FIPS186-5 SIGVER, test vector incorrect oid for SHA3 digests #257
Comments
|
Thanks @mwcw. Do you know where the OIDs for SHA3 are defined by chance? |
Hi Take a look at this https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration MW |
|
Ah, I’d been there, but only to the bottom of the page. Thanks MW!
Ben
On Mar 28, 2023, at 5:34 PM, MW ***@***.***> wrote:
Thanks @mwcw<https://github.com/mwcw>. Do you know where the OIDs for SHA3 are defined by chance?
Hi
Take a look at this
https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
MW
—
Reply to this email directly, view it on GitHub<#257>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AGMA5AUXWNV7M6VZJXFO2SLW6NKMTANCNFSM6AAAAAAWJYY6GM>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
@mwcw Do you understand or have any suggestions for how to go from an OID to its hex equivalent? For example, we have the hex for SHA1 through SHA2 512/256 defined here and the OIDs are defined as the following in RFC 4055 Section 2.1: I see the OIDs for SHA3 on https://csrc.nist.gov/Projects/Computer-Security-Objects-Register/algorithm-registration#External are defined as the following. But I don't know how to convert those definitions to hex. PS I'll keep looking to understand this better... |
|
Hi, Ah, okay, those oids are for HMAC, not the same thing. Just to clarify, a PKCS 1.5 signature is actually a DER encoding of a DigestInfo structure encrypted with the RSA private key using PKCS 1.5 padding. The DigestInfo structure is based on DigestAlgorithm is an AlgorithmIdentifier, in this case made up of (note this is a very old school way of describing it) You can find more details on this in RFC 8017 ( https://www.rfc-editor.org/rfc/rfc8017.html ) It uses the modern approach to describing the ASN.1 but at the end of the day it's the same thing. algorithm in this case is the OID for the digest algorithm. For SHA-3 the prefixes for the different hashes would look like: SHA3-224: 302d300d06096086480165030402070500041c which are based on the encodings for: hashAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 2 } id-sha3-224 OBJECT IDENTIFIER ::= { hashAlgs 7 } id-sha3-256 OBJECT IDENTIFIER ::= { hashAlgs 8 } id-sha3-384 OBJECT IDENTIFIER ::= { hashAlgs 9 } id-sha3-512 OBJECT IDENTIFIER ::= { hashAlgs 10 } The pattern is basically the same for each, but to break up SHA3-224 30 - sequence after that comes the actual digest value - in this case 28 (hex 1c) octets. Note, the NULL is an "historical artifact" as such has caused a lot confusion over the years so for these digests you should probably follow the pattern with SHA-2 and accept either NULL or ABSENT for the parameters. FIPS 186-5 defers to RFC 8017, which states: -- However, implementations MUST accept AlgorithmIdentifier values on this as well). Absent parameters are easy to pick up - it reduces the length of the prefix by two bytes. The prefixes for ABSENT parameters are: SHA3-224: 302b300b0609608648016503040207041c If you look at the SHA3-224 encoding you can see the length byte for the outer sequence is now 2b instead of 2d, and the inner sequence holding the AlgorithmIdentifier sequence is now 0b rather than 0d. What you produce is kind of up to you, we have found we've caused the least grief by always including the NULL (so the slightly longer string). We'll accept either NULL or ABSENT though, as we'd recommend you do (there's always someone who leaves them out, and they'll probably be a bit cross if the ACVP server knocks them back because of it). |
|
Thanks. I appreciate the explainer. |
|
Apologies for sounding like a bit of a nag, but how is the progress looking on this one and also #258 ? We were going full throttle for a 140-3 submission with 186-5 prior to running into these, so it's starting to have an impact on the schedule - our lab is going to have to suspend work on the certification and reschedule us. If there is anything myself or @mwcw can do to help, please let us know. Thanks. |
|
Hi @dghgit, this is my highest priority for this week. I am actively working on it and thank you for your help. |
|
Thanks, appreciate the quick response. |
|
No worries, I have submitted the changes for testing, hopefully release it next week. I'll post here when it's available for use. |
|
Great, we'll give it a whirl as soon as it goes up. Thanks. |
|
The fix for this is now on Demo in release v1.1.0.29. |
|
Hi, slight issue on the ASN.1 for the prefixes for NULL parameters should be: 302d300d06096086480165030402070500041c What's in there at the moment is the length for ABSENT parameters (byte 2) but the NULL parameters are present. The OIDs appear to be correct I think if the prefix is fixed so the length is correct these will now be good to go. |
|
@dghgit I'll look into this, thanks. |
|
OK, I see the error and have fixed it, sorry about that. It will be out with the next HOTFIX ASAP. |
|
The fix for this is on Demo with release v1.1.0.29-hotfix-1 |
|
It's a print! We've been able to submit successfully for both SigGen and SigVer. Thanks! |
|
Great! Once this goes to Prod we'll close this out, appreciated. |
|
The fix for this is on Prod in release v1.1.0.29-hotfix-1. |
Hi,
Vector Set: 1545230
Dumping the ASN1 yeilded:
Message digest when calculated with SHA3 implementation is correct.
Please let me know if you need any more information.
MW
The text was updated successfully, but these errors were encountered: