Speci¯¬¾cations of Cryptographic Algorithm ... 1 Introduction This document...

download Speci¯¬¾cations of Cryptographic Algorithm ... 1 Introduction This document describes the speci¯¬¾cations

of 23

  • date post

    12-Jul-2020
  • Category

    Documents

  • view

    1
  • download

    0

Embed Size (px)

Transcript of Speci¯¬¾cations of Cryptographic Algorithm ... 1 Introduction This document...

  • Japan Cryptographic Module Validation Program(JCMVP)

    Specifications of Cryptographic Algorithm Implementation Testing

    — Random Number Generators —

    June 22, 2018

    ATR-01-E-EN Cryptographic Algorithm Implementation Testing Requirements

    INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

  • Contents 1 Introduction 1 1.1 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Outline of the JCATT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

    2 Scope 2 2.1 Random Number Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

    2.1.1 Deterministic Random Number Generators . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

    3 The Tests Description of Random Number Generators 3 3.1 Deterministic Random Bit Generators specified in NIST SP800-90A . . . . . . . . . . . . . . . . . 3

    3.1.1 Hash DRBG, HMAC DRBG, and CTR DRBG in NIST SP 800-90A . . . . . . . . . . . . . . 3 3.1.1.1 Deterministic Random Bit Generators specified in NIST SP800-90A, and corresponding

    cryptographic algorithm implementation testing . . . . . . . . . . . . . . . . . . . . . . . 3 3.1.1.2 Interfaces for DRBG mechanisms for testing purpose . . . . . . . . . . . . . . . . . . . . 3

    3.1.1.2.1 InstantiateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1.1.2.2 ReseedTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1.1.2.3 GenerateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1.2.4 UninstantiateTestIF function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

    3.1.1.3 Test of all mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.1.3.1 Test method 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.1.3.2 Test method 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3.1.1.3.3 Test method 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    4 Conditions for Issuing Cryptographic Algorithm Validation Certificate 15 4.1 Details of Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    4.1.1 Deterministic random bit generators specified in NIST SP800-90A . . . . . . . . . . . . . . . . 15

    References 20

    i

  • 1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the random num- ber generators.

    1.1 Organization Section 2 specifies the random number generators that are in the scope of this document. Section 3 provides an overview of the tests of each algorithm that make up the JCATT.

    The following acronyms are used throughout this document.

    • JCATT: Japan Cryptographic Algorithm implementation Testing Tool • IUT: Implementation Under Test

    1.2 Outline of the JCATT The Japan Cryptographic Algorithm implementation Testing Tool is designed:

    • to test conformance to the cryptographic algorithm specifications, • to test each function of the cryptographic algorithm — for example, pseudo random number generation for

    random number generators. — • to allow the testing of an IUT at locations remote to the JCATT. The JCATT and the IUT communicate data

    via REQUEST and RESPONSE files.

    Once configuration information has been provided, appropriate REQUEST files will be generated. REQUEST files are the means by which test data is communicated to the IUT. The IUT is used to process the data in the REQUEST file, and the resulting data is placed in a RESPONSE file. The data in the RESPONSE file is then verified.

    The specification of the file format is available in ref. [1] and the sample files are available in ref. [2].

    Fig. 1.1 The Workflow of the Cryptographic Algorithm Implementation Testing

    1/21

  • 2 Scope This document specifies the tests required to validate IUTs implementing the following cryptographic algorithms.

    2.1 Random Number Generators 2.1.1 Deterministic Random Number Generators• Hash DRBG in NIST SP 800-90A

    • HMAC DRBG in NIST SP 800-90A • CTR DRBG with DF in NIST SP 800-90A • CTR DRBG without DF in NIST SP 800-90A

    2/21

  • 3 The Tests Description of Random Number Generators

    3.1 Deterministic Random Bit Generators specified in NIST SP800-90A 3.1.1 Hash DRBG, HMAC DRBG, and CTR DRBG in NIST SP 800-90A 3.1.1.1 Deterministic Random Bit Generators specified in NIST SP800-90A, and corresponding crypto-

    graphic algorithm implementation testing

    Detailed description is provided for the following Deterministic Random Bit Generators:

    • Hash DRBG in NIST SP 800-90A • HMAC DRBG in NIST SP 800-90A • CTR DRBG with DF in NIST SP 800-90A • CTR DRBG without DF in NIST SP 800-90A

    The Japan Cryptographic Algorithm implementation Testing Tool (JCATT) is designed to test the correct oper- ation for normal cases of a Deterministic Random Bit Generator specified in Sections 9 and 10 of NIST SP800- 90A[3]. Those requirements not verified through the cryptographic algorithm implementation testing by JCATT will be verified when the corresponding test requirements are clarified.

    In NIST SP800-90A, it is prohibited to input the random seed to initialize the internal sate of Deterministic Random Bit Generator (DRBG) from a DRBG consuming application. However, it is allowed to input the random seed only through cryptographic algorithm implementation testing interface for validation test purpose.

    Therefore, in 3.1.1.2 the cryptographic algorithm implementation testing interfaces are defined, which are exten- sion of DRBG mechanism functions specified in Section 9 of NIST SP800-90A. In 3.1.1.3, test methods 1∼3 are defined by using cryptographic algorithm implementation testing interfaces defined in 3.1.1.2. These test methods conform to NIST DRBGVS[4].

    Also note that the description of test methods for DRBG in 3.1.1.3 is common to four types of DRBGs listed above.

    3.1.1.2 Interfaces for DRBG mechanisms for testing purpose

    3.1.1.2.1 InstantiateTestIF function

    Function overview

    This function initializes the DRBG with the parameters provided for cryptographic algorithm implementation testing.

    Function prototype

    (status,state handle) = InstatiateTestIF(requested instantiation security strength, prediction resistance f lag, personalization string, entropy input, nonce)

    Return values

    variable type explanation status - One of returned values of InstantiateTestIF function, which

    is specified in 9.1 of NIST SP800-90A, either SUCCESS or a kind of ERROR.

    state handle integer One of returned values of InstantiateTestIF function, which is a pointer to an instantiated DRBG instance and is specified in 9.1 of NIST SP800-90A.

    Parameters 3/21

  • variable type explanation requested instantiation security strength integer integer representing security strength in

    bits supported by the DRBG instance, which is specified in 9.1 of NIST SP800- 90A.

    prediction resistance f lag integer variable indicating whether the prediction resistance is requested to the DRBG in- stance from a consuming application of the DRBG, which is specified in 9.1 of NIST SP800-90A.

    personalization string bitstring bitstring to personalize the DRBG in- stance from the other DRBG instances, which is specified in 9.1 of NIST SP800- 90A.

    Parameters for extented interface for testing purpose

    variable type explanation entropy input bitstring input bitstring containing entropy, and its length in bits is

    specified for each DRBG mechanism selected in Section 10 of NIST SP800-90A. This parameter is fed for cryptographic algorithm implementation testing. Originally entropy input was obtained as a return value of Get entropy input as shown in Step 6 of 9.1 of NIST SP800-90A. In order for crypto- graphic algorithm implementation testing, the interface was extended so that the parameter can be set from the outside of the IUT.

    nonce bitstring bitstring specified in 8.6.7 of NIST SP800-90A. This param- eter is fed for cryptographic algorithm implementation test- ing. Originally the parameter is generated inside of the IUT as described in Section 9 of NIST SP800-90A. In order for cryptographic algorithm implementation testing, the inter- face was extended so that the parameter can be set from the outside of the IUT.

    3.1.1.2.2 ReseedTestIF function

    Function overview

    This function reseeds the DRBG instance with the parameters provided for cryptographic algorithm implementa- tion testing.

    Function prototype

    status = ReseedTestIF(state handle, additional input, entropy input)

    Return values

    variable type explanation status - One of return values of ReseedTestIF function, which is spec-

    ified in 9.2 of NIST SP800-90A, either SUCCESS or a kind of ERROR.

    4/21

  • Parameters

    variable type explanation state handle integer One of returned values of ReseedTestIF function, which is

    a pointer to a DRBG instance to be reseeded and is specified in 9.2 of NIST SP800-90A. The internal state of the DRBG is updated through the invocation of ReseedTestIF function.

    additional input bitstring Optional input bitstring and its length in bits is specified for each DRBG mechanism selected in Section 10 of NIST SP800-90A.

    Parameters for extented interface for testing purpose