forked from usnistgov/ACVP
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathacvp_sub_ecdsa.txt
1568 lines (1063 loc) · 58.3 KB
/
acvp_sub_ecdsa.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
TBD B. Fussell, Ed.
Internet-Draft Cisco Systems, Inc.
Intended status: Informational June 1, 2016
Expires: December 3, 2016
ACVP ECDSA Algorithm JSON Specification
draft-ietf-acvp-subecdsa-1.0
Abstract
This document defines the JSON schema for using ECDSA algorithms with
the ACVP specification.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 3, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Fussell Expires December 3, 2016 [Page 1]
Internet-Draft Sym Alg JSON June 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Supported ECDSA Algorithms . . . . . . . . . . . . . . . . . 3
3. Test Types and Test Coverage . . . . . . . . . . . . . . . . 3
3.1. Test Coverage . . . . . . . . . . . . . . . . . . . . . . 4
3.1.1. Requirements Covered . . . . . . . . . . . . . . . . 4
3.1.2. Requirements Not Covered . . . . . . . . . . . . . . 4
4. Capabilities Registration . . . . . . . . . . . . . . . . . . 5
4.1. Required Prerequisite Algorithms for ECDSA Validations . 5
4.2. ECDSA Algorithm Capabilities Registration . . . . . . . . 6
4.3. Supported ECDSA Modes Capabilities . . . . . . . . . . . 7
4.3.1. The keyGen Mode Capabilities . . . . . . . . . . . . 7
4.3.1.1. keyGen Full Set of Capabilities . . . . . . . . . 8
4.3.2. The keyVer Mode Capabilities . . . . . . . . . . . . 8
4.3.2.1. keyVer Full Set of Capabilities . . . . . . . . . 9
4.3.3. The sigGen Mode Capabilities . . . . . . . . . . . . 9
4.3.3.1. sigGen Full Set of Capabilities . . . . . . . . . 9
4.3.4. The sigVer Mode Capabilities . . . . . . . . . . . . 10
4.3.4.1. sigVer Full Set of Capabilities . . . . . . . . . 11
5. Supported DSA Conformances . . . . . . . . . . . . . . . . . 12
6. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Test Groups JSON Schema . . . . . . . . . . . . . . . . . 13
6.2. Test Case JSON Schema . . . . . . . . . . . . . . . . . . 14
7. Test Vector Responses . . . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
10. Security Considerations . . . . . . . . . . . . . . . . . . . 16
11. Normative References . . . . . . . . . . . . . . . . . . . . 16
Appendix A. Example Capabilities JSON Object . . . . . . . . . . 17
Appendix B. Example Vector Set Request/Responses JSON Object . . 20
B.1. Example Test ECDSA KeyGen JSON Object . . . . . . . . . . 20
B.2. Example Test ECDSA KeyVer JSON Object . . . . . . . . . . 22
B.3. Example Test ECDSA Signature Generation JSON Object . . . 24
B.4. Example Test ECDSA SigVer JSON Object . . . . . . . . . . 26
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction
The Automated Crypto Validation Protocol (ACVP) defines a mechanism
to automatically verify the cryptographic implementation of a
software or hardware crypto module. The ACVP specification defines
how a crypto module communicates with an ACVP server, including
crypto capabilities negotiation, session management, authentication,
vector processing and more. The ACVP specification does not define
algorithm specific JSON constructs for performing the crypto
validation. A series of ACVP sub-specifications define the
Fussell Expires December 3, 2016 [Page 2]
Internet-Draft Sym Alg JSON June 2016
constructs for testing individual crypto algorithms. Each sub-
specification addresses a specific class of crypto algorithms. This
sub-specification defines the JSON constructs for testing ECDSA
algorithms using ACVP.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted in RFC 2119 [RFC2119].
