is a development platform and real-time operating system (RTOS) designed for internet-connected devices that utilize 32-bit ARM Cortex-M microcontrollers. These internet-enabled devices are often categorized under the Internet of Things (IoT) umbrella. The Mbed project is a collaborative effort led by Arm Holdings, in partnership with various technology companies and contributors.

OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.

MatrixSSL is an open-source TLS/SSL implementation designed for custom applications in embedded hardware environments.

<span class="mw-page-title-main">LibreSSL</span> Open-source implementation of TLS protocols; forked from OpenSSL in 2014

LibreSSL is an open-source implementation of the Transport Layer Security (TLS) protocol. The implementation is named after Secure Sockets Layer (SSL), the deprecated predecessor of TLS, for which support was removed in release 2.3.0. The OpenBSD project forked LibreSSL from OpenSSL 1.0.1g in April 2014 as a response to the Heartbleed security vulnerability, with the goals of modernizing the codebase, improving security, and applying development best practices.

The tables below compare cryptography libraries that deal with cryptography algorithms and have API function calls to each of the supported features.

Probabilistic Signature Scheme (PSS) is a cryptographic signature scheme designed by Mihir Bellare and Phillip Rogaway.

References

  1. "Release 3.5.1". 8 November 2023. Retrieved 19 November 2023.
  2. "About us". PolarSSL. Retrieved 2014-05-08.
  3. "PolarSSL is now a part of ARM". 2014-11-24.
  4. Archived January 29, 2013, at the Wayback Machine
  5. "mbed TLS 1.3.10 released". 2015-02-08. Retrieved 2015-02-09.
  6. "Download". Mbed TLS. Arm. Archived from the original on 2019-03-24. Retrieved 2021-04-05.
  7. "Hafnium, MbedTLS, PSA Crypto join the Trusted Firmware Project". TrustedFirmware. TrustedFirmware. Archived from the original on 2020-08-12. Retrieved 2021-04-05.
  8. "New features in PolarSSL 1.3.0 – Tech Updates". Polarssl.org. Retrieved 2014-05-08.
  9. "PolarSSL Features: easy to use SSL library and well-documented". Polarssl.org. Retrieved 2014-05-08.
  10. "PolarSSL High Level Design". Polarssl.org. Retrieved 2014-05-08.
  11. "v1.3.6 source code documentation – API Documentation". PolarSSL. Retrieved 2014-05-08.
  12. "polarssl/polarssl — GitHub". Github.com. Retrieved 2014-05-08.
  13. executable file (2020-04-26). "mbedtls/compat.sh at development · ARMmbed/mbedtls · GitHub". Github.com. Retrieved 2021-04-05.
  14. "Mbed TLS continuous integration". Trusted Firmware. Trusted Firmware. Retrieved 2021-04-05.
  15. "Connecting with the 21st century". RISC OS Open. Steve Revill. Retrieved 2022-04-19.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.