Re: FIPS Object Module 2.0 - Compliance with 186-3

2012-07-12 Thread Steve Marquess
On 07/09/2012 03:55 PM, John Foley wrote:
 According to the NIST web site, the 2.0 FIPS Object Module claims
 compliance for FIPS 186-3 using the Extra Random Bits method for EC
 public key generation.

The implementation is FIPS 186-3 Section B.4.2, Key Pair Generation by
Testing Candidates. The ExtraRandomBits reference is inaccurate.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: FIPS Object Module 2.0 - Compliance with 186-3

2012-07-12 Thread John Foley

OK, thanks for clarifying this.


On 07/12/2012 02:53 PM, Steve Marquess wrote:
 On 07/09/2012 03:55 PM, John Foley wrote:
  According to the NIST web site, the 2.0 FIPS Object Module claims
  compliance for FIPS 186-3 using the Extra Random Bits method for EC
  public key generation.

 The implementation is FIPS 186-3 Section B.4.2, Key Pair Generation by
 Testing Candidates. The ExtraRandomBits reference is inaccurate.

 -Steve M.


FIPS Object Module 2.0 - Compliance with 186-3

2012-07-09 Thread John Foley
According to the NIST web site, the 2.0 FIPS Object Module claims 
compliance for FIPS 186-3 using the Extra Random Bits method for EC 
public key generation.  This is taken from:


http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html#270

The extra random bits method is defined in FIPS 186-3 Appendix B.4.1.  
After inspecting EC_KEY_generate_key(), it's not clear how the 
requirements in appendix B.4.1 have been met.  The following code from 
EC_KEY_generate_key() appears to be used to generate a random number to 
be used as the private key.


    do
        if (!BN_rand_range(priv_key, order))    /* uniform value in [0, order) */
            goto err;
    while (BN_is_zero(priv_key));               /* reject 0, leaving 1 <= priv_key < order */

Can someone explain how this complies with appendix B.4.1, which states 
an additional 64 bits of random data should be generated when deriving 
the key?


Thank you.


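The two FIPS 186-3 private-key generation methods discussed in this thread (Appendix B.4.1 Extra Random Bits, raised in the question above, and Appendix B.4.2 Testing Candidates, which Steve's reply names as the one actually implemented), alongside a Python rendering of the quoted BN_rand_range() loop, as an added example. This is not code from the original posts or from OpenSSL. It assumes the NIST P-256 group order as a sample n; the function names and the injectable randbits/rand_below parameters are my own choices (the defaults use the secrets module) and exist so the logic can be exercised deterministically.

```python
import secrets

# Order n of the NIST P-256 base point, as listed in FIPS 186-3 Appendix D.1.2.3.
# Used here only as a realistic sample group order (assumption: any prime n works).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def keygen_extra_random_bits(n, randbits=secrets.randbits):
    """FIPS 186-3 Appendix B.4.1 (Extra Random Bits).

    Draw N + 64 random bits, where N is the bit length of n, reduce the
    result modulo (n - 1) and add 1.  The 64 surplus bits shrink the
    modular-reduction bias to roughly 2**-64, so no rejection loop is needed.
    Returns the private key d with 1 <= d <= n - 1.
    """
    N = n.bit_length()
    c = randbits(N + 64)
    return (c % (n - 1)) + 1


def keygen_testing_candidates(n, randbits=secrets.randbits):
    """FIPS 186-3 Appendix B.4.2 (Testing Candidates).

    Draw exactly N random bits; if the candidate c exceeds n - 2 it is
    discarded and a fresh candidate drawn.  Accepted candidates are uniform
    on [0, n - 2], so d = c + 1 is uniform on [1, n - 1] with no bias.
    """
    N = n.bit_length()
    while True:
        c = randbits(N)
        if c <= n - 2:
            return c + 1


def keygen_openssl_loop(n, rand_below=secrets.randbelow):
    """Python rendering of the EC_KEY_generate_key() loop quoted above.

    BN_rand_range(priv_key, order) yields a uniform value in [0, order);
    looping while the result is zero leaves a uniform value in [1, n - 1],
    the same output distribution as keygen_testing_candidates().
    """
    while True:
        priv_key = rand_below(n)
        if priv_key != 0:
            return priv_key


def is_valid_private_key(d, n):
    """Range check common to both appendices: 1 <= d <= n - 1."""
    return 1 <= d <= n - 1


if __name__ == "__main__":
    for name, fn in (("B.4.1 extra random bits", keygen_extra_random_bits),
                     ("B.4.2 testing candidates", keygen_testing_candidates),
                     ("EC_KEY_generate_key loop", keygen_openssl_loop)):
        d = fn(P256_ORDER)
        print(f"{name}: {d.bit_length()}-bit d, "
              f"valid={is_valid_private_key(d, P256_ORDER)}")
```

The point of contrast is the bias handling: B.4.1 oversamples by 64 bits and reduces, B.4.2 and the BN_rand_range() loop both draw N bits and reject out-of-range candidates. Both families produce a key uniform on [1, n - 1]; only the mechanism differs, which is why a validation listing that names the wrong appendix matters for auditors but not for the strength of the keys.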