# xxtea implementation

hi all, I would like to try the xxtea encryption routine so after a bit searching I found this arduino library:

the library has other functions (hashing hmac etc.) so I cutted just the functions that I need in my project and pasted them in my sketch:

``````#define	BLOCK_SIZE	(128/8)
#define	KEY_SIZE	(128/8)

#define DELTA 0x9e3779b9
#define MX ((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (k[(p&3)^e] ^ z));

void btea(uint32_t *v, int n, uint32_t *k) {
uint32_t y, z, sum;
unsigned p, rounds, e;
if (n > 1) {          /* Coding Part */
rounds = 6 + 52/n;
sum = 0;
z = v[n-1];
do {
sum += DELTA;
e = (sum >> 2) & 3;
for (p=0; p<n-1; p++)
y = v[p+1], z = v[p] += MX;
y = v[0];
z = v[n-1] += MX;
} while (--rounds);
} else if (n < -1) {  /* Decoding Part */
n = -n;
rounds = 6 + 52/n;
sum = rounds*DELTA;
y = v[0];
do {
e = (sum >> 2) & 3;
for (p=n-1; p>0; p--)
z = v[p-1], y = v[p] -= MX;
z = v[n-1];
y = v[0] -= MX;
} while ((sum -= DELTA) != 0);
}
}

int xxteaEncrypt(char *inputText, unsigned int inputTextLength, uint32_t *k)
{
unsigned int numBlocks = (inputTextLength <= BLOCK_SIZE ? 1 : inputTextLength/BLOCK_SIZE);
unsigned int offset, i;

// Padding if necessary till a full block size
if ((offset = inputTextLength % BLOCK_SIZE) != 0)
memset(inputText+inputTextLength, 0x00, BLOCK_SIZE - offset);

for (i=0; i<numBlocks;i++){
btea((uint32_t *)inputText, BLOCK_SIZE/4,k);
inputText+=BLOCK_SIZE;
}

return numBlocks;
}

int xxteaDecrypt(char *inputText, unsigned int inputTextLength, uint32_t *k)
{
unsigned int numBlocks = (inputTextLength <= BLOCK_SIZE ? 1 : inputTextLength/BLOCK_SIZE), i;

for (i=0; i<numBlocks;i++){
btea((uint32_t *)inputText, BLOCK_SIZE/4*(-1),k);
inputText+=BLOCK_SIZE;
}

return numBlocks;
}
``````

I've tried different ways to use them but without any luck, can someone tell me how to call the encription and decription functions?
thank you!

To encrypt, call like this:

``````#define KEY_SIZE 5   //set acording to your needs

char data[]="Hello World!";
unsigned int length=sizeof(data);
uint32_t k[KEY_SIZE]={1000, 2000, 3000, 4000, 5000};

xxteaEncrypt(data, length, &k);
printf("Encrypted data: %s", data);           //this line is C code. Replace with arduino code(I couldnt remember )

xxteaEncrypt(data, length, &k);
printf("Decrypted data: %s", data);
``````

This MIGHT work. I dont know how big a key the code takes. So replace KEY_SIZE 5 with appropriate value.

Thank you!
but I have another question.. xxteaEncrypt on arduino returns me unprintable or strange characters.. I need to send them and in this form I don't know how to do it.
I've tried to pass them in base64.. but neither that was useful, the characters decoded aren't the same that I encoded and so the result can't be decrypted.
Maybe I'm wrong but have I need a result inside the ascii charset? How can I do it?

All encryption functions work on binary values, its up to you to decide how to handle them. Base64 is as good a method as any - if you failed to get back the same string after decryption them you have either used a different key at decryption time or have a bug - post your code perhaps?

By the way XXTEA has known issues with large blocks, I would stick to 128 or 256 bit block sizes only.

You really need to read up about cryptography before implementing it yourself, there are plenty of pitfalls that result in a totally insecure system if you don't know what you're doing - post your code here and more eyes will get to check out how you are using it.

For instance what block-cipher mode are you using? Are you doing authentication? (Authentication is often more important that secrecy).

Thank you mark.. I read a lot about cryptography.. I just chose xxTea because it seems to be the better solution due to speed/security.. I have just to encrypt command strings between my application (pc/iphone) and an arduino connected to the ethernet (public static ip).. I've thought also to rc4 and xor encryption (with a key as long as the content or more and random salt for better security).
What do you mean with Authentication? How can I authenticate that the command came from my pc/iphone?

Ah good - I was perhaps jumping the gun then. Yes, XXTEA does seem a reasonable compromise for size/security (AES is quite a bit larger, though will fit on an Arduino). The guidance in "Cryptography Engineering" Ferguson/Schneier/Kohno (formerly "Practical Cryptography") is a great resource I've found.

ok.. from what I understand you are telling me to put a system of username/password to login the arduino?
I'm trying to make a telnet server not a webserver.

Authentication just means you can distinguish commands from a valid source from those from an attacker. The usual method is a MAC plus enough information to foil replay attacks.

But before anything you need to define your threat-model - ie what are you protecting against?

I've designed a kind of plc that controls the projector, the lights and the audio processor in a cinema.. It's a public place with also a wifi and i just saw that is not so difficult find out my arduino ip..
Using an HMAC as you suggest me, should I send a 'packet' formed by plaintext message + HMAC?
Isn't this solution weak against sniffing attacks? A 'possible' attacker could just sniff this 'packet' and use it to resend the command.. (the plaintext command is always the same and I can't add a random nonce because the hmac will never corrispond)
I know that this could be an improbably scenario but I really would like to find out a solution to use it with other projects, that could run in my house for example..

A nonce is the simplest way to prevent replay attacks - the sender and receiver have to keep in step, and since you always ignore any message that doesn't authenticate then the worst an attacker can do is swallow packets, not forge or replay.

Hi, i need some help here,i post to stackoverflow but still without response