AVR Freaks

This question is related to https://community.atmel.com/forum/ataes132a-help-decryption-mac-error

I am asking in a new thread because I believe my question has changed from why am I getting a MAC error to, this question "How to generate a MAC for Decryption". I am trying to do a simple Encryption and decryption on the same ATAES132a device. Am calculating the MAC correctly? I don't think I need to use CTR mode, as I am not using the AUTH command.

I.3 MAC Generation

The following example shows how the integrity MAC is calculated for an authentication operation requiring up to 14 bytes of authenticate-only data. This operation involves three passes through the AES crypto engine; all three using the same key. If there are more than 14 bytes of authenticate-only data, then another pass through the AES crypto engine is required. There are two passes through the AES crypto engine in CBC mode to create the cleartext MAC. The inputs to the crypto engine for those blocks are labeled B0 and B1, and the outputs are B’0 and B’1, respectively.

 

• B0 is composed of the following 128 bits:

– 1 byte flag, a fixed value of b0111 1001.
– 12 byte Nonce, as generated by the Nonce command.
– 1 byte MacCount, one for first MAC generation.
– 2 byte length field, always 0x00 00 for authentication only.

• B1 is the XOR of B’0 with the following 128 bits:
– 2 byte length field, size of authenticate-only data.
– 14 byte data to be authenticated only.

• B’1 is the cleartext MAC, which must be encrypted before being sent to the system.

There is one additional pass through the AES crypto engine in CTR mode to create the key block that is used to encrypt the MAC. The input to the crypto engine for this block is labeled A0 and the output is A’0. A’0 is the MAC sent to the system as the output parameter of the Auth command.

• A0 is composed of the following 128 bits:
– 1 byte flag – fixed value of b0000 0001.
– 12 byte Nonce – as generated by ATAES132A during Nonce command.
– 1 byte MacCount – one for first MAC generation.
– 2 byte counter field – always 0x00 00 for A0.

• A’0 is XOR’d with the cleartext MAC (B’1) and sent to the system.

Input integrity MACs for Auth, Counter, KeyCreate, and Lock are also calculated using this procedure. If the input MAC does not match A’0, then the command returns an AUTH error.

Code:

 uint8_t key[16] = {0x4D,0x79,0x53,0x65,0x63,0x72,0x65,0x74,0x6B,0x65,0x79,0x32,0x30,0x31,0x38,0x40};
 uint8_t b0[16] =  {0x79,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0xA5,0x01,0x00,0x00};
 uint8_t b1[16] =  {0x00,0x0E,0x06,0x00,0x00,0x00,0x00,0x0B,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

 uint8_t b0_result[16];
 uint8_t b1_result[16];

 int i;
 // pass 1 (CBC Mode)
 for(i = 0; i < 16;i++){
     b0_result[i] = b0[i] ^ key[i];
 }
 // pass 2 (CBC Mode)
 for(i = 0; i < 16;i++){
     b1_result[i] = b0_result[i] ^ b1[i];
 }

 printf("Out Mac [Clear Text]:\t");
 for(i = 0; i < 16;i++){
     printf("0x%02X ",b1_result[i]);
 }
 printf("\n");
 printf("Out Mac [Clear Text]:\t");
 for(i = 0; i < 16;i++){
     printf("%02X ",b1_result[i]);
 }
 printf("\n");

Output:

Out Mac [Clear Text]:   0x34 0xD2 0xF0 0xC0 0xC6 0xD7 0xC0 0xDA 0xCF 0xC0 0xDC 0x97 0x95 0x30 0x38 0x40
Out Mac [Clear Text]:   34 D2 F0 C0 C6 D7 C0 DA CF C0 DC 97 95 30 38 40