usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

HMAC using SHA-3 is not testable in ACVP, yet listed in IG 10.3.A as a valid self test #218

Closed dsikkema-atsec closed 2 years ago

dsikkema-atsec commented 2 years ago

Environment: Prod

Algorithm registration: HMAC using SHA3-224/256/384/512

Additional context: In FIPS 140-3 IG 10.3.A (just under Note 4) it states the following: "if the module implements a HMAC function (FIPS 198-1), a CAST for HMAC is required and shall be performed with the HMAC function using at least one of the implemented underlying SHA-1, SHA-2 or SHA-3 algorithms."

But HMAC using SHA-3 is not testable under ACVP, so this would still be a non-approved service.

There is a vendor that is making use of HMAC with SHA3-224/256/384/512 and would like to have it listed as an approved service.

blackbird1999 commented 2 years ago

https://pages.nist.gov/ACVP/draft-fussell-acvp-mac.html includes HMAC-SHA3.

dsikkema-atsec commented 2 years ago

agree it is testable, closing the issue
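
An added example, not part of the issue thread or of the ACVP-Server code: a minimal responder that answers an ACVP-style HMAC-SHA3 vector set and cross-checks each MAC against a step-by-step FIPS 198-1 construction. The JSON field names (`vsId`, `testGroups`, `tgId`, `tcId`, `keyLen`, `macLen`, `key`, `msg`, `mac`) and the `HMAC-SHA3-*` algorithm names are assumptions based on the linked MAC draft, and the sample vector set is constructed.

```python
import hashlib
import hmac

# ACVP algorithm name -> hashlib name (assumed naming, for the SHA3 sizes in the issue)
ALGS = {f"HMAC-SHA3-{n}": f"sha3_{n}" for n in (224, 256, 384, 512)}

def hmac_fips198(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC built step by step per FIPS 198-1, independent of the hmac module."""
    block = hashlib.new(hash_name).block_size  # SHA-3: the sponge rate (136 bytes for SHA3-256)
    if len(key) > block:                       # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")            # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def answer_vector_set(vs: dict) -> dict:
    """Compute the MAC for every test case, truncated to the group's macLen (in bits)."""
    hash_name = ALGS[vs["algorithm"]]
    groups = []
    for group in vs["testGroups"]:
        mac_bytes = group["macLen"] // 8
        tests = []
        for tc in group["tests"]:
            key, msg = bytes.fromhex(tc["key"]), bytes.fromhex(tc["msg"])
            mac = hmac.new(key, msg, hash_name).digest()
            # Library result must agree with the manual FIPS 198-1 construction
            if not hmac.compare_digest(mac, hmac_fips198(hash_name, key, msg)):
                raise RuntimeError(f"HMAC mismatch in tcId {tc['tcId']}")
            tests.append({"tcId": tc["tcId"], "mac": mac[:mac_bytes].hex().upper()})
        groups.append({"tgId": group["tgId"], "tests": tests})
    return {"vsId": vs["vsId"], "testGroups": groups}

# Constructed sample vector set (not real ACVP server output)
SAMPLE = {
    "vsId": 1, "algorithm": "HMAC-SHA3-256",
    "testGroups": [
        {"tgId": 1, "testType": "AFT", "keyLen": 160, "msgLen": 64, "macLen": 128,
         "tests": [{"tcId": 1, "key": "0b" * 20, "msg": "4869205468657265"}]},
        # Key longer than the 136-byte SHA3-256 block, so it is hashed before padding
        {"tgId": 2, "testType": "AFT", "keyLen": 1120, "msgLen": 128, "macLen": 256,
         "tests": [{"tcId": 2, "key": "aa" * 140, "msg": "00" * 16}]},
    ],
}

if __name__ == "__main__":
    print(answer_vector_set(SAMPLE))
```
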