| author | J08nY | 2018-07-23 18:53:35 +0200 |
|---|---|---|
| committer | J08nY | 2018-07-23 18:57:07 +0200 |
| commit | 80ec2bcb69d62267e97f1801f21aed5fe46f109f (patch) | |
| tree | 84dec58fe9c38e91e08317e238b13b49836ce7fc | |
| parent | 289f802cbd3ad45e3c84b8d2e67324f21c3fd453 (diff) | |
| -rw-r--r-- | README.md | 5 | ||||
| -rw-r--r-- | docs/TESTS.md | 22 |
2 files changed, 24 insertions, 3 deletions
@@ -85,6 +85,9 @@ See `java -jar ECTesterReader.jar -h` for more. text,yml,xml. -f,--fresh Generate fresh keys (set domain parameters before every generation). + --cleanup Send the cleanup command trigerring + JCSystem.requestObjectDeletion() + after some operations. -s,--simulate Simulate a card with jcardsim instead of using a terminal. -y,--yes Accept all warnings and prompts. @@ -218,6 +221,8 @@ If you are interested in testing support for other JavaCard algorithms, please v Currently supported libraries include: - BouncyCastle - SunEC + - OpenSSL + - Crypto++ - libtomcrypt - botan diff --git a/docs/TESTS.md b/docs/TESTS.md index 4d71ea6..5811577 100644 --- a/docs/TESTS.md +++ b/docs/TESTS.md @@ -66,10 +66,16 @@ This test suite also does some additional tests with corrupting the parameters: - p = 1 - p = q^2; q prime - p = q * s; q and s prime - - G = infinity - G = random point not on curve - - r = some prime (and \[r\]G != infinity) + - G = random data + - G = infinity + - r = 0 + - r = 1 + - r = some prime larger than original r (and \[r\]G != infinity) + - r = some prime smaller than original r (and \[r\]G != infninity) - r = some composite number (and \[r\]G != infinity) + - k = 0xff + - k = 0 - F2m: - e1 = e2 = e3 = 0 - m < e1 < e2 < e3 @@ -88,7 +94,10 @@ Tests using curves that don't have a prime order/nearly prime order. These tests should generally fail, a success here implies the card will use a non-secure curve if such curve is set by the applet. Operations over such curves are susceptible to small-subgroup attacks. - - r = p * q + - r = quite a smooth number, many small factors, r = |G| + - r = small prime(of increasing bit lengths), r = |G| + - r = p * q = |G| + - r = G = Carmichael number = p * q * s - \[r\]G = infinity but r != |G|, so |G| divides r For example: 
@@ -147,12 +156,19 @@ java -jar ECTester.jar -t cofactor ## Edge-Cases Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH. Some of the data is from the google/Wycheproof project. Tests include [CVE-2017-10176](https://nvd.nist.gov/vuln/detail/CVE-2017-10176) and [CVE-2017-8932](https://nvd.nist.gov/vuln/detail/CVE-2017-8932). +Various custom edge private key values are also tested. CVE-2017-10176 was in implementation issue in the SunEC Java library that caused the implementation to reach the point at infinity during ECDH computation. CVE-2017-8932 was an implementation issue in the Go standard library, in particular its scalar multiplication algorithm on the P-256 curve which leaked information about the private key. +Custom private key values over SECG curves are tested: + - s = 0, s = 1 + - s < r, s = r, s > r + - s = r - 1, s = r + 1 + - s = k\*r - 1, s = k\*r, s = k\*r + 1 + For example: ```bash java -jar ECTester.jar -t edge-cases |
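Review bot: In the README.md hunk at `@@ -85,6 +85,9`, the new `--cleanup` help text misspells "trigerring" (should be "triggering"), and "after some operations" does not say which operations are followed by the cleanup command. Since the surrounding text is presented as the `-h` output of ECTesterReader, the same wording likely lives in the option description in the source and should be corrected there too. Please name the operations, or point to where they are listed, so a user can tell when `JCSystem.requestObjectDeletion()` will actually be triggered.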
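Review bot: In the docs/TESTS.md hunk at `@@ -66,10 +66,16`, the added line "r = some prime smaller than original r (and \[r\]G != infninity)" has a typo, "infninity" should be "infinity" to match the neighbouring lines. The new "k = 0xff" and "k = 0" entries also introduce `k` without saying what it is; the other corrupted parameters in this list (p, G, r) are self-explanatory, so a short gloss on `k` in this list would help, especially since a later hunk uses `k` as a multiplier in "s = k\*r".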
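Review bot: In the docs/TESTS.md hunk at `@@ -88,7 +94,10`, the line "r = G = Carmichael number = p * q * s" equates the order with the generator point; the three lines around it all write `|G|`, so this should read "r = |G| = Carmichael number = p * q * s". Also add the missing space in "small prime(of increasing bit lengths)".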
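Review bot: In the docs/TESTS.md hunk at `@@ -147,12 +156,19`, the added sentence "Various custom edge private key values are also tested." is inserted between the sentence that names the two CVEs and the paragraphs that describe them, and it duplicates the later "Custom private key values over SECG curves are tested:" lead-in. Dropping the first sentence and keeping only the list lead-in would keep the CVE discussion contiguous. In the list itself, state what `r` and `k` denote and the range of `k` used, since "s = k\*r" with k = 1 repeats the "s = r" case already listed and `k` appears with a different role in the corrupted-parameter list earlier in the file.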
