Konstantin Andreev wrote:
> On 08/03/10 19:13, Brian Smith wrote:
> > I think I found a problem with the GCM interface that seems
> > to make it impossible to use the PKCS#11 interface in a FIPS-140-compliant
> > manner. In particular, NIST SP800-38D requires that the IV for the GCM mode be
> > generated and maintained within the cryptographic boundary, and I think this
> > requirement conflicts with the draft PKCS#11 interface.
> >
> > I hope to write about it next week.
>
> Please, do write. There is a chance to change this before v2.30 gets finalized.
I included the message I sent to the CRYPTOKI list below. I am interested in hearing from others about this too.

Thanks,
Brian

From: Brian Smith [mailto:br...@briansmith.org]
Sent: Friday, August 27, 2010 3:18 PM
To: 'crypt...@rsasecurity.com'
Subject: AES-GCM PKCS#11 interface and FIPS-140 / NIST SP800-38D

I would like to hear how other implementers reconciled the draft AES-GCM interface with the following requirement from NIST SP800-38D:

"The IV shall be a critical security parameter as defined in FIPS Pub. 140-2 until the authenticated encryption function is invoked with the IV. Prior to this invocation, the IV shall be provided the same protection as other critical security parameters in a module that is validated to the requirements in FIPS Pub. 140-2."

It seems to me that is saying the IV value must be protected as a sensitive, non-extractable, non-modifiable (i.e. modifiable by the module itself but not by the module user) object, instead of as an arbitrary buffer passed in as part of the mechanism parameter.

Has anybody run into trouble trying to get a module validated due to this requirement conflicting with the way the mechanism is specified? Does anybody have an alternate mechanism design that meets all the requirements in NIST SP800-38D? In particular, I am looking for a way to implement AES-GCM within a PKCS#11 module in a FIPS-140-compliant manner, such that the PKCS#11 interface is the logical security boundary, such that an application can use this AES-GCM implementation to implement the AES-GCM cipher suites in TLS.

Thanks,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
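As an added illustration of the two designs the message contrasts (example code written for this page, not from the PKCS#11 draft, NSS or any FIPS module): a Go model of the encrypt side of an AES-GCM module that generates and tracks the IV inside the boundary using the SP800-38D 8.2.1 deterministic construction, beside a draft-style call where the application supplies the IV as an ordinary buffer. The 32-bit fixed field, the all-zero demo key and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// draftStyleSeal models the draft interface the message objects to: the caller hands the IV in as a buffer, so nothing inside the boundary knows whether it was used before.
func draftStyleSeal(aead cipher.AEAD, iv, aad, plaintext []byte) []byte {
	return aead.Seal(nil, iv, plaintext, aad)
}

// gcmModule keeps key and IV state inside the boundary (SP800-38D 8.2.1: 32-bit fixed field || 64-bit invocation counter); encrypt side only.
type gcmModule struct {
	aead    cipher.AEAD
	fixed   [4]byte // chosen once per key; identifies this module/context (assumed width)
	counter uint64  // strictly increasing for the life of the key, never caller-settable
}

func newGCMModule(key []byte) (*gcmModule, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	m := &gcmModule{aead: aead}
	_, err = rand.Read(m.fixed[:]) // fixed field comes from the module's own RNG
	return m, err
}

// Seal generates the IV internally and returns it beside the ciphertext for the peer;
// the caller never chooses it, and the counter refuses to wrap (rekey instead).
func (m *gcmModule) Seal(plaintext, aad []byte) (iv, ciphertext []byte, err error) {
	if m.counter == ^uint64(0) {
		return nil, nil, errors.New("gcm: invocation counter exhausted, rekey required")
	}
	m.counter++
	iv = make([]byte, 12)
	copy(iv[:4], m.fixed[:])
	binary.BigEndian.PutUint64(iv[4:], m.counter)
	return iv, m.aead.Seal(nil, iv, plaintext, aad), nil
}

func main() {
	m, _ := newGCMModule(make([]byte, 16)) // constructed all-zero demo key
	iv, ct, _ := m.Seal([]byte("finished"), []byte("record header"))
	fmt.Printf("iv=%x ct=%x\n", iv, ct)
}
```

The IV returned by Seal is an output the module has already consumed, so handing it to the peer does not conflict with the CSP requirement quoted above; only the not-yet-used IV state (fixed field and counter) must stay inside.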