Jan 07, 2019
01:37 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jan 07, 2019
01:37 PM
See snip.
The DAVE encryption library asks for a key and IV in ASCII only. Now, please correct me if I'm wrong here, but how is this not a massive failure in understanding encryption? This is a major warning to me that the rest of the Infineon encryption implementation is not to be trusted. I hope someone from Inf can point me to a security audit of the XMC / DAVE encryption libs.
If the program requires your key and IV to be in ASCII, that's only 94 characters you can use to make the key/iv. Reducing each byte to 94 options from 255 whole-byte options if it was correctly entered in hex.
3e+31 vs 3e+38 about 10 million times weaker / fewer options
Am I missing something here? Because I'm hoping I'm just wrong and not that an intern wrote this. I don't know if the XMC4xxx is different than this XMC1xxx application.
And I did check, in code it's a const uint8_t array[] = "abcdefghijklmnop" ... which is at least fixable by not declaring it like a string.
The DAVE encryption library asks for a key and IV in ASCII only. Now, please correct me if I'm wrong here, but how is this not a massive failure in understanding encryption? This is a major warning to me that the rest of the Infineon encryption implementation is not to be trusted. I hope someone from Inf can point me to a security audit of the XMC / DAVE encryption libs.
If the program requires your key and IV to be in ASCII, that's only 94 characters you can use to make the key/iv. Reducing each byte to 94 options from 255 whole-byte options if it was correctly entered in hex.
3e+31 vs 3e+38 about 10 million times weaker / fewer options
Am I missing something here? Because I'm hoping I'm just wrong and not that an intern wrote this. I don't know if the XMC4xxx is different than this XMC1xxx application.
And I did check, in code it's a const uint8_t array[] = "abcdefghijklmnop" ... which is at least fixable by not declaring it like a string.
- Tags:
- encryption
- IFX
4 Replies
Jan 08, 2019
07:37 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jan 08, 2019
07:37 AM
Hi,
I would use the mbedTLS instead, https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc
Regards,
Jesus
I would use the mbedTLS instead, https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc
Regards,
Jesus
Jan 08, 2019
09:07 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jan 08, 2019
09:07 AM
I'm happy to use a different AES source... But... Does Infineon care about it's microchip business at all? This is a fundamental mistake in something so simple. Can I at least be convinced that this was a mistake, someone is looking into it, and it will be fixed soon?
Jesus, while I very much do appreciate you're support on the forums, I have to seriously wonder about Infineon's commitment to this business segment! And further, my willingness to ever select Infineon ARM processors again. I'll send an another email to support, but it's been five months of doing so and have never received a reply.
Jesus, while I very much do appreciate you're support on the forums, I have to seriously wonder about Infineon's commitment to this business segment! And further, my willingness to ever select Infineon ARM processors again. I'll send an another email to support, but it's been five months of doing so and have never received a reply.
Jan 09, 2019
08:04 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jan 09, 2019
08:04 AM
Hi,
The problem you reported will be fixed in the next APP release.
In the mean time I would use mbedTLS.
Regards,
Jesus
The problem you reported will be fixed in the next APP release.
In the mean time I would use mbedTLS.
Regards,
Jesus
Jan 10, 2019
10:23 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jan 10, 2019
10:23 AM
Thanks Jesus, I appreciate it.
I'm glad you're around to help out here. Please let appropriate people in charge know that the official Infineon support for micros and libs is dangerously close to keeping customers away.
I'm glad you're around to help out here. Please let appropriate people in charge know that the official Infineon support for micros and libs is dangerously close to keeping customers away.