
PSA support for 256-bit AES CBC Encryption/Decryption

Hi,

I am trying to determine if PSA supports AES-256 encryption and decryption. From the documentation, it appears that it does. However, the aes-cbc example in the nRF Connect SDK 1.7.1 ran correctly with a 128-bit key. Then I changed the key size to 256-bit and nothing else, and it failed in the call to psa_cipher_encrypt_setup() with an error code of -134, which I think means PSA_ERROR_NOT_SUPPORTED. What else do I need to modify or add to be able to use 256-bit keys in AES-CBC? Thanks in advance.

int generate_key(void)
{
    psa_status_t status;

    LOG_INF("Generating random AES key...");

    /* Configure the key attributes */
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
    psa_set_key_algorithm(&key_attributes, PSA_ALG_CBC_NO_PADDING);
    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
    psa_set_key_bits(&key_attributes, 256);

    /* Generate a random key. The key is not exposed to the application,
     * we can use it to encrypt/decrypt using the key handle
     */
    status = psa_generate_key(&key_attributes, &key_handle);
    if (status != PSA_SUCCESS) {
        LOG_INF("psa_generate_key failed! (Error: %d)", status);
        return APP_ERROR;
    }

    /* After the key handle is acquired the attributes are not needed */
    psa_reset_key_attributes(&key_attributes);

    LOG_INF("AES key generated successfully!");

    return APP_SUCCESS;
}

int encrypt_cbc_aes(void)
{
    uint32_t olen;
    psa_status_t status;
    psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;

    LOG_INF("Encrypting using AES CBC MODE...");

    /* Setup the encryption operation */
    status = psa_cipher_encrypt_setup(&operation, key_handle, PSA_ALG_CBC_NO_PADDING);
    if (status != PSA_SUCCESS) {
        LOG_INF("psa_cipher_encrypt_setup failed! (Error: %d)", status);
        return APP_ERROR;
    }

...

}

  • Hello,

    PSA uses the cc310 for HW accelerated crypto by default, and it lacks support for the AES-256 cipher, unlike the cc312 used in the nRF53 that has both.

    The fix to this is to include the oberon library that implements AES-256 in SW. Simply add CONFIG_OBERON_BACKEND=y to include it in your project.

    Note that the PSA API will continue to use the cc310 for crypto operations that are supported.

    Best regards,

    Vidar
