Internet-Draft ACVP KAS ECC SP800-56Ar3 August 2020
Hammett Expires 11 February 2021 [Page]
Workgroup:
Network Working Group
Internet-Draft:
:
Published:
Intended Status:
Informational
Expires:
Author:
R. Hammett, Ed.

ACVP KAS ECC SP800-56Ar3 JSON Specification

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 February 2021.

Table of Contents

1. Acknowledgements

There are no acknowledgements.

2. Abstract

This document defines the JSON schema for testing SP800-56Ar3 KAS ECC implementations with the ACVP specification.

3. Introduction

The Automated Crypto Validation Protocol (ACVP) defines a mechanism to automatically verify the cryptographic implementation of a software or hardware crypto module. The ACVP specification defines how a crypto module communicates with an ACVP server, including crypto capabilities negotiation, session management, authentication, vector processing and more. The ACVP specification does not define algorithm specific JSON constructs for performing the crypto validation. A series of ACVP sub-specifications define the constructs for testing individual crypto algorithms. Each sub-specification addresses a specific class of crypto algorithms. This sub-specification defines the JSON constructs for testing SP800-56Ar3 KAS ECC implementations using ACVP.

4. Terms and definitions

No terms and definitions are listed in this document.

5. Supported KAS-FFCs

The following key derivation functions MAY be advertised by the ACVP compliant cryptographic module:

6. Test Types and Test Coverage

The ACVP server performs a set of tests on the KAS protocol in order to assess the correctness and robustness of the implementation. A typical ACVP validation session SHALL require multiple tests to be performed for every supported permutation of KAS capabilities. This section describes the design of the tests used to validate implementations of KAS algorithms.

6.1. Test Types

There are two test types for KAS testing:

  • "AFT" - Algorithm Function Test. In the AFT test mode, the IUT SHALL act as a party in the Key Agreement with the ACVP server. The server SHALL generate and provide all necessary information for the IUT to perform a successful key agreement; both the server and IUT MAY act as party U/V, as well as recipient/provider to key confirmation.

  • "VAL" - Validation Test. In the VAL test mode, The ACVP server MUST generate a complete (from both party U and party V's perspectives) key agreement, and expects the IUT to be able to determine if that agreement is valid. Various types of errors MUST be introduced in varying portions of the key agreement process (changed DKM, changed key, changed hash digest, etc), that the IUT MUST be able to detect and report on.

6.2. Test Coverage

The tests described in this document have the intention of ensuring an implementation is conformant to [SP800-56Ar3].

6.2.1. KAS-ECC Requirements Covered

  • SP 800-56Ar3 - 5.1 Cryptographic Hash Functions. SHA1, SHA2, and SHA3 hash functions SHALL be available for the various pieces of KAS requiring use of a hash function; such as approved MACs and OneStep KDF.

  • SP 800-56Ar3 - 5.2 Message Authentication Code (MAC) Algorithms. AES-CMAC, HMAC, and KMAC algorithms SHALL be available for testing under KDFs and KC as the specification states.

  • SP 800-56Ar3 - 5.3 Random Number Generation. Though random values are used, the testing of the construction of those random values SHALL NOT be in scope of ACVP testing.

  • SP 800-56Ar3 - 5.4 Nonces. Though nonces are used, the testing of the construction of those nonces SHALL NOT be in scope of ACVP testing.

  • SP 800-56Ar3 - 5.5 Domain Parameters. Domain Parameters SHALL be used in the testing of KAS as per the specification, though the generation of those parameters is outside the scope of testing.

  • SP 800-56Ar3 - 5.6 Key-Pair Generation. Each KAS scheme from one or both parties utilizes a key pair for arriving at a shared secret, and deriving a key. Though a key pair(s) are utilized in ACVP testing, the testing of the generation of said key pairs is outside the scope of this testing.

  • SP 800-56Ar3 - 5.7 DLC Primitives. Diffie Hellman and MQV SHALL be tested under their respective KAS schemes.

  • SP 800-56Ar3 - 5.8 Key-Derivation Methods for Key-Establishment Schemes. The ACVP server SHALL make various KDFs available for testing. The KDFs covered under ACVP server testing SHALL include the KDFs specified in SP800-56B, SP800-56C, SP800-108, and SP800-135 (where applicable).

  • SP 800-56Ar3 - 5.9 KeyConfirmation. The ACVP server SHALL support key confirmation for applicable KAS and KTS schemes.

  • SP 800-56Ar3 - 6 Key Agreement Schemes. The ACVP server SHALL support testing for all KAS schemes specified in the SP800-56Ar3 document.

  • SP 800-56Cr1 - 4 One-Step Key Derivation. One-Step Key Derivation testing SHALL be supported by the ACVP server. FixedInfo construction is covered within the ACVP specification, and can be tailored to the IUTs needs. ASN.1 format of fixedInfo construction (currently) is NOT supported.

  • SP 800-56Cr1 - 5 Two-Step Key Derivation. Two-Step Key Derivation testing SHALL be supported by the ACVP server. FixedInfo construction is covered within the ACVP specification, and can be tailored to the IUTs needs. ASN.1 format of fixedInfo construction (currently) is NOT supported.

  • SP 800-108 - 4 Pseudorandom Function (PRF). All iterations of the KDF described in SP800-108 use a separate PRF. All implementations of the PRF SHALL be available for testing through the ACVP server generated tests.

