I need to generate M1, M2, and M3 in order to reprogram a security key within a SHE module. I have verified that both my AES_128_ECB function, as well as my CMAC function are working properly against NIST test vectors. I am also able to generate M1 and M2 correctly without issue, however, when I input M1||M2 into my CMAC function, the result I am getting is not the result for M3 that I should be getting according to the SHE test vector for memory reprogramming in the SHE documentation.
Here are all of the inputs and results for each of the steps of the M1,M2,M3 generating process:
New Key: 0f 0e 0d 0c 0b 0a 09 08 07 06 05 04 03 02 01 00
Auth Key: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
M1: 0 0 0 0 0 0 0 0 0 0 0 0 0 1 4 1
KDF result 1 K1: 7a cb d da b8 d3 ea 7b 97 9e 4c 6d 1a eb ac 8d
KDF result 1 K2: 7a cb d da b8 d3 ea 7b 97 9e 4c 6d 1a eb ac 8d
KDF result 2 K1: 6a 40 18 d6 87 a4 67 fc 15 14 25 af 38 9 7d 43
KDF result 2 K2: 55 72 74 af 5b fe d7 1f 26 15 ea 24 24 74 12 1f
K1: 11 8a 46 44 7a 77 d 87 82 8a 69 c2 22 e2 d1 7e
K2: 2e bb 2a 3d a6 2d bd 64 b1 8b a6 49 3e 9f be 22
input 1 M2: 0 0 0 10 0 0 0 0 0 0 0 0 0 0 0 0
output 1 M2: 2b 11 1e 2d 93 f4 86 56 6b cb ba 1d 7f 7a 97 97
output 1 xor input 2 M2: 24 1f 13 21 98 fe 8f 5e 6c cd bf 19 7c 78 96 97
output 2 M2: c9 46 43 b0 50 fc 5d 4d 7d e1 4c ff 68 22 3 c3
M2: 2b 11 1e 2d 93 f4 86 56 6b cb ba 1d 7f 7a 97 97 c9 46 43 b0 50 fc 5d 4d 7d e1 4c ff 68 22 3 c3
input M3: 0 0 0 0 0 0 0 0 0 0 0 0 0 1 4 1 2b 11 1e 2d 93 f4 86 56 6b cb ba 1d 7f 7a 97 97 c9 46 43 b0 50 fc 5d 4d 7d e1 4c ff 68 22 3 c3
M3: c 12 41 48 ff d6 fa f7 e4 25 6a 84 53 b2 81 8d
This is driving me crazy. The input data to the generation algorithm were taken directly from the SHE test vector. According to the algorithm all I should have to do to get M3 is to run a CMAC over M1||M2, but my result does not match what it should be.
I can only assume I am missing some extra step that is needed for M3, beyond just running the CMAC over M1||M2. Does anybody here have any experience with SHE modules and generating the data to reprogram a key?
Tried rearranging the order of M1||M2 with no luck
byte KEY_UPDATE_ENC_C[16] = { 0x01, 0x01, 0x53, 0x48, 0x45, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB0 };
byte KEY_UPDATE_MAC_C[16] = { 0x01, 0x02, 0x53, 0x48, 0x45, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB0 };
byte keyAuth[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F };
byte keyNew[16] = { 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00 } ;
byte iniVec[16];
byte k1_o1[16];
byte k1[16];
byte k2_o1[16];
byte k2[16];
byte m1[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x04, 0x01 }
byte m2_i1[16] = { 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
byte m2_o1[16];
byte m2_o2[16];
byte m2[32];
byte m3_i[48];
byte m3[16];
qword i;
...
// Generate K1, K2
encrypt( KEY_LEN_128, iniVec, BLOCK_LEN_128, keyAuth, k2_o1 );
for( i = 0; i < BLOCK_LEN_128; i++ )
k1_o1[i] = k2_o1[i] ^= keyAuth[i];
encrypt( KEY_LEN_128, k1_o1, BLOCK_LEN_128, KEY_UPDATE_ENC_C, k1 );
encrypt( KEY_LEN_128, k2_o1, BLOCK_LEN_128, KEY_UPDATE_MAC_C, k2 );
for( i = 0; i < BLOCK_LEN_128; i++ ) {
k1[i] ^= k1_o1[i] ^ KEY_UPDATE_ENC_C[i];
k2[i] ^= k2_o1[i] ^ KEY_UPDATE_MAC_C[i]; }
// Generate M2
encrypt( KEY_LEN_128, k1, BLOCK_LEN_128, m2_i1, m2_o1 );
for( i = 0; i < BLOCK_LEN_128; i++ )
keyNew[i] ^= m2_o1[i];
encrypt( KEY_LEN_128, k1, BLOCK_LEN_128, keyNew, m2_o2 );
for( i = 0; i < 32; i++ ) {
if( i < 16 )
m2[i] = m2_o1[i];
else
m2[i] = m2_o2[i-16]; }
// Generate M3
for( i = 0; i < 48; i++ ) {
if( i < 16 )
m3_i[i] = m1[i];
else
m3_i[i] = m2[i-16]; }
LocalSecurityGenerateCMAC( k2, KEY_LEN_128, m3_i, 48, m3, BLOCK_LEN_128 );
M3 / CMAC result should be: b9 d7 45 e5 ac e7 d4 18 60 bc 63 c2 b9 f5 bb 46