Wednesday, November 2, 2016


We are confused about CMAC and CCM. In particular, what do AES-CMAC and AES-CCM mean? They are defined in the following specifications.
  • NIST 800-38B CMAC
  • NIST 800-38C CCM
  • RFC 4493 AES-CMAC
  • RFC 3610 Counter with CBC-MAC (CCM)
After reading them, I concluded that:
  • CMAC is used for authentication.
  • CCM is used for authentication and confidentiality.
  • CBC-MAC, CMAC, and CCM have some differences.

I drew the picture below to explain their relationships.

  • MAC - Message Authentication Code
  • HMAC - Hash-Based MAC
  • CBC-MAC - Cipher Block Chaining MAC
  • CMAC - Cipher-Based MAC
  • CBC - Cipher Block Chaining
  • CCM - Counter with CBC-MAC
  • ECB - Electronic Code Book

A MAC is a short piece of information used to authenticate a message. There are two types of MAC: hash-function-based MAC and cipher-based MAC.

Implementations of the hash-function-based MAC, abbreviated HMAC, include HMAC-MD5, HMAC-SHA1, and HMAC-SHA256. The suffix (e.g. -MD5, -SHA1, or -SHA256) names the hash function used in the MAC.

CBC-MAC is a cipher-based MAC. CMAC is a variation of CBC-MAC that addresses the security deficiencies of CBC-MAC. AES-CMAC and TDEA CMAC are implementations of CMAC.

ECB, CBC, and CCM are block cipher modes. CCM is an adaptation of CBC; its name stands for counter with CBC-MAC. AES-CCM is only one implementation of CCM.

In conclusion,

  1. AES-CMAC is a MAC, implemented with the AES algorithm, for authentication.
  2. AES-CCM is the AES cipher in CCM mode, for authentication and confidentiality.
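
The difference between the two conclusions, as an added example that is not part of the original post: AES-CMAC returns only a tag and leaves the message readable, while AES-CCM returns ciphertext plus a tag. It assumes the third-party Python package cryptography is installed; the key and message are test vector "Example 2" from RFC 4493, and the nonce and header are constructed values.

```python
# Added example; requires the third-party "cryptography" package.
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

# Key and message: RFC 4493 test vector "Example 2".
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
MSG = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")
NONCE = bytes(13)  # constructed; a CCM nonce must never repeat under one key

def aes_cmac(key, message):
    """AES-CMAC: a 16-byte tag. The message itself is not encrypted."""
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(message)
    return mac.finalize()

def aes_cmac_ok(key, message, tag):
    """Recompute the tag and compare it in constant time."""
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(message)
    try:
        mac.verify(tag)
        return True
    except InvalidSignature:
        return False

def aes_ccm_seal(key, nonce, message, header=b""):
    """AES-CCM: ciphertext || 16-byte tag. The header is authenticated only."""
    return AESCCM(key, tag_length=16).encrypt(nonce, message, header)

def aes_ccm_open(key, nonce, sealed, header=b""):
    """Return the plaintext, or None if the tag does not verify."""
    try:
        return AESCCM(key, tag_length=16).decrypt(nonce, sealed, header)
    except InvalidTag:
        return None

if __name__ == "__main__":
    print("CMAC tag  :", aes_cmac(KEY, MSG).hex())
    print("CCM output:", aes_ccm_seal(KEY, NONCE, MSG, b"hdr").hex())
```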


Sunday, October 30, 2016

Use a computer to emulate temperature devices connecting to AWS IoT

I modified the sample basicPubSub of the project aws-iot-device-sdk-python to develop a Python tool for testing the AWS IoT service.

My project is AwsIotPythonTest.

We can use the tool to emulate 3 connected devices: two temperature sensors and one monitor. They run in a PC environment by opening 3 consoles. When running, they connect to the AWS IoT service and exchange temperature information via MQTT, as in the picture below.

The Sensor 1 and Sensor 2 devices connect to the AWS IoT service and publish temperature information to the service. The Monitor device connects to the service and subscribes to it to receive temperature information coming from the sensor devices. The publish/subscribe model follows MQTT. I described the idea of the emulator in detail in the project AwsIotPythonTest.


Thursday, October 27, 2016

How to use a computer as an IoT device to connect AWS IoT service?

Although we don't have an Amazon IoT Button or other devices to try AWS IoT, remember that our computers are devices too. So let's make them IoT devices.

The sample in AWS IoT Python SDK can help us do it.

We follow the AWS IoT tutorial to create a device certificate. We download the device certificate, its root CA, and its private key to the local path where the sample exists.

We also create a policy and a device, and attach both resources to the device certificate.

Because the command arguments of the sample are too long, I prefer to write a makefile to test it.

E1 = a2uc?????????? 
R1 = VeriSign-Class\ 3-Public-Primary-Certification-Authority-G5.pem
C1 = 5988??????-certificate.pem.crt
K1 = 5988??????-private.pem.key

    python3 -e $(E1) -r $(R1) -c $(C1) -k $(K1)

Run the sample.

>make -f dev1

It will publish messages and receive subscribed messages in a loop.


Install AWS IoT Python SDK in Mac

I followed the steps in the page to install AWS IoT Python SDK on my MacBook but I ran into a problem.

I checked that my Python is version 3.

>python3 -V
Python 3.5.2

But the OpenSSL used by this Python is not the 1.0.x that is required by the SDK.

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zh 14 Jan 2016'

I used brew to download the new OpenSSL.

>brew update
>brew install openssl
>brew link --force openssl

The above command produced a warning.

The command cannot build a link at /usr/bin/openssl because that location is occupied by a real openssl file. I wanted to remove the openssl below but I couldn't.

>cd /usr/bin
>sudo rm -rf openssl
rm: openssl: Operation not permitted

I followed the page to remove it.

>csrutil disable
>cd /usr/bin
>sudo rm -rf openssl
>csrutil enable

At that time, I made sure that the old openssl was killed.

I built OpenSSL links.

>ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
>ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
>ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl /usr/bin/openssl

I checked the Python's OpenSSL again; it was still 0.9.

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zh 14 Jan 2016'

This Python was installed from a PKG and OpenSSL 0.9.8 is embedded in it. Therefore I wanted to remove this Python.

I followed the page to uninstall the old Python 3.

1. Go to Finder>Applications>Python 3.0. Right click, select Move to Trash.

>cd /Library/Frameworks/
>sudo rm -rf Python.framework

I used brew to install Python 3 with OpenSSL 1.0.2.

>brew install python3 --with-brewed-openssl

I checked the Python's OpenSSL again.

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2j  26 Sep 2016'

OKAY. I had upgraded Python and OpenSSL.

Then I downloaded the SDK and ran a sample on my MacBook. The final steps followed the end of the page.


Install AWS IoT Python SDK in Windows

AWS IoT is an IoT platform provided by Amazon to connect devices in the cloud. We can use the AWS IoT Python SDK to write Python scripts that access the AWS IoT platform through MQTT to interact with connected devices. The following are the steps for installing the SDK.

Check if the current Python is version 3.

>python -V
Python 3.5.2 ...

I prefer to use Python 3. If it is not, we can download the newest Python 3.5.2 from the website and install it.

Check the OpenSSL version used by the Python.

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2h  3 May 2016'

Install the AWS IoT Python SDK from source, which contains samples.

>git clone
>cd aws-iot-device-sdk-python
>python install

We can also install the SDK with pip, but that package doesn't include the samples.

>pip install AWSIoTPythonSDK

Run a sample

>cd samples/basicPubSub

An error occurs.

This page has a workaround:
import os
import sys
import AWSIoTPythonSDK
sys.path.insert(0, os.path.dirname(AWSIoTPythonSDK.__file__))
# Now the import statement should work
from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient

Run the sample again.

>python -h


Monday, October 24, 2016

Why can't the S-box of the DES cipher be linear?

We cannot use just any S-box in the DES cipher. One of the rules for choosing an S-box is that it cannot be linear. How do we understand this? Below is my explanation, but I'm not sure it is correct.

The Stanford online course, Cryptography I, explains that if the S-box is chosen to be linear, the DES cipher would be linear.

DES(k, m) = B x |m  |= c    (statement 1)
                |k1 |
                |k2 |
                |.  |
                |.  |
                |.  |

|m| = |c| = 64 (bits)
|ki| = 48 (bits)
B is a 64x832 matrix.

The course says, "You just need 832 input output pairs, and you'll be able recover the entire secret key." How can we explain this? We can use a simple example:

B is 2 x 4 matrix.
|m| = |c| = |k| = 2 (bits)

We rewrite statement 1 as below.

|b1 b2 b3 b4| x |m1| = |c1|
|b5 b6 b7 b8|   |m2|   |c2|
                |k1|
                |k2|

This gives the statements below.

b1m1 xor b2m2 xor b3k1 xor b4k2 = c1    (statement 2)
b5m1 xor b6m2 xor b7k1 xor b8k2 = c2    (statement 3) 

We assume that we don't know any b or any k, but we know the input m and the output c.

For statement 2, the number of unknown variables is 4. They are,
b1, b2, b3k1, b4k2.

For statement 3, the number of unknown variables is 4. They are,
b5, b6, b7k1, b8k2.

Total number of unknown variables is 8. Therefore we need 8 equations to derive all values of b and k.


|m| = |c| = 2

Each input/output pair gives 2 equations. That is why we need 8/2 = 4 input/output pairs to derive all values of b and k.
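
What linearity gives away, as an added example that is not from the course or the original post: a toy 16-bit Feistel cipher (its sizes, its rotation-based linear S-box and its shuffled contrast S-box are all constructed here, and it is not DES). With the linear S-box the cipher is an affine map over GF(2) for a fixed key, so E(0) and the 16 single-bit ciphertexts determine every other ciphertext without the key; with the nonlinear S-box the same model fails.

```python
import random

HALF, ROUNDS = 8, 4                      # toy sizes: 16-bit block, 4 rounds
MASK = (1 << HALF) - 1
_TABLE = list(range(256))
random.Random(7).shuffle(_TABLE)         # constructed random S-box for contrast

def rotl(x, r):
    return ((x << r) | (x >> (HALF - r))) & MASK

def linear_sbox(x):
    # XOR of rotations is linear over GF(2): S(a ^ b) == S(a) ^ S(b)
    return x ^ rotl(x, 1) ^ rotl(x, 3)

def random_sbox(x):
    return _TABLE[x]

def encrypt(block, round_keys, sbox):
    left, right = block >> HALF, block & MASK
    for k in round_keys:                 # Feistel round: L, R = R, L ^ S(R ^ k)
        left, right = right, left ^ sbox(right ^ k)
    return (left << HALF) | right

def learn_affine_model(oracle):
    """17 queries: E(0) and E(e_i) for each single-bit block e_i."""
    c0 = oracle(0)
    return c0, [oracle(1 << i) ^ c0 for i in range(2 * HALF)]

def predict(model, block):
    """E(m) = E(0) ^ XOR of the learned columns for the set bits of m."""
    out, columns = model
    for i, col in enumerate(columns):
        if (block >> i) & 1:
            out ^= col
    return out

def prediction_rate(sbox, trials=500, seed=1):
    rng = random.Random(seed)
    keys = [rng.randrange(1 << HALF) for _ in range(ROUNDS)]  # secret round keys
    oracle = lambda m: encrypt(m, keys, sbox)
    model = learn_affine_model(oracle)
    msgs = [rng.randrange(1 << (2 * HALF)) for _ in range(trials)]
    return sum(predict(model, m) == oracle(m) for m in msgs) / trials

if __name__ == "__main__":
    print("linear S-box:", prediction_rate(linear_sbox))
    print("random S-box:", prediction_rate(random_sbox))
```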


Sunday, October 23, 2016

Use to analyze UEFI BIOS

We can use to analyze UEFI BIOS. Below are the input files.

  • BIOS.rom - A capsule file built by EDK build system.
  • SPI0.bin - A binary file dumped from SPI ROM 0 after first booting.
  • SPI1.bin - A binary file dumped from SPI ROM 1 after first booting.
The tool converts each byte into 8 pixels, each either black or white. For example,

Byte = 55h = 01010101
  = 1 -> 0 -> 1 -> 0 -> 1 -> 0 ->1 -> 0
  = black, white, black, white, black, white, black, white

We use the below commands to generate PNG files with black-white bit pixels from the input files.

python3 -w 6000 BIOS.rom
python3 -w 6000 SPI0.bin
python3 -w 6000 SPI1.bin

The option -w 6000 means that the tool generates an image that is 6000 pixels wide.

Below are the generated PNG files. I think any BIOS engineer will know what happens by observing these images, especially BIOS.rom.png and SPI1.bin.png.
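
The byte-to-pixel mapping described above, as an added example that is not the tool used in this post: it follows the 55h example (bits taken from the least significant end, 1 = black) and writes a binary PBM image instead of PNG so that it needs no libraries. The function names and the sample bytes are constructed for illustration.

```python
def pixel(data, p):
    """Pixel p of the bit stream: LSB-first within each byte, 1 = black."""
    if p >= len(data) * 8:
        return 0                                  # pad the last row with white
    return (data[p >> 3] >> (p & 7)) & 1

def to_pbm(data, width):
    """Render bytes as a binary PBM (P4) image that is `width` pixels wide."""
    if width <= 0:
        raise ValueError("width must be positive")
    height = max(1, -(-len(data) * 8 // width))   # ceiling division
    row_bytes = (width + 7) // 8
    out = bytearray(b"P4\n%d %d\n" % (width, height))
    for y in range(height):
        for xb in range(row_bytes):
            packed = 0
            for x in range(xb * 8, xb * 8 + 8):
                bit = pixel(data, y * width + x) if x < width else 0
                packed = (packed << 1) | bit      # PBM packs MSB-first, 1 = black
            out.append(packed)
    return bytes(out)

def black_fraction_by_row(data, width):
    """Share of black pixels per row; rows of FFh read 1.0, rows of 00h read 0.0."""
    total = len(data) * 8
    rows = []
    for start in range(0, total, width):
        end = min(start + width, total)
        rows.append(sum(pixel(data, p) for p in range(start, end)) / (end - start))
    return rows

# Constructed sample: a run of FFh, a run of 00h, then the 55h pattern.
SAMPLE = b"\xff" * 4 + b"\x00" * 4 + b"\x55" * 4

if __name__ == "__main__":
    print(black_fraction_by_row(SAMPLE, 32))
    print(to_pbm(SAMPLE, 32))
```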