6

I have an embedded application that needs to occasionally get secure updates from a server. The only crypto library I have available for the chip is an AES-256 cipher (ECB and CBC, encrypt/decrypt).

Is there any worthwhile way to authenticate the message using only these functions and simple checksums? If I just did something like a 32 bit checksum of the plaintext and appended it before encryption, would that be vulnerable to attack (other than being only 32 bits of protection)?

Chriszuma
  • 161
  • 2

1 Answer

8

Is there any worthwhile way to authenticate the message using only these functions and simple checksums?

As usual, of course there is: AES-CCM!

AES-CCM basically is CTR mode with a tacked-on CBC-MAC and length prepending. You can implement CTR trivially using your ECB primitive, and CBC-MAC shouldn't be too hard to implement given a CBC primitive and direct function access.
If implementing CTR is infeasible, CBC should do the job just as well.
If you want to go fancy (and don't want to live with length-prepending) you can also go for AES-EAX, although it's a bit more difficult to implement.

If I just did something like a 32 bit checksum of the plaintext and appended it before encryption, would that be vulnerable to attack (other than being only 32 bits of protection)?

No, this is a bad idea. Not only is a checksum usually not safe in the sense that a proper cryptographic hash would be, but this composition is also already insecure, as fgrieu explained much better than I ever could in his answer to "Why is plain-hash-then-encrypt not a secure MAC?".


Relevant standards: CCM: RFC 3610 and NIST SP 800-38C; EAX: the original specification.

SEJPM
  • 46,697
  • 9
  • 103
  • 214
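The construction the answer describes (CTR derived from an ECB call, CBC-MAC over a length-prefixed message, the tag masked with the first counter block), worked through as an added example that is not part of the original post. It only ever touches the block cipher through a single-block ECB encrypt call, which is the situation the question describes. The block layout (flags byte, 12-byte nonce, 3-byte length and counter fields) follows RFC 3610 with no associated data; the helper names, the `cryptography` fallback and the SHA-256 Feistel stand-in used when that package is absent are assumptions of this example, not anything from the post.

```python
"""Minimal CCM-style authenticated encryption built from an ECB primitive.

Added example, not from the original post.  Block layout follows RFC 3610
(L = 3, i.e. 12-byte nonce / 3-byte length and counter, no associated
data).  The block cipher is reached only through a one-block encrypt
function, so any chip-level AES-ECB call can be dropped in.
"""
import hmac
from typing import Callable

BLOCK = 16  # AES block size in bytes


def ecb_primitive(key: bytes) -> Callable[[bytes], bytes]:
    """Return a single-block encrypt function for the 32-byte key.

    Uses AES-256-ECB from the 'cryptography' package when available.
    Otherwise falls back to a keyed 4-round Feistel permutation over
    SHA-256: an assumed stand-in so the mode logic runs offline.  It is
    NOT AES and is not meant to be secure; only the mode is the point.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

        def enc(block: bytes) -> bytes:
            e = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
            return e.update(block) + e.finalize()
    except ImportError:
        import hashlib

        def enc(block: bytes) -> bytes:
            left, right = block[:8], block[8:]
            for rnd in range(4):
                f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
                left, right = right, _xor(left, f)
            return left + right
    return enc


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _chunks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _counter_block(nonce: bytes, i: int) -> bytes:
    # A_i = flags (L' = 2) || nonce || 3-byte counter (RFC 3610 section 2.3)
    return b"\x02" + nonce + i.to_bytes(3, "big")


def _ctr(enc, nonce: bytes, data: bytes) -> bytes:
    # CTR mode from ECB: XOR each chunk with E(A_{i+1}); A_0 is reserved for the tag.
    return b"".join(_xor(chunk, enc(_counter_block(nonce, i + 1)))
                    for i, chunk in enumerate(_chunks(data)))


def _cbc_mac_tag(enc, nonce: bytes, plaintext: bytes, tag_len: int) -> bytes:
    # B_0 = flags || nonce || 3-byte message length: this is the "length prepending".
    flags = (((tag_len - 2) // 2) << 3) | 2          # Adata = 0, M' = (M-2)/2, L' = L-1
    b0 = bytes([flags]) + nonce + len(plaintext).to_bytes(3, "big")
    padded = plaintext + bytes((-len(plaintext)) % BLOCK)
    mac = bytes(BLOCK)                                # CBC-MAC == CBC with zero IV, keep last block
    for block in _chunks(b0 + padded):
        mac = enc(_xor(mac, block))
    # The tag is the truncated CBC-MAC masked with the keystream block for counter 0.
    return _xor(mac[:tag_len], enc(_counter_block(nonce, 0))[:tag_len])


def ccm_encrypt(key: bytes, nonce: bytes, plaintext: bytes, tag_len: int = 16) -> bytes:
    """Return ciphertext || tag.  The nonce must never repeat under one key."""
    if len(nonce) != 12 or len(plaintext) >= 1 << 24:
        raise ValueError("nonce must be 12 bytes and message under 2^24 bytes")
    enc = ecb_primitive(key)
    tag = _cbc_mac_tag(enc, nonce, plaintext, tag_len)
    return _ctr(enc, nonce, plaintext) + tag


def ccm_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag_len: int = 16) -> bytes:
    """Return the plaintext, or raise ValueError if the tag does not verify."""
    if len(nonce) != 12 or len(ciphertext) < tag_len:
        raise ValueError("bad nonce or truncated ciphertext")
    enc = ecb_primitive(key)
    body, tag = ciphertext[:-tag_len], ciphertext[-tag_len:]
    plaintext = _ctr(enc, nonce, body)               # CTR decryption is the same XOR
    expected = _cbc_mac_tag(enc, nonce, plaintext, tag_len)
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        raise ValueError("authentication failed")
    return plaintext


if __name__ == "__main__":
    import os
    k, n = os.urandom(32), os.urandom(12)
    packet = ccm_encrypt(k, n, b"update image chunk 0007")
    print(ccm_decrypt(k, n, packet))
```

The decrypt side recomputes the CBC-MAC over the recovered plaintext and only then releases it, so a flipped ciphertext byte, a wrong key or a shortened packet all fail closed with `ValueError` rather than yielding garbage. The nonce is a counter-mode input and must be unique per key; an update counter or version number stored by the device is a common source for it.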