Arm Mbed and Pelion Device Management support forum

AES-CCM tag calculation issue

Hi,

I have an issue with the tag calculation with AES-CCM (Counter CBC-MAC). The tags of the test vectors (verified using code written with Crypto++) do not match the calculated tags with the mbedtls_ccm_encrypt_and_tag() function. Hence the decryption of the test vector fails.

The code is rather long to paste it here. So here is a link to the GitHub repo:

Output of the above program:

gcc -g -o mbedtls mbedtls.c -lmbedcrypto

  CCM-AES #1: passed
  CCM-AES #2: passed
  CCM-AES #3: passed

Name       : AES-128 CCM NIST #25
Key        : F9FDCA4AC64FE7F014DE0F43039C7571
Iv         : 5A8AA485C316E9
Cipher     : 6BE31860CA271EF448DE8F8D8B39346DAF4B81D7E92D65B3
Plaintext  : A265480CA88D5F536DB0DC6ABC40FAF0D05BE7A966977768
Tag        : 38F125FA

MbedTLS    : Encryption successful
Ciphertext : 6BE31860CA271EF448DE8F8D8B39346DAF4B81D7E92D65B3
Tag        : FC24CF6A

MbedTLS    : Authenticated decryption failed.
Plaintext  : 000000000000000000000000000000000000000000000000

As you can see, the tags in the test vector and calculated do not match and hence decryption fails. If I would alter the tag in the test vector to use the calculated tag, the decryption succeeds.

For comparison, here is the equivalent code using Crypto++:

Output of the above program:
g++ -g -o cryptopp cryptopp.cpp -lcryptopp

Name       : AES-128 CCM NIST #25 
Key        : F9FDCA4AC64FE7F014DE0F43039C7571
Iv         : 5A8AA485C316E9
Cipher     : 6BE31860CA271EF448DE8F8D8B39346DAF4B81D7E92D65B3
Plaintext  : A265480CA88D5F536DB0DC6ABC40FAF0D05BE7A966977768
Tag        : 38F125FA

Crypto++   : Encrypted and verified data
Cipher     : 6BE31860CA271EF448DE8F8D8B39346DAF4B81D7E92D65B3
Tag        : 38F125FA

Crypto++   : Decrypted and verified data
Plaintext  : A265480CA88D5F536DB0DC6ABC40FAF0D05BE7A966977768

As you can see, here the decryption works with the unmodified tag as given in the test vector.

Back to my original question, how can I decrypt the test vectors with Mbed TLS?

Thank you very much for your help in advance.

Hi @pohl7567
As mentioned in this announcement, Mbed TLS is now maintained under open governance at TrustedFirmware.org.
I would suggest you post your question there, as it doesn’t seem your question is Pelion related.

At a glance, I believe you are using a hardware acceleration AES-CCM. Is this correct? Is the static memory where the test vectors are defined accessible by your hardware accelerator?
Have you tried copying testVectorCCM.authdata and testVectorCCM.plaintext to local authdata and plaintext buffers, before calling mbedtls_ccm_encrypt_and_tag(), and copying testVectorCCM.ciphertext to a local ciphertext before calling mbedtls_ccm_auth_decrypt()?
Note that this is what’s done in the ccm_selftest for similar reasons. Have you tried the self test in your platform?
Regards,
mbed Support
Ron

Dear Ron,

thanks for your suggestion to post at TrustedFirmware.org. I have opened a new issue here.

Meanwhile I have added the ccm_selftest and it passes all 3 AES test vectors. I don’t think the tag calculation issue is hardware related. The code was tested on X64 (normal laptop) and also runs on ESP32 and is developed for ESPHome (hence Crypto++ is not an option).

I now believe it is a bug within MbedTLS, which encrypts to the same cipher text, but yields a different tag compared to Crypto++. I have tested many test vectors with both MbedTLS and Crypto++. The tags calculated with MbedTLS never match what is given in the test vector.

Regards,
Alexander
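
The symptom discussed in this thread (identical ciphertext, different tag) is easier to reason about with CCM written out: the ciphertext depends only on key, nonce and plaintext, while the tag also covers the associated data and the tag length. The following is an added reference implementation, not code from either poster or from Mbed TLS or Crypto++; it follows RFC 3610, and the helper names, `demo()` and its two AAD values are constructed for illustration.

```python
# Added reference AES-128-CCM (RFC 3610) for cross-checking only; not constant-time.
_xt = lambda b: ((b << 1) ^ (0x1B if b & 0x80 else 0)) & 0xFF   # times x in GF(2^8)
def _sbox():                                   # S-box from its algebraic definition
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xt(p)                            # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4  # q /= 3, so p * q stays 1
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        r = q * 0x101                          # q doubled up: shifts act as rotations
        box[p] = 0x63 ^ q ^ ((r >> 7 ^ r >> 6 ^ r >> 5 ^ r >> 4) & 0xFF)
        if p == 1: return box
SBOX = _sbox()

def _round_keys(key):                          # AES-128 key schedule, 11 round keys
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, _xt(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _aes(rks, block):                          # encrypt one 16-byte block
    s = [b ^ k for b, k in zip(block, rks[0])]
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]   # Sub+ShiftRows
        if r < 10:                             # MixColumns, skipped in last round
            s = [c[j] ^ c[0] ^ c[1] ^ c[2] ^ c[3] ^ _xt(c[j] ^ c[(j + 1) % 4])
                 for c in [s[k:k + 4] for k in (0, 4, 8, 12)] for j in range(4)]
        s = [b ^ k for b, k in zip(s, rks[r])]
    return bytes(s)

def ccm_encrypt(key, nonce, pt, aad=b"", tag_len=4):   # aad must be < 65280 bytes
    rks, L, x = _round_keys(key), 15 - len(nonce), bytes(16)
    pad = lambda d: d + bytes(-len(d) % 16)
    flags = (64 if aad else 0) | ((tag_len - 2) // 2) << 3 | (L - 1)
    mac = bytes([flags]) + nonce + len(pt).to_bytes(L, "big")       # block B0
    mac += (pad(len(aad).to_bytes(2, "big") + aad) if aad else b"") + pad(pt)
    for i in range(0, len(mac), 16):           # CBC-MAC over B0 | AAD | plaintext
        x = _aes(rks, bytes(a ^ b for a, b in zip(x, mac[i:i + 16])))
    ks = b"".join(_aes(rks, bytes([L - 1]) + nonce + i.to_bytes(L, "big"))
                  for i in range(len(pt) // 16 + 2))   # CTR blocks S0, S1, ...
    ct = bytes(a ^ b for a, b in zip(pt, ks[16:]))     # ciphertext ignores AAD
    return ct, bytes(a ^ b for a, b in zip(x[:tag_len], ks))   # tag = MAC ^ S0

def demo():  # key, IV, plaintext as quoted in the thread; both AAD values constructed
    k, n = bytes.fromhex("F9FDCA4AC64FE7F014DE0F43039C7571"), bytes.fromhex("5A8AA485C316E9")
    p = bytes.fromhex("A265480CA88D5F536DB0DC6ABC40FAF0D05BE7A966977768")
    return [ccm_encrypt(k, n, p, aad) for aad in (b"", b"constructed header")]
```

`demo()` returns the same ciphertext for both AAD values and two different 4-byte tags, so when two libraries agree on the ciphertext but not the tag, the associated data and tag length passed to each are the inputs to compare first.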