  • SP 800-108 - 5 Key Derivation Functions (KDF). The three implementations of KDFs in SP800-108 SHALL be available for testing through the ACVP Server.

6.2.2. KAS-ECC Requirements Not Covered

  • SP 800-56Ar3 - 4.3 DLC-based Key-Transport Process. KeyWrapping is not incorporated into ACVP testing.

  • SP 800-56Ar3 - 5.3 Random Number Generation. Though random values are used, the testing of the construction of those random values SHALL NOT be in scope of ACVP testing.

  • SP 800-56Ar3 - 5.4 Nonces. Though nonces are used, the testing of the construction of those nonces SHALL NOT be in scope of ACVP testing.

  • SP 800-56Ar3 - 5.5 Domain Parameters. Domain Parameters SHALL be used in the testing of KAS as per the specification, though the generation of those parameters is outside the scope of testing.

  • SP 800-56Ar3 - 5.6 Key-Pair Generation. Each KAS scheme from one or both parties utilizes a key pair for arriving at a shared secret, and deriving a key. Though a key pair(s) are utilized in ACVP testing, the testing of the generation of said key pairs is outside the scope of this testing.

  • SP 800-56Ar3 - 5.6.2 Required Assurances. IUT assurance testing is outside the scope of ACVP testing.

  • SP 800-56Ar3 - 5.6.2 Key Pair Management. Testing the IUT's management of Key Pairs is outside the scope of ACVP testing.

  • SP 800-56Ar3 - 5.8.1.2 The ASN.1 Format for FixedInfo. The ACVP server (currently) SHALL NOT support the testing of this format of fixed info.

  • SP 800-56Ar3 - 7 Rationale for Selecting a Specific Scheme. There is no testing associated with the IUT's choice of selecting a specific scheme.

  • SP 800-56Ar3 - 8 Key Recovery. Key Recovery SHALL NOT be within the scope of ACVP testing.

  • SP 800-56Cr1 - 4 One-Step Key Derivation. ASN.1 format of fixedInfo construction (currently) is NOT supported.

  • SP 800-56Cr1 - 5 Two-Step Key Derivation. ASN.1 format of fixedInfo construction (currently) is NOT supported.

  • SP 800-56Cr1 - 7 Selecting Hash Functions and MAC Algorithms. The process that goes into the selection of Hash functions and MAC algorithms SHALL NOT be in scope of ACVP testing, though the ACVP server SHALL support all indicated Hash and MAC functions.

  • SP 800-56Cr1 - 7 Selecting Hash Functions and MAC Algorithms. The process that goes into the selection of Hash functions and MAC algorithms SHALL NOT be in scope of ACVP testing, though the ACVP server SHALL support all indicated Hash and MAC functions.

7. Capabilities Registration

ACVP requires crypto modules to register their capabilities. This allows the crypto module to advertise support for specific algorithms, notifying the ACVP server which algorithms need test vectors generated for the validation process. This section describes the constructs for advertising support of KAS ECC algorithms to the ACVP server.

The algorithm capabilities MUST be advertised as JSON objects within the 'algorithms' value of the ACVP registration message. The 'algorithms' value is an array, where each array element is an individual JSON object defined in this section. The 'algorithms' value is part of the 'capability_exchange' element of the ACVP JSON registration message. See the ACVP specification [ACVP] for more details on the registration message.

7.1. Prerequisites

Each algorithm implementation MAY rely on other cryptographic primitives. For example, RSA Signature algorithms depend on an underlying hash function. Each of these underlying algorithm primitives must be validated, either separately or as part of the same submission. ACVP provides a mechanism for specifying the required prerequisites:

Prerequisites, if applicable, MUST be submitted in the registration as the prereqVals JSON property array inside each element of the algorithms array. Each element in the prereqVals array MUST contain the following properties

Table 1: Prerequisite Properties
JSON Property Description JSON Type
algorithm a prerequisite algorithm string
valValue algorithm validation number string

A "valValue" of "same" SHALL be used to indicate that the prerequisite is being met by a different algorithm in the capability exchange in the same registration.

An example description of prerequisites within a single algorithm capability exchange looks like this

"prereqVals":
[
  {
    "algorithm": "Alg1",
    "valValue": "Val-1234"
  },
  {
    "algorithm": "Alg2",
    "valValue": "same"
  }
]
Figure 1

7.2. Prerequisite Algorithms

Some algorithm implementations rely on other cryptographic primitives. For example, IKEv2 uses an underlying SHA algorithm. Each of these underlying algorithm primitives must be validated, either separately or as part of the same submission. ACVP provides a mechanism for specifying the required prerequisites:

Table 2: Prerequisite Algorithms JSON Values
JSON Value Description JSON Type Valid Values Optional
algorithm a prerequisite algorithm value CMAC, DRBG, ECDSA, HMAC, KMAC, SHA, SP800-108 No
valValue algorithm validation number value actual number or "same" No
prereqAlgVal prerequistie algorithm validation object with algorithm and valValue properties see above Yes

7.3. Algorithm Capabilities JSON Values

Each algorithm capability advertised is a self-contained JSON object using the following values.

