
RSA [FIPS 186-4] issue


RSA [FIPS 186-4] issue

Leon Brits

Hi all,

 

We use the OpenSSL FIPS Object Module v.2.0, but are not allowed anymore (as of the start of this year) to submit new product for validation because the RSA implementation is only FIPS 186-2 compliant. Based on extensive review and research it seems to be possible to “patch” the RSA key generation to be FIPS 186-4 compliant and apparently (correct me if I am wrong) the sign/verify is close enough to FIPS 186-4 to pass.

 

I am in no way capable of writing such a patch and was hoping that someone is willing to share.

To be more specific I need a patch that will change the key generation from:

d = e^-1 mod((p-1)(q-1))

to this:

d = e^-1 mod(LCM(p-1, q-1))

 

I would appreciate any comment about the statement that the RSA implementation for sign and verify will pass the CAVP testing for FIPS 186-4.

 

As usual thanks for your help

Regards,

LJB
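
The two derivations of d named in the post above, side by side, as an added example (not part of the original message and not OpenSSL code). P, Q, E and the message 65 are constructed toy values, far below any FIPS key size; the range 2^(nlen/2) < d < LCM(p-1, q-1) is the bound FIPS 186-4 Appendix B.3.1 places on d, and the sign/verify here is raw modular exponentiation with no padding.

```python
from math import gcd

def lcm(a, b):
    return a // gcd(a, b) * b

def private_exponents(p, q, e):
    """Return (d_phi, d_lcm) for the two moduli discussed in the thread."""
    phi = (p - 1) * (q - 1)      # old form: d = e^-1 mod (p-1)(q-1)
    lam = lcm(p - 1, q - 1)      # 186-4 form: d = e^-1 mod LCM(p-1, q-1)
    if gcd(e, lam) != 1:
        raise ValueError("e is not invertible modulo LCM(p-1, q-1)")
    return pow(e, -1, phi), pow(e, -1, lam)

def d_in_range(d, p, q):
    """Range check on d: 2^(nlen/2) < d < LCM(p-1, q-1)."""
    nlen = (p * q).bit_length()
    return (1 << (nlen // 2)) < d < lcm(p - 1, q - 1)

def raw_sign(m, d, n):
    """Textbook RSA private-key operation (no padding, illustration only)."""
    return pow(m, d, n)

def raw_verify(sig, e, n):
    """Textbook RSA public-key operation; returns the recovered message."""
    return pow(sig, e, n)

# Constructed toy parameters, chosen so the arithmetic can be checked by hand.
P, Q, E = 61, 53, 17
N = P * Q
D_PHI, D_LCM = private_exponents(P, Q, E)

if __name__ == "__main__":
    msg = 65
    print("d mod (p-1)(q-1)    =", D_PHI, "in range:", d_in_range(D_PHI, P, Q))
    print("d mod LCM(p-1, q-1) =", D_LCM, "in range:", d_in_range(D_LCM, P, Q))
    # Both exponents are congruent modulo LCM(p-1, q-1), so they produce the
    # same signature and the same public key verifies either one.
    print("same signature:", raw_sign(msg, D_PHI, N) == raw_sign(msg, D_LCM, N))
    print("verifies:", raw_verify(raw_sign(msg, D_LCM, N), E, N) == msg)
```

Because the two exponents differ only by a multiple of LCM(p-1, q-1), existing public keys and signatures are unaffected by the change; only the stored value of d and its range check differ.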

Re: RSA [FIPS 186-4] issue

Steve Marquess-3
On 03/26/2014 03:19 AM, Leon Brits wrote:

> Hi all,
>
>  
>
> We use the OpenSSL FIPS Object Module v.2.0, but are not allowed anymore
> (as of the start of this year) to submit new product for validation
> because the RSA implementation is only FIPS 186-2 compliant. Based on
> extensive review and research it seems to be possible to “patch” the RSA
> key generation to be FIPS 186-4 compliant and apparently (correct me if
> I am wrong) the sign/verify is close enough to FIPS 186-4 to pass.
>
>  
>
> I am in no way capable of writing such a patch and was hoping that
> someone is willing to share.
>
> To be more specific I need a patch that will change the key generation from:
>
> d = e^-1 mod((p-1)(q-1))
>
> to this:
>
> d = e^-1 mod(LCM(p-1, q-1))
>
>  
>
> I would appreciate any comment about the statement that the RSA
> implementation for sign and verify will pass the CAVP testing for FIPS
> 186-4.

Well, you asked for any comment so you'll get one from me.

The easiest part of any FIPS 140-2 validation is the coding. The hard
part is figuring out the requirements, both written and unwritten, which
are subject to frequent change and inconsistent interpretation. The
OpenSSL FIPS Object Module series of open source based validations have
been funded with the intent of providing a ready made example of
something that does meet those requirements, or at least the
requirements in place at the time the validations were obtained. Those
examples can be (and have extensively been) used for obtaining privately
branded copycat ("private label") validations such as what you are
attempting.

Unfortunately a number of new requirements have been introduced since
the #1747 validation was obtained. We *think* we know what code changes
would suffice to satisfy them, but unfortunately we aren't allowed to
apply them to that existing validation. Since the interpretation of the
requirements can be very inconsistent (as we know from obtaining
multiple validations in parallel using exactly the same code) we can't
be sure until and if we succeed in obtaining a new validation. At that
time the resulting successful example will be available for all as a new
reference as has been the case with prior OpenSSL FIPS Object Module
validations.

If you do succeed in obtaining a validation under the new requirements
before we do (which is likely as we have no current plans or funding for
same) then please publish the results. Much of the mystery and
inconsistency of cryptographic module validation would be obviated if
the results of validations were more fully disclosed. At present details
about validations are treated as state secrets, with the singular
exception of our open source based validations.

I think you will find that a number of other code modifications will
also be required. I'll be interested to learn what works for your
validation.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
RE: RSA [FIPS 186-4] issue

Salz, Rich
> Much of the mystery and inconsistency of cryptographic module validation would be obviated if the results of validations were more fully disclosed. At present details about validations are treated as state secrets, with the singular exception of our open source based validations.

Sadly true.  I think because, often, there's less there than meets the eye.  One of the most important things OpenSSL FIPS does is bring some much-needed sunlight into this arena.

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA

Re: RSA [FIPS 186-4] issue

JDM
In reply to this post by Leon Brits
Leon Brits wrote
> I am in no way capable of writing such a patch and was hoping that someone is willing to share.
> To be more specific I need a patch that will change the key generation from:
> d = e^-1 mod((p-1)(q-1))
> to this:
> d = e^-1 mod(LCM(p-1, q-1))

We’re also pursuing a patch to RSA Key Generation.  Leon, are you saying that you believe this is the change that is necessary in order for it to be validated?  What makes you think that?  I think you’re further along in the process than we are and I’d like to learn from what you’ve found.

Re: RSA [FIPS 186-4] issue

JDM
In reply to this post by Steve Marquess-3
Steve Marquess-3 wrote
> I think you will find that a number of other code modifications will
> also be required.

Are you saying that you think more than just what Leon mentioned will have to be changed in order to validate RSA Key Generation?  Is there any chance that OpenSSL would be willing to point to the sections of code that they (you) believe would need to be changed?
RE: RSA [FIPS 186-4] issue

Leon Brits
In reply to this post by JDM
JDM,

> Leon Brits wrote
> > I am in no way capable of writing such a patch and was hoping that
> > someone is willing to share.
> > To be more specific I need a patch that will change the key generation
> > from:
> > d = e^-1 mod((p-1)(q-1))
> > to this:
> > d = e^-1 mod(LCM(p-1, q-1))
>
> We’re also pursuing a patch to RSA Key Generation.  Leon, are you saying
> that you believe this is the change that is necessary in order for it to
> be validated?  What makes you think that?  I think you’re further along in
> the process than we are and I’d like to learn from what you’ve found.

The information I've given comes from a discussion our validation company had with someone at NIST. It seems to be the crux of the matter for NIST to go from 186-2 to 4. I am not sure what else may need to be changed.