Subject: New Mechanisms subgroup Part 2 or 4 (DSA)




Part 2 DSA key size

NIST FIPS 186-3 defines (among other things) new DSA key sizes and new algorithms for generating PQG parameters.

For base DSA, this can be handled simply by adding the new NIST key sizes as acceptable key sizes to CKM_DSA and friends. The sizes of the keys are pretty well determined by the PQG parameters.

The new algorithms for generating DSA PQG parameters really call for some changes. First, in the new key sizes the size of the subprime is no longer constant, so CKA_SUBPRIME_BITS needs to be added to CKO_DOMAIN_PARAMETERS.

FIPS 186-3 includes other changes to parameter generation as well. These changes include:

1) Separation of PQ generation from G generation.
2) Hash choice is now a parameter to the PQ generation (was hard coded to SHA-1).
3) Definition of a whole new provable prime generation algorithm.

We suggest the following new keygen mechanisms:

CKM_DSA_PROBABLISTIC_PARAMETER_GEN - generate PQ parameters using FIPS 183-3 probabilistic parameter gen.
CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN - generate PQ parameters using FIPS 183-3 Shawe-Taylor parameter gen.
CKM_DSA_FIPS_G_GEN - generate G from given PQ parameters (in the template) and a seed.

The mechanisms take the following parameter:

typedef struct CK_DSA_PARAMETER_GEN_PARAM {
    CK_MECHANISM_TYPE   hash;       /* hash mechanism used by PQ generation */
    CK_BYTE_PTR         pSeed;      /* seed returned by PQ gen, input to G gen */
    CK_ULONG            ulSeedLen;  /* length of pSeed in bytes */
    CK_ULONG            ulIndex;    /* user-selected index, G generation only */
} CK_DSA_PARAMETER_GEN_PARAM;

pSeed and ulSeedLen are needed for G generation and are returned by either CKM_DSA_FIPS_186_3_PARAMETER_GEN or CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN. ulIndex is an index number selected by the user and needed only for G generation.

Other notes.

The current spec does not specify how to get counter, seed, and h as part of the PQG gen. Red Hat has some old extended attributes we defined quite some time ago to get these:

CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED, CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS. We reused these in our implementation. DSA2 Shawe-Taylor returns 3 seeds, 2 counts, and an index. We return the 3 seeds concatenated together in CKA_NSS_PQG_SEED, the 2 counts in CKA_NSS_PQG_COUNTER as count = count1*2^16+count2, and the index as CKA_NSS_PQG_H.

Since the current spec does not specify how to get counter, seed, and h, it also doesn't specify how to verify a given PQG was generated using a given counter, seed, and h. Red Hat does this by doing the verification when you do a create object and specify the COUNTER, SEED, and H parameters. I can describe the syntax if we want to roll these extensions into the spec, but it may not be necessary to get DSA-2 functionality (since it wasn't included in DSA-1 even though it was part of the DSA-1 standard). A good place to start would be to have CK_DSA_PARAMETER_GEN_PARAM include the counters (both counters rather than a single counter) and H parameters as well. Note that the concatenated seed is already part of the spec for generation of 'G'.

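As an added illustration (not part of the message or of NSS), the following C shows the CKA_NSS_PQG_COUNTER packing described above, count = count1*2^16+count2, together with its inverse and the bounds check a verifier needs, and fills the proposed parameter block for the G-generation step. The PKCS#11 typedefs are minimal stand-ins so the code compiles without pkcs11.h; the helper names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the PKCS#11 types, so this builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BYTE;
typedef CK_BYTE *CK_BYTE_PTR;
typedef CK_ULONG CK_MECHANISM_TYPE;

/* Proposed parameter block from the message: hash, seed, seed length, index. */
typedef struct CK_DSA_PARAMETER_GEN_PARAM {
    CK_MECHANISM_TYPE hash;
    CK_BYTE_PTR       pSeed;
    CK_ULONG          ulSeedLen;
    CK_ULONG          ulIndex;
} CK_DSA_PARAMETER_GEN_PARAM;

/* Pack the two Shawe-Taylor counters as count1*2^16 + count2 (the NSS
 * convention in the message). Returns 0 on success, -1 if either counter
 * exceeds 16 bits, since the packed value could then not be decoded
 * unambiguously by a verifier. (Hypothetical helper.) */
int dsa_pack_counters(CK_ULONG count1, CK_ULONG count2, CK_ULONG *packed)
{
    if (count1 > 0xFFFFUL || count2 > 0xFFFFUL)
        return -1;
    *packed = (count1 << 16) + count2;
    return 0;
}

/* Inverse of dsa_pack_counters: recover count1 and count2 from the attribute. */
void dsa_unpack_counters(CK_ULONG packed, CK_ULONG *count1, CK_ULONG *count2)
{
    *count1 = packed >> 16;
    *count2 = packed & 0xFFFFUL;
}

/* Fill the parameter block for the G-generation mechanism: the concatenated
 * seed returned by PQ generation plus the caller-chosen index. Returns -1 if
 * the seed is missing, since G generation cannot proceed without it. */
int dsa_fill_g_gen_param(CK_DSA_PARAMETER_GEN_PARAM *p, CK_MECHANISM_TYPE hash,
                         CK_BYTE_PTR seed, CK_ULONG seedlen, CK_ULONG index)
{
    if (seed == NULL || seedlen == 0)
        return -1;
    memset(p, 0, sizeof(*p));
    p->hash = hash;
    p->pSeed = seed;
    p->ulSeedLen = seedlen;
    p->ulIndex = index;
    return 0;
}
```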