Vin McLellan (vin@shore.net)
Wed, 3 Mar 1999 05:11:17 -0500
Eric Rescorla <ekr@rtfm.com> wrote:
>There's more to correctly implementing RSA than simply
>correctly implementing PKCS-1. Consequently, PKCS-1 test
>vectors don't do the whole job.
Well, maybe. Over the past couple of years, however, the work of
Bob Silverman of RSA Labs seems to have shown that a lot of the
pre-qualifications and conditional tests previously required in the process
of generating RSA keys were unnecessary. Busy-work which complicated
everything but made no appreciable difference in the security of RSAPKC
implementations.
The last few drafts of ANSI X9.32 -- the new ABA/ANSI standard,
"Digital Signatures Using Reversible Public Key Cryptography for the
Financial Services Industry (rDSA)" -- were pretty explicit in
acknowledging this.
See also: "The Requirement of Strong Primes in RSA" by R.D.
Silverman, in RSA Labs' Technical Notes, 5/97, at
http://www.rsa.com/rsalabs/html/tech_notes.html
_or "Fast Generation of Random, Strong RSA Primes," (pdf), by R.D.
Silverman, in RSA Labs' CryptoBytes
http://www.rsa.com/rsalabs/pubs/cryptobytes/html/article_index.html
_or
"A Statistical Limited-Knowledge Proof for Secure RSA Keys" by Moses Liskov
and R.D. Silverman at:
http://grouper.ieee.org/groups/1363/contributions/ifkeyval.ps
http://grouper.ieee.org/groups/1363/contributions/ifkeyval.pdf
EKR suggested:
>The tricky bit is correctly generating the key. I don't know
>of any test vectors for this, a la the test vectors in FIPS-186a
>for DSS parameter and key generation.
Generating RSA keys may have become less complicated, rather than
(like everything else) more complicated.
An appendix of ANSI X9.32 -- and FIPS-186-1, since it will subsume
X9.32 to govern the form of RSA-based digital signatures -- provides
similar test vectors for RSA key generation.
(FIPS 186, as EKR and most US readers will know, is the US Federal
IP Standard that governs the US government's purchase or use of digital
signature implementations. FIPS 186-1 is a new rewrite of the original
NSA-sponsored FIPS-186 that NIST pushed down the throat of the federal
agencies five years ago.
(FIPS 186-1, the rewrite, will allow the use of the RSAPKC as a
digital signature algorithm -- as specified in ANSI X9.31, the new US
bankers' standard governing the use of RSA digital signatures in financial
transactions -- in addition to digital signatures created using the
NSA-designed Digital Signature Algorithm (DSA) promoted in the '94 FIPS.)
ABA draft docs like X9.32 are not always easily accessible to those
of us in the humble classes, but I believe the IEEE's P1363 group -- which
is also developing standard specifications for public key cryptography --
has recently published an example of test vectors for RSA key generations
(originally from the X9.32 docs) at:
<http://grouper.ieee.org/groups/1363/testvector.txt>
Of course, I've been watching NIST, X9F1, and various other
standards organizations let themselves be tied up in knots by the NSA on
public key crypto standards for almost a decade. Today, my confidence that
those committees and organizations want to, and can, foster public access
to strong crypto is very low.
If you are waiting for NIST to offer the sort of full crypto module
validation tests that are offered to provide assurance for the DSA/Fortezza
version of FIPS-186(a), don't hold your breath.
_Vin
-----
Vin McLellan + The Privacy Guild + <vin@shore.net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --