K81 KSDK MBEDTLS RSA 2048 bit key check error


1,336 Views
ste
Contributor I

My current project requires RSA 2048 bit operations performed on K81 MCU.

I am using KSDK 2.1 and mbedtls 2.2.1.

I can successfully generate an RSA 2048-bit key pair using the mbedtls_rsa_gen_key function.

Then I perform mbedtls_rsa_check_privkey on the newly generated key.

The problem is that this check fails when the key is longer than 2016 bits, e.g. 2044 or 2048 bits.

I followed the execution path like this:

bignum.c:mbedtls_rsa_check_privkey: Line 210: MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L1, &L2, &H, &G2 ) );

bignum.c:mbedtls_mpi_div_mpi: Line 1400: MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );

bignum.c:mbedtls_mpi_sub_mpi: Line 1043: MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );

ksdk_mbedtls.c: mbedtls_mpi_sub_abs: Line 767:

    if ((sizeA > sizeN) || (sizeB > sizeN))
    {
        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
    }

mbedtls_mpi_sub_abs returns MBEDTLS_ERR_MPI_BAD_INPUT_DATA because the size of A and/or B (260 bytes) is greater than size of N (256 bytes), i.e. A.n (or B.n) == 0x41.

Apparently the maximum value (number of limbs) of A.n (or B.n) that can be handled by this function is 0x40.

It looks like at some point earlier in this execution path, due to a left shift, the size of X is increased above 0x40.

My question is:

Is this limitation known to NXP, and is it possible that this limitation could affect encryption/decryption functions when used with RSA 2048-bit keys?

0 Kudos
2 Replies

935 Views
juying_zhong
NXP Employee

Hello,

We don't impose any limitation on this; the LTC of the K81 can support key sizes up to 2048 bits.

By the principle of the RSA algorithm, A and B must be no more than N.

In my experience, there is a bug behind line 406 of rsa.c when you enable the CRT function.

See the picture below for reference:

rsa_genkey_issue.jpg

If you also have the CRT function enabled, you could try it.

Best regards,

Juying

0 Kudos

935 Views
ste
Contributor I

Hi Juying!

Thank you for your reply!

I will apply the suggested fix in the mbedtls_rsa_private function and will test it.

However, please note that the issue I reported is with the RSA key check function, and AFAIK there is an updated KSDK version which deals with it; it is not related to the K81's capability to handle 2048-bit operands in the LTC module. It is the MBEDTLS library which fails to stick to max 2048-bit operands.

This issue is detected with keys generated with various PC software and imported into the K81 firmware. It is clearly linked to the size of the key.

Kind regards!

Stefko

0 Kudos
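The size arithmetic behind the trace in the first post, as an added Python model (not code from the thread, KSDK or mbedtls): it shows how the left shift before the H / G2 division pushes the dividend X past 0x40 limbs. Assumptions: 32-bit limbs, H = (P-1)(Q-1), G2 = gcd(P-1, Q-1), and a normalization shift of 31 - (bitlen(divisor) mod 32); the helper names and the P/Q stand-ins are hypothetical and constructed, not real primes, since only operand sizes matter here.

```python
from math import gcd

LIMB_BITS = 32       # assumption: 32-bit limbs (Cortex-M4 build)
HW_MAX_LIMBS = 0x40  # limit reported in the post: 0x40 limbs = 256 bytes


def normalization_shift(divisor: int) -> int:
    """Bits by which dividend and divisor are shifted left before the long
    division (assumed rule: divisor's top bit moves to bit 30 of its top limb)."""
    k = divisor.bit_length() % LIMB_BITS
    return LIMB_BITS - 1 - k if k < LIMB_BITS - 1 else 0


def dividend_after_shift(p: int, q: int) -> dict:
    """Size of X in the H / G2 division named in the post's trace."""
    h = (p - 1) * (q - 1)            # H (assumed definition)
    g2 = gcd(p - 1, q - 1)           # G2 (assumed definition)
    shift = normalization_shift(g2)
    bits = h.bit_length() + shift    # X after the left shift
    limbs = -(-bits // LIMB_BITS)    # ceiling division
    return {
        "h_bits": h.bit_length(),
        "shift": shift,
        "limbs": limbs,
        "bytes": limbs * LIMB_BITS // 8,
        "fits": limbs <= HW_MAX_LIMBS,
    }


def stand_in_factors(key_bits: int) -> tuple:
    """Constructed stand-ins for P and Q: odd, top two bits set, and
    gcd(P-1, Q-1) == 2. They are NOT primes; only their sizes are used."""
    base = 3 << (key_bits // 2 - 2)
    return base + 1, base + 3


if __name__ == "__main__":
    for key_bits in (2016, 2044, 2048):
        r = dividend_after_shift(*stand_in_factors(key_bits))
        print(f"{key_bits}-bit key: H={r['h_bits']} bits, shift={r['shift']}, "
              f"X={r['limbs']} limbs ({r['bytes']} bytes), fits={r['fits']}")
```

With real keys the shift depends on the bit length of G2, so the exact key size at which X first needs a 65th limb varies from key to key.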