AES peripheral works differently

JR2963 · ‎2024-03-18

I want to use AES peripheral for encryption in ECB mode (256). I am able to encrypt and decrypt on the same MCU, but if I compare the encryption results, the HW peripheral has a different result than the SW library AES.c or encryption in Python - the last two have the same result.

hcryp.Instance = AES;

hcryp.Init.DataType = CRYP_DATATYPE_32B;

hcryp.Init.KeySize = CRYP_KEYSIZE_256B;

hcryp.Init.pKey = (uint32_t *)aAES256key;

hcryp.Init.Algorithm = CRYP_AES_ECB;

hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;

hcryp.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE;

hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ALWAYS;

if (HAL_CRYP_Init(&hcryp) != HAL_OK)

I use it like that: HAL_CRYP_Encrypt(&hcryp,(uint32_t*) plain_text, 16,(uint32_t*) tmp_encrypt,0xffff);

uint8_t aAES256key[32] =
{
  0x4d, 0xf0, 0x2c, 0x47, 0x64, 0xa4, 0x28, 0xd9,
  0xe5, 0x36, 0x83, 0x38, 0x4c, 0x3e, 0x69, 0xfa,
  0x14, 0x4d, 0xb9, 0xb4, 0xdf, 0x4d, 0x77, 0x43,
  0x4c, 0xf3, 0xf6, 0xff, 0x5d, 0x5c, 0xde, 0x81
};

uint8_t plain_text[] = {0xff, 0xff, 0xff, 0xff, 0xca, 0x9d, 0xcf, 0x09,
		        0x5c, 0xba, 0xb7, 0x1d, 0x2e, 0x00, 0xf2, 0x20,
			0xff, 0x54, 0x03, 0x02, 0xbd};

I should get cipher starting like 0x6e,0x55,0x3e,0xae,.. instead of it I get 0x28,0x8b,0xd9,0x17,0x31,...

JR2963 · ‎2024-03-19

I've already solved it; the whole problem was in the correct comparison of the AES key and setting of AES

if you have KEY:

 uint8_t aes_key_8bit[] = {
      0x4d, 0xf0, 0x2c, 0x47, 0x64, 0xa4, 0x28, 0xd9,
      0xe5, 0x36, 0x83, 0x38, 0x4c, 0x3e, 0x69, 0xfa,
      0x14, 0x4d, 0xb9, 0xb4, 0xdf, 0x4d, 0x77, 0x43,
      0x4c, 0xf3, 0xf6, 0xff, 0x5d, 0x5c, 0xde, 0x81
  };

you have to convert it to:

 uint32_t aes_key2_32bit[] = {
      0x4df02c47, 0x64a428d9, 0xe5368338, 0x4c3e69fa,
      0x144db9b4, 0xdf4d7743, 0x4cf3f6ff, 0x5d5cde81
  };

also AES setting for ECB can be like that:

 hcryp.Instance = AES;
  hcryp.Init.DataType = CRYP_DATATYPE_8B;
  hcryp.Init.KeySize = CRYP_KEYSIZE_256B;
  hcryp.Init.pKey = (uint32_t *)aes_key2_32bit;
  hcryp.Init.Algorithm = CRYP_AES_ECB;
  hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
  hcryp.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_WORD;
  hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ALWAYS;

View solution in original post

SofLit · ‎2024-03-18

Hello,

You need also to provide the product you're using!

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.

JR2963 · ‎2024-03-18

...STM32WL55jc1

Andrew Neil · ‎2024-03-18

Duplicate: https://community.st.com/t5/stm32-mcus-security/aes-ecb-256-peripheral-encrypts-differently/td-p/651469 ?

EDIT: it's now been deleted.

SofLit · ‎2024-03-18

In the other thread, the product mentioned is STM32U5. Here STM32WL55 .. confusion!

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.

Tesla DeLorean · ‎2024-03-18

It does tend to be endian related.

I tend to use PC/X86 builds to test and contrast.

I seem to recall some NIST/FIPS type test cases in some of the examples. And definitely have some of my own test cases to validate the build functions properly.

TBH I'd hope the behaviour across STM32 families to be consistent. Some of the library code is crippled / STM32 locked via the CRC peripheral

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..

JR2963 · ‎2024-03-18

It is really for STM32WL.. When I use tinyAES on STM32 it calculates also the same as on windows (python). Only the HW peri calculates it differently. https://github.com/kokke/tiny-AES-c/blob/master/aes.c

Any idea what else to try?

JR2963 · ‎2024-03-19

The issue may be in sending an array of uint8_t values for encryption, instead of an array of uint32_t values, because NO_SWAPPING is intended only for uint32_t types? But I wan to encrypt only 16 Bytes.. Any Idea please?

#define CRYP_DATATYPE_32B         0x00000000U  /*!< 32-bit data type (no swapping)        */
#define CRYP_DATATYPE_16B         AES_CR_DATATYPE_0       /*!< 16-bit data type (half-word swapping) */
#define CRYP_DATATYPE_8B          AES_CR_DATATYPE_1       /*!< 8-bit data type (byte swapping)       */
#define CRYP_DATATYPE_1B          AES_CR_DATATYPE         /*!< 1-bit data type (bit swapping)        */

 hcryp.Instance = AES;
  hcryp.Init.DataType = CRYP_DATATYPE_8B;
  hcryp.Init.KeySize = CRYP_KEYSIZE_256B;
  hcryp.Init.pKey = (uint32_t *)aAES256key;
  hcryp.Init.Algorithm = CRYP_AES_ECB;
  hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
  hcryp.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_WORD;
  hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ALWAYS;

JR2963 · ‎2024-03-19

I've already solved it; the whole problem was in the correct comparison of the AES key and setting of AES

if you have KEY:

 uint8_t aes_key_8bit[] = {
      0x4d, 0xf0, 0x2c, 0x47, 0x64, 0xa4, 0x28, 0xd9,
      0xe5, 0x36, 0x83, 0x38, 0x4c, 0x3e, 0x69, 0xfa,
      0x14, 0x4d, 0xb9, 0xb4, 0xdf, 0x4d, 0x77, 0x43,
      0x4c, 0xf3, 0xf6, 0xff, 0x5d, 0x5c, 0xde, 0x81
  };

you have to convert it to:

 uint32_t aes_key2_32bit[] = {
      0x4df02c47, 0x64a428d9, 0xe5368338, 0x4c3e69fa,
      0x144db9b4, 0xdf4d7743, 0x4cf3f6ff, 0x5d5cde81
  };

also AES setting for ECB can be like that:

 hcryp.Instance = AES;
  hcryp.Init.DataType = CRYP_DATATYPE_8B;
  hcryp.Init.KeySize = CRYP_KEYSIZE_256B;
  hcryp.Init.pKey = (uint32_t *)aes_key2_32bit;
  hcryp.Init.Algorithm = CRYP_AES_ECB;
  hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
  hcryp.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_WORD;
  hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ALWAYS;