Electronic keys work with hardware algorithms according to the following general scheme:  a block of data is sent from the protected application to the key (question to key), this sequence of data is then converted (encrypted or decrypted) by the key using the symmetric hardware algorithm. This produces a key response to be sent to the protected program.
Most often, a protection system developer for any application is limited to a very small number of possible questions and answers that are used for a short period of time. This makes the task of building table emulators much easier, since it takes very little time to track all requests and responses. This is one of the most common mistakes in developing protection systems.
To ensure effective fight against table emulators the number of various requests and responses should be as large as possible, and the time during which they will all be used should be measured in months.
The AES algorithm, with a key length of 128 bits, implemented in Guardant dongles symmetrically encrypt and decrypt information inside the key. This allows to significantly expand the capabilities of Guardant electronic keys and increase the security of the software due to the fact that the data for encryption can change dynamically.

Symmetric algorithm of the AES family 

The AES (Advanced Encryption Standard) algorithm is a block symmetric encryption algorithm adopted as the US encryption standard. The length of the AES secret key is 16 bytes (128 bits). The minimum data block length transformed by the algorithm in one cycle is 16 bytes. The algorithm has modes that allow encryption of data blocks that are multiples of 16 bytes in length, and blocks of arbitrary length. The symmetry of the algorithm means using the same secret encryption key for both direct (encryption) and reverse (decryption) transformation. A detailed description of the AES algorithm can be found on the NIST website: http://csrc.nist.gov/archive/aes/index.html

Operating modes

ECB mode

"Electronic code book" mode. This is the simplest operating mode of the block symmetric algorithm. In ECB mode, each plaintext block sent to the algorithm input is transformed with the same key into a ciphertext block. Therefore, the transformation of 2 identical blocks will give an identical result.
If the data block length exceeds the minimum block length, it must be split into blocks equal to the minimum block length (16 bytes). If necessary, missing bytes must be added to the last block. It is highly recommended that the padding bytes are not constant. Random numbers can be used as padding bytes. In this case, the last encoded block must be stored entirely, together with the encrypted padding bytes (instead of discarding these bytes). Otherwise, the useful data bytes from this block cannot be decrypted.
ECB mode is suitable for encrypting small amounts of data, for example, initialization vectors used in other algorithm modes or encryption keys of other algorithms.

CBC mode

Ciphertext block chaining mode. In CBC mode, as in ECB, each plaintext block is transformed into a ciphertext block of the same length. In CBC mode, the transformation is performed with the same key for all blocks. CBC mode is more often used and is better suited for transforming data blocks that exceed the minimum block length.
However, unlike ECB, transforming two identical plaintext blocks located in different positions of the source data block will not give an identical result. This is achieved due to the fact that at each subsequent step, not the block itself is encrypted, but its XOR with the previous ciphertext block. To obtain the first encrypted block, XOR of the first encrypted block and some initialization vector IV is used. The IV value must be saved for the correct inverse transformation, but it is recommended if it is protected (for example, encrypted in ECB mode).
The transformation is position-dependent, since the encryption result depends not only on the plaintext block itself, but also on the one preceding it.
The inverse transformation is also performed blockwise.
The total length of the source data set must be a multiple of the minimum block length. Otherwise, padding bytes must be added to the last block, just like in ECB mode.
CBC mode can be used to calculate reliable checksums, authentication, and data verification. The last block of the ciphertext is used as such a checksum. This block depends on all previous blocks, as well as on the initialization vector, and is calculated based on the secret key of the algorithm. It does not provide information about the source data, but identifies them almost uniquely. Forging this block is as difficult as guessing the algorithm key.

Recommendations for working with the initialization vector IV

For the correct data conversion by the symmetric AES algorithm, it is necessary to take into account that:

• The IV initialization vector must have the same values ​​before the start of encryption and before the start of decryption
• It is necessary to save the value of the IV initialization vector between calls to GrdFeatureEncrypt/GrdFeatureDecrypt when continuing encryption/decryption of large blocks (more than 248 bytes)
• When encrypting data such as different database records or disk sectors, initialize the IV with this record/sector number so that each of them is always encrypted the same way, and different records with the same values ​​are encrypted differently.