Extending NIST’s CAVP Testing of Cryptographic Hash Function Implementations

  • Nicky Mouha
  • Christopher Celi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12006)

Abstract

This paper describes a vulnerability in Apple’s CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authentication Code (HMAC) and the Ed25519 signature scheme. The vulnerability is present in each of Apple’s CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about \(2^{32}\) bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash functions for inputs larger than 65 535 bits. To overcome this limitation of NIST’s CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2.
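The abstract names the gap (CAVP hash vectors stop at 65 535 bits) and the failure mode (an infinite loop at roughly 2^32 bytes), but not how a Large Data Test is built. The following is an added example, not code from the paper, from NIST's ACVP, or from CoreCrypto: an LDT-style harness that streams one repeated chunk to the implementation under test until a large total length is reached, compares the digest with a reference, and runs the implementation in a child process under a deadline so that a hang is reported as a result rather than stalling the test suite. The "implementation under test" with a wrapping byte counter is a hypothetical defect constructed for illustration; it is not a description of CoreCrypto's code. Its counter width is a parameter so the same mechanism can be triggered at 2^16 bytes in seconds, while width 32 reproduces the 4 GiB threshold from the abstract.

```python
"""
LDT-style harness (added example).  The legacy SHAVS vectors never exceed
65 535 bits, so an implementation whose length bookkeeping breaks on
multi-gigabyte inputs passes them.  Here a repeated chunk is streamed to the
implementation under test until `total_len` bytes have been fed, the digest is
checked against hashlib, and the run is bounded by a deadline because the
failure mode of interest is an infinite loop.
"""
import hashlib
import multiprocessing as mp
import queue
from typing import Callable, Iterator

SHAVS_MAX_MESSAGE_BITS = 65_535   # largest message in the classic CAVP hash tests
LARGE_DATA_BYTES = 1 << 32        # ~4 GiB: the input size named in the abstract

# Implementation under test: (algorithm name, chunk, total_len) -> digest bytes
HashImpl = Callable[[str, bytes, int], bytes]


def repeated_chunks(chunk: bytes, total_len: int) -> Iterator[bytes]:
    """Yield `chunk` over and over, truncating the last piece, until total_len bytes.
    Memory use is one chunk, whatever the total length."""
    if not chunk:
        raise ValueError("chunk must be non-empty")
    sent = 0
    while sent < total_len:
        piece = chunk[: total_len - sent]
        yield piece
        sent += len(piece)


def reference_digest(algorithm: str, chunk: bytes, total_len: int) -> bytes:
    """Reference result: hashlib's implementation fed the same stream of chunks."""
    h = hashlib.new(algorithm)
    for piece in repeated_chunks(chunk, total_len):
        h.update(piece)
    return h.digest()


def make_wrapping_counter_impl(counter_bits: int) -> HashImpl:
    """Hypothetical defective implementation (constructed for illustration, NOT
    CoreCrypto's code).  It counts processed bytes in a fixed-width counter; once
    total_len >= 2**counter_bits the counter wraps to zero, `processed < total_len`
    can never become false, and the call never returns.  Below the threshold the
    digest is correct, which is why short test vectors do not catch it."""
    mask = (1 << counter_bits) - 1

    def impl(algorithm: str, chunk: bytes, total_len: int) -> bytes:
        h = hashlib.new(algorithm)
        processed = 0
        while processed < total_len:
            piece = chunk[: total_len - processed]
            h.update(piece)
            processed = (processed + len(piece)) & mask   # the wrap
        return h.digest()

    return impl


def _child(result_q, impl: HashImpl, algorithm: str, chunk: bytes, total_len: int) -> None:
    result_q.put(impl(algorithm, chunk, total_len))


def large_data_test(impl: HashImpl, algorithm: str, chunk: bytes,
                    total_len: int, timeout_s: float) -> str:
    """Run one LDT case.  Returns 'pass', 'fail' (wrong or missing digest) or
    'hang' (no result before the deadline; the child is terminated)."""
    ctx = mp.get_context("fork")   # fork: the child inherits `impl`, nothing is pickled
    result_q = ctx.Queue()
    child = ctx.Process(target=_child, args=(result_q, impl, algorithm, chunk, total_len),
                        daemon=True)
    child.start()
    child.join(timeout_s)
    if child.is_alive():
        child.terminate()
        child.join()
        return "hang"
    try:
        digest = result_q.get(timeout=1.0)
    except queue.Empty:
        return "fail"              # child exited without producing a digest
    return "pass" if digest == reference_digest(algorithm, chunk, total_len) else "fail"


if __name__ == "__main__":
    CHUNK = b"ABCDEFGH" * 512      # constructed 4 KiB chunk
    # hashlib itself as the implementation under test: expected 'pass'
    print(large_data_test(reference_digest, "sha256", CHUNK, 1 << 20, 30.0))
    # 16-bit counter, 65 536-byte input: the wrap triggers, expected 'hang'
    print(large_data_test(make_wrapping_counter_impl(16), "sha256", CHUNK, 1 << 16, 3.0))
```

For a real validation run the same harness is pointed at the module's own streaming API with `total_len=LARGE_DATA_BYTES` and a deadline sized to the expected throughput; the deadline is what turns an infinite loop into a recorded failure instead of a stalled test run.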

Keywords

CVE-2019-8741, FIPS, CAVP, ACVP, Apple CoreCrypto, Hash function, Vulnerability

Acknowledgments

The authors would like to thank the anonymous reviewers and their NIST colleagues for providing useful comments and suggestions. Special thanks go to Patrick Kamongi, Andrew Regenscheid, Apostol Vassilev, and Jeffrey Marron for their detailed feedback. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. National Institute of Standards and Technology, Gaithersburg, USA