cancel
Showing results for 
Search instead for 
Did you mean: 

Using AES-GCM encryption and the results of ciphertext and tag are incorrect.

WayneTao
Associate II
 

Hello,

 

I am trying to use AES-GCM from the STM32 cryptographic library V4.2.0 to encrypt data.

When running the example program, encryption and decryption work smoothly.

However, when I integrate the library and function into my existing program, the encrypted ciphertext differs from expected_ciphertext.

Additionally, using this incorrect ciphertext and incorrect tag still decrypts to the correct plaintext.

Could you please advise where the error might be causing this result?

 

 

const uint8_t Key[] =
{
  0x46, 0x3b, 0x41, 0x29, 0x11, 0x76, 0x7d, 0x57, 0xa0, 0xb3, 0x39, 0x69, 0xe6, 0x74, 0xff, 0xe7,
  0x84, 0x5d, 0x31, 0x3b, 0x88, 0xc6, 0xfe, 0x31, 0x2f, 0x3d, 0x72, 0x4b, 0xe6, 0x8e, 0x1f, 0xca
};
const uint8_t IV[] =
{
  0x61, 0x1c, 0xe6, 0xf9, 0xa6, 0x88, 0x07, 0x50, 0xde, 0x7d, 0xa6, 0xcb
};
const uint8_t Plaintext[] =
{
  0xe7, 0xd1, 0xdc, 0xf6, 0x68, 0xe2, 0x87, 0x68, 0x61, 0x94, 0x0e, 0x01, 0x2f, 0xe5, 0x2a, 0x98,
  0xda, 0xcb, 0xd7, 0x8a, 0xb6, 0x3c, 0x08, 0x84, 0x2c, 0xc9, 0x80, 0x1e, 0xa5, 0x81, 0x68, 0x2a,
  0xd5, 0x4a, 0xf0, 0xc3, 0x4d, 0x0d, 0x7f, 0x6f, 0x59, 0xe8, 0xee, 0x0b, 0xf4, 0x90, 0x0e, 0x0f,
  0xd8, 0x50, 0x42
};
const uint8_t AddData[] =
{
  0x0a, 0x68, 0x2f, 0xbc, 0x61, 0x92, 0xe1, 0xb4, 0x7a, 0x5e, 0x08, 0x68, 0x78, 0x7f, 0xfd, 0xaf,
  0xe5, 0xa5, 0x0c, 0xea, 0xd3, 0x57, 0x58, 0x49, 0x99, 0x0c, 0xdd, 0x2e, 0xa9, 0xb3, 0x59, 0x77,
  0x49, 0x40, 0x3e, 0xfb, 0x4a, 0x56, 0x68, 0x4f, 0x0c, 0x6b, 0xde, 0x35, 0x2d, 0x4a, 0xee, 0xc5
};
const uint8_t Expected_Ciphertext[] =
{
  0x88, 0x86, 0xe1, 0x96, 0x01, 0x0c, 0xb3, 0x84, 0x9d, 0x9c, 0x1a, 0x18, 0x2a, 0xbe, 0x1e, 0xea,
  0xb0, 0xa5, 0xf3, 0xca, 0x42, 0x3c, 0x36, 0x69, 0xa4, 0xa8, 0x70, 0x3c, 0x0f, 0x14, 0x6e, 0x8e,
  0x95, 0x6f, 0xb1, 0x22, 0xe0, 0xd7, 0x21, 0xb8, 0x69, 0xd2, 0xb6, 0xfc, 0xd4, 0x21, 0x6d, 0x7d,
  0x4d, 0x37, 0x58,
};
const uint8_t Expected_Tag[] =
{
  0x24, 0x69, 0xce, 0xcd, 0x70, 0xfd, 0x98, 0xfe, 0xc9, 0x26, 0x4f, 0x71, 0xdf, 0x1a, 0xee, 0x9a
};
incorrect_ciphertext:
{
	0xA3, 0x0A, 0x42, 0x8A, 0xCA, 0x35, 0x1C, 0x9A, 0x40, 0x45, 0x06, 0xF0, 0xA1, 0xB9, 0x29, 0x6C,
	0x20, 0xE8, 0x43, 0x35, 0x4D, 0xF2, 0xFD, 0x12, 0x98, 0x5E, 0xE3, 0x22, 0xC0, 0xF6, 0xD8, 0xEF,
	0x47, 0x17, 0x6C, 0x36, 0xC7, 0x09, 0x4D, 0x3B, 0xCE, 0xC0, 0xAD, 0xC0, 0xB9, 0xD2, 0x06, 0xC3,
	0x6D, 0x4F, 0x8C,
}

incorrect_tag:
{
	0x8D, 0xF4, 0x2D, 0x51, 0x9A, 0x60, 0x48, 0xD6, 0x9C, 0x93, 0xD7, 0xA3, 0xF1, 0x84, 0xAA, 0xB4,
}
retval = cmox_aead_encrypt(CMOX_AES_GCM_ENC_ALGO,                  /* Use AES GCM algorithm */
                             Plaintext, sizeof(Plaintext),           /* Plaintext to encrypt */
                             sizeof(Expected_Tag),                   /* Authentication tag size */
                             Key, sizeof(Key),                       /* AES key to use */
                             IV, sizeof(IV),                         /* Initialization vector */
                             AddData, sizeof(AddData),               /* Additional authenticated data */
                             Computed_Ciphertext, &computed_size);   /* Data buffer to receive generated ciphertext
                                                                        and authentication tag */

 

The model used in the example program is NUCLEO-L476RG.

My development board model is STM32L431CBT6.

Using KEIL5.

1 ACCEPTED SOLUTION

Accepted Solutions

Make sure CRC Peripheral clock is enabled when using ST libraries 

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..

View solution in original post

5 REPLIES 5

Make sure CRC Peripheral clock is enabled when using ST libraries 

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..
BarryWhit
Lead II

This could be due to a difference in default padding scheme between the STM32 lib and whatever impl you're using as a reference. GCM padding is defined as part of the spec, so that's not it. Sorry.

- If someone's post helped resolve your issue, please thank them by clicking "Accept as Solution".
- Please post an update with details once you've solved your issue. Your experience may help others.
BarryWhit
Lead II

@WayneTao , (assuming you haven't vanished into thin air, as most people who ask for help here do after a couple of days without an answer),

I've verified the test vector your provided using the cmox_aead_encrypt API, by modifying the AES_GCM_AEAD_EncryptDecrypt example bundled with the STM32 cryptographic library V4.2.0, and both ciphertext and auth tag match expected values. So there must be some bug in your program, not the library.

 

It's not possible to debug that code without seeing it.

- If someone's post helped resolve your issue, please thank them by clicking "Accept as Solution".
- Please post an update with details once you've solved your issue. Your experience may help others.

Thank you for your response.
Actually, I got the correct solution the day after I posted the question, but it was my first time using this forum, I didn't find out where to mark the correct answer until now.

 

Thank you for your response.

I didn't realize that the CRC clock is required for this library.