m (→Key Generation)
(22 intermediate revisions by 7 users not shown)
| Line 20: | Line 20: | ||
#* Diffie-Hellman public keys and private keys (used for key agreement) | #* Diffie-Hellman public keys and private keys (used for key agreement) | ||
#* EC Diffie-Hellman public keys and private keys (used for key agreement) | #* EC Diffie-Hellman public keys and private keys (used for key agreement) | ||
#* TLS premaster secret (used in deriving the TLS master secret) | #* TLS premaster secret (used in deriving the TLS master secret) | ||
#* TLS master secret (used in the generation of symmetric cipher keys, IVs, and MAC secrets for TLS) | #* TLS master secret (used in the generation of symmetric cipher keys, IVs, and MAC secrets for TLS) | ||
| Line 35: | Line 34: | ||
The <code>FC_GenerateKey</code> and <code>FC_GenerateKeyPair</code> functions of the NSS cryptographic module perform key generation. <code>FC_GenerateKey</code> generates secret keys and domain parameters, and <code>FC_GenerateKeyPair</code> generates public/private key pairs. | The <code>FC_GenerateKey</code> and <code>FC_GenerateKeyPair</code> functions of the NSS cryptographic module perform key generation. <code>FC_GenerateKey</code> generates secret keys and domain parameters, and <code>FC_GenerateKeyPair</code> generates public/private key pairs. | ||
'''Approved key generation method:''' The NSS cryptographic module uses the Approved RNG specified as Algorithm | '''Approved key generation method:''' The NSS cryptographic module uses the Approved RNG specified as Algorithm Algorithm Hash_DRBG of SP 800-90 to generate cryptographic keys used by the Approved and non-Approved security functions. The validation certificate for the Approved RNG is [http://csrc.nist.gov/cryptval/rng/rngval.html#208 Cert# 208]. | ||
Secret keys for symmetric key algorithms and HMAC are generated using the output of the Approved RNG. | Secret keys for symmetric key algorithms and HMAC are generated using the output of the Approved RNG. | ||
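Review bot: the replacement text at Line 34 reads "Algorithm Algorithm Hash_DRBG", a doubled word; drop one. The same sentence still cites RNG Cert# 208, while the Random Number Generator section later in this diff tags that certificate "NEEDSUPDATEFOR_3_12_X"; the two references should be updated together, and the certificate number should be confirmed to be the one issued for the SP 800-90 Hash_DRBG rather than for the module's previous RNG, since the sentence now claims Hash_DRBG is the Approved RNG.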
| Line 47: | Line 46: | ||
ECDSA public and private keys are generated using the method specified in ANSI X9.62-1998. | ECDSA public and private keys are generated using the method specified in ANSI X9.62-1998. | ||
'''Security of key generation method:''' | '''Security of key generation method:''' The keys generated by the NSS cryptographic module have at most 256 bits of security. (See NIST [http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf Special Publication (SP) 800-57 Part 1], Table 2 in Section 5.6.1 on page 63.) Therefore, compromising the security of the key generation method (e.g., guessing the seed value to initialize the Approved RNG) requires at least as many operations as determining the value of the generated key. | ||
The initial value of ''XKEY'' is derived using the following procedure. | The initial value of ''XKEY'' is derived using the following procedure. | ||
* We obtain 1024 bytes from the system random number generator. On Windows XP SP 2, we call the CryptGenRandom function in the CryptoAPI. On Solaris, HP-UX, Linux, and Mac OS X, we read from the special device /dev/urandom.<div class=note>On HP-UX B.11.11, one must install the HP-UX Strong Random Number Generator (KRNG11i) bundle to | * We obtain 1024 bytes from the system random number generator. On Windows XP SP 2, we call the CryptGenRandom function in the CryptoAPI. On Solaris, HP-UX, Linux, and Mac OS X, we read from the special device /dev/urandom.<div class=note>On HP-UX B.11.11, one must install the HP-UX Strong Random Number Generator (KRNG11i) bundle to add the /dev/random and /dev/urandom special files. The KRNG11i bundle can be downloaded for free from the HP software depot, and installation is straightforward.</div> We set ''XKEY'' to the SHA-256 hash of these 1024 bytes.<pre>XKEY = SHA-256(1024 bytes from the system RNG)</pre> This is performed in the <code>RNG_RNGInit</code> function. | ||
* We then add extra entropy input to ''XKEY'' using SHA-256 as the mixing function:<pre>XKEY = SHA-256(XKEY || entropy_input)</pre> This is performed in the <code>RNG_SystemInfoForRNG</code> function. The mixing function is modeled after the reseed processes for the '''Hash_DRBG''' and '''Dual_EC_DRBG''' deterministic random bit generators in NIST SP 800-90 and the Reseed function for the Fortuna random number generator in Ferguson and Schneier's Practical Cryptography. The extra entropy input is either time-varying or machine-varying. On Unix, it includes: | * We then add extra entropy input to ''XKEY'' using SHA-256 as the mixing function:<pre>XKEY = SHA-256(XKEY || entropy_input)</pre> This is performed in the <code>RNG_SystemInfoForRNG</code> function. The mixing function is modeled after the reseed processes for the '''Hash_DRBG''' and '''Dual_EC_DRBG''' deterministic random bit generators in NIST SP 800-90 and the Reseed function for the Fortuna random number generator in Ferguson and Schneier's Practical Cryptography. The extra entropy input is either time-varying or machine-varying. On Unix, it includes: | ||
** various high-resolution clocks, | ** various high-resolution clocks, several times. Examples are | ||
*** <code>gettimeofday</code> | |||
*** <code>gethrtime</code> on Solaris | |||
*** <code>times</code> on Mac OS X | |||
*** the CR16 interval timer in the PA-RISC processor on HP-UX B.11.11 (see also http://h21007.www2.hp.com/dspp/tech/tech_TechSingleTipDetailPage_IDX/1,2366,5057,00.html) | |||
** the names, values, and memory addresses of all the environment variables. | ** the names, values, and memory addresses of all the environment variables. | ||
** current system/kernel statistics, | ** static system information or current system/kernel statistics, twice. Examples are | ||
** | *** the overall system statistics returned by the <code>sysinfo</code> function on Linux | ||
*** machine hardware name, OS release level, and hardware serial number returned by the <code>sysinfo</code> function on Solaris | |||
*** version number of OSF/AES OSC supported and version of CPU architecture returned by the <code>sysconf</code> function on HP-UX | |||
*** the maximum number of simultaneous processes per user id, the maximum number of streams that a process may have open at any one time, and the maximum number of open files per user id returned by the <code>sysconf</code> function on Mac OS X | |||
** the host name (returned by <code>gethostname</code>) | ** the host name (returned by <code>gethostname</code>) | ||
** the status information (<code>struct stat</code>) and contents of the file specified in the environment variable <code>NSRANDFILE</code> | ** the status information (<code>struct stat</code>) and contents of the file specified in the environment variable <code>NSRANDFILE</code> | ||
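Review bot: the "Security of key generation method" paragraph draws a conclusion the text does not support: it states that keys have at most 256 bits of security and then infers that guessing the RNG seed costs at least as much as guessing the key. That only follows if the seed itself carries at least 256 bits of entropy; the paragraph should say that XKEY is a 256-bit SHA-256 output of 1024 bytes from the system RNG, and that the bound holds provided the system RNG supplies at least 256 bits of entropy, which is the assumption the module actually relies on. Separately, the seeding description still speaks of "XKEY", the state variable of the FIPS 186-2 generator, while Line 34 and the Random Number Generator section now say the RNG is SP 800-90 Hash_DRBG, whose internal state is V, C and a reseed counter; either rewrite the seeding text in terms of the Hash_DRBG entropy_input, nonce and reseed inputs, or state explicitly that XKEY is the module's name for the seed material fed to Hash_DRBG instantiate/reseed.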
| Line 63: | Line 69: | ||
* On Windows, the extra entropy input includes | * On Windows, the extra entropy input includes | ||
** various high-resolution clocks, such as <code>QueryPerformanceCounter</code>, <code>GetTickCount</code> and <code>time</code>, several times. | ** various high-resolution clocks, such as <code>QueryPerformanceCounter</code>, <code>GetTickCount</code> and <code>time</code>, several times. | ||
** | ** information about the system's current usage of both physical and virtual memory returned by <code>GlobalMemoryStatus</code> | ||
** | ** the bitmask representing the currently available disk drives returned by <code>GetLogicalDrives</code> | ||
** <code>GetComputerName</code> | ** the NetBIOS name of the local computer returned by <code>GetComputerName</code> | ||
** the | ** the pseudo handle and process identifier of the current process returned by <code>GetCurrentProcess</code> and <code>GetCurrentProcessId</code> | ||
** information returned by <code>GetVolumeInformation(NULL, ...)</code> | ** information about the file system and volume of the root of the current directory returned by <code>GetVolumeInformation(NULL, ...)</code> | ||
** information returned by <code>GetDiskFreeSpace(NULL, ...)</code> | ** information about the current disk, including the amount of free space on the current disk, returned by <code>GetDiskFreeSpace(NULL, ...)</code> | ||
** the number of files in <code>C:\WINDOWS\system32</code> and the status information and contents of | ** the number of files in <code>C:\WINDOWS\system32</code> and the status information and contents of the first 10 readable files and then 10 or 11 files spread throughout the directory | ||
'''References''' | '''References''' | ||
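Review bot: most of the Windows inputs added here (process identifier, NetBIOS computer name, logical drive bitmask, volume and free-space figures) are readable or guessable by any local user and contribute little unpredictability, so the paragraph should make clear that they are mixed in as supplementary input and that the seed's security strength rests on the 1024 bytes from CryptGenRandom, not on this list. The hard-coded path "C:\WINDOWS\system32" is also worth a sentence: the text should say what the module does when the system directory is elsewhere (for example when the directory does not exist), since the description as written implies this input is always present.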
| Line 95: | Line 101: | ||
* EC Diffie-Hellman (key agreement, key establishment methodology provides between 80 bits and 256 bits of encryption strength) | * EC Diffie-Hellman (key agreement, key establishment methodology provides between 80 bits and 256 bits of encryption strength) | ||
* RSA (PKCS #1, key wrapping, key establishment methodology provides between 80 bits and 192 bits of encryption strength) | * RSA (PKCS #1, key wrapping, key establishment methodology provides between 80 bits and 192 bits of encryption strength) | ||
The [http:// | The [http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf Security Policy Rule 20] is also annotated with these caveats. | ||
</div> | </div> | ||
| Line 133: | Line 139: | ||
=Random Number Generator= | =Random Number Generator= | ||
There is only one random number generator (RNG) used in the NSS cryptographic module. The RNG is an Approved RNG, implementing Algorithm | There is only one random number generator (RNG) used in the NSS cryptographic module. The RNG is an Approved RNG, implementing Algorithm Hash_DRBG of [http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf NIST SP 800-90]. (The RNG validation certificate is [http://csrc.nist.gov/cryptval/rng/rngval.html#208 Cert# 208 NEEDSUPDATEFOR_3_12_X].) The Approved RNG is used within the NSS cryptographic module for all cryptographic purposes, including the generation of cryptographic keys used by an Approved security function. | ||
=Key Zeroization= | =Key Zeroization= | ||
The NSS cryptographic module | The NSS cryptographic module performs explicit zeroization steps to clear the memory region previously occupied by a plaintext secret key, private key, or password. The function used to zeroize memory used by plaintext secret and private keys and passwords is the Standard C library function <code>memset()</code> or its synonym <code>PORT_Memset()</code>: | ||
#define PORT_Memset memset | #define PORT_Memset memset | ||
If the memory is allocated from the heap, the [http:// | If the memory is allocated from the heap, the [http://mxr.mozilla.org/security/ident?i=PORT_ZFree <code>PORT_ZFree()</code>] function can be used to both zeroize and free memory: | ||
void | void | ||
PORT_ZFree(void *ptr, size_t len) | PORT_ZFree(void *ptr, size_t len) | ||
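Review bot: "#define PORT_Memset memset" means zeroization is a plain memset whose written values are never read again before the buffer is freed (PORT_ZFree zeroizes and then frees), and a store with no subsequent read is exactly the kind of dead store an optimizing compiler is permitted to remove. The Key Zeroization text should state what guarantees the clear actually happens (a volatile-qualified pointer, a memory barrier, or a platform secure-zero routine) before claiming the module "performs explicit zeroization steps"; otherwise the claim is not established by the code shown. Also, the "NEEDSUPDATEFOR_3_12_X" marker left in the RNG certificate link is editorial scaffolding and should be resolved before this text is published as policy.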
| Line 164: | Line 161: | ||
* the NSS cryptographic module is shut down (with a <code>FC_Finalize</code> call), | * the NSS cryptographic module is shut down (with a <code>FC_Finalize</code> call), | ||
* the NSS cryptographic module is reinitialized (with a <code>FC_InitToken</code> call), or | * the NSS cryptographic module is reinitialized (with a <code>FC_InitToken</code> call), or | ||
* the NSS cryptographic module switches between the FIPS and non-FIPS modes (with a <code> | * the NSS cryptographic module switches between the FIPS and non-FIPS modes (with a <code>NSC_Finalize</code>/<code>FC_Initialize</code> or <code>FC_Finalize</code>/<code>NSC_Initialize</code> call sequence). | ||
Passwords are automatically zeroized by the NSS cryptographic module immediately after use. | Passwords are automatically zeroized by the NSS cryptographic module immediately after use. | ||
The <code>memset()</code> function is extremely fast. Zeroization can be performed in a time that is not sufficient to compromise plaintext secret and private keys and passwords. | The <code>memset()</code> function is extremely fast. Zeroization can be performed in a time that is not sufficient to compromise plaintext secret and private keys and passwords. | ||
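Review bot: the last sentence, "Zeroization can be performed in a time that is not sufficient to compromise plaintext secret and private keys and passwords", is garbled; the intended claim appears to be that zeroization completes quickly enough that the window in which plaintext keys remain in memory is too short to exploit. Speed of memset is not the property that matters, though: what the reader needs is that zeroization runs on every path that releases a key (the FC_Finalize, FC_InitToken and mode-switch cases listed above, plus the immediate clearing of passwords) and that the clear is not optimized away. Suggest rewording the sentence to make those two guarantees rather than the timing claim.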