2. Supported ECDSA Algorithms
The following ECDSA algorithms MAY be advertised by the ACVP
compliant cryptographic module:
o ECDSA / keyGen
o ECDSA / keyVer
o ECDSA / sigGen
o ECDSA / sigVer
3. Test Types and Test Coverage
The ACVP server performs a set of tests on the specified ECDSA
algorithm in order to assess the correctness and robustness of the
implementation. A typical ACVP validation session SHALL require
multiple tests to be performed for every supported permutation of
ECDSA capabilities. This section describes the design of the tests
used to validate implementations of the ECDSA algorithms.
ECDSA / keyGen "AFT" - Algorithm Functional Test. The IUT is
REQUIRED for each test case provided, to generate a key pair based
on an approved curve. This information is then communicated to
the ACVP server and validated.
ECDSA / keyVer "AFT" - Algorithm Functional Test. The ACVP server
is REQUIRED to generate a series of keys based on the IUT provided
NIST curve(s). The keys generated by the server MAY or MAY NOT be
valid, the IUT is REQUIRED to determine if the keys provided in
the test cases are valid or invalid keys as they relate to the
curve.
ECDSA / sigGen "AFT" - Algorithm Functional Test. This testing
mode expects the IUT to generate valid signatures based on the
ACVP provided message. The signature is then validated with the
Fussell Expires December 3, 2016 [Page 3]
Internet-Draft Sym Alg JSON June 2016
ACVP server given the IUT's communicated curve, public key, and
signature.
ECDSA / sigVer "AFT" - Algorithm Functional Test. The ACVP server
generates a series of signatures to communicate to the IUT. The
IUT is REQUIRED to determine the validity of the signature given
the curve, key, and message.
3.1. Test Coverage
The tests described in this document have the intention of ensuring
an implementation is conformant to [FIPS.186-4] and [SP.800-89].
3.1.1. Requirements Covered
FIPS.186-4 - 3 General Discussion. Domain parameter generation,
key generation, signature generation, and signature validation are
all within scope of ACVP server testing.
FIPS.186-4 - 6 The Eliliptic Curve Digital Signature Algorithm
(ECDSA). The ACVP server SHALL allow testing with the recommended
NIST curves. The ACVP server SHALL support a variety of curves/
hash function for creation and delivery to/from the IUT. Key pair
generation/verification testing SHALL be provided by the ACVP
server. Both Signature Generation and Validation testing
mechanmisms SHALL be provided by the ACVP server.
SP800-106 - (3) Randomized Hashing and (4) Digital Signatures
Using Randomized Hashing. The IUT SHALL be provided or provide a
random value that should be used to "randomize" a message prior to
signing and/or verifying an original message.
3.1.2. Requirements Not Covered
FIPS.186-4 - 3 General Discussion. Assurances of private key
secrecy and ownership SHALL NOT be within scope of ACVP testing.
FIPS.186-4 - 6 The Eliliptic Curve Digital Signature Algorithm
(ECDSA). Though the ACVP server SHALL support a variety of
parameter sizes/hash functions, the IUT's selection of these is
out of scope of testing. The ACVP server SHALL NOT provide
testing for the validity of domain parameters as testing is
(currently) limited to approved NIST curves. Testing SHALL NOT
provide assurances the IUT has validated a set of domain
parameters prior to their use. Domain parameter and key pair
management SHALL NOT be within scope of ACVP testing.
Fussell Expires December 3, 2016 [Page 4]
Internet-Draft Sym Alg JSON June 2016
SP800-106 - 3.3 The Random Value. DSA, ECDSA, and RSA have random
values generated as per their signing process, this random value
can be used as the input to the message randomization function,
doing so however is out of scope of this testing.
4. Capabilities Registration
ACVP requires crypto modules to register their capabilities. This
allows the crypto module to advertise support for specific
algorithms, notifying the ACVP server which algorithms need test
vectors generated for the validation process. This section describes
the constructs for advertising support of ECDSA algorithms to the
ACVP server.
The algorithm capabilities are advertised as JSON objects within the
'algorithms' value of the ACVP registration message. The
'algorithms' value is an array, where each array element is an
individual JSON object defined in this section. The 'algorithms'
value is part of the 'capability_exchange' element of the ACVP JSON
registration message. See the ACVP specification for details on the
registration message.
