In a recent(ish) Sigma Designs presentation it was mentioned that the S2 used the Output Feedback (OFB) mode of operation for AES, just as S0 does. The Transport Encapsulation spec, however, says that S2 uses the authenticated mode of encryption, CCM (Counter [CTR]+ CBC MAC).
I’m inclined to believe the official spec, however, and assume the presentation had a typo in the slide. Can anyone comment for sure?
Also, I was a little surprised to see that Counter mode is used as that would need both the node and controller to keep track of the counter used… I had assumed that some devices would not have the resource capable of doing this.