Specifications of Cryptographic Algorithm Implementation Testing Message Authentication

Transcription

1 Japan Cryptographic Module Validation Program(JCMVP) Specifications of Cryptographic Algorithm Implementation Testing Message Authentication September 30, 2009 ATR-01-D-EN Cryptographic Algorithm Implementation Testing Requirements INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN

2 Contents 1 Introduction Organization Outline of the JCATT Scope Message Authentication The Tests Description of Message Authentication Message Authentication HMAC CMAC The CMAC Generation Test The Short Messages Test (SMT) The Selected Long Messages Test (SLMT) The Pseudorandomly Generated Messages Test (PGMT)) The CMAC Verification Process Test CCM Mode Tests for Encryption The Variable Associated Data Test The Variable Payload Test The Variable Nonce Test The Variable Tag Test Tests for Decryption Conditions for Issuing Cryptographic Algorithm Validation Certificate Details of Conditions References 9 i

3 1 Introduction This document describes the specifications of cryptographic algorithm implementation testing of the message authentication algorithm. 1.1 Organization Section 2 specifies the message authentication algorithms that are in the scope of this document. Section 3 provides an overview of the tests of each algorithm that make up the JCATT. The following acronyms are used throughout this document. JCATT: Japan Cryptographic Algorithm implementation Testing Tool IUT: Implementation Under Test 1.2 Outline of the JCATT The Japan Cryptographic Algorithm implementation Testing Tool is designed: to test conformance to the cryptographic algorithm specifications, to test each function of the cryptographic algorithm for example, MAC generation, MAC verification, etc for message authentication. to allow the testing of an IUT at locations remote to the JCATT. The JCATT and the IUT communicate data via REQUEST and RESPONSE files. Once configuration information has been provided, appropriate REQUEST files will be generated. REQUEST files are the means by which test data is communicated to the IUT. The IUT is used to process the data in the REQUEST file, and the resulting data is placed in a RESPONSE file. The data in the RESPONSE file is then verified. The specification of the file format is available in ref. [4] and the sample files are available in ref. [5]. Figure 1.1: The Workflow of the Cryptographic Algorithm Implementation Testing 1/10

4 2 Scope This document specifies the tests required to validate IUTs implementing the following cryptographic algorithms. 2.1 Message Authentication HMAC CMAC CCM Mode 2/10

5 3 The Tests Description of Message Authentication 3.1 Message Authentication This section provides the tests required to validate the following algorithms of message authentication: HMAC CMAC CCM Mode HMAC The following function of HMAC is tested: Message authentication code generation There are three types of tests for message authentication code generation: The short messages test (SMT) The selected long messages test (SLMT) The pseudorandomly generated messages test (PGMT) These tests are the same as SMT, SLMT, and PGMT described in section 3 of Specifications of Cryptographic Algorithm Implementation Testing Hash (ATR-01-C) CMAC The following functions of CMAC are tested: CMAC generation CMAC verification The CMAC Generation Test The specification of CMAC generation test has been made referring to the CMACVS[1] and SHAVS[2]. There are following types of tests. The short messages test (SMT) The selected long messages test (SLMT) The pseudorandomly generated messages test (PGMT) The Short Messages Test (SMT) Let m be the block length (in bit) of the underlying block cipher algorithm. This test generates a number of short messages equal to the number of bytes in the hash block plus one (m/8 + 1). For testing, (m/8 + 1) unpredictable messages will be generated with lengths 0,8,16,...,m bits. The lengths of key and message authentication code are defined in section The Selected Long Messages Test (SLMT) Let m be the block length (in bit) of the underlying block cipher algorithm. This test generates a number of long messages equal to the number of bytes in the block, m/8. The bit size of these messages is m + 8 i ( Upperbound of SLMT 1) bits, where 1 i m/8. Upperbound of SLMT is defined in section 4. The length of key and the length of message authentication code are also defined in section 4. 3/10

6 The Pseudorandomly Generated Messages Test (PGMT)) JCATT tests the correctness of CMACs generated from pseudorandomly generated messages by supplying a seed. The procedure used to generate innerloop outerloop CMACs. outerloop of the innerloop outerloop CMACs, once every innerloop hashes, are recorded as checkpoints to the operation of the generator. The IUT uses the same procedure to generate the same innerloop outerloop CMACs and outerloop checkpoint values. The JCATT compares each of the recorded outerloop CMACs with those generated by IUT. The length of key, the length of message authentication code, innerloop and outerloop are defined in section 4. for (j=0; j<outerloop; j++) { MAC[0] = Seed; MAC[1] = Seed; MAC[2] = Seed; for (i=3; i<innerloop+3; i++) { M[i] = MAC[i-3] MAC[i-2] MAC[i-1]; // Concatenate data MAC[i] = CMAC(M[i], key); } MAC[j] = MAC[i-1]; Seed = MAC[i-1]; OUTPUT MAC[j]; } The CMAC Verification Process Test The CMAC verification process test is performed as follows: IUT shall successfully verify the message authentication code with the valid key and the valid message given by JCATT. The verification result shall be FAIL for the message authentication code, the key, and the message either of which has been altered. The length of key, the length of message, and the length of message authentication code are defined in section 4. 4/10