4.1. Required Prerequisite Algorithms for ECDSA Validations
Each ECDSA implementation relies on other cryptographic primitives.
For example, ECDSA uses an underlying SHA algorithm. Each of these
underlying algorithm primitives must be validated, either separately
or as part of the same submission. ACVP provides a mechanism for
specifying the required prerequisites:
Fussell Expires December 3, 2016 [Page 5]
Internet-Draft Sym Alg JSON June 2016
+-------------+--------------+--------------+------------+----------+
| JSON Value | Description | JSON type | Valid | Optional |
| | | | Values | |
+-------------+--------------+--------------+------------+----------+
| algorithm | a | value | DRBG, | No |
| | prerequisite | | DRBG_OPT2, | |
| | algorithm | | SHA, | |
| | | | SHA_OPT2, | |
| | | | SHA_OPT3 | |
| valValue | algorithm | value | actual | No |
| | validation | | number or | |
| | number | | "same" | |
| prereqAlgVa | prerequistie | object with | see above | No |
| l | algorithm | algorithm | | |
| | validation | and valValue | | |
| | | properties | | |
| prereqVals | prerequistie | array of | see above | No |
| | algorithm | prereqAlgVal | | |
| | validations | objects | | |
+-------------+--------------+--------------+------------+----------+
Table 1: Required ECDSA Prerequisite Algorithms JSON Values
4.2. ECDSA Algorithm Capabilities Registration
Each algorithm capability advertised is a self-contained JSON object
using the following values
+--------------+--------------+--------------+-----------+----------+
| JSON Value | Description | JSON type | Valid | Optional |
| | | | Values | |
+--------------+--------------+--------------+-----------+----------+
| algorithm | The | value | "ECDSA" | No |
| | algorithm | | | |
| | under test | | | |
| mode | The ECDSA | value | "keyGen", | No |
| | mode to be | | "keyVer", | |
| | validated | | "sigGen", | |
| | | | or | |
| | | | "sigVer" | |
| revision | The | value | "1.0" | No |
| | algorithm | | | |
| | testing | | | |
| | revision to | | | |
| | use. | | | |
| prereqVals | prerequistie | array of | See Secti | No |
| | algorithm | prereqAlgVal | on 4.1 | |
| | validations | objects | | |
Fussell Expires December 3, 2016 [Page 6]
Internet-Draft Sym Alg JSON June 2016
| capabilities | array of | Array of | See Secti | Yes |
| | JSON | JSON objects | on 4.3 | |
| | objects, | | | |
| | each with | | | |
| | fields | | | |
| | pertaining | | | |
| | to the | | | |
| | global ECDSA | | | |
| | mode | | | |
| | indicated | | | |
| | above and | | | |
| | identified | | | |
| | uniquely by | | | |
| | the | | | |
| | combination | | | |
| | of the ECDSA | | | |
| | "mode" and | | | |
| | indicated | | | |
| | properties | | | |
| conformances | Used to | Array of | See | Yes |
| | denote the | strings | Section 5 | |
| | conformances | | | |
| | that can | | | |
| | apply to | | | |
| | specific | | | |
| | modes of | | | |
| | DSA. | | | |
+--------------+--------------+--------------+-----------+----------+
Table 2: ECDSA Algorithm Capabilities JSON Values
4.3. Supported ECDSA Modes Capabilities
The ECDSA mode capabilities are advertised as JSON objects within the
'capabilities' value of the ACVP registration message - see Table 2 .
The 'capabilities' value is an array, where each array element is a
JSON object corresponding to a particular ECDSA mode defined in this
section. The 'capabilities' value is part of the
'capability_exchange' element of the ACVP JSON registration message.
See the ACVP specification for details on the registration message.
Each ECDSA mode's capabilities are advertised as JSON objects.
