MID-027: Validated Cryptographic Libraries

Mitigation Tier: Foundational

Description

Devices should use validated cryptographic libraries (e.g., adhering to FIPS-140 or equivalent). These are libraries that have been examined, tested, and vetted for safety, security, and protection against side-channels by independent laboratories according to industry-approved specifications. Building a cryptographic library is a complex and difficult process, and the result often has flaws either in the generation or processing of cryptographic primitives or in how the implemented algorithms process the input data.

Additionally, if any of the above issues do arise, libraries that aren’t validated and aren’t maintained could leave vulnerabilities in place while fixes are developed. Therefore, using widely used, well-maintained, and validated cryptographic libraries is a safer way to manage device cryptography. Vulnerabilities will be less likely to arise and, if/when they do, the wide use and active maintenance will mean that patches should come quickly.
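One way to enforce the two criteria above (validated and maintained) at build time, as an added example that is not part of the original mitigation text: a check over a firmware component inventory that flags cryptographic components missing from a validated allowlist or lacking a recent release. The library names, certificate ids, name hints, and the 365-day threshold are assumptions, and the example treats validation as applying to an exact library version.

```python
from dataclasses import dataclass
from datetime import date

# Constructed allowlist: exact (library, version) pairs the vendor has matched to a
# validation certificate. Names and certificate ids are placeholders, not real entries.
VALIDATED = {
    ("examplecrypto-fips", "3.0.9"): "CERT-PLACEHOLDER-0001",
}
# Hypothetical name hints used to spot crypto components in the inventory.
CRYPTO_HINTS = ("crypt", "ssl", "tls", "aes", "rsa")
MAX_RELEASE_AGE_DAYS = 365  # assumed threshold for "maintained"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    last_release: date


def audit(components, today):
    """Return sorted (component, finding) pairs for crypto parts that fail the policy."""
    findings = []
    for c in components:
        if not any(hint in c.name.lower() for hint in CRYPTO_HINTS):
            continue  # not a cryptographic component
        if (c.name, c.version) not in VALIDATED:
            known = any(name == c.name for name, _ in VALIDATED)
            # A validated library at a different version is still unvalidated code.
            findings.append((c.name, "UNVALIDATED_VERSION" if known else "UNVALIDATED_LIBRARY"))
        if (today - c.last_release).days > MAX_RELEASE_AGE_DAYS:
            findings.append((c.name, "STALE_RELEASE"))
    return sorted(findings)


# Constructed firmware inventory (for example, exported from an SBOM).
SAMPLE = [
    Component("examplecrypto-fips", "3.0.9", date(2024, 5, 1)),   # passes
    Component("examplecrypto-fips", "3.1.2", date(2024, 6, 1)),   # version drift
    Component("vendor-aes-impl", "0.4", date(2019, 2, 10)),       # homegrown and stale
    Component("zlib-port", "1.3", date(2018, 1, 1)),              # not crypto, ignored
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, today=date(2024, 8, 28)):
        print(f"{name}: {finding}")
```

Name matching is only a heuristic; an inventory that tags cryptographic components explicitly gives a more reliable result.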

Limitations: By using a widely used library, a device’s cryptographic library is more likely to be targeted, which could lead to the device being vulnerable to exploitation.

Consideration: Devices that use cryptographic algorithms may introduce threats via the choice or implementation of the cryptographic algorithm or software. Device builders should take precautionary steps wherever possible to mitigate this threat. See MID-044 - Strong Cryptographic Algorithms and Protocols for more information about choosing a good algorithm.

IEC 62443 4-2 Mappings

  • CR 4.3 - Use of cryptography 
