Crypto: AES CBC

The AES CBC sample demonstrates how to use the PSA Crypto API to perform AES encryption and decryption operations using the CBC block cipher mode without padding and a 128-bit AES key.

Requirements

The sample supports the following development kits:

Hardware platforms

PCA

Board name

Board target

nRF9161 DK

PCA10153

nrf9161dk

nrf9161dk/nrf9161/ns nrf9161dk/nrf9161

nRF9160 DK

PCA10090

nrf9160dk

nrf9160dk/nrf9160/ns nrf9160dk/nrf9160

nRF9151 DK

PCA10171

nrf9151dk

nrf9151dk/nrf9151/ns nrf9151dk/nrf9151

nRF7120 DK

nrf7120dk

nrf7120dk/nrf7120/cpuapp/ns nrf7120dk/nrf7120/cpuapp

nRF54LV10 DK

PCA10188

nrf54lv10dk

nrf54lv10dk/nrf54lv10a/cpuapp/ns nrf54lv10dk/nrf54lv10a/cpuapp

nRF54LS05 DK

PCA10214

nrf54ls05dk

nrf54ls05dk/nrf54ls05b/cpuapp nrf54ls05dk/nrf54ls05a/cpuapp

nRF54LM20 DK

PCA10184

nrf54lm20dk

nrf54lm20dk/nrf54lm20b/cpuapp/ns nrf54lm20dk/nrf54lm20b/cpuapp nrf54lm20dk/nrf54lm20a/cpuapp/ns nrf54lm20dk/nrf54lm20a/cpuapp

nRF54LC10 DK

PCA10226

nrf54lc10dk

nrf54lc10dk/nrf54lc10a/cpuapp

nRF54L15 DK

PCA10156

nrf54l15dk

nrf54l15dk/nrf54l15/cpuapp/ns nrf54l15dk/nrf54l15/cpuapp

nRF54L15 DK (emulating nRF54L10)

PCA10156

nrf54l15dk

nrf54l15dk/nrf54l10/cpuapp/ns nrf54l15dk/nrf54l10/cpuapp

nRF54L15 DK (emulating nRF54L05)

PCA10156

nrf54l15dk

nrf54l15dk/nrf54l05/cpuapp

nRF54H20 DK

PCA10175

nrf54h20dk

nrf54h20dk/nrf54h20/cpuapp

nRF5340 DK

PCA10095

nrf5340dk

nrf5340dk/nrf5340/cpuapp/ns nrf5340dk/nrf5340/cpuapp

nRF52840 DK

PCA10056

nrf52840dk

nrf52840dk/nrf52840

For more security, it is recommended to use the */ns variant of the board target. When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.

Overview

The sample enables PSA Crypto API and configures the following Kconfig options for the cryptographic features:

The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the boards directory.

These Kconfig options are then used by the build system to compile the required cryptographic PSA directives and make the configured cryptographic drivers available at runtime. See Driver selection for more information about this process.

Once built and run, the sample performs the following operations:

  1. Initialization:

    1. The PSA Crypto API is initialized using psa_crypto_init().

    2. A random 128-bit AES key is generated using psa_generate_key() and stored in the PSA crypto keystore. The key is configured with usage flags for both encryption and decryption.

  2. Encryption and decryption of a sample plaintext:

    1. An encryption operation is set up using psa_cipher_encrypt_setup() with the PSA_ALG_CBC_NO_PADDING algorithm.

    2. A random initialization vector (IV) is generated using psa_cipher_generate_iv().

    3. Encryption is performed using psa_cipher_update() and finalized with psa_cipher_finish().

    4. A decryption operation is set up using psa_cipher_decrypt_setup().

    5. The IV from the encryption step is set using psa_cipher_set_iv().

    6. Decryption is performed using psa_cipher_update() and finalized with psa_cipher_finish().

    7. The decrypted text is compared with the original plaintext to verify correctness.

  3. Cleanup:

    1. The AES key is removed from the PSA crypto keystore using psa_destroy_key().

Building and running

This sample can be found under samples/crypto/aes_cbc in the nRF Connect SDK folder structure.

For more security, it is recommended to use the */ns variant of the board target (see the Requirements section above.) When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.

To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.

Note

When building repository applications in the SDK repositories, building with sysbuild is enabled by default. If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit with a terminal emulator (for example, the Serial Terminal app). See Testing and optimization for the required settings and steps.

  2. Build and program the application.

  3. Observe the logs from the application using the terminal emulator. For example, the log output should look like this:

*** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
*** Using Zephyr OS v4.1.99-1612683d4010 ***
[00:00:00.251,159] <inf> aes_cbc: Starting AES-CBC-NO-PADDING example...
[00:00:00.251,190] <inf> aes_cbc: Generating random AES key...
[00:00:00.251,342] <inf> aes_cbc: AES key generated successfully!
[00:00:00.251,373] <inf> aes_cbc: Encrypting using the AES CBC mode...
[00:00:00.251,708] <inf> aes_cbc: Encryption successful!
[00:00:00.251,708] <inf> aes_cbc: ---- IV (len: 16): ----
[00:00:00.251,739] <inf> aes_cbc: Content:
                                 c3 1e 5b 35 97 25 ee a3  ef ba 66 c3 f9 81 37 2a |..[5.%.. ..f...7*
[00:00:00.251,770] <inf> aes_cbc: ---- IV end  ----
[00:00:00.251,800] <inf> aes_cbc: ---- Plaintext (len: 64): ----
[00:00:00.251,831] <inf> aes_cbc: Content:
                                 45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t
                                 6f 20 64 65 6d 6f 6e 73  74 72 61 74 65 20 62 61 |o demons trate ba
                                 73 69 63 20 75 73 61 67  65 20 6f 66 20 41 45 53 |sic usag e of AES
                                 20 43 42 43 20 6d 6f 64  65 2e 00 00 00 00 00 00 | CBC mod e.......
[00:00:00.251,831] <inf> aes_cbc: ---- Plaintext end  ----
[00:00:00.251,861] <inf> aes_cbc: ---- Encrypted text (len: 64): ----
[00:00:00.251,892] <inf> aes_cbc: Content:
                                 cc 7d c0 ed 63 5b df 28  08 2b 03 33 a4 3c dc 1d |.}..c[.( .+.3.<..
                                 76 9d a9 cb 1c 49 4f 6d  ef b8 a2 aa 11 2c fc bd |v....IOm .....,..
                                 39 56 54 b5 96 6e 13 e2  7d 22 26 1e 3c 7c 3e eb |9VT..n.. }"&.<|>.
                                 15 60 31 d3 58 02 b6 85  98 63 2c e6 ad dc aa 19 |.`1.X... .c,.....
[00:00:00.251,922] <inf> aes_cbc: ---- Encrypted text end  ----
[00:00:00.251,953] <inf> aes_cbc: Decrypting using the AES CBC mode...
[00:00:00.252,166] <inf> aes_cbc: ---- Decrypted text (len: 64): ----
[00:00:00.252,197] <inf> aes_cbc: Content:
                                 45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t
                                 6f 20 64 65 6d 6f 6e 73  74 72 61 74 65 20 62 61 |o demons trate ba
                                 73 69 63 20 75 73 61 67  65 20 6f 66 20 41 45 53 |sic usag e of AES
                                 20 43 42 43 20 6d 6f 64  65 2e 00 00 00 00 00 00 | CBC mod e.......
[00:00:00.252,227] <inf> aes_cbc: ---- Decrypted text end  ----
[00:00:00.252,258] <inf> aes_cbc: Decryption successful!
[00:00:00.252,288] <inf> aes_cbc: Example finished successfully!