AES 256 - Options?

mblackler · February 1, 2019, 1:33am

In order to be compliant with some client specifications on an RFP, they are asking for AES 256 for comms. Now, we know that we have AES 128 for comms (we are using an Electron, FWIW), but I need to provide assurance that we can use it.

There seems to have been some work done here:

But this is for a TCP client. Particle uses UDP on the Electron, and I sure don’t want to be doing any TCP comms if I can help it.

I was thinking that we could encrypt our messages using AES 256, then throwing it across the wire as a publish. Is it even possible? Is this something I can do in software, or am I going to need to specify a new hardware encryption part to do it for me?

Interested in people’s take on this.

hirotakaster · February 1, 2019, 5:44am

Hi @mblackler
Here is sample code for AES 256 bits tested on WebIDE&Photon.

#include "application.h"

#include "TlsTcpClient.h"
#include "mbedtls/aes.h"

void setup() {
    Serial.begin(9600);

    unsigned char key[32];
    unsigned char iv_enc[16] = {'i', 'n', 'i', 't', 'i', 'a', 'l', 'v', 'e', 'c', 't', 'o', 'r', ' ', ' ', ' '};
    unsigned char iv_dec[16] = {'i', 'n', 'i', 't', 'i', 'a', 'l', 'v', 'e', 'c', 't', 'o', 'r', ' ', ' ', ' '};
    unsigned char encbuff[128];
    unsigned char decbuff[128];
    unsigned char str[128];

    memset(str, 0, sizeof(str));
    memset(encbuff, 0, sizeof(encbuff));
    memset(decbuff, 0, sizeof(decbuff));
    
    for (int i = 0; i < 32; i++) key[i] = i;
    strcpy((char *)str, "Some text for AES 256 bytes :)");
    
    mbedtls_aes_context aes_ctx;
    
    mbedtls_aes_init(&aes_ctx);
    mbedtls_aes_setkey_enc(&aes_ctx, key, 256);
    mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_ENCRYPT, 128, iv_enc, str, encbuff);

    mbedtls_aes_setkey_dec(&aes_ctx, key, 256);
    mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_DECRYPT, 128, iv_dec, encbuff, decbuff);
    mbedtls_aes_free(&aes_ctx);
    Serial.print("Dec:"); Serial.println((char *)decbuff);

}

void loop() {
    delay(1000);
}

mblackler · February 1, 2019, 1:25pm

That’s excellent, thanks so much! Exactly what I was looking for.

developer_bt · February 4, 2019, 3:10pm

Hi @hirotakaster!
Do you have an example for mbedtls_aes_crypt_cfb128 function.
https://tls.mbed.org/api/aes_8h.html#a944946adabbc344f2c6cf6e6f51a21e3
Which parameter need for iv_off?

hirotakaster · February 4, 2019, 3:30pm

hi @developer_bt,
sorry, I don’t have a mbedtls_aes_crypt_cfb128 example, but maybe you could find iv_off parameter requirements from AES source code.(0-15 int value)

github.com

ARMmbed/mbedtls/blob/development/library/aes.c

/*
 *  FIPS-197 compliant AES implementation
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

This file has been truncated. show original

developer_bt · February 8, 2019, 2:49pm

Thanks @hirotakaster!
I tried with standard value for v_off = 8 and work perfectly