KAS-ECC-SSC tests failing for go/crypto/elliptic module #1196
Comments
Hi, Any inputs here would be very helpful. I would also like to add that I'm running these test vectors against Go lang crypto library version 1.12.1. I would like to know if there is anything specific to SP800 56A R3 that needs to be handled. Thanks! |
Hi, we tried with a new set of vectors and now we observe the following error - { Please let us know how we may proceed. Thanks! |
It appears that the IUT provided Here is a repro of the calculation specified in the output section of C.2: https://replit.com/@Kritner/ExpectedBitLengthOfZ#main.py The https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf For the P-521 curve, the expected length of using tcId 27 as an example, the IUT provided:
The ACVP Server generated value for that same test id of 27 is:
I would imagine it'd be a similar situation with the other failing test cases from the vector set, but I did not check. Additionally, there is a regarding your comment in #1196 (comment), I would need to know what endpoint you're trying to hit, the verb being used, and the payload. |
Hi,
Sorry to bombard you with questions, here is another one. Is there a way we can limit the number of test cases we receive for a given vsid? For instance SHA tests have about 512 individual tests for Algorithm validations. Can that number be configured? Appreciate your prompt responses and it really helps! Thanks very much. |
This is only the root URL that's being hit, not the actual endpoint - though looking through our code, the only time this response is returned is if you try to get "results" for a vector set, without having uploaded your responses. The full endpoint that can return that response is:
Regarding the ACVP Proxy command you're using, I can't really speak to that as it's not our product.
The file you attached is a response file from IUT to ACVP Server, but I don't see any indication of it having been uploaded to us. Can you try again? Additionally, knowing the datetime the upload was attempted would help so I can double check our logs.
No there is no controlling from the client perspective how many test cases are generated for a vector set. the Just to circle back to the issue at hand, did my response in #1196 (comment) make sense? |
About your comment in #1196, yes that helped. |
I'm not exactly sure what you mean by "test driver code" - if that's the harness or proxy sitting above the actual implementation, then probably not. The padding here is important for KAS-*-SSC, since SSC's intention is to be used in conjunction with a KAS-KDF to make up a "KAS validation". The KDFs (in I believe all instances?) perform one way functions (such as a hash) upon the shared secret, so it's quite important that the length of the output shared secret is appropriate, since hashing a shared secret z value of So this padding seems like it should be the responsibility of the implementation itself, rather than the test harness/proxy calling into the implementation. Either that or the KDF implementation would need to account for this "domain parameter dependent (in this case P-521)" padding, but since the KDF should be shared secret generation (and domain parameter) agnostic, it seems to make the most sense that the SSC implementation performs the padding. |
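The padding point made in the two maintainer replies above (the expected length of Z for P-521, and why the SSC implementation itself should pad), as an added Go example that is not code from this thread or from the ACVP project. `big.Int.Bytes()` drops leading zero bytes, so the shared secret has to be left-padded to the field length; the scalars and the helper names `fieldLen`, `encodeZ` and `firstShortZ` are constructed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// fieldLen is the byte length of one field element: ceil(bits/8), 66 for P-521.
func fieldLen(c elliptic.Curve) int { return (c.Params().BitSize + 7) / 8 }

// encodeZ left-pads the shared x-coordinate to the field length.
// big.Int.Bytes() returns the minimal encoding, so leading zero bytes are
// lost unless they are restored here. (Hypothetical helper name.)
func encodeZ(c elliptic.Curve, x *big.Int) []byte {
	out := make([]byte, fieldLen(c))
	b := x.Bytes()
	copy(out[len(out)-len(b):], b)
	return out
}

// firstShortZ runs ECDH between a fixed, constructed scalar dA and small
// scalars k = 2, 3, ... until the raw Z is shorter than the field length.
func firstShortZ(c elliptic.Curve) (raw, padded []byte) {
	dA := []byte{0x0a, 0x11, 0x22, 0x33} // constructed test scalar, not a real key
	ax, ay := c.ScalarBaseMult(dA)       // party A's public key
	for k := int64(2); ; k++ {
		x, _ := c.ScalarMult(ax, ay, big.NewInt(k).Bytes()) // Z = x(k * Q_A)
		if len(x.Bytes()) < fieldLen(c) {
			return x.Bytes(), encodeZ(c, x)
		}
	}
}

func main() {
	raw, padded := firstShortZ(elliptic.P521())
	fmt.Printf("raw Z: %d bytes, padded Z: %d bytes\n", len(raw), len(padded))
	fmt.Printf("padded Z: %x\n", padded)
}
```

Only one bit of the top byte of a 66-byte P-521 field element is used, so about half of all Z values begin with a zero byte and come out short when taken straight from `Bytes()`.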
Hi, I had another question about the KAS component tests where I notice the error "IUT should detect issue in ACVP server ephemeral public key" for some tests. I did notice that you have shared some information for the exact same error - usnistgov/ACVP-Server#60 I would just like to ask this question - does the verification require checking both the ephemeral public server key pair and the public IUT key pair in VAL type tests to determine if they individually are points on the specified curve? |
It depends on the capabilities registered, and the revision of testing you're testing against. The best bet is to run all provided public keys through the partial and/or full validation process as a part of the routine regardless of whether or not we're actually testing against "bad values" IMO. |
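The advice above to run every received public key through validation, as an added Go sketch of the ECC partial public-key validation checks (coordinates in range, point satisfies the curve equation). This is not code from the thread or the ACVP project; `partialValidate` is a hypothetical helper and the test points are constructed from the P-521 generator.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// partialValidate checks an affine public key (x, y) against curve c.
// It assumes a NIST prime curve of the form y^2 = x^3 - 3x + b (mod p).
// An affine pair that passes cannot be the point at infinity, and because
// these curves have cofactor 1 it also lies in the prime-order group.
func partialValidate(c elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return errors.New("missing coordinate")
	}
	p := c.Params().P
	if x.Sign() < 0 || x.Cmp(p) >= 0 || y.Sign() < 0 || y.Cmp(p) >= 0 {
		return errors.New("coordinate outside [0, p-1]")
	}
	lhs := new(big.Int).Mul(y, y) // y^2
	lhs.Mod(lhs, p)
	rhs := new(big.Int).Mul(x, x) // x^3 - 3x + b
	rhs.Mul(rhs, x)
	threeX := new(big.Int).Lsh(x, 1)
	threeX.Add(threeX, x)
	rhs.Sub(rhs, threeX)
	rhs.Add(rhs, c.Params().B)
	rhs.Mod(rhs, p)
	if lhs.Cmp(rhs) != 0 {
		return errors.New("point is not on the curve")
	}
	return nil
}

func main() {
	c := elliptic.P521()
	g := c.Params()
	// Constructed inputs: the generator (valid) and the generator with y+1 (invalid).
	offCurveY := new(big.Int).Add(g.Gy, big.NewInt(1))
	fmt.Println("generator:", partialValidate(c, g.Gx, g.Gy))
	fmt.Println("modified y:", partialValidate(c, g.Gx, offCurveY))
}
```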
Hi,
I noticed that in the case of kas role as initiator, a few test cases were failing with the verdict shown as Z does not match. Also, the z value is variable as we generate keys with a random input. How does the server match the z value in such cases? Any pointers on why these specific tests failed would be very helpful in proceeding further.
These are the details of the tests -
vsId: 587668,
curve: P-521
KAS role: initiator
scheme: ephemeralUnified
These are the failed tests -
{
"tcId": 27,
"result": "failed",
"reason": "Z does not match"
},
{
"tcId": 28,
"result": "passed"
},
{
"tcId": 29,
"result": "failed",
"reason": "Z does not match"
},
{
"tcId": 30,
"result": "failed",
"reason": "Z does not match"
},
{
"tcId": 31,
"result": "passed"
},
{
"tcId": 32,
"result": "failed",
"reason": "Z does not match"
},
{
"tcId": 33,
"result": "passed"
},
{
"tcId": 34,
"result": "failed",
"reason": "Z does not match"
},
Thanks,
Krishna