Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KAS-ECC: fixedInfoPattern restrictions #1466

Open
smuellerDD opened this issue Aug 28, 2023 · 17 comments
Open

KAS-ECC: fixedInfoPattern restrictions #1466

smuellerDD opened this issue Aug 28, 2023 · 17 comments

Comments

@smuellerDD
Copy link
Contributor

Protocol Section
See FixedInfoPatternConstruction in the KAS-ECC (and perhaps in the FFC specification).

Protocol Question
The specification outlines a number of options. It does not hint that the listed options can only be used once. With that in mind, I tried to define a fixedInfoPattern with multiple literals which is used by one of our clients.

E.g. I would like to define a fixedInfoPattern along the following line of tought:

literal1 || partyUId || literal2 || some other data || partyVId || some other data || literal3

Note, this "some other data" is even a part that is not yet defined in the specification. Anyhow, leaving that out for the moment, the server still returns me:

[
  {
    "acvVersion": "1.0"
  },
  {
    "error": "Validation error(s) on JSON payload.",
    "context": [
      "KAS-ECC-Sp800-56Ar3: Duplicate pieces of fixedInfoPattern found; pieces should be unique."
    ]
  }
]

Thus, the server seems to require the uniqueness of fixedInfoPattern components. Is there a reason for that?

Can we add additional components to the fixedInfoPattern which implies that the protocol is extended by more possibilities?

@livebe01
Copy link
Collaborator

Hi @smuellerDD, no I don't think there's a particularly good reason for that. I'm sure KAS could be updated to allow multiple literals in the construction. But I wonder if it would be more productive to update KAS to remove the fixedInfo construction from the testing scope, i.e., allow the tester to specify the fixedInfo value that was used?

@rnunez83
Copy link

rnunez83 commented Sep 6, 2023

Hi @livebe01. I am working with @smuellerDD on this issue and wanted to add a bit of background. The implementation we are attempting to test is protocol specific format used for PIVP. Our customer implements the fixed inf as such: literal1 || partyU ID || literal2 || partyU leftmost 16 bytes public key || partyV ID || partyV nonce || literal3
Is this format something we could have assistance testing?

@livebe01
Copy link
Collaborator

livebe01 commented Sep 7, 2023

Sure, can you get me the registration you would like to use?

@smuellerDD
Copy link
Contributor Author

So, you are saying that we shall have a generic registration, send the test session to you and you will "fix" the fixed info definition?

@livebe01
Copy link
Collaborator

livebe01 commented Sep 7, 2023

Not quite. I'm saying, can you send me the registration that you would use for the algorithm assuming that ACVTS supported the fixedInfoPattern you need. I'd like to look at the registration and think about how to handle it. ACVTS doesn't support the fixedInfoPattern you need, but pretend that it does. I'm thinking that we'll want to accomplish this testing by CAVP generating a custom vector set for your IUT.

@smuellerDD
Copy link
Contributor Author

smuellerDD commented Sep 7, 2023 via email

@livebe01
Copy link
Collaborator

livebe01 commented Sep 7, 2023

Hi Stephan, you and @rnunez83 have described your needs in relation to fixedInfoPattern. But there is much more to describing a KAS-ECC Sp800-56Ar3 algorithm implementation. For example see section 7 of the KAS-ECC Sp800-56Ar3 algo spec. Can you describe for me the remainder of your IUT's KAS-ECC Sp800-56Ar3 capabilities?

@rnunez83
Copy link

rnunez83 commented Oct 2, 2023

Hi Stephan, you and @rnunez83 have described your needs in relation to fixedInfoPattern. But there is much more to describing a KAS-ECC Sp800-56Ar3 algorithm implementation. For example see section 7 of the KAS-ECC Sp800-56Ar3 algo spec. Can you describe for me the remainder of your IUT's KAS-ECC Sp800-56Ar3 capabilities?

@livebe01, this is the FixedInfo usually prepared to derive the keys:

[literal1 : e.g: 0x0409090909] || [partyU ID] || [literal2 : 0x0100] || [partyU leftmost 16 bytes public key] || [partyV ID] || [partyV nonce (16 bytes for ECC P-256, 24 bytes for ECC P-384/512)] || [literal3 : 0x0100]

Is this what you are looking for?

@livebe01
Copy link
Collaborator

livebe01 commented Oct 3, 2023

Not exactly. I think that I understand how the IUT in question is preparing the FixedInfo. What I'm asking for is for you to describe its other attributes in relation to its implementing/conforming to KAS-ECC Sp800-56Ar3. What would the rest of its registration look like? E.g., https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ecc-sp800-56ar3.html#name-example-kas-ecc-registratio.

@rnunez83
Copy link

rnunez83 commented Oct 4, 2023

Hi @livebe01

Not exactly. I think that I understand how the IUT in question is preparing the FixedInfo. What I'm asking for is for you to describe its other attributes in relation to its implementing/conforming to KAS-ECC Sp800-56Ar3. What would the rest of its registration look like? E.g., https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ecc-sp800-56ar3.html#name-example-kas-ecc-registratio.