Table 3: Capabilities JSON Values
JSON Value Description JSON Type Valid Values Optional
algorithm The algorithm under test value KAS-ECC No
revision The algorithm testing revision to use. value "Sp800-56Ar3" No
prereqVals Prerequisite algorithm validations array of prereqAlgVal objects See Section 7.2 No
function Type of function supported array See Section 7.4 Yes
iutId The identifier of the IUT. hex No
scheme Array of supported key agreement schemes each having their own capabilities object See Section 7.5.1 No
domainParameterGen Array of IUT supported domain paameter generation methods. array P-192, P-224, P-256, P-384, P-521, K-163, K-233, K-283, K-409, K-571, B-163, B-233, B-283, B-409, B-571 No

Note: Some optional values are REQUIRED depending on the algorithm. Failure to provide these values will result in the ACVP server returning an error to the ACVP client during registration.

7.4. Supported KAS ECC Functions

The following function types MAY be advertised by the ACVP compliant crypto module:

  • keyPairGen - IUT can perform keypair generation.

  • partialVal - IUT can perform partial public key validation ([SP800-56Ar3] section 5.6.2.3).

  • fullVal - IUT can perform full public key validation ( [SP800-56Ar3] section 5.6.2.3).

7.5. KAS ECC Schemes

All other scheme capabilities are advertised as a self-contained JSON object using the following values. Note that AT LEAST one valid scheme must be registered.

7.5.1. KAS ECC Scheme Capabilities JSON Values

  • ephemeralUnified - keyConfirmation not supported.

  • fullMqv

  • fullUnified

  • onePassDh - Can only provide unilateral key confirmation party V to party U.

  • onePassMqv

  • onePassUnified

  • staticUnified

Table 4: Capabilities JSON Values
JSON Value Description JSON Type Valid Values Optional
kasRole Roles supported for key agreement array initiator and/or responder No
kdfMethods The KDF methods to use when testing KAS schemes. object Section 7.5.1.1 No
keyConfirmationMethod The KeyCnfirmation capabilities (when supported) for the scheme. object Section 7.5.1.2 Yes
The length of the key to derive (using a KDF) or transport (using a KTS scheme). This value should be large enough to accommodate the key length used for the mac algorithms in use for key confirmation, ideally the maximum value the IUT can support with their KAS/KTS implementation. Maximum value (for testing purposes) is 1024. integer 128 minimum without KC, 136 minimum with KC, maximum 1024. No
7.5.1.1. Supported Kdf Methods

Note that AT LEAST one KDF Method is required for KAS schemes. The following MAY be advertised by the ACVP compliant crypto module:

Table 5: KDF Options
JSON Value Description JSON Type Valid Values Optional
oneStepKdf Indicates the IUT will be testing key derivation using the SP800-56Cr1 OneStepKdf. object Section 7.5.1.1.1 Yes
twoStepKdf Indicates the IUT will be testing key derivation using the SP800-56Cr1 TwoStepKdf. object Section 7.5.1.1.2 Yes
7.5.1.1.1. One Step KDF Capabilities
Table 6: One Step KDF Options
JSON Value Description JSON Type Valid Values Optional
auxFunctions The auxiliary functions to use with the KDF. array of Table 7 See Table 7 No
fixedInfoPattern The pattern used for fixedInfo construction. string See Section 7.5.1.1.2 No
encoding The encoding type to use with fixedInfo construction. Note concatenation is currently supported. ASN.1 should be coming. array of string concatenation No
Table 7: AuxFunction Options
JSON Value Description JSON Type Valid Values Optional
auxFunctionName The auxiliary function to use. string SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, KMAC-128, KMAC-256 No
macSaltMethods How the salt is determined (default being all 00s, random being a random salt). array of string default, random Not optional for mac based auxiliary functions.
7.5.1.1.2. Two Step KDF Capabilities
Table 8: Two Step KDF Options
JSON Value Description JSON Type Valid Values Optional
capabilities The capabilities supported for the Two Step KDF. array of Table 9 See Table 9 No

Note this capabilities object is very similar to the capability object from SP800-108.

Table 9: TwoStepCapabilities Options
JSON Value Description JSON Type Valid Values Optional
macSaltMethod How the salt is determined (default being all 00s, random being a random salt). array of string default, random Not optional for mac based auxiliary functions.
fixedInfoPattern The pattern used for fixedInfo construction. string See Section 7.5.1.3 No
encoding The encoding type to use with fixedInfo construction. Note concatenation is currently supported. ASN.1 should be coming. array of string concatenation No
kdfMode The strategy for running the KDF. string counter, fedback, double pipeline iteration No
macMode The macMode supported by the KDF. array of string CMAC-AES128, CMAC-AES192, CMAC-AES256, HMAC-SHA-1, HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 No
fixedDataOrder The counter locations supported by the KDF. array of string none, before fixed data, after fixed data, before iterator No
counterLength The counter lengths supported for the KDF. array of integer 8, 16, 24, 32 Not optional for counter mode.
supportedLengths The supported derivation lengths. domain Single range (of literal) expected. Registered value must support the L value provided. No
supportsEmptyIv The KDF supports an empty IV (feedback mode). boolean true, false No
requiresEmptyIv The KDF requires an empty IV (feedback mode). boolean true, false Yes
7.5.1.2. Supported KeyConfirmation Method
Table 10: KAS ECC KeyConfirmation Capabilities JSON Values
JSON Value Description JSON Type Valid Values Optional
macMethods The MAC methods to use when testing KAS or KTS schemes with key confirmation. object Section 7.5.1.4 No
keyConfirmationDirections The directions in which key confirmation is supported. array unilateral, bilateral No
keyConfirmationRoles The roles in which key confirmation is supported. array provider, recipient No
7.5.1.3. FixedInfoPatternConstruction

IUTs SHALL be capable of specifying how the FixedInfo is constructed for the KAS/KTS negotiation.

