Secure AuthenticationのトピックSE050E aead encryption

SE050E aead encryption

Zarein94 — Mon, 24 Jul 2023 13:55:41 GMT

Hi,

I am trying to implement aead encryption using the SE050E. As I checked the AES-GCM algorithm is supported by this version of SE. I am using plug and trust middleware and examples to implement a simple firmware doing the following steps:

1- Creating a key object of AES type

2- Storing it in the key-store

3- initializing the aead context

4. Doing aead encryption in one go.

To do so, I am using sss api in the plug and trust middleware and I am using the se05x api methods to implement.

I have the following qustions:

1. Is there an example for aead encryption and decryption for secure element?

2. I am using the symmetric example in the plug and trust middleware and modify it to my use. I have changed the algorithm -> kAlgorithm_SSS_AES_GCM and used sss_aead_context_init and sss_aead_one_go instead of sss_symmetric_context_init and sss_cipher_one_go, respectively. I am getting an error in sss_se05x_aead_one_go outpu ( could be that the symmetric initialization does not match aead functions?). I am confused on how to implement the aead encryption, could you please give me some hints and guidance.

Looking forward to your support. Thanks a lot in advance!

Re: SE050E aead encryption

Kan_Li — Tue, 25 Jul 2023 06:26:00 GMT

Hi @Zarein94 ,

Is it possible to share your code for a review?

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: SE050E aead encryption

Zarein94 — Tue, 25 Jul 2023 17:52:25 GMT

Hi @Kan_Li, thanks for your response. Here's the modified code of symmetric example on plug and trust middleware to do aead encryption:

sss_status_t ex_sss_entry(ex_sss_boot_ctx_t *pCtx) { sss_status_t status = kStatus_SSS_Success; sss_algorithm_t algorithm; sss_mode_t mode; /* clang-format off */ uint8_t srcData[16] = { 0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x31 }; /*HELLOHELLOHELLO1*/ uint8_t keystring[KEY_BIT_LEN / 8] = { 0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x48 ,0x45 ,0x4c ,0x4c ,0x4f ,0x31 }; /*HELLOHELLOHELLO1*/ uint8_t destData[16] = {0,}; size_t destDataLen = sizeof(destData); uint8_t iv[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfd, 0x15, 0x71, 0x99, 0x32, 0xd3, 0x56, 0x90}; size_t ivlen = sizeof(iv); uint32_t keyId = MAKE_TEST_ID(__LINE__); sss_key_part_t keyPart; sss_cipher_type_t cipherType; size_t keyByteLenMax = KEY_BIT_LEN/8; sss_object_t key = { 0 }; sss_aead_t ctx_aead_encrypt = { 0 }; size_t TAG_SIZE = (96 / 8); uint8_t tag[TAG_SIZE]; uint8_t *aad =(uint8_t*)"Extra authentication data"; size_t aadSize = strlen((char*)aad); algorithm = kAlgorithm_SSS_AES_GCM; keyPart = kSSS_KeyPart_Default; cipherType = kSSS_CipherType_AES; mode = kMode_SSS_Encrypt; /* doc:start ex_sss_symmetric-allocate-key */ /* Pre-requisite for encryption Part*/ ENSURE_OR_GO_CLEANUP(kType_SSS_SE_SE05x == pCtx->session.subsystem); status = sss_key_object_init(&key, &pCtx->ks); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); status = sss_key_object_allocate_handle(&key, keyId, keyPart, cipherType, keyByteLenMax, kKeyObject_Mode_Persistent); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); status = sss_key_store_set_key(&pCtx->ks, &key, keystring, sizeof(keystring), sizeof(keystring) * 8, NULL, 0); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); /* doc:end ex_sss_symmetric-allocate-key */ /* doc:start ex_sss_aead-encrypt */ status = sss_aead_context_init(&ctx_aead_encrypt, &pCtx->session, &key, algorithm, mode); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); LOG_I("Do Encryption"); LOG_MAU8_I("iv", iv, ivlen); LOG_MAU8_I("srcData", srcData, ivlen); /*Do Encryption*/ status = sss_aead_one_go(&ctx_aead_encrypt,srcData,destData, destDataLen, iv, ivlen, aad, aadSize, tag, &TAG_SIZE); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); /* doc:end ex_sss_aead-encrypt */ LOG_MAU8_I("encrypted data", destData, destDataLen); LOG_I("Encryption successful !!!"); cleanup: if (ctx_aead_encrypt.session != NULL) { sss_aead_context_free(&ctx_aead_encrypt); } sss_key_object_free(&key); return status; }

sss :WARN :nxEnsure:'status == SM_OK' failed. At Line:6082 Function:sss_se05x_aead_one_go
App :WARN :nxEnsure:'status == kStatus_SSS_Success' failed. At Line:116 Function:ex_sss_entry

Re: SE050E aead encryption

Kan_Li — Wed, 26 Jul 2023 09:15:42 GMT

Hi @Zarein94 ,

Thanks for the information!

For AEAD encryption, the length of the authentication tag is always 16 bytes, as mentioned in the APDU spec:

so please adjust the tag length in your application code accordingly (12 ==> 16).

Please kindly let me know if the problem is still there.

Have a great day,
Kan

Re: SE050E aead encryption

Zarein94 — Wed, 26 Jul 2023 13:51:04 GMT

Thanks @Kan_Li for your support! That was the problem! It works fine now!