
TM4C129XNCZAD: Example projects implementing AES-GCM Encryption for TIVA Devices

Part Number: TM4C129XNCZAD

I'm currently playing around with the TI provided example programs. When using AES-GCM-256, I encountered a possible issue within the example projects:

aes_gcm_encrypt

aes_gcm_decrypt

When using public test vectors, the AES-GCM-256 procedure will fail. This is caused by a parameter given in the following call, which is part of AESGCMY0Get():

//
// Next, perform the GHASH operation.
//
AESGHASH(ui32Keysize, pui32HashSubkey, pui32IV, ui32IVLength, pui32Y0);

According to my research, the subkey H always has a length of 128 bits, while here it might become 192 or 256 bits (in the case of AES-GCM-256). So in my opinion the call should be changed to:

AESGHASH(AES_CFG_KEY_SIZE_128BIT, pui32HashSubkey, pui32IV, ui32IVLength, pui32Y0);

With this modification, the example projects pass all public test vectors.

Could you please verify this potential issue?
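As an added reference check (not TivaWare code and not part of the original post), the Y0 derivation below follows the GCM spec directly: the GHASH subkey H is one 128-bit block whatever the AES key size, and Y0 for a non-96-bit IV is GHASH_H over the padded IV and its bit length. The H and IV constants are the published values of GCM-spec test case 18, the case the thread uses; the function and variable names are my own.

```python
# Pure-Python GCM pre-counter (Y0 / J0) derivation, added here to illustrate
# the thread; it is not TivaWare code. H and the 60-byte IV are the published
# values of GCM-spec test case 18 (AES-GCM-256).

def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements as in GCM-spec Algorithm 1.

    Bit 0 of a block is its most significant bit; the reduction polynomial
    x^128 + x^7 + x^2 + x + 1 is encoded as R = 0xE1 << 120.
    """
    R = 0xE1 << 120
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H over data (a whole number of 16-byte blocks)."""
    # H is always a single 128-bit block; the AES key size plays no role here.
    if len(h) != 16:
        raise ValueError("GHASH subkey H must be exactly 128 bits")
    if len(data) % 16:
        raise ValueError("GHASH input must be a multiple of 128 bits")
    h_int, y = int.from_bytes(h, "big"), 0
    for off in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[off:off + 16], "big"), h_int)
    return y.to_bytes(16, "big")


def gcm_y0(h: bytes, iv: bytes) -> bytes:
    """Pre-counter block Y0 (J0 in SP 800-38D) for any IV length."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"          # 96-bit IV: IV || 0^31 || 1
    # Otherwise: GHASH_H(IV || 0^s || 0^64 || [len(IV)]_64)
    padded = iv + b"\x00" * (-len(iv) % 16)
    padded += bytes(8) + (len(iv) * 8).to_bytes(8, "big")
    return ghash(h, padded)


# Published GCM-spec test case 18 values (256-bit key, 480-bit IV).
TC18_H = bytes.fromhex("acbef20579b4b8ebce889bac8732dad7")   # H = AES_K(0^128)
TC18_IV = bytes.fromhex("9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2"
                        "a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b")
TC18_Y0 = bytes.fromhex("0cd953e2140a5976079f8e2406bc8eb4")

if __name__ == "__main__":
    print("Y0 matches test case 18:", gcm_y0(TC18_H, TC18_IV) == TC18_Y0)
```

Feeding the device's AESGCMY0Get() output and this reference the same H and IV is a quick way to confirm the fix before trusting the full encrypt/decrypt path.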

  • Hello Eike,

    Neither I nor the original developers of this example are security experts or have substantial cryptography backgrounds - the example projects were put together to show how to use TivaWare API calls to leverage the hardware encryption on the devices, but they were not tested against public test vectors as you have done.

    Your explanation makes perfect sense to me and I can even put it in as a future improvement, but I am not sure how I can offer any 'verification' here since I do not have any cryptography background. From what I can see, the hardware module is set up to receive up to 256-bit keys, but if the proper use case is for 128-bit due to public cryptography tests etc., that is really an application-specific element that needs to be vetted and validated on your end. I am not in a position to comment on whether or not a specific implementation is properly secured - I can only guide you on how to use the peripheral to get outputs, and in this case it looks like you are getting the right outputs with that adjustment.

    Again, good information to have and I'd be happy to ensure we update the example when the next TivaWare is worked on based on your feedback here for what is expected by these public test vectors.

    Best Regards,

    Ralph Jacobi

  • Hello Ralph,

    I can absolutely understand that. We are in the process of moving to Tiva from another ARM platform, so your sample projects are very helpful. It would have taken me many days to implement the whole hardware accelerated GCM process on Tiva by myself.

    I took the test vectors from https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf and selected test case 18 for AES-GCM-256.

    Thank you very much for your answer!

    Eike

  • Hi Eike,

    Glad to hear that overall TivaWare has been able to speed your development!

    I went ahead and submitted an improvement ticket to our tracker with the details you provided and that link. Thanks in return for the feedback on the example project.

    Best Regards,

    Ralph Jacobi