
Using AES-GCM encryption and the results of ciphertext and tag are incorrect.

WayneTao
Associate II
 

Hello,

 

I am trying to use AES-GCM from the STM32 cryptographic library V4.2.0 to encrypt data.

When running the example program, encryption and decryption work smoothly.

However, when I integrate the library and function into my existing program, the encrypted ciphertext differs from expected_ciphertext.

Additionally, using this incorrect ciphertext and incorrect tag still decrypts to the correct plaintext.

Could you please advise where the error might be causing this result?

 

 

const uint8_t Key[] =
{
  0x46, 0x3b, 0x41, 0x29, 0x11, 0x76, 0x7d, 0x57, 0xa0, 0xb3, 0x39, 0x69, 0xe6, 0x74, 0xff, 0xe7,
  0x84, 0x5d, 0x31, 0x3b, 0x88, 0xc6, 0xfe, 0x31, 0x2f, 0x3d, 0x72, 0x4b, 0xe6, 0x8e, 0x1f, 0xca
};
const uint8_t IV[] =
{
  0x61, 0x1c, 0xe6, 0xf9, 0xa6, 0x88, 0x07, 0x50, 0xde, 0x7d, 0xa6, 0xcb
};
const uint8_t Plaintext[] =
{
  0xe7, 0xd1, 0xdc, 0xf6, 0x68, 0xe2, 0x87, 0x68, 0x61, 0x94, 0x0e, 0x01, 0x2f, 0xe5, 0x2a, 0x98,
  0xda, 0xcb, 0xd7, 0x8a, 0xb6, 0x3c, 0x08, 0x84, 0x2c, 0xc9, 0x80, 0x1e, 0xa5, 0x81, 0x68, 0x2a,
  0xd5, 0x4a, 0xf0, 0xc3, 0x4d, 0x0d, 0x7f, 0x6f, 0x59, 0xe8, 0xee, 0x0b, 0xf4, 0x90, 0x0e, 0x0f,
  0xd8, 0x50, 0x42
};
const uint8_t AddData[] =
{
  0x0a, 0x68, 0x2f, 0xbc, 0x61, 0x92, 0xe1, 0xb4, 0x7a, 0x5e, 0x08, 0x68, 0x78, 0x7f, 0xfd, 0xaf,
  0xe5, 0xa5, 0x0c, 0xea, 0xd3, 0x57, 0x58, 0x49, 0x99, 0x0c, 0xdd, 0x2e, 0xa9, 0xb3, 0x59, 0x77,
  0x49, 0x40, 0x3e, 0xfb, 0x4a, 0x56, 0x68, 0x4f, 0x0c, 0x6b, 0xde, 0x35, 0x2d, 0x4a, 0xee, 0xc5
};
const uint8_t Expected_Ciphertext[] =
{
  0x88, 0x86, 0xe1, 0x96, 0x01, 0x0c, 0xb3, 0x84, 0x9d, 0x9c, 0x1a, 0x18, 0x2a, 0xbe, 0x1e, 0xea,
  0xb0, 0xa5, 0xf3, 0xca, 0x42, 0x3c, 0x36, 0x69, 0xa4, 0xa8, 0x70, 0x3c, 0x0f, 0x14, 0x6e, 0x8e,
  0x95, 0x6f, 0xb1, 0x22, 0xe0, 0xd7, 0x21, 0xb8, 0x69, 0xd2, 0xb6, 0xfc, 0xd4, 0x21, 0x6d, 0x7d,
  0x4d, 0x37, 0x58,
};
const uint8_t Expected_Tag[] =
{
  0x24, 0x69, 0xce, 0xcd, 0x70, 0xfd, 0x98, 0xfe, 0xc9, 0x26, 0x4f, 0x71, 0xdf, 0x1a, 0xee, 0x9a
};

incorrect_ciphertext:
{
	0xA3, 0x0A, 0x42, 0x8A, 0xCA, 0x35, 0x1C, 0x9A, 0x40, 0x45, 0x06, 0xF0, 0xA1, 0xB9, 0x29, 0x6C,
	0x20, 0xE8, 0x43, 0x35, 0x4D, 0xF2, 0xFD, 0x12, 0x98, 0x5E, 0xE3, 0x22, 0xC0, 0xF6, 0xD8, 0xEF,
	0x47, 0x17, 0x6C, 0x36, 0xC7, 0x09, 0x4D, 0x3B, 0xCE, 0xC0, 0xAD, 0xC0, 0xB9, 0xD2, 0x06, 0xC3,
	0x6D, 0x4F, 0x8C,
}

incorrect_tag:
{
	0x8D, 0xF4, 0x2D, 0x51, 0x9A, 0x60, 0x48, 0xD6, 0x9C, 0x93, 0xD7, 0xA3, 0xF1, 0x84, 0xAA, 0xB4,
}

retval = cmox_aead_encrypt(CMOX_AES_GCM_ENC_ALGO,                  /* Use AES GCM algorithm */
                             Plaintext, sizeof(Plaintext),           /* Plaintext to encrypt */
                             sizeof(Expected_Tag),                   /* Authentication tag size */
                             Key, sizeof(Key),                       /* AES key to use */
                             IV, sizeof(IV),                         /* Initialization vector */
                             AddData, sizeof(AddData),               /* Additional authenticated data */
                             Computed_Ciphertext, &computed_size);   /* Data buffer to receive generated ciphertext
                                                                        and authentication tag */

 

The model used in the example program is NUCLEO-L476RG.

My development board model is STM32L431CBT6.

Using KEIL5.

1 ACCEPTED SOLUTION


Make sure CRC Peripheral clock is enabled when using ST libraries 

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..


5 REPLIES

BarryWhit
Senior III

This could be due to a difference in default padding scheme between the STM32 lib and whatever impl you're using as a reference. GCM padding is defined as part of the spec, so that's not it. Sorry.

- If a post has answered your question, please acknowledge the help you received by clicking "Accept as Solution".
- Once you've solved your issue, please consider posting a summary of any additional details you've learned. Your new knowledge may help others in the future.
BarryWhit
Senior III

@WayneTao, (assuming you haven't vanished into thin air, as most people who ask for help here do after a couple of days without an answer),

I've verified the test vector you provided using the cmox_aead_encrypt API, by modifying the AES_GCM_AEAD_EncryptDecrypt example bundled with the STM32 cryptographic library V4.2.0, and both ciphertext and auth tag match expected values. So there must be some bug in your program, not the library.

 

It's not possible to debug that code without seeing it.


Thank you for your response.
Actually, I got the correct solution the day after I posted the question, but it was my first time using this forum, and I didn't find out where to mark the correct answer until now.

 

Thank you for your response.

I didn't realize that the CRC clock is required for this library.
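
The symptom in the question (a wrong ciphertext and tag that still decrypt to the correct plaintext on the same board) means a round-trip test cannot catch this fault; comparing against fixed expected bytes does. The following known-answer check is an added example, not code from the thread or from ST's library: `kat_encrypt_fn`, the `kat_*` names and the stub functions are hypothetical, and on target the hook would wrap the `cmox_aead_encrypt` call shown in the question.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KAT_CT_LEN  51u  /* sizeof(Plaintext) in the question */
#define KAT_TAG_LEN 16u  /* sizeof(Expected_Tag) */
#define KAT_LEN     (KAT_CT_LEN + KAT_TAG_LEN)

/* Expected_Ciphertext followed by Expected_Tag, copied from the question. */
static const uint8_t kat_expected[KAT_LEN] = {
  0x88, 0x86, 0xe1, 0x96, 0x01, 0x0c, 0xb3, 0x84, 0x9d, 0x9c, 0x1a, 0x18, 0x2a, 0xbe, 0x1e, 0xea,
  0xb0, 0xa5, 0xf3, 0xca, 0x42, 0x3c, 0x36, 0x69, 0xa4, 0xa8, 0x70, 0x3c, 0x0f, 0x14, 0x6e, 0x8e,
  0x95, 0x6f, 0xb1, 0x22, 0xe0, 0xd7, 0x21, 0xb8, 0x69, 0xd2, 0xb6, 0xfc, 0xd4, 0x21, 0x6d, 0x7d,
  0x4d, 0x37, 0x58,
  0x24, 0x69, 0xce, 0xcd, 0x70, 0xfd, 0x98, 0xfe, 0xc9, 0x26, 0x4f, 0x71, 0xdf, 0x1a, 0xee, 0x9a
};

/* Hypothetical hook: writes ciphertext||tag for the question's vector to out; 0 on success. */
typedef int (*kat_encrypt_fn)(uint8_t *out, size_t cap, size_t *out_len);
typedef enum { KAT_PASS, KAT_CALL_FAILED, KAT_BAD_LENGTH, KAT_CT_MISMATCH, KAT_TAG_MISMATCH } kat_result;

kat_result aead_known_answer_test(kat_encrypt_fn encrypt)
{
  uint8_t out[KAT_LEN] = {0};
  size_t len = 0;
  if (encrypt == NULL || encrypt(out, sizeof out, &len) != 0) return KAT_CALL_FAILED;
  if (len != KAT_LEN) return KAT_BAD_LENGTH;
  /* GCM ciphertext is plaintext XOR AES-CTR keystream and does not depend on
     the AAD, so a ciphertext mismatch points at the AES core, key or IV. */
  if (memcmp(out, kat_expected, KAT_CT_LEN) != 0) return KAT_CT_MISMATCH;
  if (memcmp(out + KAT_CT_LEN, kat_expected + KAT_CT_LEN, KAT_TAG_LEN) != 0) return KAT_TAG_MISMATCH;
  return KAT_PASS;
}

/* Constructed stand-ins for the hook so the check can be exercised off-target. */
static int stub_good(uint8_t *out, size_t cap, size_t *n)
{
  if (cap < KAT_LEN) return -1;
  memcpy(out, kat_expected, KAT_LEN);
  *n = KAT_LEN;
  return 0;
}
static int stub_bad_ct(uint8_t *out, size_t cap, size_t *n)
{ int r = stub_good(out, cap, n); out[0] = 0xA3; return r; }          /* first byte of incorrect_ciphertext */
static int stub_bad_tag(uint8_t *out, size_t cap, size_t *n)
{ int r = stub_good(out, cap, n); out[KAT_CT_LEN] = 0x8D; return r; } /* first byte of incorrect_tag */

int main(void) { return aead_known_answer_test(stub_good) == KAT_PASS ? 0 : 1; }
```

Run the check once after the library is initialized and refuse to encrypt if it returns anything other than `KAT_PASS`.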