4.3.1. The keyGen Mode Capabilities
The ECDSA keyGen mode capabilities are advertised as JSON objects,
which are elements of the 'capabilities' array in the ACVP
Fussell Expires December 3, 2016 [Page 7]
Internet-Draft Sym Alg JSON June 2016
registration message. See the ACVP specification for details on the
registration message.
Each ECDSA keyGen mode capability set is advertised as a self-
contained JSON object.
4.3.1.1. keyGen Full Set of Capabilities
The complete list of ECDSA key generation capabilities may be
advertised by the ACVP compliant crypto module:
+--------------------+------------+-------+--------------+----------+
| JSON Value | Descriptio | JSON | Valid Values | Optional |
| | n | type | | |
+--------------------+------------+-------+--------------+----------+
| curve | The curve | array | Any non- | No |
| | names | | empty subset | |
| | supported | | of {"P-224", | |
| | for the | | "P-256", | |
| | IUT in | | "P-384", | |
| | keyGen. | | "P-521", | |
| | | | "B-233", | |
| | | | "B-283", | |
| | | | "B-409", | |
| | | | "B-571", | |
| | | | "K-233", | |
| | | | "K-283", | |
| | | | "K-409", | |
| | | | "K-571"} | |
| secretGenerationMo | The method | array | Any non- | No |
| de | used to | | empty subset | |
| | generate | | of {"extra | |
| | the | | bits", | |
| | randomness | | "testing | |
| | incoporate | | candidates"} | |
| | d in the | | | |
| | key. | | | |
+--------------------+------------+-------+--------------+----------+
Table 3: ECDSA keyGen Capabilities JSON Values
4.3.2. The keyVer Mode Capabilities
The ECDSA keyVer mode capabilities are advertised as JSON objects,
which are elements of the 'capabilities' array in the ACVP
registration message. See the ACVP specification for details on the
registration message.
Fussell Expires December 3, 2016 [Page 8]
Internet-Draft Sym Alg JSON June 2016
Each ECDSA keyVer mode capability set is advertised as a self-
contained JSON object.
4.3.2.1. keyVer Full Set of Capabilities
The complete list of ECDSA key verification capabilities may be
advertised by the ACVP compliant crypto module:
+-------+-------------+-------+--------------------------+----------+
| JSON | Description | JSON | Valid Values | Optional |
| Value | | type | | |
+-------+-------------+-------+--------------------------+----------+
| curve | The curve | array | Any non-empty subset of | No |
| | names | | {"P-192", "P-224", | |
| | supported | | "P-256", "P-384", | |
| | for the IUT | | "P-521", "B-163", | |
| | in keyVer. | | "B-233", "B-283", | |
| | | | "B-409", "B-571", | |
| | | | "K-163", "K-233", | |
| | | | "K-283", "K-409", | |
| | | | "K-571"} | |
+-------+-------------+-------+--------------------------+----------+
Table 4: ECDSA keyVer Capabilities JSON Values
4.3.3. The sigGen Mode Capabilities
The ECDSA sigGen mode capabilities are advertised as JSON objects,
which are elements of the 'capabilities' array in the ACVP
registration message. See the ACVP specification for details on the
registration message.
Each ECDSA sigGen mode capability set is advertised as a self-
contained JSON object.
