FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Setting AES-GCM Authentication Tag Length to 12 Bytes for DLMS with SE050E2

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Setting AES-GCM Authentication Tag Length to 12 Bytes for DLMS with SE050E2

Jump to solution
‎08-11-2025 11:06 AM
1,164 Views
Faizy98
Contributor I

Hi,

I am currently using the SE050E2 secure element for AES-GCM encryption and decryption operations. The encryption and decryption APIs work well, specifically the following function:

sss_status_t sss_aead_one_go( sss_aead_t *context, const uint8_t *srcData, uint8_t *destData, size_t size, uint8_t *nonce, size_t nonceLen, const uint8_t *aad, size_t aadLen, uint8_t *tag, size_t *tagLen);

This API functions perfectly when the authentication tag length is 16 bytes. However, I am working with DLMS protocol payloads that require the authentication tag to be only 12 bytes in length.

When I use this API to encrypt DLMS plain data, it generates an authentication tag of 16 bytes, but the DLMS standard expects a 12-byte tag. Similarly, for decryption, when the encrypted DLMS payload arrives with a 12-byte authentication tag, passing this 12-byte tag to the API results in a decryption failure, because the API expects the tag to be 16 bytes.

My question is:

Is there any way to configure or set the authentication tag length in the SE050E2 or its middleware so it can use a 12-byte tag as required by the DLMS standard?

Currently, the API always returns a 16-byte tag after encryption, and requires a 16-byte tag for decryption. I want to ensure compatibility with DLMS devices that use 12-byte tags without causing decryption errors.

Any guidance on configuring AES-GCM tag length for SE050E2, or recommended approaches for handling this DLMS tag size mismatch, would be highly appreciated.

Thanks in advance!

BR,
Faizy

0 Kudos
Reply
1 Solution

Jump to solution
‎08-14-2025 02:10 AM
1,107 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Faizy98 ,

 

This is defined when you create the key for AEAD operation. please kindly refer to the following for details.

Kan_Li_1-1755162576795.png

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

 

View solution in original post

Reply
2 Replies

Jump to solution
‎08-14-2025 02:10 AM
1,108 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @Faizy98 ,

 

This is defined when you create the key for AEAD operation. please kindly refer to the following for details.

Kan_Li_1-1755162576795.png

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

 

Reply

Jump to solution
‎08-14-2025 07:18 AM
1,088 Views
Faizy98
Contributor I

Thank you for your support.

