CC2745R10-Q1: About AESCBC_oneStepDecrypt

Part Number: CC2745R10-Q1
Other Parts Discussed in Thread: SYSCONFIG

Hello,

My environment is as follows:
Board: CC2745R10-Q1
Debugger: XDS110
SDK: SimpleLink Lowpower f3 ver.9.10.00.83
IDE: IAR Embedded Workbench for ARM 9.60.3.7274

Looking at the SDK source, it only processes key encodings CryptoKey_PLAINTEXT_HSM or CryptoKey_KEYSTORE_HSM.

Does this mean that CBC decryption is not possible unless the key is stored on an HSM?

Is it possible to perform CBC decryption using a key stored in PSA storage (with a lifetime of KEYSTORE_PSA_KEY_LIFETIME_PERSISTENT)?

Also, could you tell me how to enable ENABLE_KEY_STORAGE (a SysConfig setting?)?

※If the key encoding is CryptoKey_KEYSTORE_HSM, ENABLE_KEY_STORAGE must be enabled in the compilation software.

Best,

  • Hi !

    1) You are correct, on the CC27XX and CC35XX family of boards, AESCBC encryption and decryption require the key to be stored on the HSM. This can be done by calling CryptoKeyPlaintextHSM_initKey instead of CryptoKeyPlaintext_initKey.

    2) When initializing a key using the PSA API, you can use the KeyStore_PSA_initKeyHSM function, which will create a key with the CryptoKey_KEYSTORE_HSM encoding. This encoding is accepted by the AESCBC_oneStepDecrypt function.

    3) According to the user guide, simply adding a PSA crypto + keystore module in SysConfig is enough to enable the use of these functions.

    HSM, PSA and crypto are difficult subjects, and I invite you to read the user guide chapter about KeyStore and about PSA for more guidance on how to use these APIs.

    Kind regards,
    Maxence

  • Hello,

    1) Is there a way to decrypt AESCBC using CryptoKey_KEYSTORE encoding (initializing the key with KeyStore_PSA_initKey)?
    If so, please tell me how.
    Will CryptoKey_KEYSTORE encoding be supported in future SDK versions?

    2)3)

    Below is test code for AESCBC decryption using the KeyStore_PSA_initKeyHSM function.

    #include <stddef.h>
    #include <stdint.h>

    #include <ti/drivers/AESCBC.h>
    #include <ti/drivers/cryptoutils/cryptokey/CryptoKeyKeyStore_PSA.h>
    #include <ti/drivers/cryptoutils/hsm/HSMLPF3.h>

    static void vos_CBC_test( void )
    {
        KeyStore_PSA_KeyFileId      stt_keyID;
        KeyStore_PSA_KeyAttributes  stt_attributes = KEYSTORE_PSA_KEY_ATTRIBUTES_INIT;
        AESCBC_Operation            stS_CryptIf_AESCBC_Operation;
        CryptoKey                   stt_CryptoKey;
        AESCBC_Handle               psts_AesCbcHandle;
        int_fast16_t                s2s_status;

        /* AES-128 key, IV and one 16-byte ciphertext block used for the test */
        uint8_t au1s_Key[16] = {0x06, 0xa9, 0x21, 0x40, 0x36, 0xb8, 0xa1, 0x5b, 0x51, 0x2e, 0x03, 0xd5, 0x34, 0x12, 0x00, 0x06};
        uint8_t au1s_iv[16] =  {0x2f, 0xe2, 0xb3, 0x33, 0xce, 0xda, 0x8f, 0x98, 0xf4, 0xa9, 0x9b, 0x40, 0xd2, 0xcd, 0x34, 0xa8};
        uint8_t au1s_In[16] =  {0x47, 0x48, 0x7F, 0xAC, 0x8f, 0xa4, 0xfa, 0x72, 0x9B, 0xB7, 0xC6, 0x62, 0x36, 0x1a, 0x51, 0x94};
        uint8_t au1s_Out[16] = {0};