4.3.3.1. sigGen Full Set of Capabilities
The complete list of ECDSA signature generation capabilities may be
advertised by the ACVP compliant crypto module:
Fussell Expires December 3, 2016 [Page 9]
Internet-Draft Sym Alg JSON June 2016
+--------------+--------------+-------+------------------+----------+
| JSON Value | Description | JSON | Valid Values | Optional |
| | | type | | |
+--------------+--------------+-------+------------------+----------+
| capabilities | An array | array | Any non-empty | No |
| | containing | | subset of | |
| | capability | | capability | |
| | objects | | objects | |
| | defined as | | | |
| | an array of | | | |
| | 'curve' and | | | |
| | an array of | | | |
| | 'hashAlg' as | | | |
| | listed | | | |
| | below. | | | |
| curve | The curves | array | Any non-empty | No |
| | supported | | subset of | |
| | with a | | {"P-224", | |
| | particular | | "P-256", | |
| | set of hash | | "P-384", | |
| | algorithms. | | "P-521", | |
| | | | "B-233", | |
| | | | "B-283", | |
| | | | "B-409", | |
| | | | "B-571", | |
| | | | "K-233", | |
| | | | "K-283", | |
| | | | "K-409", | |
| | | | "K-571"} | |
| hashAlg | The hash | array | Any non-empty | No |
| | functions | | subset of | |
| | supported | | {"SHA2-224", | |
| | when signing | | "SHA2-256", | |
| | a message | | "SHA2-384", | |
| | for a | | "SHA2-512", | |
| | particular | | "SHA2-512/224", | |
| | set of | | "SHA2-512/256"}. | |
| | curves. | | | |
+--------------+--------------+-------+------------------+----------+
Table 5: ECDSA sigGen Capabilities JSON Values
4.3.4. The sigVer Mode Capabilities
The ECDSA sigVer mode capabilities are advertised as JSON objects,
which are elements of the 'capabilities' array in the ACVP
registration message. See the ACVP specification for details on the
registration message.
Fussell Expires December 3, 2016 [Page 10]
Internet-Draft Sym Alg JSON June 2016
Each ECDSA sigVer mode capability set is advertised as a self-
contained JSON object.
4.3.4.1. sigVer Full Set of Capabilities
The complete list of ECDSA signature verification capabilities may be
advertised by the ACVP compliant crypto module:
+--------------+-------------+-------+-------------------+----------+
| JSON Value | Description | JSON | Valid Values | Optional |
| | | type | | |
+--------------+-------------+-------+-------------------+----------+
| capabilities | An array | array | Any non-empty | No |
| | containing | | subset of | |
| | capability | | capability | |
| | objects | | objects | |
| | defined as | | | |
| | an array of | | | |
| | 'curve' and | | | |
| | an array of | | | |
| | 'hashAlg' | | | |
| | as listed | | | |
| | below. | | | |
| curve | The curves | array | Any non-empty | No |
| | supported | | subset of | |
| | with a | | {"P-192", | |
| | particular | | "P-224", "P-256", | |
| | set of hash | | "P-384", "P-521", | |
| | algorithms. | | "B-163", "B-233", | |
| | | | "B-283", "B-409", | |
| | | | "B-571", "K-163", | |
| | | | "K-233", "K-283", | |
| | | | "K-409", "K-571"} | |
| hashAlg | The hash | array | Any non-empty | No |
| | functions | | subset of | |
| | supported | | {"SHA-1", | |
| | when | | "SHA2-224", | |
| | signing a | | "SHA2-256", | |
| | message for | | "SHA2-384", | |
| | a | | "SHA2-512", | |
| | particular | | "SHA2-512/224", | |
| | set of | | "SHA2-512/256"}. | |
| | curves. | | | |
+--------------+-------------+-------+-------------------+----------+
Table 6: ECDSA sigVer Capabilities JSON Values
Fussell Expires December 3, 2016 [Page 11]
Internet-Draft Sym Alg JSON June 2016
5. Supported DSA Conformances
Conformances MAY be used to test additional features of certain
algorithms.
+-----------+--------------------------------+-----------+----------+
| String | Description | Valid | Optional |
| Value | | algorithm | |
| | | modes | |
+-----------+--------------------------------+-----------+----------+
| SP800-106 | This conformance signifies the | SigGen, | Yes |
| | SigGen and/or SigVer modes | SigVer | |
| | support randomized message | | |
| | hashing as described in | | |
| | [SP.800-106]. Utilizing this | | |
| | conformance SHALL generate | | |
| | additional test groups, | | |
| | denoted with a group level | | |
| | property of `"conformance": | | |
| | "SP800-106"`. | | |
+-----------+--------------------------------+-----------+----------+
Table 7: DSA Conformances
6. Test Vectors
The ACVP server provides test vectors to the ACVP client, which are
then processed and returned to the ACVP server for validation. A
typical ACVP validation session would require multiple test vector
sets to be downloaded and processed by the ACVP client. Each test
vector set represents an individual ECDSA function. This section
describes the JSON schema for a test vector set used with ECDSA
algorithms.
