

Subject: RE: [pkcs11] Proposal: CKM_DSA_FIPS_186_4


Oscar,

Thanks for picking up the FIPS 186-4 update.  Definitely worthwhile considering this for the most recent update, as it appears that 186-3 has come and gone since PKCS #11 2.20 without any P11 doc updates.

The previous versions of P11 referred to FIPS 186-2 throughout the document.  It was the definition of DSA (Section 4 of v2.20 spec), the basis for CKM_DSA, (Section 12.2.7), and CKM_DSA_SHA1 (Section 12.2.8).  So, we are in the current situation where the proposed OASIS spec references 186-2 for DSA mechanisms (only), and has no updated references for 186-3, or now 186-4.

So it seems that the FIPS 186-4 release needs a bit more careful consideration for specification update rather than adding a new mechanism.  Specifically, how DSA itself is defined, whether or not the previous CKM_DSA*** mechanisms are compatible with 186-4, and how to handle it if they are not.

My recommendation is as follows:

1) Update the DSA definition/reference to correspond to FIPS 186-4
2) Investigate the difference between how 186-2 and 186-4 define and describe the DSA mechanisms.
3) For those mechanisms which are compatible, update the mechanism/parameter descriptions to indicate the versions of specification compatibility, (e.g. "based on the Digital Signature Algorithm defined in FIPS PUB 186-2 through FIPS PUB 186-4." -- or similar).
4) For those mechanisms which are NOT compatible, then we have to consider defining the legacy mechanisms as compatible with a specific version only, and then introduce new mechanism enumerations which match the latest specification.

By the by, FIPS 186-4 consists of primarily editorial and clarification updates so is largely (e.g. functionally) compatible with FIPS 186-3, for what it's worth.

I will respond with my analysis corresponding to #2 above, but would still like a second set of eyes on it to corroborate.

Thanks,

Bob

P.S. Your recommendation limits the magnitude of 'p' to 1024 bits, but FIPS 186-3/4 allow 'p' to be 1024, 2048, or 3072 -- it might also be important to note that the magnitude of 'N' (magnitude of q, x, and k -- the length of the input hash) can be 160, 224, or 256 -- so if we're thinking of having any sort of profile describing FIPS 186 compatibility, we should consider both the magnitude of 'p', as well as 'N'.

P.P.S. I happened to notice we're in the same situation for the SHA standard, FIPS 180-4 which replaced FIPS 180-3 -- and sometime in the near future will be replaced with FIPS 180-5 to cover SHA3 mechanisms.  Although, I suspect these should be easier to handle given they are directly compatible.

> -----Original Message-----
> From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On
> Behalf Of Oscar K So Jr.
> Sent: Wednesday, July 31, 2013 5:14 PM
> To: pkcs11@lists.oasis-open.org
> Subject: [pkcs11] Proposal: CKM_DSA_FIPS_186_4
> 
> Proposal: CKM_DSA_FIPS_186_4
> 
> FIPS-186-4 algorithms:
> http://www.ofr.gov/OFRUpload/OFRData/2013-17396_PI.pdf
> 
> This mechanism is equivalent to: CKM_DSA
> 
> --
> 
> Best,
> Oscar
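
The parameter sizes raised in the P.S. above, as an added example that is not part of the original message or of the PKCS #11 specification: a Python check that DSA domain parameters, given as PKCS #11 big-endian byte strings, fall in one of the (L, N) pairs listed in FIPS 186-4 section 4.2 and are structurally sound. The function names are hypothetical, and the sample parameters are constructed from a fixed seed for testing only.

```python
import random

# (L, N) pairs listed in FIPS 186-4, section 4.2: L = bits in p, N = bits in q.
ALLOWED_LN = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with bases drawn from a generator seeded by n (repeatable)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_profile(prime: bytes, subprime: bytes, base: bytes):
    """Return (L, N) for CKA_PRIME / CKA_SUBPRIME / CKA_BASE values, or raise ValueError."""
    p, q, g = (int.from_bytes(a, "big") for a in (prime, subprime, base))
    ln = (p.bit_length(), q.bit_length())  # leading zero bytes do not count
    if ln not in ALLOWED_LN:
        raise ValueError(f"(L, N) = {ln} is not a FIPS 186-4 pair")
    if not (is_probable_prime(q) and is_probable_prime(p) and (p - 1) % q == 0):
        raise ValueError("p, q must be prime with q dividing p - 1")
    if not 1 < g < p or pow(g, q, p) != 1:
        raise ValueError("g does not have order q modulo p")
    return ln

def make_sample_params(L, N, seed=2013):
    """Constructed test parameters (not for real keys): returns (p, q, g) as bytes."""
    rng = random.Random(seed)
    q = p = 0
    while not is_probable_prime(q):
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1
    while p.bit_length() != L or not is_probable_prime(p):
        x = rng.getrandbits(L) | (1 << (L - 1))
        p = x - x % (2 * q) + 1
    g = pow(2, (p - 1) // q, p)  # order q unless it comes out as 1
    return tuple(v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (p, q, g))
```

A 1024-bit p paired with a 224-bit or 256-bit q is rejected, which is why a compatibility profile has to state L and N together rather than the size of p alone.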


