
RSA [FIPS 186-4] issue


Leon Brits

Mar 26, 2014, 3:19:11 AM

Hi all,

We use the OpenSSL FIPS Object Module v.2.0, but are not allowed anymore (as of the start of this year) to submit new product for validation because the RSA implementation is only FIPS 186-2 compliant. Based on extensive review and research it seems to be possible to “patch” the RSA key generation to be FIPS 186-4 compliant and apparently (correct me if I am wrong) the sign/verify is close enough to FIPS 186-4 to pass.

I am in no way capable of writing such a patch and was hoping that someone is willing to share.

To be more specific I need a patch that will change the key generation from:

d = e^-1 mod ((p-1)(q-1))

to this:

d = e^-1 mod (LCM(p-1, q-1))

I would appreciate any comment about the statement that the RSA implementation for sign and verify will pass the CAVP testing for FIPS 186-4.

As usual thanks for your help

Regards,

LJB
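
Added example (not part of the original post and not OpenSSL code): the two derivations of d from the post, computed side by side in Python on constructed toy primes, with a check that both exponents decrypt correctly and a check against the FIPS 186-4 Appendix B.3.1 bound 2^(nlen/2) < d < LCM(p-1, q-1). All function names and the values of P, Q and E are assumptions made for illustration.

```python
from math import gcd

# Constructed toy parameters (far too small for real use).
P, Q, E = 61, 53, 17

def lcm(a, b):
    return a // gcd(a, b) * b

def private_exponents(p, q, e):
    """Return (d_phi, d_lcm): e^-1 mod (p-1)(q-1) and e^-1 mod LCM(p-1, q-1)."""
    phi = (p - 1) * (q - 1)
    lam = lcm(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo LCM(p-1, q-1)")
    return pow(e, -1, phi), pow(e, -1, lam)  # modular inverse, Python 3.8+

def roundtrip_ok(p, q, e, d):
    """True if (m^e)^d == m (mod n) for every m in [0, n)."""
    n = p * q
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

def d_in_fips186_4_range(p, q, d):
    """FIPS 186-4 B.3.1 bound on d: 2^(nlen/2) < d < LCM(p-1, q-1)."""
    nlen = (p * q).bit_length()
    return 2 ** (nlen // 2) < d < lcm(p - 1, q - 1)

def compare(p, q, e):
    """Summarise how the two private exponents relate for one key."""
    d_phi, d_lcm = private_exponents(p, q, e)
    return {
        "d_phi": d_phi,
        "d_lcm": d_lcm,
        # The phi-based exponent reduces to the LCM-based one.
        "same_mod_lcm": d_phi % lcm(p - 1, q - 1) == d_lcm,
        "both_decrypt": roundtrip_ok(p, q, e, d_phi) and roundtrip_ok(p, q, e, d_lcm),
        "d_phi_in_range": d_in_fips186_4_range(p, q, d_phi),
        "d_lcm_in_range": d_in_fips186_4_range(p, q, d_lcm),
    }

if __name__ == "__main__":
    for name, value in compare(P, Q, E).items():
        print(f"{name}: {value}")
```

With these toy values both exponents decrypt correctly, but the one derived modulo (p-1)(q-1) is larger than LCM(p-1, q-1) and so falls outside the bound, while the LCM-derived one is inside it.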

Steve Marquess

Mar 26, 2014, 7:52:29 AM
Well, you asked for any comment so you'll get one from me.

The easiest part of any FIPS 140-2 validation is the coding. The hard
part is figuring out the requirements, both written and unwritten, which
are subject to frequent change and inconsistent interpretation. The
OpenSSL FIPS Object Module series of open source based validations have
been funded with the intent of providing a ready made example of
something that does meet those requirements, or at least the
requirements in place at the time the validations were obtained. Those
examples can be (and have extensively been) used for obtaining privately
branded copycat ("private label") validations such as what you are
attempting.

Unfortunately a number of new requirements have been introduced since
the #1747 validation was obtained. We *think* we know what code changes
would suffice to satisfy them, but unfortunately we aren't allowed to
apply them to that existing validation. Since the interpretation of the
requirements can be very inconsistent (as we know from obtaining
multiple validations in parallel using exactly the same code) we can't
be sure until and if we succeed in obtaining a new validation. At that
time the resulting successful example will be available for all as a new
reference as has been the case with prior OpenSSL FIPS Object Module
validations.

If you do succeed in obtaining a validation under the new requirements
before we do (which is likely as we have no current plans or funding for
same) then please publish the results. Much of the mystery and
inconsistency of cryptographic module validation would be obviated if
the results of validations were more fully disclosed. At present details
about validations are treated as state secrets, with the singular
exception of our open source based validations.

I think you will find that a number of other code modifications will
also be required. I'll be interested to learn what works for your
validation.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marq...@opensslfoundation.com
marq...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc

Salz, Rich

Mar 26, 2014, 9:34:00 AM
> Much of the mystery and inconsistency of cryptographic module validation would be obviated if the results of validations were more fully disclosed. At present details about validations are treated as state secrets, with the singular exception of our open source based validations.

Sadly true. I think because, often, there's less there than meets the eye. One of the most important things OpenSSL FIPS does is bring some much-needed sunlight into this arena.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

JDM

Apr 11, 2014, 1:49:57 PM
Leon Brits wrote
> I am in no way capable of writing such a patch and was hoping that someone
> is willing to share.
> To be more specific I need a patch that will change the key generation
> from:
> d = e^-1 mod ((p-1)(q-1))
> to this:
> d = e^-1 mod (LCM(p-1, q-1))

We’re also pursuing a patch to RSA Key Generation. Leon, are you saying
that you believe this is the change that is necessary in order for it to be
validated? What makes you think that? I think you’re further along in the
process than we are and I’d like to learn from what you’ve found.




JDM

Apr 11, 2014, 1:51:21 PM
Steve Marquess-3 wrote
> I think you will find that a number of other code modifications will
> also be required.

Are you saying that you think more than just what Leon mentioned will have
to be changed in order to validate RSA Key Generation? Is there any chance
that OpenSSL would be willing to point to the sections of code that they
(you) believe would need to be changed?