Pattern candidates:

  • literal[0123456789ABCDEF]

    • uses the specified hex within "[]". literal[0123456789ABCDEF] substitutes "0123456789ABCDEF" in place of the field

  • uPartyInfo

    • uPartyId { || ephemeralKey } { || ephemeralNonce } { || dkmNonce } { || c }

      • "optional" items such as ephemeralKey MUST be included when available for ACVP testing.

  • vPartyInfo

    • vPartyId { || ephemeralKey } { || ephemeralNonce } { || dkmNonce } { || c }

      • "optional" items such as ephemeralKey MUST be included when available for ACVP testing.

  • context

    • Random value chosen by ACVP server to represent the context.

  • algorithmId

    • Random value chosen by ACVP server to represent the algorithmId.

  • label

    • Random value chosen by ACVP server to represent the label.

Example (Note that party U is the server in this case "434156536964", party V is the IUT "a1b2c3d4e5"):

  • "concatenation" : "literal[123456789CAFECAFE]||uPartyInfo||vPartyInfo"

Evaluated as:

  • "123456789CAFECAFE434156536964a1b2c3d4e5"

7.5.1.4. Supported MAC Methods

Note that AT LEAST one mac method must be supplied when making use of Key Confirmation.

Table 11: MAC Method Options
JSON Value Description JSON Type Valid Values Optional
CMAC Utilizes CMAC as the MAC algorithm. object See Section 7.5.1.4.1. Note that the keyLen must be 128, 192, or 256 for this MAC. Yes
HMAC-SHA2-224 Utilizes HMAC-SHA2-224 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA2-256 Utilizes HMAC-SHA2-256 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA2-384 Utilizes HMAC-SHA2-384 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA2-512 Utilizes HMAC-SHA2-512 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA2-512/224 Utilizes HMAC-SHA2-512/224 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA2-512/256 Utilizes HMAC-SHA2-512/256 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA3-224 Utilizes HMAC-SHA3-224 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA3-256 Utilizes HMAC-SHA3-256 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA3-384 Utilizes HMAC-SHA3-384 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
HMAC-SHA3-512 Utilizes HMAC-SHA3-512 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
KMAC-128 Utilizes KMAC-128 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
KMAC-256 Utilizes KMAC-256 as the MAC algorithm. object See Section 7.5.1.4.1 Yes
7.5.1.4.1. Supported MAC Options
Table 12: MAC Method Base Options
JSON Value Description JSON Type Valid Values Optional
keyLen The amount of bits from the DKM to pass into the KeyConfirmation MAC function. integer 128 - 512. Note that the DKM is REQUIRED to have at least 8 bits available after subtracting the keyLen specified. No
macLen The amount of bits to use as the tag from the MAC function. integer 64 - 512. No

7.6. Example KAS-ECC Registration

The following is a example JSON object advertising support for KAS ECC.

{
  "algorithm": "KAS-ECC",
  "revision": "Sp800-56Ar3",
  "prereqVals": [
    {
      "algorithm": "ECDSA",
      "valValue": "123456"
    },
    {
      "algorithm": "DRBG",
      "valValue": "123456"
    },
    {
      "algorithm": "SHA",
      "valValue": "123456"
    },
    {
      "algorithm": "KMAC",
      "valValue": "123456"
    },
    {
      "algorithm": "HMAC",
      "valValue": "123456"
    }
  ],
  "function": [
    "keyPairGen",
    "partialVal"
  ],
  "iutId": "123456ABCD",
  "scheme": {
    "ephemeralUnified": {
      "kasRole": [
        "initiator",
        "responder"
      ],
      "kdfMethods": {
        "oneStepKdf": {
          "auxFunctions": [
            {
              "auxFunctionName": "KMAC-128",
              "macSaltMethods": [
                "default"
              ]
            }
          ],
          "fixedInfoPattern": "algorithmId||l||uPartyInfo||vPartyInfo",
          "encoding": [
            "concatenation"
          ]
        },
        "twoStepKdf": {
          "capabilities": [
            {
              "macSaltMethods": [
                "random"
              ],
              "fixedInfoPattern": "l||label||uPartyInfo||vPartyInfo||context",
              "encoding": [
                "concatenation"
              ],
              "kdfMode": "feedback",
              "macMode": [
                "HMAC-SHA3-224"
              ],
              "supportedLengths": [
                512
              ],
              "fixedDataOrder": [
                "after fixed data"
              ],
              "counterLength": [
                32
              ],
              "requiresEmptyIv": false,
              "supportsEmptyIv": false
            }
          ]
        }
      },
      "l": 512
    },
    "onePassDh": {
      "kasRole": [
        "initiator",
        "responder"
      ],
      "kdfMethods": {
        "oneStepKdf": {
          "auxFunctions": [
            {
              "auxFunctionName": "KMAC-128",
              "macSaltMethods": [
                "default"
              ]
            }
          ],
          "fixedInfoPattern": "algorithmId||l||uPartyInfo||vPartyInfo",
          "encoding": [
            "concatenation"
          ]
        },
        "twoStepKdf": {
          "capabilities": [
            {
              "macSaltMethods": [
                "random"
              ],
              "fixedInfoPattern": "l||label||uPartyInfo||vPartyInfo||context",
              "encoding": [
                "concatenation"
              ],
              "kdfMode": "feedback",
              "macMode": [
                "HMAC-SHA3-224"
              ],
              "supportedLengths": [
                512
              ],
              "fixedDataOrder": [
                "after fixed data"
              ],
              "counterLength": [
                32
              ],
              "requiresEmptyIv": false,
              "supportsEmptyIv": false
            }
          ]
        }
      },
      "keyConfirmationMethod": {
        "macMethods": {
          "KMAC-128": {
            "keyLen": 128,
            "macLen": 128
          }
        },
        "keyConfirmationDirections": [
          "unilateral"
        ],
        "keyConfirmationRoles": [
          "provider",
          "recipient"
        ]
      },
      "l": 512
    }
  },
  "domainParameterGenerationMethods": [
    "P-192"
  ]
}
Figure 2

8. Generation Requirements per Party per Scheme

The various schemes of KAS all have their own requirements as to keys and nonces per scheme, per party. The below table demonstrates those generation requirements:

Table 13: Required Party Generation Obligations
Scheme KasMode KasRole KeyConfirmationRole KeyConfirmationDirection StaticKeyPair EphemeralKeyPair EphemeralNonce DkmNonce
DhHybrid1 NoKdfNoKc InitiatorPartyU None None True True False False
DhHybrid1 NoKdfNoKc ResponderPartyV None None True True False False
DhHybrid1 KdfNoKc InitiatorPartyU None None True True False False
DhHybrid1 KdfNoKc ResponderPartyV None None True True False False
DhHybrid1 KdfKc InitiatorPartyU Provider Unilateral True True False False
DhHybrid1 KdfKc InitiatorPartyU Provider Bilateral True True False False
DhHybrid1 KdfKc InitiatorPartyU Recipient Unilateral True True False False
DhHybrid1 KdfKc InitiatorPartyU Recipient Bilateral True True False False
DhHybrid1 KdfKc ResponderPartyV Provider Unilateral True True False False
DhHybrid1 KdfKc ResponderPartyV Provider Bilateral True True False False
DhHybrid1 KdfKc ResponderPartyV Recipient Unilateral True True False False
DhHybrid1 KdfKc ResponderPartyV Recipient Bilateral True True False False
Mqv2 NoKdfNoKc InitiatorPartyU None None True True False False
Mqv2 NoKdfNoKc ResponderPartyV None None True True False False
Mqv2 KdfNoKc InitiatorPartyU None None True True False False
Mqv2 KdfNoKc ResponderPartyV None None True True False False
Mqv2 KdfKc InitiatorPartyU Provider Unilateral True True False False
Mqv2 KdfKc InitiatorPartyU Provider Bilateral True True False False
Mqv2 KdfKc InitiatorPartyU Recipient Unilateral True True False False
Mqv2 KdfKc InitiatorPartyU Recipient Bilateral True True False False
Mqv2 KdfKc ResponderPartyV Provider Unilateral True True False False
Mqv2 KdfKc ResponderPartyV Provider Bilateral True True False False
Mqv2 KdfKc ResponderPartyV Recipient Unilateral True True False False
Mqv2 KdfKc ResponderPartyV Recipient Bilateral True True False False
DhEphem NoKdfNoKc InitiatorPartyU None None False True False False
DhEphem NoKdfNoKc ResponderPartyV None None False True False False
DhEphem KdfNoKc InitiatorPartyU None None False True False False
DhEphem KdfNoKc ResponderPartyV None None False True False False
DhHybridOneFlow NoKdfNoKc InitiatorPartyU None None True True False False
DhHybridOneFlow NoKdfNoKc ResponderPartyV None None True False False False
DhHybridOneFlow KdfNoKc InitiatorPartyU None None True True False False
DhHybridOneFlow KdfNoKc ResponderPartyV None None True False False False
DhHybridOneFlow KdfKc InitiatorPartyU Provider Unilateral True True False False
DhHybridOneFlow KdfKc InitiatorPartyU Provider Bilateral True True False False
DhHybridOneFlow KdfKc InitiatorPartyU Recipient Unilateral True True False False
DhHybridOneFlow KdfKc InitiatorPartyU Recipient Bilateral True True False False
DhHybridOneFlow KdfKc ResponderPartyV Provider Unilateral True False False False
DhHybridOneFlow KdfKc ResponderPartyV Provider Bilateral True False True False
DhHybridOneFlow KdfKc ResponderPartyV Recipient Unilateral True False True False
DhHybridOneFlow KdfKc ResponderPartyV Recipient Bilateral True False True False
Mqv1 NoKdfNoKc InitiatorPartyU None None True True False False
Mqv1 NoKdfNoKc ResponderPartyV None None True False False False
Mqv1 KdfNoKc InitiatorPartyU None None True True False False
Mqv1 KdfNoKc ResponderPartyV None None True False False False
Mqv1 KdfKc InitiatorPartyU Provider Unilateral True True False False
Mqv1 KdfKc InitiatorPartyU Provider Bilateral True True False False
Mqv1 KdfKc InitiatorPartyU Recipient Unilateral True True False False
Mqv1 KdfKc InitiatorPartyU Recipient Bilateral True True False False
Mqv1 KdfKc ResponderPartyV Provider Unilateral True False False False
Mqv1 KdfKc ResponderPartyV Provider Bilateral True False True False
Mqv1 KdfKc ResponderPartyV Recipient Unilateral True False True False
Mqv1 KdfKc ResponderPartyV Recipient Bilateral True False True False
DhOneFlow NoKdfNoKc InitiatorPartyU None None False True False False
DhOneFlow NoKdfNoKc ResponderPartyV None None True False False False
DhOneFlow KdfNoKc InitiatorPartyU None None False True False False
DhOneFlow KdfNoKc ResponderPartyV None None True False False False
DhOneFlow KdfKc InitiatorPartyU Recipient Unilateral False True False False
DhOneFlow KdfKc ResponderPartyV Provider Unilateral True False False False
DhStatic NoKdfNoKc InitiatorPartyU None None True False False False
DhStatic NoKdfNoKc ResponderPartyV None None True False False False
DhStatic KdfNoKc InitiatorPartyU None None True False False True
DhStatic KdfNoKc ResponderPartyV None None True False False False
DhStatic KdfKc InitiatorPartyU Provider Unilateral True False False True
DhStatic KdfKc InitiatorPartyU Provider Bilateral True False False True
DhStatic KdfKc InitiatorPartyU Recipient Unilateral True False False True
DhStatic KdfKc InitiatorPartyU Recipient Bilateral True False False True
DhStatic KdfKc ResponderPartyV Provider Unilateral True False False False
DhStatic KdfKc ResponderPartyV Provider Bilateral True False True False
DhStatic KdfKc ResponderPartyV Recipient Unilateral True False True False
DhStatic KdfKc ResponderPartyV Recipient Bilateral True False True False