        /* Initialize the KeyStore and provision the HSM hardware unique key */
        s2s_status = KeyStore_PSA_init();
        if (s2s_status != KEYSTORE_PSA_STATUS_SUCCESS)
        {
            while(1);
        }

        s2s_status = HSMLPF3_provisionHUK();
        if (s2s_status != HSMLPF3_STATUS_SUCCESS)
        {
            while(1);
        }

        /* Describe the key: AES-128, decrypt-only, CBC without padding, held in the HSM asset store */
        GET_KEY_ID(stt_keyID, KEYSTORE_PSA_KEY_ID_USER_MIN);
        KeyStore_PSA_setKeyId(&stt_attributes, stt_keyID);
        KeyStore_PSA_setKeyType(&stt_attributes, KEYSTORE_PSA_KEY_TYPE_AES);
        KeyStore_PSA_setKeyUsageFlags(&stt_attributes, KEYSTORE_PSA_KEY_USAGE_DECRYPT);
        KeyStore_PSA_setKeyAlgorithm(&stt_attributes, KEYSTORE_PSA_ALG_CBC_NO_PADDING);
        KeyStore_PSA_setKeyLifetime(&stt_attributes, KEYSTORE_PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(KEYSTORE_PSA_KEY_PERSISTENCE_DEFAULT, KEYSTORE_PSA_KEY_LOCATION_HSM_ASSET_STORE));
        KeyStore_PSA_setKeyBits(&stt_attributes, 128);
        /* Import the keyingMaterial; stop here if the import fails */
        s2s_status = KeyStore_PSA_importKey(&stt_attributes, au1s_Key, (size_t)16, &stt_keyID);
        if (s2s_status != KEYSTORE_PSA_STATUS_SUCCESS)
        {
            while(1);
        }

        AESCBC_init();
        /* Build a CryptoKey with CryptoKey_KEYSTORE_HSM encoding that refers to the imported key */
        s2s_status = KeyStore_PSA_initKeyHSM( &stt_CryptoKey, stt_keyID, (size_t)16, NULL );
        if (s2s_status != KEYSTORE_PSA_STATUS_SUCCESS)
        {
            while(1);
        }

        /* AESCBC_open returns NULL on failure */
        psts_AesCbcHandle = AESCBC_open(0, NULL);
        if (psts_AesCbcHandle == NULL)
        {
            while(1);
        }

        AESCBC_OneStepOperation_init( &stS_CryptIf_AESCBC_Operation );
        stS_CryptIf_AESCBC_Operation.key               = &stt_CryptoKey;
        stS_CryptIf_AESCBC_Operation.input             = (uint8_t*)au1s_In;
        stS_CryptIf_AESCBC_Operation.output            = (uint8_t*)au1s_Out;
        stS_CryptIf_AESCBC_Operation.inputLength       = sizeof(au1s_In);
        stS_CryptIf_AESCBC_Operation.iv                = (uint8_t*)au1s_iv;

        s2s_status = AESCBC_oneStepDecrypt( psts_AesCbcHandle, &stS_CryptIf_AESCBC_Operation );

        AESCBC_close(psts_AesCbcHandle);

        /* The decrypt status is checked after the handle has been released */
        if(s2s_status != AESCBC_STATUS_SUCCESS)
        {
            while(1);
        }
    }

    When I debugged it, I found that ENABLE_KEY_STORAGE was disabled, so the error message AESCBC_STATUS_FEATURE_NOT_SUPPORTED was displayed and the code terminated.
    Please tell me how to resolve this.

    The SysConfig settings are as follows:

    Best,

  • Hi !

    There is currently no way to perform AESCBC using CryptoKey_KEYSTORE encoding by initializing the key with KeyStore_PSA_initKey, and we have no future plans to support it, as we want to push towards only using the PSA API.

    I'm looking into how to enable ENABLE_KEY_STORAGE. From what I understand, those files are pre-compiled into a .a file and then linked against your project. Manually defining ENABLE_KEY_STORAGE would not change anything unless you rebuilt the library. If you're looking for an example of AESCBC decryption, you can look at the C:\ti\simplelink_lowpower_f3_sdk_9_11_00_18\examples\rtos\LP_EM_CC2745R10_Q1\drivers\aescbc example.

    Kind regards,
    Lea