Encryption flaw in DAVE App

User15596
Level 2
See snip.

The DAVE encryption library asks for a key and IV in ASCII only. Now, please correct me if I'm wrong here, but how is this not a massive failure in understanding encryption? This is a major warning to me that the rest of the Infineon encryption implementation is not to be trusted. I hope someone from Inf can point me to a security audit of the XMC / DAVE encryption libs.

If the program requires your key and IV to be in ASCII, that's only 94 characters you can use to make the key/IV, reducing each byte to 94 options from 255 whole-byte options if it was correctly entered in hex.

3e+31 vs 3e+38: about 10 million times weaker / fewer options


Am I missing something here? Because I'm hoping I'm just wrong and not that an intern wrote this. I don't know if the XMC4xxx is different than this XMC1xxx application.

3381.attach

And I did check, in code it's a const uint8_t array[] = "abcdefghijklmnop" ... which is at least fixable by not declaring it like a string.
0 Likes
4 Replies
jferreira
Employee
Hi,

I would use the mbedTLS instead, https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc

Regards,
Jesus
0 Likes
User15596
Level 2
I'm happy to use a different AES source... But... Does Infineon care about its microchip business at all? This is a fundamental mistake in something so simple. Can I at least be convinced that this was a mistake, someone is looking into it, and it will be fixed soon?

Jesus, while I very much do appreciate your support on the forums, I have to seriously wonder about Infineon's commitment to this business segment! And further, my willingness to ever select Infineon ARM processors again. I'll send another email to support, but it's been five months of doing so and I have never received a reply.
0 Likes
jferreira
Employee
Hi,

The problem you reported will be fixed in the next APP release.
In the meantime I would use mbedTLS.

Regards,
Jesus
0 Likes
User15596
Level 2
Thanks Jesus, I appreciate it.

I'm glad you're around to help out here. Please let appropriate people in charge know that the official Infineon support for micros and libs is dangerously close to keeping customers away.
0 Likes