SHA-1 is missing from FIPS 186-5 ECDSA signature verification #1464
Comments
Hi @jvdsn, that's by design. 186-5 ECDSA SigVer doesn't support the EoL SHA-1, we won't be implementing support for that with ECDSA. 186-4 does support it, so that would need to be used instead. Thanks for the question!
@jbrock24 I'm sorry, but I don't understand this decision. There is nothing specifically in FIPS 186-5 that disallows the usage of SHA-1 for signature verification (or signature generation for that matter). And even if there was, why wouldn't it apply to RSA? Moreover, this change isn't included in the transitions in IG D.K, so I'm not even sure if we are allowed to claim FIPS 186-4 SHA-1 ECDSA signature verification after February 2024. Vendors will always validate the most approved algorithms possible. This change (and others related to FIPS 186-5) means we now have to request the following FIPS 186 vector sets:
As you can see, the number of vector sets almost doubled, and I don't really see the benefit. These are all FIPS approved/allowed algorithms. Is this really the intent of the CAVP?
Hi. This was my decision, and I'll try to justify it here. IG D.K is on entropy, not anything related to algorithms. I only know that because coincidentally I have it open on my desktop to edit.

We have several versions of RSA SigVer testing available: FIPS 186-2, FIPS 186-4, and FIPS 186-5. Each of those SigVer tests is written specifically for that version of the standard. For example, FIPS 186-5 is only guaranteed to test signatures generated using FIPS 186-5 SigGen routines. Because SHA-1 is not allowed for FIPS 186-5 SigGen, there is no reason to test it for SigVer. SHA-1 could only be used to generate FIPS 186-2 or FIPS 186-4 signatures, and so that is what we support for signature verification. If we allowed SHA-1 within FIPS 186-5 testing, we would need to disallow it within capabilities included in FIPS 186-5 but not included in FIPS 186-4. There aren't a ton of these capabilities (only MGF changes come to mind). Rather than complicate the logic around FIPS 186-5, it is more appropriate to instead use the FIPS 186-4 SigVer testing.

While the two standards are mostly compatible (an RSA signature is an RSA signature), they are not 100% compatible. A signature generated with FIPS 186-5 is not guaranteed to validate using FIPS 186-4. Because of this, we keep the testing distinct. This notion is more prevalent if you look at the difference between FIPS 186-4 and FIPS 186-2. A FIPS 186-2 signature can very easily be rejected by a FIPS 186-4 signature verification algorithm. It could use a 1024-bit key, or it could use a small public exponent. So it is not appropriate to use FIPS 186-4 SigVer testing to ensure that an implementation can perform FIPS 186-2 signature verification.

I sympathize that this creates extra work through extra vector sets, but this is the solution we arrived at, and given the concerns I outlined, I'm not sure there is a simpler solution.
This does mean that FIPS 186-5 RSA SigVer should probably not support SHA-1 though. I see it listed on the spec, and confirmed it is listed in the code. |
OK, I understand that you want to keep the testing separate. But then in that case, I don't see why RSA SigVer would support SHA-1. It seems to me that your rationale would apply there as well. |
Yeah, that part appears to be a slip-up. Coincidentally I wrote that, though I probably wrote that back in 2019 when a draft of FIPS 186-5 was available.
@celic as of right now, the server still accepts SHA-1 for FIPS 186-5 RSA SigVer. Can we expect this to remain? |
I'll slip this into our upcoming release. It should not be there technically.
The fix for this is on Demo in release v1.1.0.33 |
The fix for this is on Prod in release v1.1.0.33 |
SHA-1 is missing from FIPS 186-5 ECDSA signature verification, see https://github.com/usnistgov/ACVP/blob/master/src/ecdsa/sections/05-ecdsa-sigver-capabilities.adoc.
Note that FIPS 186-5 RSA signature verification does have it: https://github.com/usnistgov/ACVP/blob/master/src/rsa/sections/05-sigver-capabilities.adoc
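The thread settles on one rule for SigVer registrations: SHA-1 is only testable under the FIPS186-4 revision, for ECDSA from the start and for RSA after the v1.1.0.33 fix. The following is an added example, not code from the ACVP project or from anyone in the thread. It splits a module's wanted (curve, hash) pairs into the two ECDSA sigVer registrations a vendor would have to send (illustrating the extra vector sets the second comment complains about), and it applies the same rule as a client-side pre-check to any sigVer registration, RSA included, so a SHA-1 under FIPS186-5 is caught before the server rejects it. The registration field names (`algorithm`, `mode`, `revision`, `capabilities`, `curve`, `hashAlg`, `hashPair`) follow the ACVP ECDSA and RSA sigVer specs linked above; the input format, the non-overlapping split, and the function names are this example's own assumptions. A vendor who also wants the non-SHA-1 hashes validated under FIPS186-4 would add them to that registration as well; the split here only puts each pair in one place.

```python
"""Partition wanted ECDSA sigVer capabilities across FIPS 186 revisions and
pre-check sigVer registrations for SHA-1 under FIPS186-5.

Added example (not ACVP project code). Assumes the rule from the thread:
SHA-1 is accepted for sigVer only under revision FIPS186-4.
"""
import json
from collections import defaultdict

# Hashes that, per the thread, remain testable for sigVer only under FIPS186-4.
LEGACY_SIGVER_HASHES = {"SHA-1"}


def split_ecdsa_sigver(wanted):
    """wanted: iterable of (curve, hashAlg) pairs the module implements.

    Returns {revision: registration}. A pair goes under FIPS186-4 when its
    hash is SHA-1 and under FIPS186-5 otherwise, so each pair is registered
    exactly once (an assumed, minimal split; a vendor may register more).
    """
    by_rev = defaultdict(lambda: defaultdict(set))  # revision -> curve -> hashes
    for curve, hash_alg in wanted:
        rev = "FIPS186-4" if hash_alg in LEGACY_SIGVER_HASHES else "FIPS186-5"
        by_rev[rev][curve].add(hash_alg)

    registrations = {}
    for rev, curves in sorted(by_rev.items()):
        registrations[rev] = {
            "algorithm": "ECDSA",
            "mode": "sigVer",
            "revision": rev,
            # One capability object per curve, as in the ECDSA sigVer spec.
            "capabilities": [
                {"curve": [curve], "hashAlg": sorted(hashes)}
                for curve, hashes in sorted(curves.items())
            ],
        }
    return registrations


def find_hash_algs(node):
    """Yield every hashAlg value anywhere in a registration.

    ECDSA lists hashAlg directly in each capability; RSA nests it inside
    hashPair entries under properties. Walking the tree covers both.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "hashAlg":
                yield from (value if isinstance(value, list) else [value])
            else:
                yield from find_hash_algs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_hash_algs(item)


def registration_errors(registration):
    """Return the problems a server enforcing the thread's rule would report.

    Only sigVer registrations under FIPS186-5 are affected; any legacy hash
    found there must be moved to a FIPS186-4 registration instead.
    """
    errors = []
    if (registration.get("mode") == "sigVer"
            and registration.get("revision") == "FIPS186-5"):
        offending = sorted(
            h for h in set(find_hash_algs(registration.get("capabilities", [])))
            if h in LEGACY_SIGVER_HASHES
        )
        for h in offending:
            errors.append(
                f"{registration.get('algorithm')}/sigVer/FIPS186-5 does not "
                f"accept {h}; register it under FIPS186-4"
            )
    return errors


if __name__ == "__main__":
    # Constructed sample input: the curve/hash pairs a hypothetical module supports.
    wanted = [("P-256", "SHA-1"), ("P-256", "SHA2-256"),
              ("P-384", "SHA-1"), ("P-384", "SHA2-384")]
    for rev, reg in split_ecdsa_sigver(wanted).items():
        print(json.dumps(reg, indent=2))
        print(rev, "errors:", registration_errors(reg))
```

Running the block shows the same four pairs turning into two registrations, which is exactly the extra vector-set cost discussed in the thread; `registration_errors` returns an empty list for both, and returns one entry for an RSA sigVer registration that still carries SHA-1 under FIPS186-5.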