PSA Cryptocell with MbedTLS for unsupported ciphers

RE: PSA Cryptocell with MbedTLS for unsupported ciphers

Hieu — Mon, 13 Jan 2025 10:04:52 GMT

Am I right that you are working on upstream Zephyr and is receiving support here?
https://discord.com/channels/720317445772017664/884102502021210152/1326274299962593360

I found that the members there have explained that to add support for DES, you can make a small custom PSA driver based on the Mbed TLS implementation. It seems however that you are heading on a different direction, however.

Do you still have any questions here?

RE: PSA Cryptocell with MbedTLS for unsupported ciphers

kwolff — Thu, 09 Jan 2025 21:18:51 GMT

Yes. It's to communicate with a third-party and I can't use another cryptography method. No choice but to use it.

RE: PSA Cryptocell with MbedTLS for unsupported ciphers

Hieu — Thu, 09 Jan 2025 20:31:16 GMT

Hi kwolff,

My apology, I must have misread something to think the CryptoCell can support DES. You are right that it doesn't.

And you are also perfectly right in your investigation that none of the software driver for nRF Security support DES.

As for legacy Mbed TLS APIs, I find that DES isn't supported there either, but I am checking with someone more experienced on it to see if I missed anything.

That being said, while looking this up, it appears to me that DES is rather weak and is being deprecated in most systems. Do you absolutely need DES?

RE: PSA Cryptocell with MbedTLS for unsupported ciphers

kwolff — Wed, 08 Jan 2025 22:38:28 GMT

Hi Hieu,

If I try to add CONFIG_PSA_WANT_KEY_TYPE_DES, I get the following compile time error:

<path>/subsys/nrf_security/include/psa/core_unsupported_ciphers_check.h:678:2: error: #error "No crypto implementation for DES-CBC-no-padding"
  678 | #error "No crypto implementation for DES-CBC-no-padding"
      |  ^~~~~

If I don't include CONFIG_PSA_WANT_KEY_TYPE_DES, I get the error described in the original post where the return from psa_import_key returns the error PSA_ERROR_NOT_SUPPORTED. Following the path to the error, this is because PSA_WANT_KEY_TYPE_DES is not enabled.

This issue can be reproduced by modifying the sample at samples/crypto/aes_cbc as my current PSA configuration looks the exact same. I want the same thing this sample wants with the addition of being able to encrypt/decrypt using DES.

Cryptocell is incapable of handling DES as noted here:

https://docs.nordicsemi.com/bundle/ps_nrf5340/page/cryptocell.html
CONFIG_PSA_HAS_KEY_SUPPORT from subsys/nrf_security/Kconfig.psa.nordic does not show support for DES keys.

config PSA_HAS_KEY_SUPPORT
	bool
	default y
	depends on PSA_WANT_KEY_TYPE_AES 			|| \
		   PSA_WANT_KEY_TYPE_CHACHA20			|| \
		   PSA_WANT_KEY_TYPE_DERIVE			|| \
		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT	|| \
		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT	|| \
		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE	|| \
		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE	|| \
		   PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY		|| \
		   PSA_WANT_KEY_TYPE_HMAC			|| \
		   PSA_WANT_KEY_TYPE_PASSWORD			|| \
		   PSA_WANT_KEY_TYPE_PASSWORD_HASH		|| \
		   PSA_WANT_KEY_TYPE_PEPPER			|| \
		   PSA_WANT_KEY_TYPE_RAW_DATA			|| \
		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT	|| \
		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT	|| \
		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE	|| \
		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE	|| \
		   PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY		|| \
		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_IMPORT	|| \
		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_EXPORT	|| \
		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_GENERATE	|| \
		   PSA_WANT_KEY_TYPE_SPAKE2P_KEY_PAIR_DERIVE	|| \
		   PSA_WANT_KEY_TYPE_SPAKE2P_PUBLIC_KEY		|| \
		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_IMPORT	|| \
		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_EXPORT	|| \
		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_EXPORT	|| \
		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_GENERATE	|| \
		   PSA_WANT_KEY_TYPE_SRP_KEY_PAIR_DERIVE	|| \
		   PSA_WANT_KEY_TYPE_SRP_PUBLIC_KEY
	help
	  Prompt-less configuration that states that key types are supported.

doc/nrf/libraries/security/nrf_security/doc/driver_config.rst

RE: PSA Cryptocell with MbedTLS for unsupported ciphers

Hieu — Wed, 08 Jan 2025 22:10:36 GMT

Hi kwolff,

Could you please give more details on the issue?

Is it a compile time error, or is it a run time?

If compile time, what is the full error log?

How can the issue be reproduced? The .conf file you shared are just the aes_cbc sample's file unmodified.

I am not clear about your plan to connect Mbed TLS implementation to NCS PSA (nRF Security) implementation yet. However, nRF Security seems capable of DES keys. You will have to enable CONFIG_PSA_WANT_KEY_TYPE_DES.

Also, why do you think the CryptoCell cannot handle DES key?

Hieu