2024-05-20 07:51 AM
I'm trying to create ECDSA keys on a STM32WL55 using the X-Cube/HAL Crypto library. I can generate NIST keys no problem, however when I try using the Brainpool curves, it mostly returns the following error: CMOX_ECC_ERR_WRONG_RANDOM ((cmox_ecc_retval_t)0x0006000B) /*!< Random not compliant with the API (Recall with other random material) */
I've tried the following curves: CMOX_ECC_CURVE_BPP256R1 and CMOX_ECC_CURVE_BPP384R1. Sometimes BPP256R1 works, but BPP384R1 seems to always fail. That's very strange so it almost seems the library is validating the randomness in some way? I'm using the RNG to create a buffer of randoms the same size as the public key in bytes.
Here is the gist of the code:
// inputs: size_t pubLen, ecc_key_t* keypair
uint16_t randSize = pubLen;
uint8_t randBuff[randSize];
// ... set randoms via HAL_RNG_GenerateRandomNumber
if ((result = cmox_ecdsa_keyGen(&eccHandle, CMOX_ECC_CURVE_BPP256R1, randBuff, randSize,
        keypair->private, &keypair->privLen, keypair->public, &keypair->pubLen)) != CMOX_ECC_SUCCESS) {
    return result;
}
// ecc_key_t defined as...
typedef struct {
    size_t privLen;
    size_t pubLen;
    uint8_t* private;
    uint8_t* public;
} ecc_key_t;
Any ideas?
2024-05-20 11:24 PM
Hello @antfarmer
There is a related statement in https://wiki.st.com/stm32mcu/wiki/Security:Secure_usage_of_the_Cryptographic_Library
"Even if the random array has the correct length, a failure might occur with return value CMOX_ECC_ERR_WRONG_RANDOM. A security check is done inside the ECC functions, assuring not only that the byte length is correct, but also that the value is compatible with the chosen curve N parameter.
For NIST curves, that have the N parameter starting with 0xFFFFFFFF…, this scenario is highly improbable, while for other curves (for example brainpoolP384r1) the probability can almost reach 50%.
The solution to this is to generate a new random byte array and recall the cryptographic API."
Br,
Frantz
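The check and retry described in the quoted wiki text, modelled as an added example (not code from this thread or from ST's library). It assumes the library's test is the usual range check 0 < k < N; `model_keygen`, `demo_rng` and `keygen_with_retry` are hypothetical stand-ins for `cmox_ecdsa_keyGen`, the hardware RNG and the caller's wrapper, and `demo_rng` returns constructed values.

```c
#include <stdint.h>
#include <string.h>

#define ERR_WRONG_RANDOM 0x0006000Bu /* value of CMOX_ECC_ERR_WRONG_RANDOM quoted in the question */
#define KEYGEN_OK        0u          /* stand-in success code (assumption) */
typedef void (*rng_fn)(uint8_t *buf, size_t len);
typedef uint32_t (*keygen_fn)(const uint8_t *rnd, size_t len);

/* Order N of brainpoolP384r1 (RFC 5639), big-endian. It starts 0x8C, not 0xFF. */
static const uint8_t BP384R1_N[48] = {
    0x8C,0xB9,0x1E,0x82,0xA3,0x38,0x6D,0x28,0x0F,0x5D,0x6F,0x7E,
    0x50,0xE6,0x41,0xDF,0x15,0x2F,0x71,0x09,0xED,0x54,0x56,0xB3,
    0x1F,0x16,0x6E,0x6C,0xAC,0x04,0x25,0xA7,0xCF,0x3A,0xB6,0xAF,
    0x6B,0x7F,0xC3,0x10,0x3B,0x88,0x32,0x02,0xE9,0x04,0x65,0x65 };

/* Returns 1 when 0 < k < n (big-endian, equal length); no early exit on secret bytes. */
int scalar_in_range(const uint8_t *k, const uint8_t *n, size_t len) {
    unsigned borrow = 0, nonzero = 0;
    for (size_t i = len; i-- > 0; ) {   /* subtract n from k, least significant byte first */
        borrow = (((unsigned)k[i] - n[i] - borrow) >> 8) & 1u;
        nonzero |= k[i];
    }
    return (int)(borrow & (unsigned)(nonzero != 0)); /* final borrow set <=> k < n */
}

/* Stand-in for the library call: rejects random material outside [1, N-1]. */
uint32_t model_keygen(const uint8_t *rnd, size_t len) {
    int ok = (len == sizeof BP384R1_N) && scalar_in_range(rnd, BP384R1_N, len);
    return ok ? KEYGEN_OK : ERR_WRONG_RANDOM;
}

/* Constructed RNG for the demo: 0xFF.. (>= N), then 0x00.. (zero), then 0x42.. (valid). */
static unsigned demo_calls;
void demo_rng(uint8_t *buf, size_t len) {
    static const uint8_t fill[3] = { 0xFF, 0x00, 0x42 };
    memset(buf, fill[demo_calls++ % 3], len);
}

/* Draw fresh material and retry only on WRONG_RANDOM; any other result is returned at once. */
uint32_t keygen_with_retry(rng_fn rng, keygen_fn keygen, uint8_t *rnd, size_t len,
                           unsigned max_tries, unsigned *tries) {
    uint32_t rc = ERR_WRONG_RANDOM;
    for (*tries = 0; *tries < max_tries && rc == ERR_WRONG_RANDOM; ++*tries) {
        rng(rnd, len);
        rc = keygen(rnd, len);
    }
    return rc;
}
```

Because N for brainpoolP384r1 begins 0x8C, roughly 45% of uniformly random 48-byte strings are at or above N and get rejected. The retry cap is there so a stuck RNG cannot spin the loop forever.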
2024-05-20 08:47 AM
2024-05-21 12:17 PM
I missed this section. Wow, got it working. At first I tried running a HKDF routine on the random buffer with extra random salt, but only after multiple retries does it work. Interesting. Any point to running HKDF on the random to improve the "quality", or should I just do simple retries?