The test vector set JSON schema is a multi-level hierarchy that
contains meta data for the entire vector set as well as individual
test vectors to be processed by the ACVP client.The following table
describes the JSON elements at the top level of the hierarchy.
Fussell Expires December 3, 2016 [Page 12]
Internet-Draft Sym Alg JSON June 2016
+------------+---------------------------------------------+--------+
| JSON Value | Description | JSON |
| | | type |
+------------+---------------------------------------------+--------+
| acvVersion | Protocol version identifier | value |
| vsId | Unique numeric identifier for the vector | value |
| | set | |
| algorithm | ECDSA | value |
| mode | The ECDSA mode used for the test vectors | value |
| revision | The algorithm testing revision to use. | value |
| testGroups | Array of test group JSON objects, which are | array |
| | defined in Section 6.1 | |
+------------+---------------------------------------------+--------+
Table 8: Vector Set JSON Object
6.1. Test Groups JSON Schema
The testGroups element at the top level in the test vector JSON
object is an array of test groups. Test vectors are grouped into
similar test cases to reduce the amount of data transmitted in the
vector set. For instance, all test vectors that use the same key
size would be grouped together. The Test Group JSON object contains
meta data that applies to all test vectors within the group. The
following table describes the secure hash JSON elements of the Test
Group JSON object.
The test group for ECDSA is as follows:
Fussell Expires December 3, 2016 [Page 13]
Internet-Draft Sym Alg JSON June 2016
+----------------------+-------------------+-------------+----------+
| JSON Value | Description | JSON type | Optional |
+----------------------+-------------------+-------------+----------+
| curve | The curve type | value | No |
| | used for the test | | |
| | vectors. | | |
| secretGenerationMode | The method of | value | Yes |
| | generating a | | |
| | secret used for | | |
| | key generation in | | |
| | the test vectors. | | |
| hashAlg | SHA version used | value | Yes |
| qx | The public key | value | Yes |
| | curve point x | | |
| qy | The public key | value | Yes |
| | curve point y | | |
| conformance | Signifies all | "SP800-106" | Yes |
| | test cases within | | |
| | the group should | | |
| | utilize random | | |
| | message hashing | | |
| | as described in | | |
| | [SP.800-106]. | | |
| tests | Array of | array | No |
| | individual test | | |
| | vector JSON | | |
| | objects, which | | |
| | are defined in | | |
| | Section 6.2 | | |
+----------------------+-------------------+-------------+----------+
Table 9: Vector Group JSON Object
6.2. Test Case JSON Schema
Each test group contains an array of one or more test cases. Each
test case is a JSON object that represents a single test vector to be
processed by the ACVP client. The following table describes the JSON
elements for each ECDSA test vector.
Fussell Expires December 3, 2016 [Page 14]
Internet-Draft Sym Alg JSON June 2016
+----------------+-------------------------------+-------+----------+
| JSON Value | Description | JSON | Optional |
| | | type | |
+----------------+-------------------------------+-------+----------+
| tcId | Numeric identifier for the | value | No |
| | test case, unique across the | | |
| | entire vector set. | | |
| qx | The public key curve point x | value | Yes |
| qy | The public key curve point y | value | Yes |
| r | The signature component R | value | Yes |
| s | The signature component S | value | Yes |
| message | The message used to generate | value | Yes |
| | signature or verify signature | | |
| randomValue | The random value to be used | value | Yes |
| | as an input into the message | | |
| | randomization function as | | |
| | described in [SP.800-106]. | | |
| randomValueLen | The random value's bit | value | Yes |
| | length. | | |
+----------------+-------------------------------+-------+----------+
Table 10: Test Case JSON Object
7. Test Vector Responses
After the ACVP client downloads and processes a vector set, it must
send the response vectors back to the ACVP server. The following
table describes the JSON object that represents a vector set
response.
