Subject: RE: [pkcs11] Groups - GMAC corrections and enhancements uploaded
While I support the changes in the AES-GMAC section, I’m wondering about the other – and I have spotted some more problems.
There was an inconsistence between CK_GCM_PARAMS and CK_GMAC_PARAMS in the ulIvLen that you have corrected. But why are we so restrictive now and allow only 16 bytes IV max? NIST SP800-38D allows 2^64-1 bytes max for an IV. Ok, it also says “it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.” But why are we so much stricter than NIST here?
At other places, the PKCS#11 standard is less strict than NIST: ulTagBits "can be any value between 0 and 128". According to NIST (ulTagBits is called “t” here), "t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or 32".
For CK_CCM_PARAMS, there are also some differences to NIST SP800-38C:
- The data length's length L is in the range 2 <= L <= 8
- 0 <= ulDataLen < 2^(8L). This is an editorial issue: the ^(..) got probably lost, becoming 28L.
- If L is corrected as above, ulNonceLen <= 15-L is correct again. NIST says more explicitly: 7 <= ulNonceLen <= 13
The description of AES-GCM (section 1.2) is inconsistent to it parameter description (section 1.2.2). The latter specifies that ulIvLen must be at least 1 while the former allows an ulIvLen of 0. With current encryption/decryption function, there is no possibility to return an internally generated IV. (I recognize that some vendors have added this possibility, but this is outside of the standard and should not be supported by CKM_AES_GCM). For decryption, pIV==NULL or ulIvLen==0 does not make sense at all since it cannot be generated internally here.
Section 1.2.3 is actually the same as 1.2 and 1.2.4 the same as 1.2.1. Thus 1.2.3 and 1.2.4 can be removed.
I also suggest to decrease the level of the current header for section 1.2, making it section 1.1.2.
From: firstname.lastname@example.org [mailto:email@example.com]
On Behalf Of David Gascon
Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Malte Pollmann (Chairman) CEO, Dr. Frank J. Nellissen CFO
This communication is confidential. We only send and receive email on the basis of the terms set out at https://www.utimaco.com/en/e-mail-disclaimer/