PSA Cryptocell with MbedTLS for unsupported ciphers

I am working off of the NRF SDK Zephyr repository where I am using the NRF Security subsystem in order to use PSA for AES encrypt/decrypt. I need additional ciphers such as DES which the cryptocell on the nRF5340 does not support. MbedTLS has a software implementation of this and I believe should be able to connect to PSA. However, I'm having trouble configuring this correctly.

My Kconfig configuration for PSA looks identical to the samples/crypto/aes_cbc sample.

boards/nrf5340dk_nrf5340_cpuapp.conf

CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

# Mbedtls configuration
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192

prj.conf

# The Zephyr CMSIS emulation assumes that ticks are ms, currently
CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=4096

# Enable logging
CONFIG_CONSOLE=y
CONFIG_LOG=y

# Enable nordic security backend and PSA APIs
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_PSA_WANT_GENERATE_RANDOM=y
CONFIG_PSA_WANT_KEY_TYPE_AES=y
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y

What am I missing in order to get allow a DES cipher? Currently if I try to import a PSA_KEY_TYPE_DES key, I will get the PSA_ERROR_NOT_SUPPORTED response.

Parents
  • Hi kwolff,

    Could you please give more details on the issue?

    Is it a compile time error, or is it a run time?

    If compile time, what is the full error log?

    How can the issue be reproduced? The .conf file you shared are just the aes_cbc sample's file unmodified.

    I am not clear about your plan to connect Mbed TLS implementation to NCS PSA (nRF Security) implementation yet. However, nRF Security seems capable of DES keys. You will have to enable CONFIG_PSA_WANT_KEY_TYPE_DES.

    Also, why do you think the CryptoCell cannot handle DES key?

    Hieu

  • Hi ,

    If I try to add CONFIG_PSA_WANT_KEY_TYPE_DES, I get the following compile time error:

    <path>/subsys/nrf_security/include/psa/core_unsupported_ciphers_check.h:678:2: error: #error "No crypto implementation for DES-CBC-no-padding"
      678 | #error "No crypto implementation for DES-CBC-no-padding"
          |  ^~~~~

    If I don't include CONFIG_PSA_WANT_KEY_TYPE_DES, I get the error described in the original post where the return from psa_import_key returns the error PSA_ERROR_NOT_SUPPORTED. Following the path to the error, this is because PSA_WANT_KEY_TYPE_DES is not enabled.

    This issue can be reproduced by modifying the sample at samples/crypto/aes_cbc as my current PSA configuration looks the exact same. I want the same thing this sample wants with the addition of being able to encrypt/decrypt using DES.

    Cryptocell is incapable of handling DES as noted here:

    config PSA_HAS_KEY_SUPPORT
    	bool
    	default y
    	depends on PSA_WANT_KEY_TYPE_AES 			|| \
    		   PSA_WANT_KEY_TYPE_CHACHA20			|| \
    		   PSA_WANT_KEY_TYPE_DERIVE			|| \
    		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT	|| \
    		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT	|| \
    		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE	|| \
    		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE	|| \
    		   PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY		|| \
    		   PSA_WANT_KEY_TYPE_HMAC			|| \
    		   PSA_WANT_KEY_TYPE_PASSWORD			|| \
    		   PSA_WANT_KEY_TYPE_PASSWORD_HASH		|| \
    		   PSA_WANT_KEY_TYPE_PEPPER			|| \
    		   PSA_WANT_KEY_TYPE_RAW_DATA			|| \
    		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT	|| \
    		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT	|| \
    		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE	|| \
    		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE	|| \
    		   PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY		|| \
    		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_IMPORT	|| \
    		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_EXPORT	|| \
    		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_GENERATE	|| \
    		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_DERIVE	|| \
    		   PSA_WANT_KEY_TYPE_SPAKE2P_PUBLIC_KEY		|| \
    		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_IMPORT	|| \
    		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_EXPORT	|| \
    		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_EXPORT	|| \
    		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_GENERATE	|| \
    		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_DERIVE	|| \
    		   PSA_WANT_KEY_TYPE_SRP_PUBLIC_KEY
    	help
    	  Prompt-less configuration that states that key types are supported.

  • Hi kwolff,

    My apology, I must have misread something to think the CryptoCell can support DES. You are right that it doesn't.

    And you are also perfectly right in your investigation that none of the software driver for nRF Security support DES.

    As for legacy Mbed TLS APIs, I find that DES isn't supported there either, but I am checking with someone more experienced on it to see if I missed anything.

    That being said, while looking this up, it appears to me that DES is rather weak and is being deprecated in most systems. Do you absolutely need DES?

  • Yes. It's to communicate with a third-party and I can't use another cryptography method. No choice but to use it.

  • Am I right that you are working on upstream Zephyr and is receiving support here?
    https://discord.com/channels/720317445772017664/884102502021210152/1326274299962593360

    I found that the members there have explained that to add support for DES, you can make a small custom PSA driver based on the Mbed TLS implementation. It seems however that you are heading on a different direction, however.

    Do you still have any questions here?

Reply Children
No Data
Related