9. Test Vectors

The ACVP server provides test vectors to the ACVP client, which are then processed and returned to the ACVP server for validation. A typical ACVP validation test session would require multiple test vector sets to be downloaded and processed by the ACVP client. Each test vector set represents an individual algorithm defined during the capability exchange. This section describes the JSON schema for a test vector set used with SP800-56Ar3 KAS ECC algorithms.

The test vector set JSON schema is a multi-level hierarchy that contains meta data for the entire vector set as well as individual test vectors to be processed by the ACVP client. The following table describes the JSON elements at the top level of the hierarchy.

Table 14: Top Level Test Vector JSON Elements
JSON Values Description JSON Type
acvVersion Protocol version identifier string
vsId Unique numeric vector set identifier integer
algorithm Algorithm defined in the capability exchange string
mode Mode defined in the capability exchange string
revision Protocol test revision selected string
testGroups Array of test groups containing test data, see Section 9.1 array

An example of this would look like this

{
  "acvVersion": "version",
  "vsId": 1,
  "algorithm": "Alg1",
  "mode": "Mode1",
  "revision": "Revision1.0",
  "testGroups": [ ... ]
}
Figure 3

9.1. Test Groups JSON Schema

The testGroups element at the top level in the test vector JSON object is an array of test groups. Test vectors are grouped into similar test cases to reduce the amount of data transmitted in the vector set. For instance, all test vectors that use the same key size would be grouped together. The Test Group JSON object contains meta data that applies to all test vectors within the group. The following table describes the secure hash JSON elements of the Test Group JSON object.

The test group for KAS/KTS ECC is as follows:

Table 15: Vector Group JSON Object
JSON Value Description JSON Type Optional
tgId Numeric identifier for the test group, unique across the entire vector set. value No
testType The type of test for the group (AFT or VAL). value No
scheme The scheme in use for the group. See Section 7.5.1 for possible values. value No
kasRole The group role from the perspective of the IUT. value No
The length of key to derive/transport. value No
iutId The Iut's identifier. value No
serverId The ACVP server's identifier. value No
kdfConfiguration The KDF configuration for the group. Object, See Section 9.1.1 No
macConfiguration The MAC configuration for the group. Object, See Section 9.1.2 Not optional for schemes using key confirmation.
keyConfirmationDirection The key confirmation direction. value Yes
keyConfirmationRole The key confirmation role. value Yes
domainParameterGenerationMode The domain parameter type used. value No
tests The tests for the group. Array of objects, See Section 9.2. No

9.1.1. KDF Configuration JSON Schema

Describes the KDF configuration for use under the test group.

Table 16: KdfConfiguration JSON Object
JSON Value Description JSON Type Optional
kdfType The type of KDF to use for the group. value - onestep, twostep No
satMethod The strategy used for salting. value - default (all 00s), random No
fixedInfoPattern The pattern used for constructing the fixedInfo. value - See Section 7.5.1.3. No
fixedInfoEncoding The pattern used for constructing the fixedInfo. value - See Section 7.5.1.3. No
auxFunction The auxiliary function used in the KDF. value - See Table 7. Not optional for OneStepKdf.
macMode The MAC function used in the KDF. value - See Table 9. Not optional for TwoStepKdf.
counterLocation The counter location. value Yes
counterLen The counter length. value Yes
ivLen The iv length. value Yes

9.1.2. MAC Configuration JSON Schema

Describes the key confirmation MAC configuration for use under the test group.

Table 17: MacConfiguration JSON Object
JSON Value Description JSON Type Optional
macType The macType used in key confirmation. value - HMAC-SHA2-224, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512, HMAC-SHA2-512/224, HMAC-SHA2-512/256, HMAC-SHA3-224, HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512, CMAC, KMAC-128, KMAC-256 No
keyLen The number of bits to take from the DKM to use for the mac key in key confirmation. value No
macLen The number of bits to use for the MAC tag. value No

9.2. Test Case JSON Schema

Each test group contains an array of one or more test cases. Each test case is a JSON object that represents a single test vector to be processed by the ACVP client. The following table describes the JSON elements for each KAS/KTS ECC test vector.

Table 18: Test Case JSON Object
JSON Value Description JSON Type Optional
tcId Numeric identifier for the test case, unique across the entire vector set. value No
ephemeralPublicKeyIutX The IUT's ephemeral public key X value. value Yes
ephemeralPublicKeyIutY The IUT's ephemeral public key Y value. value Yes
staticPublicKeyIutX The IUT's static public key X value. value Yes
staticPublicKeyIutY The IUT's static public key Y value. value Yes
ephemeralPublicKeyServerX The Server's ephemeral public key X value. value Yes
ephemeralPublicKeyServerY The Server's ephemeral public key Y value. value Yes
staticPublicKeyServerX The Server's static public key X value. value Yes
staticPublicKeyServerY The Server's static public key Y value. value Yes
dkmNonceIut The IUT's nonce used in static schemes for Key Confirmation. value Yes
ephemeralNonceIut The IUT's ephemeral nonce used in some schemes. value Yes
dkmNonceServer The Server's nonce used in static schemes for Key Confirmation. value Yes
ephemeralNonceServer The Server's ephemeral nonce used in some schemes. value Yes
staticPrivateKeyIut The IUT's static private key. value Yes
ephemeralPrivateKeyIut The IUT's ephemeral private key. value Yes
kdfParameter The KDF parameters for this test case. value - See Section 9.2.1. Yes
dkm The derived keying material. value Yes
tag The tag generated as a part of key conformation (from the IUT perspective). value Yes

9.2.1. KDF Parameter JSON Schema

KDF specific options used for the test case.

Table 19: KDF Parameter JSON Object
JSON Value Description JSON Type Optional
kdfType The type of KDF utilized. value No
salt The salt used for the test case. value Yes
iv The iv used for the test case. value Yes
algorithmId The random "algorithID" used for the test case when applicable to the fixedInfo pattern. value Yes
context The random "context" used for the test case when applicable to the fixedInfo pattern. value Yes
label The random "label" used for the test case when applicable to the fixedInfo pattern. value Yes

9.3. Example Test Vectors JSON Object KAS-FFC

The following is a example JSON object for KAS-FFC test vectors sent from the ACVP server to the crypto module.

{
  "vsId": 0,
  "algorithm": "KAS-ECC",
  "revision": "Sp800-56Ar3",
  "testGroups": [
    {
      "tgId": 1,
      "testType": "AFT",
      "tests": [
        {
          "staticPublicServerX": "B7A4DDA5DC3A317647B39F39E05390A88F12F53861C24635",
          "staticPublicServerY": "CA2776BF6A0F35B727F3057340E89A1600915B81BB2E87B7",
          "tcId": 1,
          "ephemeralNonceServer": "44588073AACC3CFD6C9A5E2A0973B6BDDFC35F67EEA96FD0B070DF05F24A4B381F05CE9ACC67739B157CF8EE7459A64E",
          "kdfParameter": {
            "kdfType": "oneStep",
            "salt": "00000000000000000000000000000000",
            "algorithmId": "A51CF275ABE573209CBC606A934352FE"
          }
        }
      ],
      "domainParameterGenerationMode": "P-192",
      "scheme": "staticUnified",
      "kasRole": "initiator",
      "l": 512,
      "iutId": "123456ABCD",
      "serverId": "434156536964",
      "kdfConfiguration": {
        "kdfType": "oneStep",
        "saltMethod": "default",
        "fixedInfoPattern": "algorithmId||l||uPartyInfo||vPartyInfo",
        "fixedInfoEncoding": "concatenation",
        "auxFunction": "KMAC-128"
      },
      "macConfiguration": {
        "macType": "KMAC-128",
        "keyLen": 128,
        "macLen": 128
      },
      "keyConfirmationDirection": "unilateral",
      "keyConfirmationRole": "provider"
    },
    {
      "tgId": 2,
      "testType": "VAL",
      "tests": [
        {
          "staticPublicServerX": "87F6D507656EBC3D4D655FD4C0F13BE0F98D5B7472A3B247",
          "staticPublicServerY": "CFBC8EE38F4EF2DF1B97BF410ABCF4968F1115E7B80E34C6",
          "staticPrivateIut": "F43B6F08F570D469ED31CF920516114B1B5E3C3C7BDD6B14",
          "staticPublicIutX": "7573E06C6BACA56D5AFD08A1A014776BDDA7F4593645A07D",
          "staticPublicIutY": "93D0C1CDC5C23BD045AD6258448436A55E3C310B4333F551",
          "tcId": 21,
          "ephemeralNonceServer": "6F4C587D3CEF0B1D0D5B359B18FFB8B72C879EB3997E768826552082D56931D965E7F315FD7254C434871FA1E160873F",
          "dkmNonceIut": "AB5CCC3B75AA1FB85D28D5D53126B362AAABA3C51D427B6D138BEFD7EE636E1BC239FB45630BF6D7F0E80B59835916B9",
          "kdfParameter": {
            "kdfType": "oneStep",
            "salt": "00000000000000000000000000000000",
            "algorithmId": "342BCBC9DE15458BCA294BD16FFA10A7"
          },
          "dkm": "B9FDC93EA0B6A7906C6DB8EC17475B3073A8AD1C24CB1287AB8A6AEA46CABA4FDFD7B0CB77F74CDCF3DFF8DCC41560CF",
          "tag": "3279D63C9192B7FEF71F6735921B3B46"
        }
      ],
      "domainParameterGenerationMode": "P-192",
      "scheme": "staticUnified",
      "kasRole": "initiator",
      "l": 512,
      "iutId": "123456ABCD",
      "serverId": "434156536964",
      "kdfConfiguration": {
        "kdfType": "oneStep",
        "saltMethod": "default",
        "fixedInfoPattern": "algorithmId||l||uPartyInfo||vPartyInfo",
        "fixedInfoEncoding": "concatenation",
        "auxFunction": "KMAC-128"
      },
      "macConfiguration": {
        "macType": "KMAC-128",
        "keyLen": 128,
        "macLen": 128
      },
      "keyConfirmationDirection": "unilateral",
      "keyConfirmationRole": "provider"
    }
  ]
}
Figure 4