+-------------+---------------------------------------------+-------+
| JSON Value | Description | JSON |
| | | type |
+-------------+---------------------------------------------+-------+
| acvVersion | Protocol version identifier | value |
| vsId | Unique numeric identifier for the vector | value |
| | set | |
| testResults | Array of JSON objects that represent each | array |
| | test vector result, as defined by the | |
| | tables below | |
+-------------+---------------------------------------------+-------+
Table 11: Vector Set Response JSON Object
The following table describes the JSON object that represents a
vector set response for ECDSA.
Fussell Expires December 3, 2016 [Page 15]
Internet-Draft Sym Alg JSON June 2016
+----------------+-----------------------------+---------+----------+
| JSON Value | Description | JSON | Optional |
| | | type | |
+----------------+-----------------------------+---------+----------+
| d | The private key | value | Yes |
| qx | The public key curve point | value | Yes |
| | x | | |
| qy | The public key curve point | value | Yes |
| | y | | |
| r | The signature component R | value | Yes |
| s | The signature component S | value | Yes |
| randomValue | The random value to be used | value | Yes |
| | as an input into the | | |
| | message randomization | | |
| | function as described in | | |
| | [SP.800-106]. | | |
| randomValueLen | The random value's bit | value | Yes |
| | length. | | |
| testPassed | The Pass or Fail result of | boolean | Yes |
| | the verify or validation | | |
+----------------+-----------------------------+---------+----------+
Table 12: Vector Set Response JSON Object
8. Acknowledgements
TBD...
9. IANA Considerations
This memo includes no request to IANA.
10. Security Considerations
Security considerations are addressed by the ACVP specification.
11. Normative References
[ACVP] authSurName, authInitials., "ACVP Specification", 2016.
[FIPS.186-4]
NIST, "Digital Signature Standard (DSS)", July 2013,
<https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.186-4.pdf>.
Fussell Expires December 3, 2016 [Page 16]
Internet-Draft Sym Alg JSON June 2016
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[SP.800-106]
NIST, "Randomized Hashing for Digital Signatures",
February 2009,
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-106.pdf>.
[SP.800-89]
NIST, "Recommendation for Obtaining Assurances for Digital
Signature Applications", July 2013,
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-89.pdf>.
Appendix A. Example Capabilities JSON Object
The following sections contain example JSON for the various ECDSA
modes: keyGen, keyVer, sigGen, and sigVer. Note that all binary HEX
representations are in big-endian format.
[{
"algorithm": "ECDSA",
"mode": "keyGen",
"revision": "1.0",
"prereqVals": [{
"algorithm": "SHA",
"valValue": "123456"
},
{
"algorithm": "DRBG",
"valValue": "123456"
}
],
"curve": [
"P-224",
"P-256",
"P-384",
"P-521",
"B-233",
"B-283",
"B-409",
"B-571",
"K-233",
"K-283",
Fussell Expires December 3, 2016 [Page 17]
Internet-Draft Sym Alg JSON June 2016
"K-409",
"K-571"
],
"secretGenerationMode": [
"extra bits",
"testing candidates"
]
},
{
"algorithm": "ECDSA",
"mode": "keyVer",
"revision": "1.0",
"prereqVals": [{
"algorithm": "SHA",
"valValue": "123456"
},
{
"algorithm": "DRBG",
"valValue": "123456"
}
],
"curve": [
"P-192",
"P-224",
"P-256",
"P-384",
"P-521",
"B-163",
"B-233",
"B-283",
"B-409",
"B-571",
"K-163",
"K-233",
"K-283",
"K-409",
"K-571"
]
},
{
"algorithm": "ECDSA",
"mode": "sigGen",
"revision": "1.0",
"prereqVals": [{