infineon4engineers Facebook

infineon@google+ Google+

infineon@linkedin linkedin

infineon4engi@twitter twitter

infineon@youtube youtube

+ Reply to Thread
Results 1 to 5 of 5

Thread: Encryption flaw in DAVE App

  1. #1
    Beginner Beginner S R is on a distinguished road
    Join Date
    Aug 2018
    Posts
    19
    Points
    71.25

    Encryption flaw in DAVE App

    See snip.

    The DAVE encryption library asks for a key and IV in ASCII only. Now, please correct me if I'm wrong here, but how is this not a massive failure in understanding encryption? This is a major warning to me that the rest of the Infineon encryption implementation is not to be trusted. I hope someone from Inf can point me to a security audit of the XMC / DAVE encryption libs.

    If the program requires your key and IV to be in ASCII, that's only 94 characters you can use to make the key/iv. Reducing each byte to 94 options from 255 whole-byte options if it was correctly entered in hex.

    3e+31 vs 3e+38 about 10 million times weaker / fewer options


    Am I missing something here? Because I'm hoping I'm just wrong and not that an intern wrote this. I don't know if the XMC4xxx is different than this XMC1xxx application.

    Click image for larger version

Name:	dave aes ascii.jpg
Views:	1
Size:	31.8 KB
ID:	3747

    And I did check, in code it's a const uint8_t array[] = "abcdefghijklmnop" ... which is at least fixable by not declaring it like a string.
    Last edited by S R; Jan 7th, 2019 at 01:45 PM.

  2. #2

    Infineon Employee
    Infineon Employee
    jferreira will become famous soon enough
    Join Date
    Oct 2012
    Posts
    509
    Hi,

    I would use the mbedTLS instead, https://tls.mbed.org/kb/how-to/encrypt-with-aes-cbc

    Regards,
    Jesus
    The views expressed here are my personal opinions, have not been reviewed or authorized by Infineon and do not necessarily represent the views of Infineon.

  3. #3
    Beginner Beginner S R is on a distinguished road
    Join Date
    Aug 2018
    Posts
    19
    Points
    71.25
    I'm happy to use a different AES source... But... Does Infineon care about it's microchip business at all? This is a fundamental mistake in something so simple. Can I at least be convinced that this was a mistake, someone is looking into it, and it will be fixed soon?

    Jesus, while I very much do appreciate you're support on the forums, I have to seriously wonder about Infineon's commitment to this business segment! And further, my willingness to ever select Infineon ARM processors again. I'll send an another email to support, but it's been five months of doing so and have never received a reply.

  4. #4

    Infineon Employee
    Infineon Employee
    jferreira will become famous soon enough
    Join Date
    Oct 2012
    Posts
    509
    Hi,

    The problem you reported will be fixed in the next APP release.
    In the mean time I would use mbedTLS.

    Regards,
    Jesus
    The views expressed here are my personal opinions, have not been reviewed or authorized by Infineon and do not necessarily represent the views of Infineon.

  5. #5
    Beginner Beginner S R is on a distinguished road
    Join Date
    Aug 2018
    Posts
    19
    Points
    71.25
    Thanks Jesus, I appreciate it.

    I'm glad you're around to help out here. Please let appropriate people in charge know that the official Infineon support for micros and libs is dangerously close to keeping customers away.

+ Reply to Thread

Tags for this Thread

Disclaimer

All content and materials on this site are provided “as is“. Infineon makes no warranties or representations with regard to this content and these materials of any kind, whether express or implied, including without limitation, warranties or representations of merchantability, fitness for a particular purpose, title and non-infringement of any third party intellectual property right. No license, whether express or implied, is granted by Infineon. Use of the information on this site may require a license from a third party, or a license from Infineon.


Infineon accepts no liability for the content and materials on this site being accurate, complete or up- to-date or for the contents of external links. Infineon distances itself expressly from the contents of the linked pages, over the structure of which Infineon has no control.


Content on this site may contain or be subject to specific guidelines or limitations on use. All postings and use of the content on this site are subject to the Usage Terms of the site; third parties using this content agree to abide by any limitations or guidelines and to comply with the Usage Terms of this site. Infineon reserves the right to make corrections, deletions, modifications, enhancements, improvements and other changes to the content and materials, its products, programs and services at any time or to move or discontinue any content, products, programs, or services without notice.