[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: 0-padding attribute values of Big integer data type
My thoughts on my two questions are the following : (1)I was especially thinking about mechanisms which use bigint private keys here.
For example the CKM_DH_PKCS_* famliy of mechanisms, which is PKCS #3 DH :If the private keys CKA_VALUE_BITS attribute (which can be used to generate keys of fixed bit lenght) is not set before the key generation, the key will be an integer x : 0 < x < p - 1 i.e., of varying bit length.
Not being allowed to 0-pad x to the bit length of p turns the private key's CKA_VALUE attribute's ulValueLen into sensitive information making implementations more likely to be vulnerable to side channels.
I think it would make sense to allow 0-padding of bigint private keys of varying bit length to their maximal possible bit length (fixed by some public parameter).
(2)Regarding my second question: Since I consider pkcs11 underspecified here, I would rather encourage implementors to deal with all 0-padded bigints for robustness/inerop reasons.
Best, Patrick
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]