Ok. how about this then:

  {
    "isSample":true,
    "operation":"register",
    "certificateRequest":"no",
    "debugRequest":"yes",
    "production":"no",
    "encryptAtRest":"yes",
    "algorithms":[
      {
        "prereqVals":[
          {
            "algorithm":"SHA",
            "valValue":"same"
          },
          {
            "algorithm":"DRBG",
            "valValue":"same"
          },
          {
            "algorithm":"ECDSA",
            "valValue":"same"
          },
          {
            "algorithm":"HMAC",
            "valValue":"same"
          }
        ],
        "revision":"Sp800-56Ar3",
        "algorithm":"KAS-ECC",
        "function":[
          "keyPairGen"
        ],
        "iutId":"1234567890abcdef",
        "scheme":{
          "onePassDh":{
            "kasRole":[
              "responder"
            ],
            "kdfMethods":{
              "oneStepKdf":{
                "auxFunctions":[
                  {
                    "auxFunctionName":"SHA2-256"
                  },
                  {
                    "auxFunctionName":"SHA2-384"
                  },
                  {
                    "auxFunctionName":"SHA2-512"
                  }
                ],
                "fixedInfoPattern":"literal[040909090908000000000000000001001000000000000000000000000000000000080000000000000000100000000000000000000000000000000001000400]||l||uPartyInfo||vPartyInfo",
                "encoding":[
                  "concatenation"
                ]
              }
            },
            "l":1024
          }
        },
        "domainParameterGenerationMethods":[
          "P-256"
        ]
      }
    ]
  }
]

@livebe01
Copy link
Collaborator

livebe01 commented Oct 5, 2023

Thanks @rnunez83, this is helpful. Let me take a look and come up with some options for addressing this.

@rnunez83
Copy link

Thanks @rnunez83, this is helpful. Let me take a look and come up with some options for addressing this.

Hi @livebe01. I just wanted to check if you had any update for this?

@celic
Copy link
Collaborator

celic commented Oct 16, 2023

Hi, I'm picking this item up from Ben, @livebe01. From what I see, you tried a registration that was rejected because it contained duplicate fixedInfoPatterns. It looks like our tests expect distinct patterns here to do a wider range of testing rather than just a single value. I think we want to continue supporting this.

If you have the Gen/Vals running yourself, you can remove the lines around https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/generation/src/NIST.CVP.ACVTS.Libraries.Generation/KAS/Sp800_56Ar3/ParameterValidator.cs#L621. Otherwise if you send me a registration that was failing previously, I can generate some files for you. The registration @rnunez83 provided a couple weeks ago runs without issue already.

@rnunez83
Copy link

hi @celic.

the registration request is the following:
{
"isSample":true,
"operation":"register",
"certificateRequest":"no",
"debugRequest":"yes",
"production":"no",
"encryptAtRest":"yes",
"algorithms":[
{
"prereqVals":[
{
"algorithm":"SHA",
"valValue":"same"
},
{
"algorithm":"DRBG",
"valValue":"same"
},
{
"algorithm":"ECDSA",
"valValue":"same"
},
{
"algorithm":"HMAC",
"valValue":"same"
}
],
"revision":"Sp800-56Ar3",
"algorithm":"KAS-ECC",
"function":[
"keyPairGen"
],
"iutId":"1234567890abcdef",
"scheme":{
"onePassDh":{
"kasRole":[
"responder"
],
"kdfMethods":{
"oneStepKdf":{
"auxFunctions":[
{
"auxFunctionName":"SHA2-256"
},
{
"auxFunctionName":"SHA2-384"
},
{
"auxFunctionName":"SHA2-512"
}
],
"fixedInfoPattern":"literal[040909090908000000000000000001001000000000000000000000000000000000080000000000000000100000000000000000000000000000000001000400]||l||uPartyInfo||vPartyInfo",
"encoding":[
"concatenation"
]
}
},
"l":1024
}
},
"domainParameterGenerationMethods":[
"P-256"
]
}
]
}
]

@celic
Copy link
Collaborator

celic commented Oct 19, 2023

This is the same one that you posted a couple comments ago? This ran with no issues. I'm looking for the one that you all want to run but are prevented due to the original error message.

@rnunez83
Copy link

@celic, see that is the thing. I am unable to create a request that allows two different literal values. What I am trying to form is the following fixedinfo:
[literal1 : e.g: 0x0409090909] || [partyU ID] || [literal2 : 0x0100] || [partyU leftmost 16 bytes public key] || [partyV ID] || [partyV nonce (16 bytes for ECC P-256, 24 bytes for ECC P-384/512)] || [literal3 : 0x0100]
but ACVTS does not have a field for more than 1 literal definition, so how do we create the request with the above fixedinfo?

@ylu0926
Copy link

ylu0926 commented Sep 26, 2024

But I wonder if it would be more productive to update KAS to remove the fixedInfo construction from the testing scope, i.e., allow the tester to specify the fixedInfo value that was used?

Totally agree. Why do we need to test fixedInfo construction? Allow the tester to specify fixedInfo would be more favourable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants