-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IKEv1 and IKEv2 when dhLength smaller than length of gir message #907
Comments
Hi @NorthHill-16, I was reviewing some of our older open tickets and found this one. Is this still an open question/something you would like us to look into? |
Hi, @livebe01 , yes, this issue actually not solved yet. Currently I force the dhLength to be multiple of 8. This solution has no problem so far. Based on old CAVP document (https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf) page 9, when dhLength not multiple of 8, padding is needed. I apply this method, then compute the result and sent to ACVP, ACVP says result wrong for these tcid. Question in short: |
Padding is placed on the LSB (right) side of the hex string. So a one bit message is |
Hi, @celic, sorry for late reply. I am truncating from right side, since it does not work then I try to truncate from left side. The root cause of this question is about how to "truncate" at right side. So far I tried 3 methods and none of them worked yet, I slightly guess server mis-behave or actually not support "increment: 1" in register file or I mis-understand. Take following case as example, IKEv1, and use HMAC-SHA256 as PRF function. A real sample data from server, Method #1: No action Method #2: Use truncated bits do message merge and add the padding before PRF Ni is 396 bits and Nr is 1024 bits, we merge together and get 1420 bits, then pad 4 right-most 0 to get 1424 bits. Input this message to HMAC. Method #3: No padding at all Following are detailed computation. Refers to tsId 1328915 tgId 1 tcId 1. Server does not return the sample answer(get 404 error) even I specify sample flag. CONFIG OPERANDS Method 1: Fail Method 2: Fail Method 3: Fail Additional Observation: |
Also, this is not an important question since I can force incremental to 8 in register file. These parameter seems introduced in ACVP, so far I have not seen similar case in CAVP test vector. |
For IKEv1 and IKEv2, it is possible to get a
Test Group:
dhLength=4348
Test case:
gir=ED6DAAE... (Total contains 1088 characters in hex, so 544 bytes, so 4352 bits)
Where dhLength(in bits) < gir length(in bits). In CAVP document such like this it talks about when dhLength > gir length, and provided request vectors are all dhLength > gir length. In cryptography, it seems like dhLength(in bits) < gir length(in bits) is an invalid input. PLUS, the "gir" starts with "E", which is not a padding with 0.
Same story happened in IKEv1. May I know are these valid input? If so, how to handle when dhLength(in bits) < gir length(in bits) such case?
The text was updated successfully, but these errors were encountered: