Adding encryption library to application using nRF Connect for VS Code

Hello Tim,

Most of our crypto examples utilize mbedTLS or the PSA crypto API, with Oberon being one of the available backends. However, since neither of these support EAX, it appears that the option at the moment is to use the Oberon library directly, as you mentioned. 

I put together a small demo based on the Hello World sample which I have included below. To link in the Oberon library with this project I had to add CONFIG_NRF_OBERON=y to the prj.conf file, and 'zephyr_library_link_libraries(nrfxlib_crypto)' to the project CMakelists.txt file. 

Test project

5228.hello_world_aes_eax_test.zip

Disclaimer: this project has not been tested or validated by our R&D team. Please keep this in mind if you use the code implementation as a reference.

Best regards,

Vidar

API doc:

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.3.0/nrfxlib/crypto/doc/api.html#aes-eax-apis 

Vidar,

Thank you so much for your prompt response.  I have your sample program running in my environment, correctly encrypting and decrypting data.  Thanks again for your assistance.

Regards,

Tim

No problem. Thank you for confirming that it worked.

Regards,

Vidar

No problem. Thank you for confirming that it worked.

Regards,

Vidar

I am trying to decrypt data in a message sent from a BLE beacon.  I have a few questions about the authentication tag.  Is this an optional parameter to the API and what is it's length.  In the sample you sent me it's length is 16 bytes.  The documentation for the BLE beacon I'm working with says the tag is optional and if it uses it the length is 2 bytes.

Sorry, but I wasn't able to confirm today whether the Oberon API requires the auth. tag to be 16 bytes or not. Have you had an opportunity to test this with the beacon payload to see if it can decrypt it despite the shorter tag length?

Yes, if I pass the function the smaller auth tag the decryption works correctly (the decrypted data is what I expected it to be), but the decryption function returns -1 indicating that the auth tag isn't valid.  I think that the oberon encrypt/decrypt functions expect a 16-byte buffer for the auth tag.  I went back to the "hello world" sample that you sent me and changed the tag buffer to be 2 bytes long instead 16.  If I step through the code in the debugger, when the encrypt function gets called (tag is an output parameter) I see the tag buffer being overrun.  If I change one of the values in the overrun part of memory before calling the decrypt function, it returns -1 indicating an invalid tag.  Based on this it looks like it's expecting 16 bytes.  So if I'm not using authentication it still encrypts/decrypts correctly.

Thanks for your help.

Tim

I am also very interested in this question. I am trying to implement AES-EAX with a 4 byte tag for authentication and running into these same limitations. Have you made any progress on this?