Add an optional capability for maximum exponent to RSA keyGen and sigVer #1061

Open
kwok-wong opened this issue Nov 10, 2020 · 2 comments

@kwok-wong

FIPS 186-4 does not specify a required length, or lengths, for the RSA public key exponent 'e'.
CAVS, when random exponents were specified, historically produced values of 'e' up to 3-bytes in length.
Several vendors have reported to us that their implementations only handle up to 4-bytes in length.
ACVP, when random exponents are specified, seems to produce values of 'e' up to at least 7-bytes in length.

Request that ACVP add an optional capability to report the IUT's maximum supported public key exponent length (something like "pubExpMaxLen"). This could apply to KeyGen and SigVer tests when testing "random" exponents and would be the max length, in bits, the IUT supports for that random public key exponent 'e'.

@celic
Collaborator

celic commented Nov 12, 2020

Interesting suggestion. Unless the implementation is operating in a closed environment, how would it prevent someone else's public key from being outside that range? That's not something the module itself has access to for something like SigVer. It is understandable in KeyGen.

@kwok-wong
Author

Presumably, if presented with a public key whose public exponent is out of the range it can handle, the IUT would have to report an error, and wouldn't be able to attempt to verify anything signed by the corresponding private key.

However, CAVP will validate an RSA implementation which uses only a single fixed public exponent, which is far more restrictive than an implementation that supports any exponent up to 4 bytes in length. That fixed exponent implementation would also be unable to verify signatures from keys that don't conform to its exponent restrictions.

Since FIPS 186-4 does not seem to require support for any particular public exponent, or length of public exponent, it seems vendors are free to set the limits of what they implement, whether a single fixed exponent, several fixed exponents, or maximum lengths of exponents. As such, it seems reasonable for CAVP to support as much flexibility as possible in validating whatever an RSA algorithm implementation may happen to support in the way of public exponents.
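
As an added illustration of the behaviour discussed in this thread (not code from ACVP, CAVP or any commenter): a gate that refuses a public exponent longer than the IUT's limit before signature verification is attempted. `pubExpMaxLen` is only the name proposed in the issue; the function names, reason strings and sample cases are hypothetical.

```python
# Added example, not ACVP or vendor code. "pubExpMaxLen" is only the name
# floated in the issue; it is not an existing ACVP property.
from dataclasses import dataclass

# FIPS 186-4 Appendix B.3.1 (key generation): e is odd and 2^16 < e < 2^256.
# Applying the same range on the verify side is an assumption of this sketch.
E_MIN_EXCLUSIVE = 1 << 16
E_MAX_EXCLUSIVE = 1 << 256


@dataclass(frozen=True)
class ExponentCheck:
    ok: bool
    bit_len: int
    reason: str


def check_public_exponent(e_hex: str, pub_exp_max_len: int) -> ExponentCheck:
    """Classify a hex public exponent against the IUT limit (in bits)."""
    try:
        e = int(e_hex, 16)
    except ValueError:
        return ExponentCheck(False, 0, "malformed")
    bits = e.bit_length()
    if e % 2 == 0 or not (E_MIN_EXCLUSIVE < e < E_MAX_EXCLUSIVE):
        return ExponentCheck(False, bits, "outside-fips-186-4-range")
    if bits > pub_exp_max_len:
        # Report an error instead of truncating e or attempting verification.
        return ExponentCheck(False, bits, "unsupported-exponent-length")
    return ExponentCheck(True, bits, "supported")


def partition_cases(cases, pub_exp_max_len):
    """Split cases into those the IUT can run and those it must refuse."""
    runnable, refused = [], []
    for case in cases:
        result = check_public_exponent(case["e"], pub_exp_max_len)
        (runnable if result.ok else refused).append((case["tcId"], result.reason))
    return runnable, refused


# Constructed sample cases (not real ACVP vectors).
SAMPLE_CASES = [
    {"tcId": 1, "e": "010001"},          # 17 bits
    {"tcId": 2, "e": "C0000001"},        # 32 bits (4 bytes)
    {"tcId": 3, "e": "0100000000000F"},  # 49 bits (7 bytes)
    {"tcId": 4, "e": "03"},              # below the FIPS lower bound
    {"tcId": 5, "e": "010002"},          # even
]
```

With a 32-bit limit, the 7-byte exponent in case 3 is refused with an explicit reason rather than being silently narrowed to fit a 4-byte integer.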