10. Test Vector Responses

After the ACVP client downloads and processes a vector set, it MUST send the response vectors back to the ACVP server. The following table describes the JSON object that represents a vector set response.

Table 20: Vector Set Response JSON Object
JSON Value Description JSON type Optional
acvVersion Protocol version identifier value No
vsId Unique numeric identifier for the vector set value No
testGroups Array of JSON objects that represent each test vector group. See Table 21. array No

The testGroups section is used to organize the ACVP client response in a similar manner to how it receives vectors. Several algorithms SHALL require the client to send back group level properties in their response. This structure helps accommodate that.

Table 21: Vector Set Group Response JSON Object
JSON Value Description JSON type Optional
tgId The test group Id value No
tests Array of JSON objects that represent each test vector group. See Table 22. array No

The testCase section is used to organize the ACVP client response in a similar manner to how it receives vectors. Several algorithms SHALL require the client to send back group level properties in their response. This structure helps accommodate that.

Table 22: Vector Set Test Case Response JSON Object
JSON Value Description JSON type Optional
tcId The test case Id value No
testPassed Used in VAL test types, should the KAS/KTS negotiation have succeeded? boolean Yes
ephemeralPublicKeyIutX The IUT's ephemeral public key X value. value Yes
ephemeralPublicKeyIutY The IUT's ephemeral public key Y value. value Yes
staticPublicKeyIutX The IUT's static public key X value. value Yes
staticPublicKeyIutX The IUT's static public key Y value. value Yes
dkmNonceIut The IUT's nonce used in static schemes for Key Confirmation. value Yes
ephemeralNonceIut The IUT's ephemeral nonce used in some schemes. value Yes
dkm The derived keying material. value Yes
tag The tag generated as a part of key confirmation (from the IUT perspective). value Yes

10.1. Example Test Results KAS-ECC JSON Object

The following is an example JSON object for KAS-ECC test results sent from the crypto module to the ACVP server.

[
  {
    "acvVersion": "version"
  },
  {
    "vsId": 0,
    "algorithm": "KAS-ECC",
    "revision": "Sp800-56Ar3",
    "testGroups": [
      {
        "tgId": 1,
        "tests": [
          {
            "staticPublicIutX": "ED9CF3FE1B79D014F7FF60DFDBFC19457C4F3EBEB0BB10B5",
            "staticPublicIutY": "5CA8819BC0D39E67AE9AB4747DC563ADA1AE1E9DBA12C272",
            "tcId": 1,
            "dkmNonceIut": "215D9AB3A371B395802FD0FCD97815EDFC468DC631735BAEEA0F18498EFC3B52BBABD2B953DE7B64EF20D899093B031D",
            "dkm": "56505307C7F11F4640C96D863FA3634120F2B2CAB262AE29B1CD26252BC1537E84DF3EB75C1E240983B599B30690F9B0",
            "tag": "CE39683069F0DA7624F72086FB4B2B8E"
          }
        ]
      },
      {
        "tgId": 3,
        "tests": [
          {
            "tcId": 21,
            "testPassed": true
          }
        ]
      }
    ]
  }
]
Figure 5

11. Security Considerations

There are no additional security considerations outside of those outlined in the ACVP document.

12. IANA Considerations

This document does not require any action by IANA.

13. Normative references

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", IETF RFC 2119, IETF RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC3526]
Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", IETF RFC 3526, IETF RFC 3526, DOI 10.17487/RFC3526, , <https://www.rfc-editor.org/info/rfc3526>.
[RFC7919]
Gillmor, D., "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)", IETF RFC 7919, IETF RFC 7919, DOI 10.17487/RFC7919, , <https://www.rfc-editor.org/info/rfc7919>.
[RFC7991]
Hoffman, P., "The "xml2rfc" Version 3 Vocabulary", IETF RFC 7991, IETF RFC 7991, DOI 10.17487/RFC7991, , <https://www.rfc-editor.org/info/rfc7991>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", IETF RFC 8174, IETF RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[ACVP]
Hammett, R., Fussell, B., Vassilev, A., and H. Booth, "Automatic Cryptographic Validation Protocol", .
[SP800-108]
Chen, L., "SP800-108 Recommendation for Key Derivation Using Pseudorandom Functions", , <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-108.pdf>.
[FIPS186-4]
NIST, "FIPS 186-4 Digital Signature Standard (DSS)", , <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>.
[SP800-56Ar3]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Davis, "SP800-56Ar3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography", , <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf>.
[SP800-56Cr1]
Barker, E., Chen, L., and R. Davis, "SP800-56Cr1 Recommendation for Key-Derivation Methods in Key-Establishment Schemes", , <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf>.

Author's Address

Russell Hammett (editor)