search

usnistgov / ACVP

Industry Working Group on Automated Cryptographic Algorithm Validation
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
157 stars 65 forks source link

KAS-ECC: fixedInfoPattern restrictions #1466

Open smuellerDD opened 1 year ago

smuellerDD commented 1 year ago

Protocol Section See FixedInfoPatternConstruction in the KAS-ECC (and perhaps in the FFC specification).

Protocol Question The specification outlines a number of options. It does not hint that the listed options can only be used once. With that in mind, I tried to define a fixedInfoPattern with multiple literals which is used by one of our clients.

E.g. I would like to define a fixedInfoPattern along the following line of tought:

literal1 || partyUId || literal2 || some other data || partyVId || some other data || literal3

Note, this "some other data" is even a part that is not yet defined in the specification. Anyhow, leaving that out for the moment, the server still returns me:

[
  {
    "acvVersion": "1.0"
  },
  {
    "error": "Validation error(s) on JSON payload.",
    "context": [
      "KAS-ECC-Sp800-56Ar3: Duplicate pieces of fixedInfoPattern found; pieces should be unique."
    ]
  }
]

Thus, the server seems to require the uniqueness of fixedInfoPattern components. Is there a reason for that?

Can we add additional components to the fixedInfoPattern which implies that the protocol is extended by more possibilities?

livebe01 commented 1 year ago

Hi @smuellerDD, no I don't think there's a particularly good reason for that. I'm sure KAS could be updated to allow multiple literals in the construction. But I wonder if it would be more productive to update KAS to remove the fixedInfo construction from the testing scope, i.e., allow the tester to specify the fixedInfo value that was used?

rnunez83 commented 1 year ago

Hi @livebe01. I am working with @smuellerDD on this issue and wanted to add a bit of background. The implementation we are attempting to test is protocol specific format used for PIVP. Our customer implements the fixed inf as such: literal1 || partyU ID || literal2 || partyU leftmost 16 bytes public key || partyV ID || partyV nonce || literal3 Is this format something we could have assistance testing?

livebe01 commented 1 year ago

Sure, can you get me the registration you would like to use?

smuellerDD commented 1 year ago

So, you are saying that we shall have a generic registration, send the test session to you and you will "fix" the fixed info definition?

livebe01 commented 1 year ago

Not quite. I'm saying, can you send me the registration that you would use for the algorithm assuming that ACVTS supported the fixedInfoPattern you need. I'd like to look at the registration and think about how to handle it. ACVTS doesn't support the fixedInfoPattern you need, but pretend that it does. I'm thinking that we'll want to accomplish this testing by CAVP generating a custom vector set for your IUT.

smuellerDD commented 1 year ago

Am Donnerstag, 7. September 2023, 18:07:49 CEST schrieb livebe01:

Hi livebe01,

Not quite. I'm saying, can you send me the registration that you would use for the algorithm assuming that ACVTS supported the fixedInfoPattern you need. I'd like to look at the registration and think about how to handle it. ACVTS doesn't support the fixedInfoPattern you need, but pretend that it does. I'm thinking that we'll want to accomplish this testing by CAVP generating a custom vector set for your IUT.

Well, this would require adding new keywords, such as a reference to the used key and a substring thereof.

Ciao Stephan

livebe01 commented 1 year ago

Hi Stephan, you and @rnunez83 have described your needs in relation to fixedInfoPattern. But there is much more to describing a KAS-ECC Sp800-56Ar3 algorithm implementation. For example see section 7 of the KAS-ECC Sp800-56Ar3 algo spec. Can you describe for me the remainder of your IUT's KAS-ECC Sp800-56Ar3 capabilities?

rnunez83 commented 11 months ago

Hi Stephan, you and @rnunez83 have described your needs in relation to fixedInfoPattern. But there is much more to describing a KAS-ECC Sp800-56Ar3 algorithm implementation. For example see section 7 of the KAS-ECC Sp800-56Ar3 algo spec. Can you describe for me the remainder of your IUT's KAS-ECC Sp800-56Ar3 capabilities?

@livebe01, this is the FixedInfo usually prepared to derive the keys:

[literal1 : e.g: 0x0409090909] || [partyU ID] || [literal2 : 0x0100] || [partyU leftmost 16 bytes public key] || [partyV ID] || [partyV nonce (16 bytes for ECC P-256, 24 bytes for ECC P-384/512)] || [literal3 : 0x0100]

Is this what you are looking for?

livebe01 commented 11 months ago

Not exactly. I think that I understand how the IUT in question is preparing the FixedInfo. What I'm asking for is for you to describe its other attributes in relation to its implementing/conforming to KAS-ECC Sp800-56Ar3. What would the rest of its registration look like? E.g., https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ecc-sp800-56ar3.html#name-example-kas-ecc-registratio.

rnunez83 commented 11 months ago

Hi @livebe01

Not exactly. I think that I understand how the IUT in question is preparing the FixedInfo. What I'm asking for is for you to describe its other attributes in relation to its implementing/conforming to KAS-ECC Sp800-56Ar3. What would the rest of its registration look like? E.g., https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ecc-sp800-56ar3.html#name-example-kas-ecc-registratio.

Ok. how about this then:

  {
    "isSample":true,
    "operation":"register",
    "certificateRequest":"no",
    "debugRequest":"yes",
    "production":"no",
    "encryptAtRest":"yes",
    "algorithms":[
      {
        "prereqVals":[
          {
            "algorithm":"SHA",
            "valValue":"same"
          },
          {
            "algorithm":"DRBG",
            "valValue":"same"
          },
          {
            "algorithm":"ECDSA",
            "valValue":"same"
          },
          {
            "algorithm":"HMAC",
            "valValue":"same"
          }
        ],
        "revision":"Sp800-56Ar3",
        "algorithm":"KAS-ECC",
        "function":[
          "keyPairGen"
        ],
        "iutId":"1234567890abcdef",
        "scheme":{
          "onePassDh":{
            "kasRole":[
              "responder"
            ],
            "kdfMethods":{
              "oneStepKdf":{
                "auxFunctions":[
                  {
                    "auxFunctionName":"SHA2-256"
                  },
                  {
                    "auxFunctionName":"SHA2-384"
                  },
                  {
                    "auxFunctionName":"SHA2-512"
                  }
                ],
                "fixedInfoPattern":"literal[040909090908000000000000000001001000000000000000000000000000000000080000000000000000100000000000000000000000000000000001000400]||l||uPartyInfo||vPartyInfo",
                "encoding":[
                  "concatenation"
                ]
              }
            },
            "l":1024
          }
        },
        "domainParameterGenerationMethods":[
          "P-256"
        ]
      }
    ]
  }
]
livebe01 commented 11 months ago

Thanks @rnunez83, this is helpful. Let me take a look and come up with some options for addressing this.

rnunez83 commented 11 months ago

Thanks @rnunez83, this is helpful. Let me take a look and come up with some options for addressing this.

Hi @livebe01. I just wanted to check if you had any update for this?

celic commented 11 months ago

Hi, I'm picking this item up from Ben, @livebe01. From what I see, you tried a registration that was rejected because it contained duplicate fixedInfoPatterns. It looks like our tests expect distinct patterns here to do a wider range of testing rather than just a single value. I think we want to continue supporting this.

If you have the Gen/Vals running yourself, you can remove the lines around https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/generation/src/NIST.CVP.ACVTS.Libraries.Generation/KAS/Sp800_56Ar3/ParameterValidator.cs#L621. Otherwise if you send me a registration that was failing previously, I can generate some files for you. The registration @rnunez83 provided a couple weeks ago runs without issue already.

rnunez83 commented 10 months ago

hi @celic.

the registration request is the following: { "isSample":true, "operation":"register", "certificateRequest":"no", "debugRequest":"yes", "production":"no", "encryptAtRest":"yes", "algorithms":[ { "prereqVals":[ { "algorithm":"SHA", "valValue":"same" }, { "algorithm":"DRBG", "valValue":"same" }, { "algorithm":"ECDSA", "valValue":"same" }, { "algorithm":"HMAC", "valValue":"same" } ], "revision":"Sp800-56Ar3", "algorithm":"KAS-ECC", "function":[ "keyPairGen" ], "iutId":"1234567890abcdef", "scheme":{ "onePassDh":{ "kasRole":[ "responder" ], "kdfMethods":{ "oneStepKdf":{ "auxFunctions":[ { "auxFunctionName":"SHA2-256" }, { "auxFunctionName":"SHA2-384" }, { "auxFunctionName":"SHA2-512" } ], "fixedInfoPattern":"literal[040909090908000000000000000001001000000000000000000000000000000000080000000000000000100000000000000000000000000000000001000400]||l||uPartyInfo||vPartyInfo", "encoding":[ "concatenation" ] } }, "l":1024 } }, "domainParameterGenerationMethods":[ "P-256" ] } ] } ]

celic commented 10 months ago

This is the same one that you posted a couple comments ago? This ran with no issues. I'm looking for the one that you all want to run but are prevented due to the original error message.

rnunez83 commented 10 months ago

@celic, see that is the thing. I am unable to create a request that allows two different literal values. What I am trying to form is the following fixedinfo: [literal1 : e.g: 0x0409090909] || [partyU ID] || [literal2 : 0x0100] || [partyU leftmost 16 bytes public key] || [partyV ID] || [partyV nonce (16 bytes for ECC P-256, 24 bytes for ECC P-384/512)] || [literal3 : 0x0100] but ACVTS does not have a field for more than 1 literal definition, so how do we create the request with the above fixedinfo?