AES Ciphertext Stealing and Data Padding; Figure 233. Encryption Key Derivation for ECB/CBC Decryption (Mode 2) - ST STM32F423 Reference Manual

Advanced Arm-based 32-bit MCUs
RM0430

Figure 233. Encryption key derivation for ECB/CBC decryption (Mode 2)

If the software stores the initial key prepared for decryption, it is enough to do the key
schedule operation only once for all the data to be decrypted with a given cipher key.
Note:
The key preparation operation lasts 80 or 109 clock cycles, depending on the key size
(128- or 256-bit).
Note:
An alternative key preparation is to select Mode 4 by setting the MODE[1:0] bitfield of the
AES_CR register to 11. In this case Mode 3 cannot be used.
24.4.6 AES ciphertext stealing and data padding

When using AES in ECB or CBC modes to manage messages the size of which is not a
multiple of the block size (128 bits), ciphertext stealing techniques are used, such as those
described in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes
of Operation: Three Variants of Ciphertext Stealing for CBC Mode. Since the AES peripheral
on the device does not support such techniques, the last two blocks of input data must be
handled in a special way by the application.
Note:
Ciphertext stealing techniques are not documented in this reference manual.
Similarly, when AES is used in modes other than ECB or CBC, an incomplete input data
block (that is, a block with input data shorter than 128 bits) must be padded with zeros prior to
encryption (that is, extra bits must be appended to the trailing end of the data string). After
decryption, the extra bits must be discarded. As the AES peripheral does not pad the last
block automatically, the application must follow the recommendation given in
Section 24.4.4: AES procedure to perform a cipher operation on page 698 to manage
messages the size of which is not a multiple of 128 bits.
Note:
Padding data are swapped in the same way as normal data, according to the
DATATYPE[1:0] field of the AES_CR register (see Section 24.4.13: AES data registers and
data swapping on page 724 for details).
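The two application-side tasks this section leaves to software, handling the last two blocks with ciphertext stealing in CBC mode and zero-padding the final partial block (then discarding the extra bytes) in the other modes, are shown together in the added example below. It is not code from ST or from this manual. It implements variant CBC-CS3 of the NIST SP 800-38A Addendum on top of a whole-block encrypt/decrypt primitive, and a zero-padded CTR mode on the same primitive; the primitive itself (`toy_block_encrypt`/`toy_block_decrypt`) is a constructed, invertible stand-in and not AES, to be replaced by the peripheral's ECB operation or a real AES library. All function names, the sample key, IV and messages are constructed for the example. Because padding is done on the buffer before it is handed to the block function, the padding bytes go through whatever data swapping the DATATYPE[1:0] setting applies, as the note above requires.

```python
"""Application-side handling of messages that are not a multiple of the
16-byte AES block when the cipher engine only processes whole blocks:
  * CBC with ciphertext stealing (variant CBC-CS3, NIST SP 800-38A Addendum)
    built on plain block encryption/decryption, and
  * zero-padding plus truncation for a streaming mode (CTR shown here).
The block primitive below is a constructed stand-in, NOT AES; swap in the
hardware ECB operation or a real AES implementation for production use."""

BLOCK = 16  # AES block size in bytes (128 bits)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Placeholder for a single AES block encryption (invertible, insecure)."""
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[3:] + x[:3]  # XOR with key, then rotate bytes left by 3


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt."""
    x = block[-3:] + block[:-3]
    return bytes(a ^ b for a, b in zip(x, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_cs3_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-CS3: zero-pad the last block, run ordinary CBC, then emit the final
    full block before the truncated penultimate block. Output length equals
    input length; requires at least one full block of plaintext."""
    n = len(plaintext)
    if n < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    d = n % BLOCK or BLOCK            # bytes in the final, possibly partial, block
    padded = plaintext + bytes(BLOCK - d)
    blocks, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        blocks.append(prev)
    if len(blocks) == 1:              # exactly one block: nothing to steal
        return blocks[0]
    # Swap the last two blocks; the penultimate one is cut to d bytes.
    return b"".join(blocks[:-2]) + blocks[-1] + blocks[-2][:d]


def cbc_cs3_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cbc_cs3_encrypt: rebuild the stolen tail of the penultimate
    ciphertext block from the decryption of the final block, then run CBC."""
    n = len(ciphertext)
    if n < BLOCK:
        raise ValueError("ciphertext shorter than one block")
    if n == BLOCK:
        return xor(toy_block_decrypt(key, ciphertext), iv)
    d = n % BLOCK or BLOCK
    head = ciphertext[: n - BLOCK - d]             # untouched leading blocks
    c_last = ciphertext[n - BLOCK - d: n - d]      # full final block C_n
    c_pen_trunc = ciphertext[n - d:]               # first d bytes of C_{n-1}
    dec_last = toy_block_decrypt(key, c_last)      # = (P_n || zeros) XOR C_{n-1}
    c_pen = c_pen_trunc + dec_last[d:]             # the zeros reveal C_{n-1}'s tail
    p_last = xor(dec_last[:d], c_pen_trunc)        # final partial plaintext block
    out, prev = b"", iv
    for i in range(0, len(head), BLOCK):
        c = head[i:i + BLOCK]
        out += xor(toy_block_decrypt(key, c), prev)
        prev = c
    out += xor(toy_block_decrypt(key, c_pen), prev)
    return out + p_last


def ctr_crypt(key: bytes, counter_block: bytes, data: bytes) -> bytes:
    """CTR mode on whole blocks: the final partial block is zero-padded before
    it goes to the engine and the output is cut back to the real length.
    Encryption and decryption are the same operation."""
    padded = data + bytes(-len(data) % BLOCK)
    ctr = int.from_bytes(counter_block, "big")
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        cb = ((ctr + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big")
        out += xor(padded[i:i + BLOCK], toy_block_encrypt(key, cb))
    return bytes(out[: len(data)])


if __name__ == "__main__":
    key, iv = bytes(range(16)), bytes(16)  # constructed demo values
    msg = bytes(range(47))                 # 2 full blocks + 15 trailing bytes
    ct = cbc_cs3_encrypt(key, iv, msg)
    assert len(ct) == len(msg) and cbc_cs3_decrypt(key, iv, ct) == msg
    assert ctr_crypt(key, iv, ctr_crypt(key, iv, msg)) == msg
    print("CBC-CS3 and zero-padded CTR round trips OK")
```

In CBC-CS3 the ciphertext is exactly as long as the plaintext, so nothing has to be stored to recover the message length; the zero padding exists only inside the engine and is recovered from the decryption of the final block. In CTR the padding bytes simply produce extra keystream bytes that are dropped, which is why the ciphertext of a message is a prefix of the ciphertext of that message with zeros appended.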
A workaround is required in order to properly compute authentication tags for GCM
encryption when the input data in the last block is shorter than 128 bits. During the GCM
encryption payload phase, before inserting a last plaintext block smaller than 128 bits, the
application must apply the following steps:
RM0430 Rev 8
AES hardware accelerator (AES)
703/1324