7 3.1.3 CCM Mode The tests for CCM mode is performed as described in CCMVS[3]. The following functions are tested: Encryption Decryption Tests for Encryption There are following types of tests for encryption: The Variable Associated Data Test The Variable Payload Test The Variable Nonce Test The Variable Tag Test The Variable Associated Data Test The Variable Associated Data Test provides a number of sets of associated data and payload to the IUT. The IUT generates a ciphertext as specified by CCM using the data provided. JCATT verifies the correctness of the ciphertext produced by the IUT. The length of key, the length of payload, the length of message authentication code, the length of nonce and the length of associated data are defined in section The Variable Payload Test The Variable Payload Test provides a number of sets of associated data and payload to the IUT. The IUT generates a ciphertext as specified by CCM using the data provided. JCATT verifies the correctness of the ciphertext produced by the IUT. The length of key, the length of payload, the length of message authentication code, the length of nonce, and the length of associated data are defined in section The Variable Nonce Test the Variable Nonce Test provides a number of sets of associated data and payload to the IUT. The IUT generates a ciphertext as specified by CCM using the data provided. The CCMVS verifies the correctness of the ciphertext produced by the IUT. The length of key, the length of payload, the length of message authentication code, the length of nonce, and the length of associated data are defined in section The Variable Tag Test The Variable Tag Test provides a number of sets of associated data and payload to the IUT. The IUT generates a ciphertext as specified by CCM using the data provided. The CCMVS verifies the correctness of the ciphertext produced by the IUT. The length of key, the length of payload, the length of message authentication code, the length of nonce, and the length of associated data are defined in section Tests for Decryption There are following types of tests for decryption: The IUT decrypts the given ciphertext, the key, the message authentication code, the nonce, and the associated data. The data produced from decryption process shall be identical to the original plaintext. The IUT shall output INVALID against the ciphertext, the key, the message authentication code, the nonce, and the associated data that the decryption process should output INVALID. 5/10

8 The length of key and the length of plaintext are defined in section 4. 6/10

9 4 Conditions for Issuing Cryptographic Algorithm Validation Certificate 4.1 Details of Conditions Requirements and default values of the parameters used for cryptographic algorithm implementation testing are shown in table 4.1, table 4.2, and table 4.3. In these tables, the first columns indicate the functions to be tested. There are two classes of functions. One is the class of mandatory functions for validation. The other is the class of optional functions. Mandatory functions are indicated by highlighted text in these tables. For message authentication algorithms, the conditions for issuing cryptographic algorithm validation certificate are: IUT shall implement at least one mandatory function. IUT shall pass the cryptographic algorithm implementation test. Table 4.1: HMAC Function Parameter Default Conditions Hash Function SHA-256 SHA-1, SHA-224, SHA-256, SHA- 384, or SHA-512 Bit length of the key 128 Multiple of 8 and Message Authentication (The size of hash / 2) x Upperbound of SLMT PGMT Inner loop iteration Outer loop iteration Table 4.2: CMAC Function Parameter Default Conditions Block cipher AES AES or 3-Key Triple DES The length of key , 192, or 256 for AES. 192 for 3-Key Triple DES CMAC Generation Bit length of MAC 128 Multiple of for AES, 64 for 3-Key Triple DES Upperbound of SLMT PGMT Inner loop iteration Outer loop iteration Block cipher AES AES or 3-Key Triple DES The length of key , 192, or 256 for AES. 192 for 3-Key Triple DES CMAC Verification Bit length of MAC 128 Multiple of for AES, 64 for 3-Key Triple DES Bit length of the message 256 Multiple of 8 and The number of messages The percentage of altered data (%) 30 1 x 99 7/10

10 Table 4.3: CCM Mode Function Parameter Default Conditions Block cipher AES One of 128-bit block cipher The length of key , 192, or 256 VADT The bit length of associated data 240 Multiple of 8 and The number of payloads Encryption VPT The bit length of payload 256 Multiple of 8 and The number of payloads VNT The bit length of nonce , 64, 72, 80, 88, 96, or 104 The number of payloads VTT The bit length of MAC , 48, 64, 80, 96, 112, or 128 The number of payloads Block cipher AES One of 128-bit block cipher The length of key , 192, or 256 Decryption The bit length of MAC , 48, 64, 80, 96, 112, or 128 The bit length of payload 256 Multiple of 8 and The number of ciphertexts The percentage of altered data (%) 30 1 x 99 8/10

11 Supplementary Provision This procedure shall come into force as of April 1, 2009, and shall be applicable as of April 1, Supplementary Provision This procedure shall come into force as of September 30, 2009, and shall be applicable as of September 30, References [1] Sharon S. Keller, The CMAC Validation System (CMACVS), National Institute of Standards and Technology, March 30, [2] L. E. Bassham III, The secure hash algorithm validation system (SHAVS), National Institute of Standards and Technology, July 22, [3] L. E. Bassham III, The CCM validation system (CCMVS), National Institute of Standards and Technology, July 30, [4] Information-technology Promotion Agency, Japan, JCATT File Format Specification Message Authentication [in Japanese], jcatt fileformat d.zip [5] Information-technology Promotion Agency, Japan, JCATT Sample Files Message Authentication, sample d.zip 9/10

12 Revision Record ID ATR-01-D-EN Date of Revision Prepared / Approved by Revision Details April 1, 2009 Hashimoto / Nakata Newly Created September 30, 2009 Hashimoto / Nakata Partially Revised (Removed HMAC-RIPEMD-160.) 10/10