https://devzone.nordicsemi.com/f/nordic-q-a/103395/enabling-config_psa_crypto_driver_cc3xx-causes-incorrect-tag-when-using-aes-gcmHello, Our devices utilize AES-GCM to establish a secure channel with our servers. The system works as expected without any issues when CONFIG_PSA_CRYPTO_DRIVER_CC3XX is disabled, but as soon as we enable that flag to take advantage of the cyrptocellen-USTelligent Community 13Tue, 12 Sep 2023 13:02:10 GMThttps://devzone.nordicsemi.com/thread/445643?ContentTypeID=1Tue, 12 Sep 2023 13:02:10 GMT137ad170-7792-4731-bb38-c0d22fbe4515:4fffa7f7-0140-42ff-8c7a-a3a24a91ed9edejans<p>Hi Diego,</p> [quote user="diegolt"]1. Is this an actual limitation with the hardware in the CryptoCell or with the driver for it provided by Nordic?[/quote] <p>The limitation comes from CryptoCell low-level driver. We are investigating if the source of this limitation is in hardware or software.&nbsp;</p> [quote user="diegolt"]2. In my opinion this is a bug since the nonce size is for the user to define as stated in section 8.2 here&nbsp;<a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf">https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf</a>. As long as it&#39;s unique, the size doesn’t matter. Why would this be a limitation with CyrpoCell?[/quote] <p><a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf">NIST special publication for GCM</a>&nbsp;mentions the following &quot;For IVs, it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.&quot;.&nbsp;&nbsp;<a href="https://armmbed.github.io/mbed-crypto/PSA_Cryptography_API_Specification.pdf">PSA Crypto API Specification</a>&nbsp;mentions &quot;GCM requires a nonce of at least 1 byte in length. The maximum supported nonce size is IMPLEMENTATION DEFINED. Calling psa_aead_generate_nonce() will generate a random 12-byte nonce.&quot;. For CryptoCell the size of the nonce is hard-coded to 12 bytes (96 bits).&nbsp;</p> [quote user="diegolt"]3. At a minimum I would expect the driver to return an error such as&nbsp;PSA_ERROR_NOT_SUPPORTED if the nonce is not 12. With the current implementation there&#39;s no indication that something went wrong until you&#39;re testing against another valid implementation.[/quote] <p>Returning error code will be fixed in the updated version of the CryptoCell runtime library.<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/445492?ContentTypeID=1Mon, 11 Sep 2023 22:24:45 GMT137ad170-7792-4731-bb38-c0d22fbe4515:748d1426-8804-4e62-b640-02a4290e8b99Diego<p>Hi Dejan,</p> <p>Yes, that seems to be the issue. Using 12 bytes produces a consistent MAC across both. A couple of followup questions/notes:</p> <p>1. Is this an actual limitation with the hardware in the CryptoCell or with the driver for it provided by Nordic?</p> <p>2. In my opinion this is a bug since the nonce size is for the user to define as stated in section 8.2 here&nbsp;<a id="" href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf">https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf</a>. As long as it&#39;s unique, the size doesn&rsquo;t matter. Why would this be a limitation with CyrpoCell?</p> <p>3. At a minimum I would expect the driver to return an error such as&nbsp;PSA_ERROR_NOT_SUPPORTED if the nonce is not 12. With the current implementation there&#39;s no indication that something went wrong until you&#39;re testing against another valid implementation.</p> <p>Thanks,</p> <p>Diego</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/444766?ContentTypeID=1Wed, 06 Sep 2023 15:40:53 GMT137ad170-7792-4731-bb38-c0d22fbe4515:e2339fca-0df5-4c3d-967e-7656a969f01bdejans<p>Hi Diego,<br /><br />This issue might be related to the nonce length. You should ensure that you use nonce of size 12 bytes. If you want to use nonce value other than 12 bytes you would need to use software for that (nrf_oberon).<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/444607?ContentTypeID=1Wed, 06 Sep 2023 03:35:55 GMT137ad170-7792-4731-bb38-c0d22fbe4515:ede39319-5834-466f-bad6-15ad9f014022Diego<p>Hi Dejan</p> <p>NCS version 2.3.0</p> <p>We&#39;re using the mbed psa crypto libray with calls like&nbsp;psa_aead_encrypt</p> <p>Here&#39;s the relevant Kconfig flags in our project&nbsp;</p> <p>CONFIG_NRF_SECURITY=y<br />CONFIG_MBEDTLS_PSA_CRYPTO_C=y<br />CONFIG_MBEDTLS_ENABLE_HEAP=y<br />CONFIG_MBEDTLS_HEAP_SIZE=8192<br />CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y<br />CONFIG_PSA_NATIVE_ITS=y<br />CONFIG_BASE64=y<br />CONFIG_PSA_CRYPTO_DRIVER_OBERON=n<br />CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y<br /><br /><span style="font-family:arial, helvetica, sans-serif;">I don&#39;t have access to a devkit this week but I can try to reproduce with one of the samples next.<br /><br />Please let me know if you have any other questions.</span><br /><br /><span style="font-family:arial, helvetica, sans-serif;">Thanks,</span><br /><span style="font-family:arial, helvetica, sans-serif;">Diego</span></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/444293?ContentTypeID=1Mon, 04 Sep 2023 10:57:09 GMT137ad170-7792-4731-bb38-c0d22fbe4515:12da48b1-b192-4bb1-af41-d72d962e4ea4dejans<p>Hi,<br /><br />Which NCS version do you use?<br /><br />Which&nbsp;<a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/README.html">crypto library</a> do you use?<br /><br />Could you provide your project configuration file?<br /><br />Best regards,<br />Dejan</p><div style="clear:both;"></div>