BR,

Faizy

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2150265%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ESetting%20AES-GCM%20Authentication%20Tag%20Length%20to%2012%20Bytes%20for%20DLMS%20with%20SE050E2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2150265%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%20class%3D%22%22%3EHi%2C%3C%2FP%3E%3CP%20class%3D%22%22%3EI%20am%20currently%20using%20the%20SE050E2%20secure%20element%20for%20AES-GCM%20encryption%20and%20decryption%20operations.%20The%20encryption%20and%20decryption%20APIs%20work%20well%2C%20specifically%20the%20following%20function%3A%3C%2FP%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CSPAN%3E%3CSTRONG%3Esss_status_t%20sss_aead_one_go(%20sss_aead_t%20*context%2C%20const%20uint8_t%20*srcData%2C%20uint8_t%20*destData%2C%20size_t%20size%2C%20uint8_t%20*nonce%2C%20size_t%20nonceLen%2C%20const%20uint8_t%20*aad%2C%20size_t%20aadLen%2C%20uint8_t%20*tag%2C%20size_t%20*tagLen)%3B%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CSPAN%3EThis%20API%20functions%20perfectly%20when%20the%20authentication%20tag%20length%20is%2016%20bytes.%20However%2C%20I%20am%20working%20with%20DLMS%20protocol%20payloads%20that%20require%20the%20authentication%20tag%20to%20be%20only%2012%20bytes%20in%20length.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%20class%3D%22%22%3EWhen%20I%20use%20this%20API%20to%20encrypt%20DLMS%20plain%20data%2C%20it%20generates%20an%20authentication%20tag%20of%2016%20bytes%2C%20but%20the%20DLMS%20standard%20expects%20a%2012-byte%20tag.%20Similarly%2C%20for%20decryption%2C%20when%20the%20encrypted%20DLMS%20payload%20arrives%20with%20a%2012-byte%20authentication%20tag%2C%20passing%20this%2012-byte%20tag%20to%20the%20API%20results%20in%20a%20decryption%20failure%2C%20because%20the%20API%20expects%20the%20tag%20to%20be%2016%20bytes.%3C%2FP%3E%3CP%20class%3D%22%22%3EMy%20question%20is%3A%3C%2FP%3E%3CP%20class%3D%22%22%3E%3CSTRONG%3EIs%20there%20any%20way%20to%20configure%20or%20set%20the%20authentication%20tag%20length%20in%20the%20SE050E2%20or%20its%20middleware%20so%20it%20can%20use%20a%2012-byte%20tag%20as%20required%20by%20the%20DLMS%20standard%3F%3C%2FSTRONG%3E%3C%2FP%3E%3CP%20class%3D%22%22%3ECurrently%2C%20the%20API%20always%20returns%20a%2016-byte%20tag%20after%20encryption%2C%20and%20requires%20a%2016-byte%20tag%20for%20decryption.%20I%20want%20to%20ensure%20compatibility%20with%20DLMS%20devices%20that%20use%2012-byte%20tags%20without%20causing%20decryption%20errors.%3C%2FP%3E%3CP%20class%3D%22%22%3EAny%20guidance%20on%20configuring%20AES-GCM%20tag%20length%20for%20SE050E2%2C%20or%20recommended%20approaches%20for%20handling%20this%20DLMS%20tag%20size%20mismatch%2C%20would%20be%20highly%20appreciated.%3C%2FP%3E%3CP%20class%3D%22%22%3EThanks%20in%20advance!%3CBR%20%2F%3E%3CBR%20%2F%3EBR%2C%3CBR%20%2F%3EFaizy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2152408%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20Setting%20AES-GCM%20Authentication%20Tag%20Length%20to%2012%20Bytes%20for%20DLMS%20with%20SE050E2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2152408%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EThank%20you%20for%20your%20support.%3C%2FP%3E%3CP%3EBR%2C%3C%2FP%3E%3CP%3EFaizy%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2152249%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20Setting%20AES-GCM%20Authentication%20Tag%20Length%20to%2012%20Bytes%20for%20DLMS%20with%20SE050E2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2152249%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F253702%22%20target%3D%22_blank%22%3E%40Faizy98%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EThis%20is%20defined%20when%20you%20create%20the%20key%20for%20AEAD%20operation.%20please%20kindly%20refer%20to%20the%20following%20for%20details.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Kan_Li_1-1755162576795.png%22%20style%3D%22width%3A%20569px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22Kan_Li_1-1755162576795.png%22%20style%3D%22width%3A%20569px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F352423iF3080388BF9D9892%2Fimage-dimensions%2F569x498%3Fv%3Dv2%22%20width%3D%22569%22%20height%3D%22498%22%20role%3D%22button%22%20title%3D%22Kan_Li_1-1755162576795.png%22%20alt%3D%22Kan_Li_1-1755162576795.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EHave%20a%20great%20day%2C%3CBR%20%2F%3EKan%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E-------------------------------------------------------------------------------%3CBR%20%2F%3ENote%3A%3CBR%20%2F%3E-%20If%20this%20post%20answers%20your%20question%2C%20please%20click%20the%20%22Mark%20Correct%22%20button.%20Thank%20you!%3CBR%20%2F%3E-%20We%20are%20following%20threads%20for%207%20weeks%20after%20the%20last%20post%2C%20later%20replies%20are%20ignored%3CBR%20%2F%3EPlease%20open%20a%20new%20thread%20and%20refer%20to%20the%20closed%20one%2C%20if%20you%20have%20a%20related%20question%20at%20a%20later%20point%20in%20time.%3CBR%20%2F%3E-------------------------------------------------------------------------------%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E