Anyone know how to decrypt with mbed aes CTR mode?

Posts: 19
Joined: Mon Jun 10, 2019 4:01 pm

Anyone know how to decrypt with mbed aes CTR mode?

Postby phantomBlurrr » Tue Aug 13, 2019 3:08 pm

I'm trying to encrypt/decrypt data using mbed aes CTR mode. I can get the encryption to work, but I can't figure out how to make it decrypt. Below is my code:

Code: Select all

        mbedtls_aes_context aes;
	unsigned char key[16];
	unsigned char input[128] = {0x48, 0x45, 0x4c, 0x4c, 0x4f};
	unsigned char output[128];
	unsigned char decrypt[128];
	size_t input_len = 40;
	unsigned char nonce_counter[16] = {0};
	unsigned char stream_block[16];
	unsigned int nc_off = 0;

	memcpy(key, key_128, 16);

	printf("aes Key: \n");
	for(int i = 0; i < 16; i++)

	mbedtls_aes_setkey_enc(&aes, key, 128);
	mbedtls_aes_setkey_dec(&aes, key, 128);
	mbedtls_aes_crypt_ctr(&aes, input_len, &nc_off, nonce_counter, stream_block, input, output);

	printf("aes input: \n");
	for(int i = 0; i < 5; i++)

	printf("aes encrypt: \n");
	for(int i = 0; i < 5; i++)

	mbedtls_aes_crypt_ctr(&aes, input_len, &nc_off, nonce_counter, stream_block, output, decrypt);

	printf("aes decrypt: \n");
	for(int i = 0; i < 5; i++)
I get the following:
aes input: 48454c4c4f
aes encrypt: 3856ba1f36
aes decrypt: 3853a9924d

As you can see, aes input =/= aes decrypt. Any ideas?

Posts: 2121
Joined: Sun May 08, 2016 4:11 am

Re: Anyone know how to decrypt with mbed aes CTR mode?

Postby ESP_Angus » Wed Aug 14, 2019 1:22 am

When you use an mbedTLS CTR function it updates the nonce counter block and the stream block contents, in preparation for additional bytes. So the "decrypt" is not using the same nonce & counter block data as the initial "encrypt".

If you set the nonce block back to the same value used for the initial encryption (the initial nonce is all zeroes in your case, which not recommended), then you'll be able to decrypt.

Posts: 1078
Joined: Wed Jun 14, 2017 9:00 pm

Re: Anyone know how to decrypt with mbed aes CTR mode?

Postby chegewara » Wed Aug 14, 2019 8:32 pm ... ain/main.c

As Angus said, nonce value is changed by encrypt/decrypt function and you cant pass it to the next function. You can see i have 2 nonce, one for encrypt and one for decrypt function.

Code: Select all

static void ctr()
    size_t nc_off = 0;
    size_t nc_off1 = 0;
    unsigned char nonce_counter[16] = {0};
    unsigned char stream_block[16] = {0};
    unsigned char nonce_counter1[16] = {0};
    unsigned char stream_block1[16] = {0};
    unsigned char encrypt_output[INPUT_LENGTH] = {0};
    unsigned char decrypt_output[INPUT_LENGTH] = {0};
    size_t iv_offset = 0;
    size_t iv_offset1 = 0;
    mbedtls_aes_crypt_ctr(&aes, INPUT_LENGTH, &nc_off, nonce_counter, stream_block, input, encrypt_output);
    mbedtls_aes_crypt_ctr(&aes, INPUT_LENGTH, &nc_off1, nonce_counter1, stream_block1, encrypt_output, decrypt_output);
    ESP_LOG_BUFFER_HEX("ctr", encrypt_output, INPUT_LENGTH);
    ESP_LOG_BUFFER_HEX("ctr", decrypt_output, INPUT_LENGTH);
    ESP_LOGI("ctr", "%s", decrypt_output);

Posts: 2
Joined: Mon Jun 17, 2019 10:47 pm

Re: Anyone know how to decrypt with mbed aes CTR mode?

Postby monkey » Tue Jan 07, 2020 3:44 am

Hi all,

I'm using BLE on ESP32 to run the provisioning. This uses AES CTR mode encrypt & decryption. I've got a related question. I noticed during the session establishment process that I had to increment the nonce to get the link to work. After exchanging the initial random IV (nonce). I used this to send the first message, and incremented it by 2 to account for the 32 bytes I'd just sent. I was then able to decrypt the response from the subsequent read. So, it seems that both sides are keeping track of the nonce and using a single shared key and nonce. Am I right?

I've found 2 stumbling blocks.

1. When I write repeatedly to the start scan or another scan endpoint, only the first works. I'm continuing the increase the nonce by what I believe to be the correct amount. But the second attempt always kills the connection due to this error:

Code: Select all

E (165849) proto_wifi_scan: Unable to unpack scan message
E (165859) protocomm: Request handler for prov-scan failed
E (165859) protocomm_ble: Invalid content received, killing connection
2. When I read back from the scan status endpoint, weirdly the encrypted data doesn't seem to change. So, clearly the nonce is not being incremented on the device as part of the readback... It's all very confusing...

I'm using CryptoJS on my end, and I haven't figured out how to let it handle the nonce for me, not that I'm sure it could do so given the odd things I've observed... N.B. The whole things works fine with the supplied ESP Provisioning app. So, I'm clearly not understanding something here. Or something very 'bespoke' is going on to make it more difficult to port.

Who is online

Users browsing this forum: ntremble and 42 guests