
pkcs11-comment message


Subject: Re: 0-padding attribute values of Big integer data type

My thoughts on my two questions are the following:

I was especially thinking about mechanisms which use bigint private keys here.

For example the CKM_DH_PKCS_* family of mechanisms, which is PKCS #3 DH:

If the private key's CKA_VALUE_BITS attribute (which can be used to generate keys of fixed bit length) is not set before the key generation, the key will be an integer x : 0 < x < p - 1, i.e., of varying bit length.

Not being allowed to 0-pad x to the bit length of p turns the private key's CKA_VALUE attribute's ulValueLen into sensitive information making implementations more likely to be vulnerable to side channels.

I think it would make sense to allow 0-padding of bigint private keys of varying bit length to their maximal possible bit length (fixed by some public parameter).

Regarding my second question: Since I consider pkcs11 underspecified here, I would rather encourage implementors to deal with all 0-padded bigints for robustness/interop reasons.
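
The two points of the message above, sketched as an added example that is not part of the original message or of any PKCS #11 implementation: storing a big-endian integer 0-padded to a fixed length (such as the byte length of p), and comparing values while tolerating 0-padding. The function names are hypothetical, and integers are assumed to be big-endian byte strings as in a Big integer attribute value.

```c
#include <stddef.h>
#include <string.h>

/* Added example; function names are hypothetical. No loop bound or memory
 * index below depends on the byte values, only on the buffer lengths, so
 * the number of leading zero bytes does not influence the control flow. */

/* Compare a and b as unsigned big-endian integers, ignoring any 0-padding.
 * Returns -1, 0 or 1. */
int bigint_cmp_padded(const unsigned char *a, size_t alen,
                      const unsigned char *b, size_t blen)
{
    size_t n = alen > blen ? alen : blen;
    unsigned int gt = 0, lt = 0;
    for (size_t i = 0; i < n; i++) {          /* least significant byte first */
        unsigned int x = i < alen ? a[alen - 1 - i] : 0;
        unsigned int y = i < blen ? b[blen - 1 - i] : 0;
        unsigned int g = ((y - x) >> 8) & 1;  /* 1 when x > y */
        unsigned int l = ((x - y) >> 8) & 1;  /* 1 when x < y */
        unsigned int keep = (g | l) ^ 1;      /* 1 when the bytes are equal */
        gt = (gt & keep) | g;                 /* a more significant byte overrides */
        lt = (lt & keep) | l;
    }
    return (int)gt - (int)lt;
}

/* Store the value right-aligned in out[0..out_len), 0-padded on the left,
 * e.g. with out_len set to the byte length of the DH prime p. Input that is
 * already 0-padded is accepted, even if longer than out_len.
 * Returns 0, or -1 if the value does not fit (out is then not meaningful). */
int bigint_pad(const unsigned char *in, size_t in_len,
               unsigned char *out, size_t out_len)
{
    size_t extra = in_len > out_len ? in_len - out_len : 0;
    size_t copy = in_len - extra;
    unsigned char overflow = 0;
    for (size_t i = 0; i < extra; i++)
        overflow |= in[i];                    /* surplus leading bytes must be 0 */
    memset(out, 0, out_len);
    memcpy(out + (out_len - copy), in + extra, copy);
    return overflow ? -1 : 0;
}
```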


