search

usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.
36 stars 13 forks source link

RSA keyGen FIPS186-5 with modulo 15360 runs into timeout #313

Closed Karen32123 closed 1 month ago

Karen32123 commented 4 months ago

environment Demo

testSessionId 487084

vsId 2166562

Algorithm registration Testing capabilities (part of it): "algorithm": "RSA", "mode": "keyGen", "revision": "FIPS186-5" "modulo": 15360

Endpoint in which the error is experienced https://demo.acvts.nist.gov:443/acvp/v1/

Expected behavior Hello, According to https://pages.nist.gov/ACVP/draft-celi-acvp-rsa.html#name-keygen-registration-table-2 it should now be possible to request a keyGen RSA test vector with "modulo"=15360. However, when trying to do so, I do not get any response back. After two hours the following error message occurs:

ACVP [STATUS][acvp_retry_handler:2467]--> 200 OK KAT values not ready, server requests we wait 30 seconds and try again... ACVP [INFO][log_network_status:1064]--> GET Vector Set... Status: 200 Url: https://demo.acvts.nist.gov:443/acvp/v1/testSessions/487084/vectorSets/2166562 Resp: [ { "acvVersion": "1.0" }, { "retry": 30 } ]

***ACVP [STATUS][acvp_retry_handler:2467]--> 200 OK KAT values not ready, server requests we wait 30 seconds and try again...

ACVP [STATUS][acvp_process_vsid:2607]--> Maximum wait time with server reached! (Max: 7200 seconds) ACVP [ERR][acvp_process_tests:2432]--> Unable to process vector set! Error: 3 ***ACVP [ERR][acvp_run:3294]--> Failed to process vectors

SUMMARY

Done 1 actions: 0 succeeded, 1 failed Failures: rsa-keygen, End of program at 2024-02-19 16:04:45. Duration: 125.82 minutes.

Could you please help me with that?

livebe01 commented 4 months ago

Hi @Karen32123, your vector set should now be available for download. It just took a long time to generate. Keys take a while to generate for that modulo. We normally pre-compute values such as these, but we may not be doing that here. We'll look into computing these ahead of time to make vector set generation more or less instantaneous.

Karen32123 commented 4 months ago

Hello @livebe01, thank you, I was now able to download the test vector for that test session. So generally, if the request runs into a timeout, the demo server will still continue the calculation and I can get the results later? How long approximately does it take?

livebe01 commented 4 months ago

That's correct. It looks like the client you used to interact with ACVTS Demo is set to time out after ~1 hour and 30 minutes. It actually took the Demo server over 5 hours to create the vector set you requested. This follows as RSA keys with a 15360 modulo take a l long time to generate. But it's unusual for a vector set to take 5 hours to generate. There are some things that we can do on our end to speed up the process. We'll keep this ticket open until we've been able to put those things in place to speed up RSA keyGen FIPS186-5 modulo 15360 testing.

livebe01 commented 4 months ago

Hi @Karen32123, we took a closer look at supporting the 15360 modulus for RSA keyGen FIPS186-5 modulo testing and we've decided to remove support for testing that modulus. The runtimes involved are just too high. We plan to remove support for RSA keyGen FIPS186-5 15360 modulus testing sometime next week in updates to the Demo and Prod servers.

Karen32123 commented 4 months ago

Hello livebe01, thanks for the information.

livebe01 commented 3 months ago

The fix for this is on Demo in release v1.1.0.34.

livebe01 commented 1 month ago

The fix for this is now on Prod as part of the v1.1.0.34 release.