AES CBC 256 encryption on nrf52840

Hi,

I need to use AES CBC 256 encryption/decryption on nrf52840 but since its cyrpto cell only supports AES 128, I tried using mbedtls to do AES 256 encryption. It works fine but if then I add 

CONFIG_NRF_SECURITY=y in the prj.conf, the decrypted data doesn't match with original string anymore. It works if either I use 128 bits key size of set 
CONFIG_NRF_SECURITY=n.
My problem is that I need to use hardware support for running some other RSA related operations, but I would also like to run AES 256 via software. 
How can I do that?
  • Hi,

    I would recommend that you use the PSA crypto APIs, as the legacy APIs are deprecated and will be removed. You can use the Oberon backend fro AES256. To test it you can use the AES CBC sample, modify nrf/samples/crypto/aes_cbc/boards/nrf52840dk_nrf52840.conf so that CONFIG_PSA_CRYPTO_DRIVER_OBERON is enabled isntead of being disabled, and add CONFIG_PSA_WANT_AES_KEY_SIZE_256=y to prj.conf. Lastly, modify the call to psa_set_key_bits() in the sample to set 256 bit key size instead of 128.

    This is a full diff of my modifications from SDK 2.9.1 that works for me on the nRF52840 DK:

  • Thanks, I could make it run in the sample. I have couple of questions though. 


    1) Does CONFIG_PSA_CRYPTO_DRIVER_OBERON=y mean that all crypto related work then be run in software and hardware cell will no longer be used for the app?

    2) I could make it work in aes_cbc sample based on 2.9.0 but the project I have to port this to is based on 2.4.2. If I upgrade that project, it will open up new work scope, so I tried aes_cbc sample based on 2.4.2 and followed exact steps, but over there I still got -134 at psa_cipher_encrypt_setup. Any guesses what could be wrong?

  • I get following error when using 2.4.2


    error: PSA_WANT_KEY_TYPE_AES (defined at modules/mbedtls/Kconfig.psa:55,
    /opt/nordic/ncs/v2.4.2/nrf/modules/trusted-firmware-m/Kconfig.mbedtls_minimal.defconfig:89,
    /opt/nordic/ncs/v2.4.2/nrf/modules/trusted-firmware-m/Kconfig.psa.defconfig:11,
    modules/mbedtls/Kconfig.psa:55, modules/mbedtls/Kconfig.psa:55) is assigned in a configuration file,
    but is not directly user-configurable (has no prompt). It gets its value indirectly from other
    symbols. See docs.zephyrproject.org/.../kconfig.html and/or
    look up PSA_WANT_KEY_TYPE_AES in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.


    I can make it work if I set the following value in ./aes_cbc/boards/nrf52840dk_nrf52840.conf, but I guess that disables the hardware crypto (not something I want).