OAD is a nice feature, many thanks to the TI guys for providing some sample code for this. Nevertheless I am not happy with the TI solution for OAD for 2 reasons:
1. Encrypting the bin files with the help of an evaluation board (which we do not have) and serial cables (our Macs have no serial ports) is a mess and does not allow to integrate the encryption into the SW production process automatically.
2. The encryption method chosen by TI seems to be vulnerable.
To solve the first problem we developed a tool to encrypt the .bin files and integrated this tool into the Xcode development process of our iPhone app. Whenever we create a new FW version with IAR, the build process will automatically encrypt the .bin files and will copy them into the iPhone app, which is the OAD master.
For this development we needed to do heavy reverse-engineering of the BEM sample code and the EBL sample code. During reverse engineering we found that it seems to be very simple to decrypt an encrypted .bin file even without knowing the key and iv. We did not test this security attack because we have no test file available, which has been encrypted with the TI sample code EBL.
We changed the encryption method in the following way.
1. We sign the bin file with AES128-CBC-MAC. During signing we skip the 16 Byte block where the signature will be stored.
2. For signing we use no salt, nonce or iv.
3. For signing we use a key which is distinct from the key used for encryption. This signature key is a shared secret between the Xcode development site and the CC2541 module.
4. We encrypt the complete file excluding the img header (First 16 bytes).
5. The signature is the first block to be encrypted and is different from ImgA, ImgB and different from version to version.
6. We encrypt using AES128-CBC. We encrypt the bin file as a whole. The key and the iv is a shared secret between the Xcode development site and the CC2541 module. The key and iv is always the same for the lifetime of the product.
7. We strip the padding, which is appended to the bin file by the standard encryption tools and rely on the fixed length of ImgA and ImgB.
My question to the reader is: Is there a security risk visible in this encryption strategy?
My advice for the reader is: Do not use the encryption strategy of the TI sample code. Change it!