ARM mbed TLS makes it trivially easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products, facilitating this functionality with a minimal code footprint. It offers an SSL library with an intuitive API and readable source code, and includes an elaborate test suite. You can build it out of the box on most systems, or manually select and configure features.
The mbed TLS library provides a set of cryptographic components that you can use and compile separately, and include or exclude using a single configuration header file. mbed TLS also provides a central SSL/TLS module that builds on the cryptographic components, the abstraction layers and the support components to provide a complete protocol implementation for SSL and TLS.
From a functional perspective, the library is split into three major parts:
- The SSL/TLS protocol implementation.
- A cryptographic library.
- An X.509 Certificate handling library.
SSL/TLS client and server
mbed TLS offers client-side and server-side support for all current SSL and TLS standards: SSL version 3 and TLS versions 1.0, 1.1 and 1.2. This of course includes support for most of the standardized protocol extensions, such as Server Name Indication (SNI), Session Tickets and Secure Renegotiation.
The mbed TLS implementation supports the predominant key exchange methods and over 100 of the different standardized ciphersuites.
The cryptographic part of mbed TLS has abstraction layers for Public Key cryptography, Hashing (Message Digests) and Symmetric Ciphers. It also contains standards-based random number generators and an entropy pool.
All cryptographic algorithms are implemented as loosely-coupled modules. You can just take the appropriate header files and source code files and drop them in your project as needed.
Symmetric encryption algorithms
The Cipher abstraction layer provides symmetric encryption and decryption functions for secrecy. It supports different block cipher modes for algorithms, ranging from Electronic Code Book (ECB) and Cipher Block Chaining (CBC) to Counter Mode (CTR), Cipher Feedback Mode (CFB) and Galois Counter Mode (GCM).
mbed TLS provides the most commonly used algorithms, such as AES, Blowfish and Camellia, as well as older or deprecated algorithms, such as DES and RC4.
For hashing and message digests mbed TLS provides a Message Digest abstraction layer, which can provide one-way hash and hash message authentication code (HMAC).
mbed TLS provides support for the most commonly used algorithms, such as SHA-256, SHA-512 and RIPEMD-160, as well as older or deprecated algorithms, such as MD2, MD4, MD5 and SHA-1.
You can use the Public Key abstraction layer for confidentiality, integrity, authentication and non-repudiation based on asymmetric algorithms, with either the traditional RSA or Elliptic Curves.
For Key Exchanges, support is available for:
- Elliptic Curve Diffie-Hellman-Merkle (ECDH).
- Elliptic Curve Digital Signature Algorithm (ECDSA).
Random number generation
For random number generation mbed TLS provides an entropy pool and specific implementations for CTR-DRBG and HMAC-DRBG, which are NIST standardized random number generators. The entropy pool system gathers entropy from standard sources and application-provided sources.
X.509 certificate handling
SSL/TLS authentication, and a few other protocols, need support for X.509 certificate handling. The X.509 certificate can convey an identity to other parties, but has to be checked for validity by the other party before use.
mbed TLS includes support for:
- X.509 certificate (CRT) parsing.
- X.509 certificate revocation list (CRL) parsing.
- X.509 (RSA/ECDSA) private key parsing.
- X.509 certificate verification: checks whether a certificate's signature chain is rooted with a trusted certificate authority, and whether the certificate (or one of the intermediate CAs in its chain) is in the certificate revocation list of its issuing CA.
Additionally, it is possible to perform certain Certificate Authority actions to create certificates from scratch, like:
- X.509 certificate (CRT) writing.
- X.509 (RSA/ECDSA) private key writing.
- X.509 certificate request (CSR) parsing.
- X.509 certificate request (CSR) writing.
mbed TLS uses a continuous integration system to make sure we maintain the highest possible code quality. Our system checks all committed code on an ever growing set of operating systems and chipsets, covering:
- Regression testing.
- Test vectors.
- Multiple static analyzers.
- Interoperability testing.
- Behavioural testing.
- Security testing through fuzzing.
- Function and unit testing against known values.
- Code coverage testing.
- Validation testing.
There are two ways to get mbed TLS:
- Open source, under the Apache 2.0 license.
- mbed Partnership. This provides mbed TLS under a commercial license, meaning:
- You do not have to distribute copyright notices and licenses for mbed TLS with your product.
- You receive priority support for bugs and feature requests.
For information about mbed Partnership, please contact: email@example.com.
Get mbed TLS
Other ways to get mbed TLS
View the latest releases and read the release notes for mbed TLS on tls.mbed.org.
Search our knowledge base by question or keyword on tls.mbed.org.
Read and respond to discussions other people have posted, or create your own discussion.